From b591902d837747efe6d095cb3f5e11243405ca02 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Wed, 23 Jan 2013 12:22:19 +0100
Subject: [PATCH] * Wed Jan 23 2013 Miroslav Grepl 3.12.1-6
 - kde gnomeclock wants to write content to /tmp
 - /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
 - Allow blueman_t to rwx zero_device_t, for some kind of jre
 - Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre
 - Ftp full access should be allowed to create directories as well as files
 - Add boolean to allow rsync_full_access, so that an rsync server can write all
 - over the local machine
 - logrotate needs to rotate logs in openshift directories, needs back port to RHEL6
 - Add missing vpnc_roles type line
 - Allow stapserver to write content in /tmp
 - Allow gnome keyring to create keyrings dir in ~/.local/share
 - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
 - Add interface to colord_t dbus_chat to allow it to read remote process state
 - Allow colord_t to read cupsd_t state
 - Add mate-thumbnail-font as thumbnailer
 - Allow sectoolm to sys_ptrace since it is looking at other processes /proc data.
 - Allow qpidd to list /tmp. Needed by ssl
 - Only allow init_t to transition to rsync_t domain, not initrc_t. This should be b
 -
 - Added systemd support for ksmtuned
 - Added booleans ksmtuned_use_nfs ksmtuned_use_cifs
 - firewalld seems to be creating mmap files which it needs to execute in /run /tmp a
 - Looks like qpidd_t needs to read /dev/random
 - Lots of probing avc's caused by executing gpg from staff_t
 - Dontaudit sendmail triggering a net_admin avc
 - Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back
 - Logwatch does access check on mdadm binary
 - Add raid_access_check_mdadm() interface
---
 policy-rawhide-base.patch    | 154720 +++++++++++++++++++++++++-------
 policy-rawhide-contrib.patch |    747 +-
 selinux-policy.spec          |     42 +-
 3 files changed, 124598 insertions(+), 30911 deletions(-)
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index e913e254..7415fc7f 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -75,11 +75,11 @@ index c049e10..150f281 100644 +system_u:system_r:svirt_tcg_t:s0 diff --git a/man/man8/NetworkManager_selinux.8 b/man/man8/NetworkManager_selinux.8 new file mode 100644 -index 0000000..62a48d7 +index 0000000..4e63b92 --- /dev/null +++ b/man/man8/NetworkManager_selinux.8 -@@ -0,0 +1,292 @@ -+.TH "NetworkManager_selinux" "8" "12-11-01" "NetworkManager" "SELinux Policy documentation for NetworkManager" +@@ -0,0 +1,476 @@ ++.TH "NetworkManager_selinux" "8" "13-01-16" "NetworkManager" "SELinux Policy documentation for NetworkManager" +.SH "NAME" +NetworkManager_selinux \- Security Enhanced Linux Policy for the NetworkManager processes +.SH "DESCRIPTION" @@ -95,7 +95,9 @@ index 0000000..62a48d7 + +.SH "ENTRYPOINTS" + -+The NetworkManager_t SELinux type can be entered via the "NetworkManager_exec_t" file type. The default entrypoint paths for the NetworkManager_t domain are the following:" ++The NetworkManager_t SELinux type can be entered via the \fBNetworkManager_exec_t\fP file type. ++ ++The default entrypoint paths for the NetworkManager_t domain are the following: + +/usr/s?bin/NetworkManager, /usr/s?bin/wpa_supplicant, /usr/sbin/wicd, /sbin/wpa_supplicant, /usr/sbin/wpa_supplicant, /usr/sbin/nm-system-settings, /usr/sbin/NetworkManagerDispatcher +.SH PROCESS TYPES 
@@ -113,98 +115,148 @@ index 0000000..62a48d7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a NetworkManager_t ++can be used to make the process type NetworkManager_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux NetworkManager policy is very flexible allowing users to setup their NetworkManager processes in as secure a method as possible. -+.PP -+The following file types are defined for NetworkManager: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. NetworkManager policy is extremely flexible and has several booleans that allow you to manipulate the policy and run NetworkManager with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B NetworkManager_etc_rw_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the NetworkManager_etc_rw_t type, if you want to treat the files as NetworkManager etc read/write content. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B NetworkManager_etc_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the NetworkManager_etc_t type, if you want to store NetworkManager files in the /etc directories. 
-+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B NetworkManager_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the NetworkManager_exec_t type, if you want to transition an executable to the NetworkManager_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B NetworkManager_initrc_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the NetworkManager_initrc_exec_t type, if you want to transition an executable to the NetworkManager_initrc_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B NetworkManager_log_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the NetworkManager_log_t type, if you want to treat the data as NetworkManager log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B NetworkManager_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the NetworkManager_tmp_t type, if you want to store NetworkManager temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B NetworkManager_unit_file_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the NetworkManager_unit_file_t type, if you want to treat the files as NetworkManager unit content. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
+ +.EX -+.PP -+.B NetworkManager_var_lib_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the NetworkManager_var_lib_t type, if you want to store the NetworkManager files under the /var/lib directory. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B NetworkManager_var_run_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the NetworkManager_var_run_t type, if you want to store the NetworkManager files under the /run directory. ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P xguest_connect_network 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the NetworkManager_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the NetworkManager_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -219,14 +271,6 @@ index 0000000..62a48d7 +.br + +.br -+.B NetworkManager_log_t -+ -+ /var/log/wicd.* -+.br -+ /var/log/wpa_supplicant.* -+.br -+ -+.br +.B NetworkManager_tmp_t + + @@ -271,6 +315,8 @@ index 0000000..62a48d7 + + /var/named/data(/.*)? +.br ++ /var/lib/unbound(/.*)? ++.br + /var/named/slaves(/.*)? +.br + /var/named/dynamic(/.*)? @@ -287,8 +333,6 @@ index 0000000..62a48d7 +.br +.B net_conf_t + -+ /etc/ntpd?\.conf.* -+.br + /etc/hosts[^/]* +.br + /etc/yp\.conf.* @@ -299,8 +343,6 @@ index 0000000..62a48d7 +.br + /etc/resolv\.conf.* +.br -+ /etc/ntp/step-tickers.* -+.br + /etc/sysconfig/networking(/.*)? +.br + /etc/sysconfig/network-scripts(/.*)? @@ -321,6 +363,14 @@ index 0000000..62a48d7 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B sysfs_t + + /sys(/.*)? 
@@ -334,22 +384,152 @@ index 0000000..62a48d7 + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux NetworkManager policy is very flexible allowing users to setup their NetworkManager processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the NetworkManager_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the NetworkManager_t, you must turn on the kerberos_enabled boolean. ++NetworkManager policy stores data with multiple different file context types under the /var/run/wpa_supplicant directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/wpa_supplicant /srv/wpa_supplicant ++.br ++.B restorecon -R -v /srv/wpa_supplicant ++.PP ++ ++.PP ++NetworkManager policy stores data with multiple different file context types under the /var/run/NetworkManager directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. 
If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/NetworkManager /srv/NetworkManager ++.br ++.B restorecon -R -v /srv/NetworkManager ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the NetworkManager, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t NetworkManager_etc_rw_t '/srv/NetworkManager/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myNetworkManager_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for NetworkManager: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B NetworkManager_etc_rw_t +.EE + ++- Set files with the NetworkManager_etc_rw_t type, if you want to treat the files as NetworkManager etc read/write content. ++ ++.br ++.TP 5 ++Paths: ++/etc/NetworkManager/system-connections(/.*)?, /etc/NetworkManager/NetworkManager\.conf ++ ++.EX ++.PP ++.B NetworkManager_etc_t ++.EE ++ ++- Set files with the NetworkManager_etc_t type, if you want to store NetworkManager files in the /etc directories. ++ ++ ++.EX ++.PP ++.B NetworkManager_exec_t ++.EE ++ ++- Set files with the NetworkManager_exec_t type, if you want to transition an executable to the NetworkManager_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/s?bin/NetworkManager, /usr/s?bin/wpa_supplicant, /usr/sbin/wicd, /sbin/wpa_supplicant, /usr/sbin/wpa_supplicant, /usr/sbin/nm-system-settings, /usr/sbin/NetworkManagerDispatcher ++ ++.EX ++.PP ++.B NetworkManager_initrc_exec_t ++.EE ++ ++- Set files with the NetworkManager_initrc_exec_t type, if you want to transition an executable to the NetworkManager_initrc_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/nm-dispatcher.action, /etc/NetworkManager/dispatcher\.d(/.*)?, /etc/rc\.d/init\.d/wicd ++ ++.EX ++.PP ++.B NetworkManager_log_t ++.EE ++ ++- Set files with the NetworkManager_log_t type, if you want to treat the data as NetworkManager log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/wicd.*, /var/log/wpa_supplicant.* ++ ++.EX ++.PP ++.B NetworkManager_tmp_t ++.EE ++ ++- Set files with the NetworkManager_tmp_t type, if you want to store NetworkManager temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B NetworkManager_unit_file_t ++.EE ++ ++- Set files with the NetworkManager_unit_file_t type, if you want to treat the files as NetworkManager unit content. ++ ++ ++.EX ++.PP ++.B NetworkManager_var_lib_t ++.EE ++ ++- Set files with the NetworkManager_var_lib_t type, if you want to store the NetworkManager files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/wicd(/.*)?, /var/lib/NetworkManager(/.*)?, /etc/dhcp/wired-settings.conf, /etc/wicd/wired-settings.conf, /etc/dhcp/manager-settings.conf, /etc/wicd/manager-settings.conf, /etc/dhcp/wireless-settings.conf, /etc/wicd/wireless-settings.conf ++ ++.EX ++.PP ++.B NetworkManager_var_run_t ++.EE ++ ++- Set files with the NetworkManager_var_run_t type, if you want to store the NetworkManager files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/nm-dhclient.*, /var/run/NetworkManager(/.*)?, /var/run/wpa_supplicant(/.*)?, /var/run/NetworkManager\.pid, /var/run/nm-dns-dnsmasq\.conf, /var/run/wpa_supplicant-global ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -360,6 +540,9 @@ index 0000000..62a48d7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -371,13 +554,15 @@ index 0000000..62a48d7 + +.SH "SEE ALSO" +selinux(8), NetworkManager(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/abrt_dump_oops_selinux.8 b/man/man8/abrt_dump_oops_selinux.8 new file mode 100644 -index 0000000..c365bc5 +index 0000000..f86d90f --- /dev/null +++ b/man/man8/abrt_dump_oops_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "abrt_dump_oops_selinux" "8" "12-11-01" "abrt_dump_oops" "SELinux Policy documentation for abrt_dump_oops" +@@ -0,0 +1,171 @@ ++.TH "abrt_dump_oops_selinux" "8" "13-01-16" "abrt_dump_oops" "SELinux Policy documentation for abrt_dump_oops" +.SH "NAME" +abrt_dump_oops_selinux \- Security Enhanced Linux Policy for the abrt_dump_oops processes +.SH "DESCRIPTION" @@ -393,7 +578,9 @@ index 0000000..c365bc5 + +.SH "ENTRYPOINTS" + -+The abrt_dump_oops_t SELinux type can be entered via the "abrt_dump_oops_exec_t" file type. The default entrypoint paths for the abrt_dump_oops_t domain are the following:" ++The abrt_dump_oops_t SELinux type can be entered via the \fBabrt_dump_oops_exec_t\fP file type. ++ ++The default entrypoint paths for the abrt_dump_oops_t domain are the following: + +/usr/bin/abrt-dump-oops +.SH PROCESS TYPES 
@@ -411,8 +598,76 @@ index 0000000..c365bc5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a abrt_dump_oops_t ++can be used to make the process type abrt_dump_oops_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. abrt_dump_oops policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt_dump_oops with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type abrt_dump_oops_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B abrt_var_cache_t ++ ++ /var/tmp/abrt(/.*)? ++.br ++ /var/cache/abrt(/.*)? ++.br ++ /var/spool/abrt(/.*)? ++.br ++ /var/cache/abrt-di(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -422,7 +677,20 @@ index 0000000..c365bc5 +Policy governs the access confined processes have to these files. +SELinux abrt_dump_oops policy is very flexible allowing users to setup their abrt_dump_oops processes in as secure a method as possible. +.PP -+The following file types are defined for abrt_dump_oops: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the abrt_dump_oops, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t abrt_dump_oops_exec_t '/srv/abrt_dump_oops/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myabrt_dump_oops_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for abrt_dump_oops: + + +.EX 
@@ -440,22 +708,6 @@ index 0000000..c365bc5 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type abrt_dump_oops_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B abrt_var_cache_t -+ -+ /var/cache/abrt(/.*)? -+.br -+ /var/spool/abrt(/.*)? -+.br -+ /var/cache/abrt-di(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -466,6 +718,9 @@ index 0000000..c365bc5 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -477,15 +732,15 @@ index 0000000..c365bc5 + +.SH "SEE ALSO" +selinux(8), abrt_dump_oops(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, abrt_selinux(8), abrt_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8) ++, setsebool(8), abrt_selinux(8), abrt_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8) \ No newline at end of file diff --git a/man/man8/abrt_handle_event_selinux.8 b/man/man8/abrt_handle_event_selinux.8 new file mode 100644 -index 0000000..9cd4e4f +index 0000000..d371cee --- /dev/null 
+++ b/man/man8/abrt_handle_event_selinux.8 -@@ -0,0 +1,108 @@ -+.TH "abrt_handle_event_selinux" "8" "12-11-01" "abrt_handle_event" "SELinux Policy documentation for abrt_handle_event" +@@ -0,0 +1,155 @@ ++.TH "abrt_handle_event_selinux" "8" "13-01-16" "abrt_handle_event" "SELinux Policy documentation for abrt_handle_event" +.SH "NAME" +abrt_handle_event_selinux \- Security Enhanced Linux Policy for the abrt_handle_event processes +.SH "DESCRIPTION" @@ -501,7 +756,9 @@ index 0000000..9cd4e4f + +.SH "ENTRYPOINTS" + -+The abrt_handle_event_t SELinux type can be entered via the "abrt_handle_event_exec_t" file type. The default entrypoint paths for the abrt_handle_event_t domain are the following:" ++The abrt_handle_event_t SELinux type can be entered via the \fBabrt_handle_event_exec_t\fP file type. ++ ++The default entrypoint paths for the abrt_handle_event_t domain are the following: + +/usr/libexec/abrt-handle-event +.SH PROCESS TYPES 
@@ -519,25 +776,59 @@ index 0000000..9cd4e4f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a abrt_handle_event_t ++can be used to make the process type abrt_handle_event_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. abrt_handle_event policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt_handle_event with the tightest access possible. + + +.PP -+If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean. ++If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean. Disabled by default. + +.EX +.B setsebool -P abrt_handle_event 1 ++ +.EE + +.PP -+If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P abrt_handle_event 1 ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ +.EE + +.SH FILE CONTEXTS @@ -548,7 +839,20 @@ index 0000000..9cd4e4f +Policy governs the access confined processes have to these files. +SELinux abrt_handle_event policy is very flexible allowing users to setup their abrt_handle_event processes in as secure a method as possible. +.PP -+The following file types are defined for abrt_handle_event: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the abrt_handle_event, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t abrt_handle_event_exec_t '/srv/abrt_handle_event/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myabrt_handle_event_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for abrt_handle_event: + + +.EX @@ -566,8 +870,6 @@ index 0000000..9cd4e4f +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -596,11 +898,11 @@ index 0000000..9cd4e4f \ No newline at end of file diff --git a/man/man8/abrt_helper_selinux.8 b/man/man8/abrt_helper_selinux.8 new file mode 100644 -index 0000000..ffc4a82 +index 0000000..d84084e --- /dev/null 
+++ b/man/man8/abrt_helper_selinux.8 -@@ -0,0 +1,115 @@ -+.TH "abrt_helper_selinux" "8" "12-11-01" "abrt_helper" "SELinux Policy documentation for abrt_helper" +@@ -0,0 +1,211 @@ ++.TH "abrt_helper_selinux" "8" "13-01-16" "abrt_helper" "SELinux Policy documentation for abrt_helper" +.SH "NAME" +abrt_helper_selinux \- Security Enhanced Linux Policy for the abrt_helper processes +.SH "DESCRIPTION" @@ -616,7 +918,9 @@ index 0000000..ffc4a82 + +.SH "ENTRYPOINTS" + -+The abrt_helper_t SELinux type can be entered via the "abrt_helper_exec_t" file type. The default entrypoint paths for the abrt_helper_t domain are the following:" ++The abrt_helper_t SELinux type can be entered via the \fBabrt_helper_exec_t\fP file type. ++ ++The default entrypoint paths for the abrt_helper_t domain are the following: + +/usr/bin/abrt-pyhook-helper +.SH PROCESS TYPES 
@@ -634,8 +938,116 @@ index 0000000..ffc4a82 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a abrt_helper_t ++can be used to make the process type abrt_helper_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. abrt_helper policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt_helper with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the abrt_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the abrt_helper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type abrt_helper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B abrt_var_cache_t ++ ++ /var/tmp/abrt(/.*)? ++.br ++ /var/cache/abrt(/.*)? ++.br ++ /var/spool/abrt(/.*)? ++.br ++ /var/cache/abrt-di(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -645,7 +1057,20 @@ index 0000000..ffc4a82 +Policy governs the access confined processes have to these files. +SELinux abrt_helper policy is very flexible allowing users to setup their abrt_helper processes in as secure a method as possible. +.PP -+The following file types are defined for abrt_helper: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the abrt_helper, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t abrt_helper_exec_t '/srv/abrt_helper/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myabrt_helper_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for abrt_helper: + + +.EX @@ -663,36 +1088,6 @@ index 0000000..ffc4a82 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type abrt_helper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B abrt_var_cache_t -+ -+ /var/cache/abrt(/.*)? -+.br -+ /var/spool/abrt(/.*)? -+.br -+ /var/cache/abrt-di(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the abrt_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the abrt_helper_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -703,6 +1098,9 @@ index 0000000..ffc4a82 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -714,15 +1112,15 @@ index 0000000..ffc4a82 + +.SH "SEE ALSO" +selinux(8), abrt_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8) ++, setsebool(8), abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8) \ No newline at end of file diff --git a/man/man8/abrt_retrace_coredump_selinux.8 b/man/man8/abrt_retrace_coredump_selinux.8 new file mode 100644 -index 0000000..95c7f7f +index 0000000..f4f32f5 --- /dev/null +++ b/man/man8/abrt_retrace_coredump_selinux.8 -@@ -0,0 +1,115 @@ -+.TH "abrt_retrace_coredump_selinux" "8" "12-11-01" "abrt_retrace_coredump" "SELinux Policy documentation for abrt_retrace_coredump" +@@ -0,0 +1,183 @@ ++.TH "abrt_retrace_coredump_selinux" "8" "13-01-16" "abrt_retrace_coredump" "SELinux Policy documentation for abrt_retrace_coredump" +.SH "NAME" +abrt_retrace_coredump_selinux \- Security Enhanced Linux Policy for the abrt_retrace_coredump processes +.SH "DESCRIPTION" 
@@ -738,7 +1136,9 @@ index 0000000..95c7f7f + +.SH "ENTRYPOINTS" + -+The abrt_retrace_coredump_t SELinux type can be entered via the "abrt_retrace_coredump_exec_t" file type. The default entrypoint paths for the abrt_retrace_coredump_t domain are the following:" ++The abrt_retrace_coredump_t SELinux type can be entered via the \fBabrt_retrace_coredump_exec_t\fP file type. ++ ++The default entrypoint paths for the abrt_retrace_coredump_t domain are the following: + +/usr/bin/coredump2packages +.SH PROCESS TYPES 
@@ -756,34 +1156,60 @@ index 0000000..95c7f7f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a abrt_retrace_coredump_t ++can be used to make the process type abrt_retrace_coredump_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux abrt_retrace_coredump policy is very flexible allowing users to setup their abrt_retrace_coredump processes in as secure a method as possible. -+.PP -+The following file types are defined for abrt_retrace_coredump: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. abrt_retrace_coredump policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt_retrace_coredump with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B abrt_retrace_coredump_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the abrt_retrace_coredump_exec_t type, if you want to transition an executable to the abrt_retrace_coredump_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -813,7 +1239,44 @@ index 0000000..95c7f7f + /var/run/PackageKit(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux abrt_retrace_coredump policy is very flexible allowing users to setup their abrt_retrace_coredump processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the abrt_retrace_coredump, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t abrt_retrace_coredump_exec_t '/srv/abrt_retrace_coredump/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myabrt_retrace_coredump_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for abrt_retrace_coredump: ++ ++ ++.EX ++.PP ++.B abrt_retrace_coredump_exec_t ++.EE ++ ++- Set files with the abrt_retrace_coredump_exec_t type, if you want to transition an executable to the abrt_retrace_coredump_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -825,6 +1288,9 @@ index 0000000..95c7f7f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -836,15 +1302,15 @@ index 0000000..95c7f7f + +.SH "SEE ALSO" +selinux(8), abrt_retrace_coredump(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8) ++, setsebool(8), abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_worker_selinux(8), abrt_watch_log_selinux(8) \ No newline at end of file diff --git a/man/man8/abrt_retrace_worker_selinux.8 b/man/man8/abrt_retrace_worker_selinux.8 new file mode 100644 -index 0000000..c0c182f +index 0000000..8d0876c --- /dev/null +++ b/man/man8/abrt_retrace_worker_selinux.8 -@@ -0,0 +1,99 @@ -+.TH "abrt_retrace_worker_selinux" "8" "12-11-01" "abrt_retrace_worker" "SELinux Policy documentation for abrt_retrace_worker" +@@ -0,0 +1,171 @@ ++.TH "abrt_retrace_worker_selinux" "8" "13-01-16" "abrt_retrace_worker" "SELinux Policy documentation for abrt_retrace_worker" +.SH "NAME" +abrt_retrace_worker_selinux \- Security Enhanced Linux Policy for the abrt_retrace_worker processes +.SH "DESCRIPTION" @@ -860,7 +1326,9 @@ index 0000000..c0c182f + +.SH "ENTRYPOINTS" + -+The abrt_retrace_worker_t SELinux type can be entered via the "abrt_retrace_worker_exec_t" file type. The default entrypoint paths for the abrt_retrace_worker_t domain are the following:" ++The abrt_retrace_worker_t SELinux type can be entered via the \fBabrt_retrace_worker_exec_t\fP file type. ++ ++The default entrypoint paths for the abrt_retrace_worker_t domain are the following: + +/usr/bin/abrt-retrace-worker, /usr/bin/retrace-server-worker +.SH PROCESS TYPES 
@@ -878,34 +1346,60 @@ index 0000000..c0c182f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a abrt_retrace_worker_t ++can be used to make the process type abrt_retrace_worker_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux abrt_retrace_worker policy is very flexible allowing users to setup their abrt_retrace_worker processes in as secure a method as possible. -+.PP -+The following file types are defined for abrt_retrace_worker: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. abrt_retrace_worker policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt_retrace_worker with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B abrt_retrace_worker_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the abrt_retrace_worker_exec_t type, if you want to transition an executable to the abrt_retrace_worker_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -919,7 +1413,48 @@ index 0000000..c0c182f + /var/spool/retrace-server(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux abrt_retrace_worker policy is very flexible allowing users to setup their abrt_retrace_worker processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the abrt_retrace_worker, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t abrt_retrace_worker_exec_t '/srv/abrt_retrace_worker/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myabrt_retrace_worker_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for abrt_retrace_worker: ++ ++ ++.EX ++.PP ++.B abrt_retrace_worker_exec_t ++.EE ++ ++- Set files with the abrt_retrace_worker_exec_t type, if you want to transition an executable to the abrt_retrace_worker_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/abrt-retrace-worker, /usr/bin/retrace-server-worker ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -931,6 +1466,9 @@ index 0000000..c0c182f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -942,15 +1480,15 @@ index 0000000..c0c182f + +.SH "SEE ALSO" +selinux(8), abrt_retrace_worker(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_watch_log_selinux(8) ++, setsebool(8), abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_watch_log_selinux(8) \ No newline at end of file diff --git a/man/man8/abrt_selinux.8 b/man/man8/abrt_selinux.8 new file mode 100644 -index 0000000..25121c1 +index 0000000..ed9e098 --- /dev/null +++ b/man/man8/abrt_selinux.8 -@@ -0,0 +1,347 @@ -+.TH "abrt_selinux" "8" "12-11-01" "abrt" "SELinux Policy documentation for abrt" +@@ -0,0 +1,512 @@ ++.TH "abrt_selinux" "8" "13-01-16" "abrt" "SELinux Policy documentation for abrt" +.SH "NAME" +abrt_selinux \- Security Enhanced Linux Policy for the abrt processes +.SH "DESCRIPTION" @@ -966,7 +1504,9 @@ index 0000000..25121c1 + +.SH "ENTRYPOINTS" + -+The abrt_t SELinux type can be entered via the "abrt_exec_t" file type. The default entrypoint paths for the abrt_t domain are the following:" ++The abrt_t SELinux type can be entered via the \fBabrt_exec_t\fP file type. ++ ++The default entrypoint paths for the abrt_t domain are the following: + +/usr/sbin/abrtd, /usr/sbin/abrt-dbus +.SH PROCESS TYPES 
@@ -984,59 +1524,220 @@ index 0000000..25121c1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a abrt_t ++can be used to make the process type abrt_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. abrt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt with the tightest access possible. + + +.PP -+If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean. ++If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean. Disabled by default. + +.EX +.B setsebool -P abrt_handle_event 1 ++ +.EE + +.PP -+If you want to allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts, you must turn on the abrt_handle_event boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P abrt_handle_event 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+.SH SHARING FILES -+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. 
-+.TP -+Allow abrt servers to read the /var/abrt directory by adding the public_content_t file type to the directory and by restoring the file type. +.PP -+.B -+semanage fcontext -a -t public_content_t "/var/abrt(/.*)?" ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the abrt_helper_t, abrt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the abrt_helper_t, abrt_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type abrt_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ +.br -+.B restorecon -F -R -v /var/abrt -+.pp -+.TP -+Allow abrt servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_abrtd_anon_write boolean to be set. -+.PP -+.B -+semanage fcontext -a -t public_content_rw_t "/var/abrt/incoming(/.*)?" ++.B abrt_etc_t ++ ++ /etc/abrt(/.*)? +.br -+.B restorecon -F -R -v /var/abrt/incoming ++ ++.br ++.B abrt_tmp_t + + -+.PP -+If you want to allow ABRT to modify public files used for public file transfer services., you must turn on the abrt_anon_write boolean. ++.br ++.B abrt_var_cache_t + -+.EX -+.B setsebool -P abrt_anon_write 1 -+.EE ++ /var/tmp/abrt(/.*)? ++.br ++ /var/cache/abrt(/.*)? ++.br ++ /var/spool/abrt(/.*)? ++.br ++ /var/cache/abrt-di(/.*)? 
++.br + -+.PP -+If you want to allow ABRT to modify public files used for public file transfer services., you must turn on the abrt_anon_write boolean. ++.br ++.B abrt_var_log_t + -+.EX -+.B setsebool -P abrt_anon_write 1 -+.EE ++ /var/log/abrt-logger.* ++.br ++ ++.br ++.B abrt_var_run_t ++ ++ /var/run/abrt(/.*)? ++.br ++ /var/run/abrtd?\.lock ++.br ++ /var/run/abrtd?\.socket ++.br ++ /var/run/abrt\.pid ++.br ++ ++.br ++.B public_content_rw_t ++ ++ /var/spool/abrt-upload(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B rpm_log_t ++ ++ /var/log/yum\.log.* ++.br ++ ++.br ++.B rpm_var_cache_t ++ ++ /var/cache/yum(/.*)? ++.br ++ /var/spool/up2date(/.*)? ++.br ++ /var/cache/PackageKit(/.*)? ++.br ++ ++.br ++.B rpm_var_run_t ++ ++ /var/run/yum.* ++.br ++ /var/run/PackageKit(/.*)? ++.br ++ ++.br ++.B sysfs_t ++ ++ /sys(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -1046,7 +1747,47 @@ index 0000000..25121c1 +Policy governs the access confined processes have to these files. +SELinux abrt policy is very flexible allowing users to setup their abrt processes in as secure a method as possible. +.PP -+The following file types are defined for abrt: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++abrt policy stores data with multiple different file context types under the /var/cache/abrt directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/cache/abrt /srv/abrt ++.br ++.B restorecon -R -v /srv/abrt ++.PP ++ ++.PP ++abrt policy stores data with multiple different file context types under the /var/spool/abrt directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/spool/abrt /srv/abrt ++.br ++.B restorecon -R -v /srv/abrt ++.PP ++ ++.PP ++abrt policy stores data with multiple different file context types under the /var/run/abrt directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/abrt /srv/abrt ++.br ++.B restorecon -R -v /srv/abrt ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the abrt, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. 
++ ++.B semanage fcontext -a -t abrt_dump_oops_exec_t '/srv/abrt/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myabrt_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for abrt: + + +.EX @@ -1072,6 +1813,10 @@ index 0000000..25121c1 + +- Set files with the abrt_exec_t type, if you want to transition an executable to the abrt_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/abrtd, /usr/sbin/abrt-dbus + +.EX +.PP @@ -1104,6 +1849,10 @@ index 0000000..25121c1 + +- Set files with the abrt_retrace_cache_t type, if you want to store the files under the /var/cache directory. + ++.br ++.TP 5 ++Paths: ++/var/cache/abrt-retrace(/.*)?, /var/cache/retrace-server(/.*)? + +.EX +.PP @@ -1120,6 +1869,10 @@ index 0000000..25121c1 + +- Set files with the abrt_retrace_spool_t type, if you want to store the abrt retrace files under the /var/spool directory. + ++.br ++.TP 5 ++Paths: ++/var/spool/abrt-retrace(/.*)?, /var/spool/retrace-server(/.*)? + +.EX +.PP @@ -1128,6 +1881,10 @@ index 0000000..25121c1 + +- Set files with the abrt_retrace_worker_exec_t type, if you want to transition an executable to the abrt_retrace_worker_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/abrt-retrace-worker, /usr/bin/retrace-server-worker + +.EX +.PP @@ -1152,6 +1909,10 @@ index 0000000..25121c1 + +- Set files with the abrt_var_cache_t type, if you want to store the files under the /var/cache directory. + ++.br ++.TP 5 ++Paths: ++/var/tmp/abrt(/.*)?, /var/cache/abrt(/.*)?, /var/spool/abrt(/.*)?, /var/cache/abrt-di(/.*)? + +.EX +.PP 
@@ -1166,8 +1927,12 @@ index 0000000..25121c1 +.B abrt_var_run_t +.EE + -+- Set files with the abrt_var_run_t type, if you want to store the abrt files under the /run directory. ++- Set files with the abrt_var_run_t type, if you want to store the abrt files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/abrt(/.*)?, /var/run/abrtd?\.lock, /var/run/abrtd?\.socket, /var/run/abrt\.pid + +.EX +.PP 
@@ -1184,92 +1949,30 @@ index 0000000..25121c1 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" ++.SH SHARING FILES ++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. ++.TP ++Allow abrt servers to read the /var/abrt directory by adding the public_content_t file type to the directory and by restoring the file type. ++.PP ++.B ++semanage fcontext -a -t public_content_t "/var/abrt(/.*)?" ++.br ++.B restorecon -F -R -v /var/abrt ++.pp ++.TP ++Allow abrt servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_abrtd_anon_write boolean to be set. ++.PP ++.B ++semanage fcontext -a -t public_content_rw_t "/var/abrt/incoming(/.*)?" ++.br ++.B restorecon -F -R -v /var/abrt/incoming + -+The SELinux process type abrt_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B abrt_etc_t -+ -+ /etc/abrt(/.*)? -+.br -+ -+.br -+.B abrt_tmp_t -+ -+ -+.br -+.B abrt_var_cache_t -+ -+ /var/cache/abrt(/.*)? -+.br -+ /var/spool/abrt(/.*)? -+.br -+ /var/cache/abrt-di(/.*)? -+.br -+ -+.br -+.B abrt_var_log_t -+ -+ /var/log/abrt-logger -+.br -+ -+.br -+.B abrt_var_run_t -+ -+ /var/run/abrt(/.*)? -+.br -+ /var/run/abrtd?\.lock -+.br -+ /var/run/abrtd?\.socket -+.br -+ /var/run/abrt\.pid -+.br -+ -+.br -+.B rpm_log_t -+ -+ /var/log/yum\.log.* -+.br -+ -+.br -+.B rpm_var_cache_t -+ -+ /var/cache/yum(/.*)? -+.br -+ /var/spool/up2date(/.*)? -+.br -+ /var/cache/PackageKit(/.*)? -+.br -+ -+.br -+.B rpm_var_run_t -+ -+ /var/run/yum.* -+.br -+ /var/run/PackageKit(/.*)? 
-+.br -+ -+.br -+.B sysfs_t -+ -+ /sys(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the abrt_helper_t, abrt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow ABRT to modify public files used for public file transfer services., you must turn on the abrt_anon_write boolean. + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the abrt_helper_t, abrt_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 ++.B setsebool -P abrt_anon_write 1 +.EE + +.SH "COMMANDS" @@ -1300,11 +2003,11 @@ index 0000000..25121c1 \ No newline at end of file diff --git a/man/man8/abrt_watch_log_selinux.8 b/man/man8/abrt_watch_log_selinux.8 new file mode 100644 -index 0000000..e8ab68b +index 0000000..a3490a9 --- /dev/null +++ b/man/man8/abrt_watch_log_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "abrt_watch_log_selinux" "8" "12-11-01" "abrt_watch_log" "SELinux Policy documentation for abrt_watch_log" +@@ -0,0 +1,183 @@ ++.TH "abrt_watch_log_selinux" "8" "13-01-16" "abrt_watch_log" "SELinux Policy documentation for abrt_watch_log" +.SH "NAME" +abrt_watch_log_selinux \- Security Enhanced Linux Policy for the abrt_watch_log processes +.SH "DESCRIPTION" @@ -1320,7 +2023,9 @@ index 0000000..e8ab68b + +.SH "ENTRYPOINTS" + -+The abrt_watch_log_t SELinux type can be entered via the "abrt_watch_log_exec_t" file type. The default entrypoint paths for the abrt_watch_log_t domain are the following:" ++The abrt_watch_log_t SELinux type can be entered via the \fBabrt_watch_log_exec_t\fP file type. ++ ++The default entrypoint paths for the abrt_watch_log_t domain are the following: + +/usr/bin/abrt-watch-log +.SH PROCESS TYPES 
@@ -1338,8 +2043,88 @@ index 0000000..e8ab68b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a abrt_watch_log_t ++can be used to make the process type abrt_watch_log_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. abrt_watch_log policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt_watch_log with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type abrt_watch_log_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1349,7 +2134,20 @@ index 0000000..e8ab68b +Policy governs the access confined processes have to these files. +SELinux abrt_watch_log policy is very flexible allowing users to setup their abrt_watch_log processes in as secure a method as possible. +.PP -+The following file types are defined for abrt_watch_log: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the abrt_watch_log, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t abrt_watch_log_exec_t '/srv/abrt_watch_log/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myabrt_watch_log_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for abrt_watch_log: + + +.EX @@ -1367,8 +2165,6 @@ index 0000000..e8ab68b +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -1379,6 +2175,9 @@ index 0000000..e8ab68b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -1390,15 +2189,15 @@ index 0000000..e8ab68b + +.SH "SEE ALSO" +selinux(8), abrt_watch_log(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8) ++, setsebool(8), abrt_selinux(8), abrt_selinux(8), abrt_dump_oops_selinux(8), abrt_handle_event_selinux(8), abrt_helper_selinux(8), abrt_retrace_coredump_selinux(8), abrt_retrace_worker_selinux(8) \ No newline at end of file diff --git a/man/man8/accountsd_selinux.8 b/man/man8/accountsd_selinux.8 new file mode 100644 -index 0000000..0471351 +index 0000000..6a39340 --- /dev/null +++ b/man/man8/accountsd_selinux.8 -@@ -0,0 +1,132 @@ -+.TH "accountsd_selinux" "8" "12-11-01" "accountsd" "SELinux Policy documentation for accountsd" +@@ -0,0 +1,263 @@ ++.TH "accountsd_selinux" "8" "13-01-16" "accountsd" "SELinux Policy documentation for accountsd" +.SH "NAME" +accountsd_selinux \- Security Enhanced Linux Policy for the accountsd processes +.SH "DESCRIPTION" @@ -1414,9 +2213,11 @@ index 0000000..0471351 + +.SH "ENTRYPOINTS" + -+The accountsd_t SELinux type can be entered via the "accountsd_exec_t" file type. The default entrypoint paths for the accountsd_t domain are the following:" ++The accountsd_t SELinux type can be entered via the \fBaccountsd_exec_t\fP file type. + -+/usr/libexec/accounts-daemon ++The default entrypoint paths for the accountsd_t domain are the following: ++ ++/usr/libexec/accounts-daemon, /usr/lib/accountsservice/accounts-daemon +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -1432,8 +2233,148 @@ index 0000000..0471351 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a accountsd_t ++can be used to make the process type accountsd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. accountsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run accountsd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the accountsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the accountsd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type accountsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B accountsd_var_lib_t ++ ++ /var/lib/AccountsService(/.*)? 
++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B xdm_etc_t ++ ++ /etc/[mg]dm(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1443,7 +2384,20 @@ index 0000000..0471351 +Policy governs the access confined processes have to these files. +SELinux accountsd policy is very flexible allowing users to setup their accountsd processes in as secure a method as possible. +.PP -+The following file types are defined for accountsd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the accountsd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t accountsd_exec_t '/srv/accountsd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myaccountsd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for accountsd: + + +.EX @@ -1453,6 +2407,10 @@ index 0000000..0471351 + +- Set files with the accountsd_exec_t type, if you want to transition an executable to the accountsd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/libexec/accounts-daemon, /usr/lib/accountsservice/accounts-daemon + +.EX +.PP 
@@ -1477,38 +2435,6 @@ index 0000000..0471351 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type accountsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B accountsd_var_lib_t -+ -+ /var/lib/AccountsService(/.*)? -+.br -+ -+.br -+.B xdm_etc_t -+ -+ /etc/[mg]dm(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the accountsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the accountsd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -1519,6 +2445,9 @@ index 0000000..0471351 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -1530,13 +2459,15 @@ index 0000000..0471351 + +.SH "SEE ALSO" +selinux(8), accountsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/acct_selinux.8 b/man/man8/acct_selinux.8 new file mode 100644 -index 0000000..88dbb11 +index 0000000..4da0652 --- /dev/null 
+++ b/man/man8/acct_selinux.8 -@@ -0,0 +1,126 @@ -+.TH "acct_selinux" "8" "12-11-01" "acct" "SELinux Policy documentation for acct" +@@ -0,0 +1,245 @@ ++.TH "acct_selinux" "8" "13-01-16" "acct" "SELinux Policy documentation for acct" +.SH "NAME" +acct_selinux \- Security Enhanced Linux Policy for the acct processes +.SH "DESCRIPTION" @@ -1552,7 +2483,9 @@ index 0000000..88dbb11 + +.SH "ENTRYPOINTS" + -+The acct_t SELinux type can be entered via the "acct_exec_t" file type. The default entrypoint paths for the acct_t domain are the following:" ++The acct_t SELinux type can be entered via the \fBacct_exec_t\fP file type. ++ ++The default entrypoint paths for the acct_t domain are the following: + +/etc/cron\.(daily|monthly)/acct, /sbin/accton, /usr/sbin/accton +.SH PROCESS TYPES 
@@ -1570,42 +2503,108 @@ index 0000000..88dbb11 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a acct_t ++can be used to make the process type acct_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux acct policy is very flexible allowing users to setup their acct processes in as secure a method as possible. -+.PP -+The following file types are defined for acct: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. acct policy is extremely flexible and has several booleans that allow you to manipulate the policy and run acct with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B acct_data_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the acct_data_t type, if you want to treat the files as acct content. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B acct_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the acct_exec_t type, if you want to transition an executable to the acct_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
+ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the acct_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the acct_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -1625,21 +2624,68 @@ index 0000000..88dbb11 + /var/log/wtmp.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux acct policy is very flexible allowing users to setup their acct processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the acct_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the acct, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t acct_data_t '/srv/acct/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myacct_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for acct: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B acct_data_t +.EE + ++- Set files with the acct_data_t type, if you want to treat the files as acct content. ++ ++.br ++.TP 5 ++Paths: ++/var/account(/.*)?, /var/log/account(/.*)? ++ ++.EX ++.PP ++.B acct_exec_t ++.EE ++ ++- Set files with the acct_exec_t type, if you want to transition an executable to the acct_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/cron\.(daily|monthly)/acct, /sbin/accton, /usr/sbin/accton ++ ++.EX ++.PP ++.B acct_initrc_exec_t ++.EE ++ ++- Set files with the acct_initrc_exec_t type, if you want to transition an executable to the acct_initrc_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the acct_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -1651,6 +2697,9 @@ index 0000000..88dbb11 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -1662,13 +2711,296 @@ index 0000000..88dbb11 + +.SH "SEE ALSO" +selinux(8), acct(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/admin_crontab_selinux.8 b/man/man8/admin_crontab_selinux.8 +new file mode 100644 +index 0000000..6d4668d +--- /dev/null ++++ b/man/man8/admin_crontab_selinux.8 +@@ -0,0 +1,274 @@ ++.TH "admin_crontab_selinux" "8" "13-01-16" "admin_crontab" "SELinux Policy documentation for admin_crontab" ++.SH "NAME" ++admin_crontab_selinux \- Security Enhanced Linux Policy for the admin_crontab processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the admin_crontab processes via flexible mandatory access control. ++ ++The admin_crontab processes execute with the admin_crontab_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep admin_crontab_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The admin_crontab_t SELinux type can be entered via the \fBcrontab_exec_t\fP file type. ++ ++The default entrypoint paths for the admin_crontab_t domain are the following: ++ ++/usr/bin/(f)?crontab, /usr/bin/at, /usr/sbin/fcronsighup ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux admin_crontab policy is very flexible allowing users to setup their admin_crontab processes in as secure a method as possible. ++.PP ++The following process types are defined for admin_crontab: ++ ++.EX ++.B admin_crontab_t ++.EE ++.PP ++Note: ++.B semanage permissive -a admin_crontab_t ++can be used to make the process type admin_crontab_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. 
++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. admin_crontab policy is extremely flexible and has several booleans that allow you to manipulate the policy and run admin_crontab with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to enable extra rules in the cron domain to support fcron, you must turn on the fcron_crond boolean. Disabled by default. ++ ++.EX ++.B setsebool -P fcron_crond 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the admin_crontab_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the admin_crontab_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type admin_crontab_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B admin_crontab_tmp_t ++ ++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? 
++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B user_cron_spool_t ++ ++ /var/spool/at(/.*)? ++.br ++ /var/spool/cron ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.br ++.B var_auth_t ++ ++ /var/ace(/.*)? ++.br ++ /var/rsa(/.*)? ++.br ++ /var/lib/abl(/.*)? ++.br ++ /var/lib/rsa(/.*)? ++.br ++ /var/lib/pam_ssh(/.*)? ++.br ++ /var/run/pam_ssh(/.*)? ++.br ++ /var/lib/pam_shield(/.*)? ++.br ++ /var/opt/quest/vas/vasd(/.*)? ++.br ++ /var/lib/google-authenticator(/.*)? ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), admin_crontab(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/afs_bosserver_selinux.8 b/man/man8/afs_bosserver_selinux.8 new file mode 100644 -index 0000000..4502080 +index 0000000..bea044d --- /dev/null +++ b/man/man8/afs_bosserver_selinux.8 -@@ -0,0 +1,105 @@ -+.TH "afs_bosserver_selinux" "8" "12-11-01" "afs_bosserver" "SELinux Policy documentation for afs_bosserver" +@@ -0,0 +1,203 @@ ++.TH "afs_bosserver_selinux" "8" "13-01-16" "afs_bosserver" "SELinux Policy documentation for afs_bosserver" +.SH "NAME" +afs_bosserver_selinux \- Security Enhanced Linux Policy for the afs_bosserver processes +.SH "DESCRIPTION" 
@@ -1684,9 +3016,11 @@ index 0000000..4502080 + +.SH "ENTRYPOINTS" + -+The afs_bosserver_t SELinux type can be entered via the "afs_bosserver_exec_t" file type. The default entrypoint paths for the afs_bosserver_t domain are the following:" ++The afs_bosserver_t SELinux type can be entered via the \fBafs_bosserver_exec_t\fP file type. + -+/usr/afs/bin/bosserver ++The default entrypoint paths for the afs_bosserver_t domain are the following: ++ ++/usr/sbin/bosserver, /usr/afs/bin/bosserver +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -1702,34 +3036,76 @@ index 0000000..4502080 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a afs_bosserver_t ++can be used to make the process type afs_bosserver_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux afs_bosserver policy is very flexible allowing users to setup their afs_bosserver processes in as secure a method as possible. -+.PP -+The following file types are defined for afs_bosserver: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. afs_bosserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run afs_bosserver with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B afs_bosserver_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the afs_bosserver_exec_t type, if you want to transition an executable to the afs_bosserver_t domain. ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -1738,6 +3114,8 @@ index 0000000..4502080 +.br +.B afs_config_t + ++ /etc/(open)?afs(/.*)? ++.br + /usr/afs/etc(/.*)? +.br + /usr/afs/local(/.*)? 
@@ -1749,7 +3127,56 @@ index 0000000..4502080 + /usr/afs/logs(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux afs_bosserver policy is very flexible allowing users to setup their afs_bosserver processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the afs_bosserver, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t afs_bosserver_exec_t '/srv/afs_bosserver/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myafs_bosserver_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for afs_bosserver: ++ ++ ++.EX ++.PP ++.B afs_bosserver_exec_t ++.EE ++ ++- Set files with the afs_bosserver_exec_t type, if you want to transition an executable to the afs_bosserver_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/bosserver, /usr/afs/bin/bosserver ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -1761,6 +3188,9 @@ index 0000000..4502080 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -1772,15 +3202,15 @@ index 0000000..4502080 + +.SH "SEE ALSO" +selinux(8), afs_bosserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, afs_selinux(8), afs_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8) ++, setsebool(8), afs_selinux(8), afs_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8) \ No newline at end of file diff --git a/man/man8/afs_fsserver_selinux.8 b/man/man8/afs_fsserver_selinux.8 new file mode 100644 -index 0000000..3881562 +index 0000000..13fb1e4 --- /dev/null +++ b/man/man8/afs_fsserver_selinux.8 -@@ -0,0 +1,115 @@ -+.TH "afs_fsserver_selinux" "8" "12-11-01" "afs_fsserver" "SELinux Policy documentation for afs_fsserver" +@@ -0,0 +1,181 @@ ++.TH "afs_fsserver_selinux" "8" "13-01-16" "afs_fsserver" "SELinux Policy documentation for afs_fsserver" +.SH "NAME" +afs_fsserver_selinux \- Security Enhanced Linux Policy for the afs_fsserver processes +.SH "DESCRIPTION" 
@@ -1796,9 +3226,11 @@ index 0000000..3881562 + +.SH "ENTRYPOINTS" + -+The afs_fsserver_t SELinux type can be entered via the "afs_fsserver_exec_t" file type. The default entrypoint paths for the afs_fsserver_t domain are the following:" ++The afs_fsserver_t SELinux type can be entered via the \fBafs_fsserver_exec_t\fP file type. + -+/usr/afs/bin/salvager, /usr/afs/bin/volserver, /usr/afs/bin/fileserver ++The default entrypoint paths for the afs_fsserver_t domain are the following: ++ ++/usr/afs/bin/salvager, /usr/afs/bin/volserver, /usr/afs/bin/fileserver, /usr/libexec/openafs/salvager, /usr/libexec/openafs/volserver, /usr/libexec/openafs/fileserver +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -1814,34 +3246,52 @@ index 0000000..3881562 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a afs_fsserver_t ++can be used to make the process type afs_fsserver_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux afs_fsserver policy is very flexible allowing users to setup their afs_fsserver processes in as secure a method as possible. -+.PP -+The following file types are defined for afs_fsserver: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. afs_fsserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run afs_fsserver with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B afs_fsserver_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the afs_fsserver_exec_t type, if you want to transition an executable to the afs_fsserver_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -1850,6 +3300,8 @@ index 0000000..3881562 +.br +.B afs_config_t + ++ /etc/(open)?afs(/.*)? ++.br + /usr/afs/etc(/.*)? +.br + /usr/afs/local(/.*)? 
@@ -1871,7 +3323,48 @@ index 0000000..3881562 + /usr/afs/logs(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux afs_fsserver policy is very flexible allowing users to setup their afs_fsserver processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the afs_fsserver, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t afs_fsserver_exec_t '/srv/afs_fsserver/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myafs_fsserver_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for afs_fsserver: ++ ++ ++.EX ++.PP ++.B afs_fsserver_exec_t ++.EE ++ ++- Set files with the afs_fsserver_exec_t type, if you want to transition an executable to the afs_fsserver_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/afs/bin/salvager, /usr/afs/bin/volserver, /usr/afs/bin/fileserver, /usr/libexec/openafs/salvager, /usr/libexec/openafs/volserver, /usr/libexec/openafs/fileserver ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -1883,6 +3376,9 @@ index 0000000..3881562 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -1894,15 +3390,15 @@ index 0000000..3881562 + +.SH "SEE ALSO" +selinux(8), afs_fsserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8) ++, setsebool(8), afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8) \ No newline at end of file diff --git a/man/man8/afs_kaserver_selinux.8 b/man/man8/afs_kaserver_selinux.8 new file mode 100644 -index 0000000..248aaef +index 0000000..615beeb --- /dev/null +++ b/man/man8/afs_kaserver_selinux.8 -@@ -0,0 +1,111 @@ -+.TH "afs_kaserver_selinux" "8" "12-11-01" "afs_kaserver" "SELinux Policy documentation for afs_kaserver" +@@ -0,0 +1,177 @@ ++.TH "afs_kaserver_selinux" "8" "13-01-16" "afs_kaserver" "SELinux Policy documentation for afs_kaserver" +.SH "NAME" +afs_kaserver_selinux \- Security Enhanced Linux Policy for the afs_kaserver processes +.SH "DESCRIPTION" @@ -1918,9 +3414,11 @@ index 0000000..248aaef + +.SH "ENTRYPOINTS" + -+The afs_kaserver_t SELinux type can be entered via the "afs_kaserver_exec_t" file type. The default entrypoint paths for the afs_kaserver_t domain are the following:" ++The afs_kaserver_t SELinux type can be entered via the \fBafs_kaserver_exec_t\fP file type. + -+/usr/afs/bin/kaserver ++The default entrypoint paths for the afs_kaserver_t domain are the following: ++ ++/usr/afs/bin/kaserver, /usr/libexec/openafs/kaserver +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -1936,34 +3434,52 @@ index 0000000..248aaef +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a afs_kaserver_t ++can be used to make the process type afs_kaserver_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux afs_kaserver policy is very flexible allowing users to setup their afs_kaserver processes in as secure a method as possible. -+.PP -+The following file types are defined for afs_kaserver: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. afs_kaserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run afs_kaserver with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B afs_kaserver_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the afs_kaserver_exec_t type, if you want to transition an executable to the afs_kaserver_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -1972,6 +3488,8 @@ index 0000000..248aaef +.br +.B afs_config_t + ++ /etc/(open)?afs(/.*)? ++.br + /usr/afs/etc(/.*)? +.br + /usr/afs/local(/.*)? 
@@ -1989,7 +3507,48 @@ index 0000000..248aaef + /usr/afs/logs(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux afs_kaserver policy is very flexible allowing users to setup their afs_kaserver processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the afs_kaserver, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t afs_kaserver_exec_t '/srv/afs_kaserver/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myafs_kaserver_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for afs_kaserver: ++ ++ ++.EX ++.PP ++.B afs_kaserver_exec_t ++.EE ++ ++- Set files with the afs_kaserver_exec_t type, if you want to transition an executable to the afs_kaserver_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/afs/bin/kaserver, /usr/libexec/openafs/kaserver ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -2001,6 +3560,9 @@ index 0000000..248aaef +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -2012,15 +3574,15 @@ index 0000000..248aaef + +.SH "SEE ALSO" +selinux(8), afs_kaserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8) ++, setsebool(8), afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8) \ No newline at end of file diff --git a/man/man8/afs_ptserver_selinux.8 b/man/man8/afs_ptserver_selinux.8 new file mode 100644 -index 0000000..dfd8d86 +index 0000000..ee11152 --- /dev/null +++ b/man/man8/afs_ptserver_selinux.8 -@@ -0,0 +1,103 @@ -+.TH "afs_ptserver_selinux" "8" "12-11-01" "afs_ptserver" "SELinux Policy documentation for afs_ptserver" +@@ -0,0 +1,167 @@ ++.TH "afs_ptserver_selinux" "8" "13-01-16" "afs_ptserver" "SELinux Policy documentation for afs_ptserver" +.SH "NAME" +afs_ptserver_selinux \- Security Enhanced Linux Policy for the afs_ptserver processes +.SH "DESCRIPTION" @@ -2036,9 +3598,11 @@ index 0000000..dfd8d86 + +.SH "ENTRYPOINTS" + -+The afs_ptserver_t SELinux type can be entered via the "afs_ptserver_exec_t" file type. The default entrypoint paths for the afs_ptserver_t domain are the following:" ++The afs_ptserver_t SELinux type can be entered via the \fBafs_ptserver_exec_t\fP file type. + -+/usr/afs/bin/ptserver ++The default entrypoint paths for the afs_ptserver_t domain are the following: ++ ++/usr/afs/bin/ptserver, /usr/libexec/openafs/ptserver +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -2054,34 +3618,52 @@ index 0000000..dfd8d86 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a afs_ptserver_t ++can be used to make the process type afs_ptserver_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux afs_ptserver policy is very flexible allowing users to setup their afs_ptserver processes in as secure a method as possible. -+.PP -+The following file types are defined for afs_ptserver: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. afs_ptserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run afs_ptserver with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B afs_ptserver_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the afs_ptserver_exec_t type, if you want to transition an executable to the afs_ptserver_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -2099,7 +3681,48 @@ index 0000000..dfd8d86 + /usr/afs/db/pr.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux afs_ptserver policy is very flexible allowing users to setup their afs_ptserver processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the afs_ptserver, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t afs_ptserver_exec_t '/srv/afs_ptserver/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myafs_ptserver_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for afs_ptserver: ++ ++ ++.EX ++.PP ++.B afs_ptserver_exec_t ++.EE ++ ++- Set files with the afs_ptserver_exec_t type, if you want to transition an executable to the afs_ptserver_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/afs/bin/ptserver, /usr/libexec/openafs/ptserver ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -2111,6 +3734,9 @@ index 0000000..dfd8d86 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -2122,15 +3748,15 @@ index 0000000..dfd8d86 + +.SH "SEE ALSO" +selinux(8), afs_ptserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_vlserver_selinux(8) ++, setsebool(8), afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_vlserver_selinux(8) \ No newline at end of file diff --git a/man/man8/afs_selinux.8 b/man/man8/afs_selinux.8 new file mode 100644 -index 0000000..3d27b08 +index 0000000..feff8b4 --- /dev/null +++ b/man/man8/afs_selinux.8 -@@ -0,0 +1,352 @@ -+.TH "afs_selinux" "8" "12-11-01" "afs" "SELinux Policy documentation for afs" +@@ -0,0 +1,494 @@ ++.TH "afs_selinux" "8" "13-01-16" "afs" "SELinux Policy documentation for afs" +.SH "NAME" +afs_selinux \- Security Enhanced Linux Policy for the afs processes +.SH "DESCRIPTION" @@ -2146,7 +3772,9 @@ index 0000000..3d27b08 + +.SH "ENTRYPOINTS" + -+The afs_t SELinux type can be entered via the "afs_exec_t" file type. The default entrypoint paths for the afs_t domain are the following:" ++The afs_t SELinux type can be entered via the \fBafs_exec_t\fP file type. ++ ++The default entrypoint paths for the afs_t domain are the following: + +/usr/sbin/afsd, /usr/vice/etc/afsd +.SH PROCESS TYPES 
@@ -2164,147 +3792,85 @@ index 0000000..3d27b08 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a afs_t ++can be used to make the process type afs_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux afs policy is very flexible allowing users to setup their afs processes in as secure a method as possible. -+.PP -+The following file types are defined for afs: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. afs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run afs with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B afs_bosserver_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the afs_bosserver_exec_t type, if you want to transition an executable to the afs_bosserver_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B afs_cache_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the afs_cache_t type, if you want to store the files under the /var/cache directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B afs_config_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the afs_config_t type, if you want to treat the files as afs configuration data, usually stored under the /etc directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B afs_dbdir_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the afs_dbdir_t type, if you want to treat the files as afs dbdir data. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B afs_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the afs_exec_t type, if you want to transition an executable to the afs_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B afs_files_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the afs_files_t type, if you want to treat the files as afs content. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B afs_fsserver_exec_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the afs_fsserver_exec_t type, if you want to transition an executable to the afs_fsserver_t domain. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B afs_initrc_exec_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the afs_initrc_exec_t type, if you want to transition an executable to the afs_initrc_t domain. -+ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. 
+ +.EX -+.PP -+.B afs_ka_db_t ++.B setsebool -P nscd_use_shm 1 ++ +.EE + -+- Set files with the afs_ka_db_t type, if you want to treat the files as afs ka database content. -+ -+ -+.EX -+.PP -+.B afs_kaserver_exec_t -+.EE -+ -+- Set files with the afs_kaserver_exec_t type, if you want to transition an executable to the afs_kaserver_t domain. -+ -+ -+.EX -+.PP -+.B afs_logfile_t -+.EE -+ -+- Set files with the afs_logfile_t type, if you want to treat the files as afs logfile data. -+ -+ -+.EX -+.PP -+.B afs_pt_db_t -+.EE -+ -+- Set files with the afs_pt_db_t type, if you want to treat the files as afs pt database content. -+ -+ -+.EX -+.PP -+.B afs_ptserver_exec_t -+.EE -+ -+- Set files with the afs_ptserver_exec_t type, if you want to transition an executable to the afs_ptserver_t domain. -+ -+ -+.EX -+.PP -+.B afs_vl_db_t -+.EE -+ -+- Set files with the afs_vl_db_t type, if you want to treat the files as afs vl database content. -+ -+ -+.EX -+.PP -+.B afs_vlserver_exec_t -+.EE -+ -+- Set files with the afs_vlserver_exec_t type, if you want to transition an executable to the afs_vlserver_t domain. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP @@ -2320,6 +3886,19 @@ index 0000000..3d27b08 + +.EX +.TP 5 ++.B afs3_callback_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 7001 ++.EE ++udp 7001 ++.EE ++ ++.EX ++.TP 5 +.B afs_bos_port_t +.TP 10 +.EE @@ -2331,17 +3910,6 @@ index 0000000..3d27b08 + +.EX +.TP 5 -+.B afs_client_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+udp 7001 -+.EE -+ -+.EX -+.TP 5 +.B afs_fs_port_t +.TP 10 +.EE 
@@ -2392,7 +3960,7 @@ index 0000000..3d27b08 +.br +.B afs_cache_t + -+ /var/cache/afs(/.*)? ++ /var/cache/(open)?afs(/.*)? +.br + /usr/vice/cache(/.*)? +.br @@ -2418,10 +3986,10 @@ index 0000000..3d27b08 +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -2430,10 +3998,10 @@ index 0000000..3d27b08 +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE 
@@ -2452,10 +4020,207 @@ index 0000000..3d27b08 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B unlabeled_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux afs policy is very flexible allowing users to setup their afs processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the afs, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t afs_bosserver_exec_t '/srv/afs/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myafs_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for afs: ++ ++ ++.EX ++.PP ++.B afs_bosserver_exec_t ++.EE ++ ++- Set files with the afs_bosserver_exec_t type, if you want to transition an executable to the afs_bosserver_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/bosserver, /usr/afs/bin/bosserver ++ ++.EX ++.PP ++.B afs_cache_t ++.EE ++ ++- Set files with the afs_cache_t type, if you want to store the files under the /var/cache directory. ++ ++.br ++.TP 5 ++Paths: ++/var/cache/(open)?afs(/.*)?, /usr/vice/cache(/.*)? ++ ++.EX ++.PP ++.B afs_config_t ++.EE ++ ++- Set files with the afs_config_t type, if you want to treat the files as afs configuration data, usually stored under the /etc directory. ++ ++.br ++.TP 5 ++Paths: ++/etc/(open)?afs(/.*)?, /usr/afs/etc(/.*)?, /usr/afs/local(/.*)? ++ ++.EX ++.PP ++.B afs_dbdir_t ++.EE ++ ++- Set files with the afs_dbdir_t type, if you want to treat the files as afs dbdir data. 
++ ++ ++.EX ++.PP ++.B afs_exec_t ++.EE ++ ++- Set files with the afs_exec_t type, if you want to transition an executable to the afs_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/afsd, /usr/vice/etc/afsd ++ ++.EX ++.PP ++.B afs_files_t ++.EE ++ ++- Set files with the afs_files_t type, if you want to treat the files as afs content. ++ ++.br ++.TP 5 ++Paths: ++/vicepa, /vicepb, /vicepc ++ ++.EX ++.PP ++.B afs_fsserver_exec_t ++.EE ++ ++- Set files with the afs_fsserver_exec_t type, if you want to transition an executable to the afs_fsserver_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/afs/bin/salvager, /usr/afs/bin/volserver, /usr/afs/bin/fileserver, /usr/libexec/openafs/salvager, /usr/libexec/openafs/volserver, /usr/libexec/openafs/fileserver ++ ++.EX ++.PP ++.B afs_initrc_exec_t ++.EE ++ ++- Set files with the afs_initrc_exec_t type, if you want to transition an executable to the afs_initrc_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/(open)?afs, /etc/rc\.d/init\.d/openafs-client ++ ++.EX ++.PP ++.B afs_ka_db_t ++.EE ++ ++- Set files with the afs_ka_db_t type, if you want to treat the files as afs ka database content. ++ ++ ++.EX ++.PP ++.B afs_kaserver_exec_t ++.EE ++ ++- Set files with the afs_kaserver_exec_t type, if you want to transition an executable to the afs_kaserver_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/afs/bin/kaserver, /usr/libexec/openafs/kaserver ++ ++.EX ++.PP ++.B afs_logfile_t ++.EE ++ ++- Set files with the afs_logfile_t type, if you want to treat the files as afs logfile data. ++ ++ ++.EX ++.PP ++.B afs_pt_db_t ++.EE ++ ++- Set files with the afs_pt_db_t type, if you want to treat the files as afs pt database content. ++ ++ ++.EX ++.PP ++.B afs_ptserver_exec_t ++.EE ++ ++- Set files with the afs_ptserver_exec_t type, if you want to transition an executable to the afs_ptserver_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/afs/bin/ptserver, /usr/libexec/openafs/ptserver ++ ++.EX ++.PP ++.B afs_vl_db_t ++.EE ++ ++- Set files with the afs_vl_db_t type, if you want to treat the files as afs vl database content. ++ ++ ++.EX ++.PP ++.B afs_vlserver_exec_t ++.EE ++ ++- Set files with the afs_vlserver_exec_t type, if you want to transition an executable to the afs_vlserver_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/afs/bin/vlserver, /usr/libexec/openafs/vlserver ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -2470,6 +4235,9 @@ index 0000000..3d27b08 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -2481,15 +4249,15 @@ index 0000000..3d27b08 + +.SH "SEE ALSO" +selinux(8), afs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8) ++, setsebool(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8), afs_vlserver_selinux(8) \ No newline at end of file diff --git a/man/man8/afs_vlserver_selinux.8 b/man/man8/afs_vlserver_selinux.8 new file mode 100644 -index 0000000..fae8285 +index 0000000..f83ce52 --- /dev/null 
+++ b/man/man8/afs_vlserver_selinux.8 -@@ -0,0 +1,103 @@ -+.TH "afs_vlserver_selinux" "8" "12-11-01" "afs_vlserver" "SELinux Policy documentation for afs_vlserver" +@@ -0,0 +1,167 @@ ++.TH "afs_vlserver_selinux" "8" "13-01-16" "afs_vlserver" "SELinux Policy documentation for afs_vlserver" +.SH "NAME" +afs_vlserver_selinux \- Security Enhanced Linux Policy for the afs_vlserver processes +.SH "DESCRIPTION" @@ -2505,9 +4273,11 @@ index 0000000..fae8285 + +.SH "ENTRYPOINTS" + -+The afs_vlserver_t SELinux type can be entered via the "afs_vlserver_exec_t" file type. The default entrypoint paths for the afs_vlserver_t domain are the following:" ++The afs_vlserver_t SELinux type can be entered via the \fBafs_vlserver_exec_t\fP file type. + -+/usr/afs/bin/vlserver ++The default entrypoint paths for the afs_vlserver_t domain are the following: ++ ++/usr/afs/bin/vlserver, /usr/libexec/openafs/vlserver +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -2523,34 +4293,52 @@ index 0000000..fae8285 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a afs_vlserver_t ++can be used to make the process type afs_vlserver_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux afs_vlserver policy is very flexible allowing users to setup their afs_vlserver processes in as secure a method as possible. -+.PP -+The following file types are defined for afs_vlserver: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. afs_vlserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run afs_vlserver with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B afs_vlserver_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the afs_vlserver_exec_t type, if you want to transition an executable to the afs_vlserver_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -2568,7 +4356,48 @@ index 0000000..fae8285 + /usr/afs/db/vl.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux afs_vlserver policy is very flexible allowing users to setup their afs_vlserver processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the afs_vlserver, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t afs_vlserver_exec_t '/srv/afs_vlserver/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myafs_vlserver_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for afs_vlserver: ++ ++ ++.EX ++.PP ++.B afs_vlserver_exec_t ++.EE ++ ++- Set files with the afs_vlserver_exec_t type, if you want to transition an executable to the afs_vlserver_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/afs/bin/vlserver, /usr/libexec/openafs/vlserver ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -2580,6 +4409,9 @@ index 0000000..fae8285 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -2591,15 +4423,15 @@ index 0000000..fae8285 + +.SH "SEE ALSO" +selinux(8), afs_vlserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8) ++, setsebool(8), afs_selinux(8), afs_selinux(8), afs_bosserver_selinux(8), afs_fsserver_selinux(8), afs_kaserver_selinux(8), afs_ptserver_selinux(8) \ No newline at end of file diff --git a/man/man8/aiccu_selinux.8 b/man/man8/aiccu_selinux.8 new file mode 100644 -index 0000000..1c447a0 +index 0000000..f9e78fd --- /dev/null +++ b/man/man8/aiccu_selinux.8 -@@ -0,0 +1,120 @@ -+.TH "aiccu_selinux" "8" "12-11-01" "aiccu" "SELinux Policy documentation for aiccu" +@@ -0,0 +1,221 @@ ++.TH "aiccu_selinux" "8" "13-01-16" "aiccu" "SELinux Policy documentation for aiccu" +.SH "NAME" +aiccu_selinux \- Security Enhanced Linux Policy for the aiccu processes +.SH "DESCRIPTION" @@ -2615,7 +4447,9 @@ index 0000000..1c447a0 + +.SH "ENTRYPOINTS" + -+The aiccu_t SELinux type can be entered via the "aiccu_exec_t" file type. The default entrypoint paths for the aiccu_t domain are the following:" ++The aiccu_t SELinux type can be entered via the \fBaiccu_exec_t\fP file type. ++ ++The default entrypoint paths for the aiccu_t domain are the following: + +/usr/sbin/aiccu +.SH PROCESS TYPES 
@@ -2633,8 +4467,102 @@ index 0000000..1c447a0 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a aiccu_t ++can be used to make the process type aiccu_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. aiccu policy is extremely flexible and has several booleans that allow you to manipulate the policy and run aiccu with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type aiccu_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B aiccu_var_run_t ++ ++ /var/run/aiccu\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -2644,7 +4572,20 @@ index 0000000..1c447a0 +Policy governs the access confined processes have to these files. +SELinux aiccu policy is very flexible allowing users to setup their aiccu processes in as secure a method as possible. +.PP -+The following file types are defined for aiccu: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the aiccu, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t aiccu_etc_t '/srv/aiccu/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myaiccu_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for aiccu: + + +.EX 
@@ -2676,7 +4617,7 @@ index 0000000..1c447a0 +.B aiccu_var_run_t +.EE + -+- Set files with the aiccu_var_run_t type, if you want to store the aiccu files under the /run directory. ++- Set files with the aiccu_var_run_t type, if you want to store the aiccu files under the /run or /var/run directory. + + +.PP @@ -2686,18 +4627,6 @@ index 0000000..1c447a0 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type aiccu_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B aiccu_var_run_t -+ -+ /var/run/aiccu\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -2708,6 +4637,9 @@ index 0000000..1c447a0 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -2719,13 +4651,15 @@ index 0000000..1c447a0 + +.SH "SEE ALSO" +selinux(8), aiccu(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/aide_selinux.8 b/man/man8/aide_selinux.8 new file mode 100644 -index 0000000..183ad6a +index 0000000..881720d --- /dev/null +++ b/man/man8/aide_selinux.8 -@@ -0,0 +1,120 @@ -+.TH "aide_selinux" "8" "12-11-01" "aide" "SELinux Policy documentation for aide" +@@ -0,0 +1,188 @@ ++.TH "aide_selinux" "8" "13-01-16" "aide" "SELinux Policy documentation for aide" +.SH "NAME" +aide_selinux \- Security Enhanced Linux Policy for the aide processes +.SH "DESCRIPTION" 
@@ -2741,7 +4675,9 @@ index 0000000..183ad6a + +.SH "ENTRYPOINTS" + -+The aide_t SELinux type can be entered via the "aide_exec_t" file type. The default entrypoint paths for the aide_t domain are the following:" ++The aide_t SELinux type can be entered via the \fBaide_exec_t\fP file type. ++ ++The default entrypoint paths for the aide_t domain are the following: + +/usr/sbin/aide +.SH PROCESS TYPES 
@@ -2759,8 +4695,62 @@ index 0000000..183ad6a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a aide_t ++can be used to make the process type aide_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. aide policy is extremely flexible and has several booleans that allow you to manipulate the policy and run aide with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type aide_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B aide_db_t ++ ++ /var/lib/aide(/.*) ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -2770,7 +4760,31 @@ index 0000000..183ad6a +Policy governs the access confined processes have to these files. +SELinux aide policy is very flexible allowing users to setup their aide processes in as secure a method as possible. +.PP -+The following file types are defined for aide: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++aide policy stores data with multiple different file context types under the /var/log/aide directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/aide /srv/aide ++.br ++.B restorecon -R -v /srv/aide ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the aide, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t aide_db_t '/srv/aide/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myaide_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for aide: + + +.EX @@ -2796,6 +4810,10 @@ index 0000000..183ad6a + +- Set files with the aide_log_t type, if you want to treat the data as aide log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/aide(/.*)?, /var/log/aide\.log + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -2804,26 +4822,6 @@ index 0000000..183ad6a +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type aide_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B aide_db_t -+ -+ /var/lib/aide(/.*) -+.br -+ -+.br -+.B aide_log_t -+ -+ /var/log/aide(/.*)? -+.br -+ /var/log/aide\.log.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -2834,6 +4832,9 @@ index 0000000..183ad6a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -2845,13 +4846,15 @@ index 0000000..183ad6a + +.SH "SEE ALSO" +selinux(8), aide(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/aisexec_selinux.8 b/man/man8/aisexec_selinux.8 new file mode 100644 -index 0000000..ced319f +index 0000000..114535b --- /dev/null +++ b/man/man8/aisexec_selinux.8 -@@ -0,0 +1,206 @@ -+.TH "aisexec_selinux" "8" "12-11-01" "aisexec" "SELinux Policy documentation for aisexec" +@@ -0,0 +1,327 @@ ++.TH "aisexec_selinux" "8" "13-01-16" "aisexec" "SELinux Policy documentation for aisexec" +.SH "NAME" +aisexec_selinux \- Security Enhanced Linux Policy for the aisexec processes +.SH "DESCRIPTION" 
@@ -2867,7 +4870,9 @@ index 0000000..ced319f + +.SH "ENTRYPOINTS" + -+The aisexec_t SELinux type can be entered via the "aisexec_exec_t" file type. The default entrypoint paths for the aisexec_t domain are the following:" ++The aisexec_t SELinux type can be entered via the \fBaisexec_exec_t\fP file type. ++ ++The default entrypoint paths for the aisexec_t domain are the following: + +/usr/sbin/aisexec +.SH PROCESS TYPES 
@@ -2885,8 +4890,184 @@ index 0000000..ced319f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a aisexec_t ++can be used to make the process type aisexec_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. aisexec policy is extremely flexible and has several booleans that allow you to manipulate the policy and run aisexec with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the aisexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the aisexec_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type aisexec_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B aisexec_tmp_t ++ ++ ++.br ++.B aisexec_tmpfs_t ++ ++ ++.br ++.B aisexec_var_lib_t ++ ++ /var/lib/openais(/.*)? ++.br ++ ++.br ++.B aisexec_var_run_t ++ ++ /var/run/aisexec.* ++.br ++ ++.br ++.B dlm_controld_tmpfs_t ++ ++ ++.br ++.B fenced_tmpfs_t ++ ++ ++.br ++.B gfs_controld_tmpfs_t ++ ++ ++.br ++.B groupd_tmpfs_t ++ ++ ++.br ++.B initrc_tmp_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B var_lib_t ++ ++ /opt/(.*/)?var/lib(/.*)? ++.br ++ /var/lib(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -2896,7 +5077,20 @@ index 0000000..ced319f +Policy governs the access confined processes have to these files. +SELinux aisexec policy is very flexible allowing users to setup their aisexec processes in as secure a method as possible. +.PP -+The following file types are defined for aisexec: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the aisexec, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t aisexec_exec_t '/srv/aisexec/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myaisexec_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for aisexec: + + +.EX @@ -2952,7 +5146,7 @@ index 0000000..ced319f +.B aisexec_var_run_t +.EE + -+- Set files with the aisexec_var_run_t type, if you want to store the aisexec files under the /run directory. ++- Set files with the aisexec_var_run_t type, if you want to store the aisexec files under the /run or /var/run directory. + + +.PP 
@@ -2962,80 +5156,6 @@ index 0000000..ced319f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type aisexec_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B aisexec_tmp_t -+ -+ -+.br -+.B aisexec_tmpfs_t -+ -+ -+.br -+.B aisexec_var_lib_t -+ -+ /var/lib/openais(/.*)? -+.br -+ -+.br -+.B aisexec_var_log_t -+ -+ /var/log/cluster/aisexec\.log.* -+.br -+ -+.br -+.B aisexec_var_run_t -+ -+ /var/run/aisexec\.pid -+.br -+ -+.br -+.B dlm_controld_tmpfs_t -+ -+ -+.br -+.B fenced_tmpfs_t -+ -+ -+.br -+.B gfs_controld_tmpfs_t -+ -+ -+.br -+.B groupd_tmpfs_t -+ -+ -+.br -+.B initrc_tmp_t -+ -+ -+.br -+.B var_lib_t -+ -+ /opt/(.*/)?var/lib(/.*)? -+.br -+ /var/lib(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the aisexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the aisexec_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -3046,6 +5166,9 @@ index 0000000..ced319f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -3057,13 +5180,15 @@ index 0000000..ced319f + +.SH "SEE ALSO" +selinux(8), aisexec(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
diff --git a/man/man8/ajaxterm_selinux.8 b/man/man8/ajaxterm_selinux.8 new file mode 100644 -index 0000000..2423a73 +index 0000000..eb5725b --- /dev/null +++ b/man/man8/ajaxterm_selinux.8 -@@ -0,0 +1,184 @@ -+.TH "ajaxterm_selinux" "8" "12-11-01" "ajaxterm" "SELinux Policy documentation for ajaxterm" +@@ -0,0 +1,267 @@ ++.TH "ajaxterm_selinux" "8" "13-01-16" "ajaxterm" "SELinux Policy documentation for ajaxterm" +.SH "NAME" +ajaxterm_selinux \- Security Enhanced Linux Policy for the ajaxterm processes +.SH "DESCRIPTION" @@ -3079,7 +5204,9 @@ index 0000000..2423a73 + +.SH "ENTRYPOINTS" + -+The ajaxterm_t SELinux type can be entered via the "ajaxterm_exec_t" file type. The default entrypoint paths for the ajaxterm_t domain are the following:" ++The ajaxterm_t SELinux type can be entered via the \fBajaxterm_exec_t\fP file type. ++ ++The default entrypoint paths for the ajaxterm_t domain are the following: + +/usr/share/ajaxterm/ajaxterm\.py +.SH PROCESS TYPES 
@@ -3097,8 +5224,156 @@ index 0000000..2423a73 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ajaxterm_t ++can be used to make the process type ajaxterm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ajaxterm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ajaxterm with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ajaxterm_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ajaxterm_ssh_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type ajaxterm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B ajaxterm_var_run_t ++ ++ /var/run/ajaxterm\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B ssh_home_t ++ ++ /root/\.ssh(/.*)? ++.br ++ /var/lib/pgsql/\.ssh(/.*)? ++.br ++ /var/lib/openshift/[^/]+/\.ssh(/.*)? ++.br ++ /var/lib/amanda/\.ssh(/.*)? ++.br ++ /var/lib/stickshift/[^/]+/\.ssh(/.*)? ++.br ++ /var/lib/gitolite/\.ssh(/.*)? ++.br ++ /var/lib/nocpulse/\.ssh(/.*)? ++.br ++ /var/lib/gitolite3/\.ssh(/.*)? ++.br ++ /root/\.shosts ++.br ++ /home/[^/]*/\.ssh(/.*)? ++.br ++ /home/[^/]*/\.shosts ++.br ++ /home/pwalsh/\.ssh(/.*)? ++.br ++ /home/pwalsh/\.shosts ++.br ++ /home/dwalsh/\.ssh(/.*)? 
++.br ++ /home/dwalsh/\.shosts ++.br ++ /var/lib/xguest/home/xguest/\.ssh(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.shosts ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3108,7 +5383,20 @@ index 0000000..2423a73 +Policy governs the access confined processes have to these files. +SELinux ajaxterm policy is very flexible allowing users to setup their ajaxterm processes in as secure a method as possible. +.PP -+The following file types are defined for ajaxterm: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ajaxterm, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ajaxterm_exec_t '/srv/ajaxterm/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myajaxterm_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ajaxterm: + + +.EX @@ -3132,7 +5420,7 @@ index 0000000..2423a73 +.B ajaxterm_var_run_t +.EE + -+- Set files with the ajaxterm_var_run_t type, if you want to store the ajaxterm files under the /run directory. ++- Set files with the ajaxterm_var_run_t type, if you want to store the ajaxterm files under the /run or /var/run directory. + + +.PP 
@@ -3142,44 +5430,180 @@ index 0000000..2423a73 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. +.PP -+You can see the types associated with a port by using the following command: ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. + -+.B semanage port -l ++.B semanage boolean ++can also be used to manipulate the booleans + +.PP -+Policy governs the access confined processes have to these ports. -+SELinux ajaxterm policy is very flexible allowing users to setup their ajaxterm processes in as secure a method as possible. ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), ajaxterm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), ajaxterm_ssh_selinux(8) +\ No newline at end of file +diff --git a/man/man8/ajaxterm_ssh_selinux.8 b/man/man8/ajaxterm_ssh_selinux.8 +new file mode 100644 +index 0000000..b7594be +--- /dev/null ++++ b/man/man8/ajaxterm_ssh_selinux.8 +@@ -0,0 +1,212 @@ ++.TH "ajaxterm_ssh_selinux" "8" "13-01-16" "ajaxterm_ssh" "SELinux Policy documentation for ajaxterm_ssh" ++.SH "NAME" ++ajaxterm_ssh_selinux \- Security Enhanced Linux Policy for the ajaxterm_ssh processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the ajaxterm_ssh processes via flexible mandatory access control. ++ ++The ajaxterm_ssh processes execute with the ajaxterm_ssh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++ ++For example: ++ ++.B ps -eZ | grep ajaxterm_ssh_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The ajaxterm_ssh_t SELinux type can be entered via the \fBssh_exec_t\fP file type. ++ ++The default entrypoint paths for the ajaxterm_ssh_t domain are the following: ++ ++/usr/bin/ssh ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system +.PP -+The following port types are defined for ajaxterm: ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux ajaxterm_ssh policy is very flexible allowing users to setup their ajaxterm_ssh processes in as secure a method as possible. ++.PP ++The following process types are defined for ajaxterm_ssh: + +.EX -+.TP 5 -+.B ajaxterm_port_t -+.TP 10 ++.B ajaxterm_ssh_t +.EE ++.PP ++Note: ++.B semanage permissive -a ajaxterm_ssh_t ++can be used to make the process type ajaxterm_ssh_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ajaxterm_ssh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ajaxterm_ssh with the tightest access possible. + + -+Default Defined Ports: -+tcp 8022 ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ajaxterm_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ajaxterm_ssh_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ +.SH "MANAGED FILES" + -+The SELinux process type ajaxterm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
-+ -+.br -+.B ajaxterm_var_run_t -+ -+ /var/run/ajaxterm\.pid -+.br ++The SELinux process type ajaxterm_ssh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br +.B ssh_home_t + + /root/\.ssh(/.*)? +.br ++ /var/lib/pgsql/\.ssh(/.*)? ++.br + /var/lib/openshift/[^/]+/\.ssh(/.*)? +.br + /var/lib/amanda/\.ssh(/.*)? @@ -3198,6 +5622,10 @@ index 0000000..2423a73 +.br + /home/[^/]*/\.shosts +.br ++ /home/pwalsh/\.ssh(/.*)? ++.br ++ /home/pwalsh/\.shosts ++.br + /home/dwalsh/\.ssh(/.*)? +.br + /home/dwalsh/\.shosts @@ -3207,21 +5635,19 @@ index 0000000..2423a73 + /var/lib/xguest/home/xguest/\.shosts +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B user_tmp_t + -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ajaxterm_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the ajaxterm_ssh_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br + +.SH "COMMANDS" +.B semanage fcontext @@ -3233,8 +5659,8 @@ index 0000000..2423a73 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + -+.B semanage port -+can also be used to manipulate the port definitions ++.B semanage boolean ++can also be used to manipulate the booleans + +.PP +.B system-config-selinux 
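Review bot: the ssh_home_t and user_tmp_t path lists in the ajaxterm_ssh MANAGED FILES hunks contain host-specific entries that should not ship in a package: /home/pwalsh/\.ssh(/.*)?, /home/pwalsh/\.shosts, /home/dwalsh/\.ssh(/.*)?, /tmp/gconfd-pwalsh and /tmp/gconfd-dwalsh. These look like per-user expansions from the generating machine's file_contexts.homedirs (users with semanage login mappings), not file contexts defined by the policy. Regenerate the pages on a clean system, or have sepolicy manpage read only the distribution file_contexts, so that the developer accounts do not appear in the documentation; the same leak shows up later in the alsa_home_t path list as /home/pwalsh/\.asoundrc.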
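Review bot: the same MANAGED FILES hunks document ajaxterm_ssh_t, a domain entered only through /usr/bin/ssh from a web terminal, as able to manage every ssh_home_t path, including /root/\.ssh(/.*)? and /var/lib/openshift/[^/]+/\.ssh(/.*)?. An ssh client needs to update known_hosts in the invoking user's directory, not write anywhere under root's or hosted gears' key directories. If this is simply the generic ssh client template being inherited, the page should say so; otherwise the ajaxterm_ssh_t domain deserves a narrower interface than full manage rights on ssh_home_t.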
@@ -3246,14 +5672,16 @@ index 0000000..2423a73 +by Dan Walsh. + +.SH "SEE ALSO" -+selinux(8), ajaxterm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++selinux(8), ajaxterm_ssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), ajaxterm_selinux(8), ajaxterm_selinux(8) +\ No newline at end of file diff --git a/man/man8/alsa_selinux.8 b/man/man8/alsa_selinux.8 new file mode 100644 -index 0000000..75888ee +index 0000000..fadd99d --- /dev/null +++ b/man/man8/alsa_selinux.8 -@@ -0,0 +1,170 @@ -+.TH "alsa_selinux" "8" "12-11-01" "alsa" "SELinux Policy documentation for alsa" +@@ -0,0 +1,285 @@ ++.TH "alsa_selinux" "8" "13-01-16" "alsa" "SELinux Policy documentation for alsa" +.SH "NAME" +alsa_selinux \- Security Enhanced Linux Policy for the alsa processes +.SH "DESCRIPTION" @@ -3269,7 +5697,9 @@ index 0000000..75888ee + +.SH "ENTRYPOINTS" + -+The alsa_t SELinux type can be entered via the "alsa_exec_t" file type. The default entrypoint paths for the alsa_t domain are the following:" ++The alsa_t SELinux type can be entered via the \fBalsa_exec_t\fP file type. ++ ++The default entrypoint paths for the alsa_t domain are the following: + +/sbin/salsa, /sbin/alsactl, /usr/bin/ainit, /bin/alsaunmute, /usr/sbin/salsa, /usr/sbin/alsactl, /usr/bin/alsaunmute +.SH PROCESS TYPES 
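Review bot: the SEE ALSO line in the ajaxterm_ssh hunk references ajaxterm_ssh(8), which is a policy domain name and not an installed command, and lists ajaxterm_selinux(8) twice; the amanda_recover page repeats the pattern with amanda_selinux(8), amanda_selinux(8). The generator should emit a name(8) reference only when a page of that name exists and should de-duplicate the related-page list. Every generated page here also ends with "\ No newline at end of file"; writing a trailing newline would avoid the warning from diff and man tooling.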
@@ -3287,8 +5717,138 @@ index 0000000..75888ee +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a alsa_t ++can be used to make the process type alsa_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. alsa policy is extremely flexible and has several booleans that allow you to manipulate the policy and run alsa with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the alsa_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the alsa_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type alsa_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B alsa_etc_rw_t ++ ++ /etc/asound(/.*)? ++.br ++ /etc/alsa/pcm(/.*)? ++.br ++ /usr/share/alsa/pcm(/.*)? ++.br ++ /etc/asound\.state ++.br ++ /etc/alsa/asound\.state ++.br ++ /usr/share/alsa/alsa\.conf ++.br ++ ++.br ++.B alsa_tmp_t ++ ++ ++.br ++.B alsa_var_lib_t ++ ++ /var/lib/alsa(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
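Review bot: the deny_ptrace entry in the alsa BOOLEANS hunk reads inverted: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" followed by setsebool -P deny_ptrace 1, but turning on a boolean named deny_ptrace removes ptrace rather than granting it, so an administrator who follows the page gets the opposite of what they asked for. The sentence is produced from the boolean's description template, so the fix belongs in sepolicy manpage (or in the boolean description) rather than in this generated text; the identical wording recurs in the ajaxterm_ssh, amanda_recover and amanda pages. Minor: alsa_tmp_t is listed under MANAGED FILES with no paths at all, and the generator should either omit path-less types or state that the type has no default file context.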
@@ -3298,7 +5858,20 @@ index 0000000..75888ee +Policy governs the access confined processes have to these files. +SELinux alsa policy is very flexible allowing users to setup their alsa processes in as secure a method as possible. +.PP -+The following file types are defined for alsa: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the alsa, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t alsa_etc_rw_t '/srv/alsa/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myalsa_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for alsa: + + +.EX @@ -3308,6 +5881,10 @@ index 0000000..75888ee + +- Set files with the alsa_etc_rw_t type, if you want to treat the files as alsa etc read/write content. + ++.br ++.TP 5 ++Paths: ++/etc/asound(/.*)?, /etc/alsa/pcm(/.*)?, /usr/share/alsa/pcm(/.*)?, /etc/asound\.state, /etc/alsa/asound\.state, /usr/share/alsa/alsa\.conf + +.EX +.PP @@ -3316,6 +5893,10 @@ index 0000000..75888ee + +- Set files with the alsa_exec_t type, if you want to transition an executable to the alsa_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/salsa, /sbin/alsactl, /usr/bin/ainit, /bin/alsaunmute, /usr/sbin/salsa, /usr/sbin/alsactl, /usr/bin/alsaunmute + +.EX +.PP @@ -3324,6 +5905,10 @@ index 0000000..75888ee + +- Set files with the alsa_home_t type, if you want to store alsa files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.asoundrc, /home/pwalsh/\.asoundrc, /home/dwalsh/\.asoundrc, /var/lib/xguest/home/xguest/\.asoundrc + +.EX +.PP 
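Review bot: the STANDARD FILE CONTEXT example in the alsa FILE CONTEXTS hunk registers one path and relabels a different one: semanage fcontext -a -t alsa_etc_rw_t '/srv/alsa/content(/.*)?' is followed by restorecon -R -v /srv/myalsa_content, so a reader who copies the two commands relabels nothing. Use the same directory in both. The introductory sentence also has "diffent" and "sepecify", and "in a diffent paths" should read "in a different path". The same template text, with the same path mismatch, appears in the amanda_recover and amanda pages, so correct it once in the generator.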
@@ -3356,52 +5941,6 @@ index 0000000..75888ee +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type alsa_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B alsa_etc_rw_t -+ -+ /etc/asound(/.*)? -+.br -+ /etc/alsa/pcm(/.*)? -+.br -+ /usr/share/alsa/pcm(/.*)? -+.br -+ /etc/asound\.state -+.br -+ /etc/alsa/asound\.state -+.br -+ /usr/share/alsa/alsa\.conf -+.br -+ -+.br -+.B alsa_tmp_t -+ -+ -+.br -+.B alsa_var_lib_t -+ -+ /var/lib/alsa(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the alsa_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the alsa_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -3412,6 +5951,9 @@ index 0000000..75888ee +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -3423,13 +5965,15 @@ index 0000000..75888ee + +.SH "SEE ALSO" +selinux(8), alsa(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/amanda_recover_selinux.8 b/man/man8/amanda_recover_selinux.8 new file mode 100644 -index 0000000..680559a +index 0000000..dad048a --- /dev/null 
+++ b/man/man8/amanda_recover_selinux.8 -@@ -0,0 +1,131 @@ -+.TH "amanda_recover_selinux" "8" "12-11-01" "amanda_recover" "SELinux Policy documentation for amanda_recover" +@@ -0,0 +1,225 @@ ++.TH "amanda_recover_selinux" "8" "13-01-16" "amanda_recover" "SELinux Policy documentation for amanda_recover" +.SH "NAME" +amanda_recover_selinux \- Security Enhanced Linux Policy for the amanda_recover processes +.SH "DESCRIPTION" @@ -3445,7 +5989,9 @@ index 0000000..680559a + +.SH "ENTRYPOINTS" + -+The amanda_recover_t SELinux type can be entered via the "amanda_recover_exec_t" file type. The default entrypoint paths for the amanda_recover_t domain are the following:" ++The amanda_recover_t SELinux type can be entered via the \fBamanda_recover_exec_t\fP file type. ++ ++The default entrypoint paths for the amanda_recover_t domain are the following: + +/usr/sbin/amrecover +.SH PROCESS TYPES 
@@ -3463,42 +6009,100 @@ index 0000000..680559a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a amanda_recover_t ++can be used to make the process type amanda_recover_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux amanda_recover policy is very flexible allowing users to setup their amanda_recover processes in as secure a method as possible. -+.PP -+The following file types are defined for amanda_recover: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. amanda_recover policy is extremely flexible and has several booleans that allow you to manipulate the policy and run amanda_recover with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B amanda_recover_dir_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the amanda_recover_dir_t type, if you want to treat the files as amanda recover dir data. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B amanda_recover_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the amanda_recover_exec_t type, if you want to transition an executable to the amanda_recover_t domain. 
++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the amanda_recover_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the amanda_recover_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
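Review bot: the BOOLEANS section in the amanda_recover hunk opens with "amanda_recover policy is extremely flexible and has several booleans", but every boolean that follows (authlogin_nsswitch_use_ldap, deny_ptrace, domain_fd_use, domain_kernel_load_modules, fips_mode, global_ssp, kerberos_enabled, nis_enabled, nscd_use_shm) is a global boolean affecting all domains; none is specific to amanda_recover_t. Either leave the global list out of per-domain pages or label it as system-wide, otherwise an administrator reading this page will take domain_kernel_load_modules for an amanda knob and flip it for the whole system.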
@@ -3522,161 +6126,28 @@ index 0000000..680559a +.B amanda_tmp_t + + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amanda_recover_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the amanda_recover_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. -+ -+.SH "SEE ALSO" -+selinux(8), amanda_recover(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, amanda_selinux(8), amanda_selinux(8) -\ No newline at end of file -diff --git a/man/man8/amanda_selinux.8 b/man/man8/amanda_selinux.8 -new file mode 100644 -index 0000000..6bdbec5 ---- /dev/null -+++ b/man/man8/amanda_selinux.8 -@@ -0,0 +1,277 @@ -+.TH "amanda_selinux" "8" "12-11-01" "amanda" "SELinux Policy documentation for amanda" -+.SH "NAME" -+amanda_selinux \- Security Enhanced Linux Policy for the amanda processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the amanda processes via flexible mandatory access control. -+ -+The amanda processes execute with the amanda_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
-+ -+For example: -+ -+.B ps -eZ | grep amanda_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The amanda_t SELinux type can be entered via the "amanda_exec_t,amanda_inetd_exec_t" file types. The default entrypoint paths for the amanda_t domain are the following:" -+ -+/usr/lib/amanda/.+, /usr/lib/amanda/amandad, /usr/lib/amanda/amindexd, /usr/lib/amanda/amidxtaped -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible. -+.PP -+The following process types are defined for amanda: -+ -+.EX -+.B amanda_t, amanda_recover_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP +Policy governs the access confined processes have to these files. -+SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible. ++SELinux amanda_recover policy is very flexible allowing users to setup their amanda_recover processes in as secure a method as possible. +.PP -+The following file types are defined for amanda: + -+ -+.EX +.PP -+.B amanda_amandates_t -+.EE ++.B STANDARD FILE CONTEXT + -+- Set files with the amanda_amandates_t type, if you want to treat the files as amanda amandates data. 
++SELinux defines the file context types for the amanda_recover, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. + ++.B semanage fcontext -a -t amanda_recover_dir_t '/srv/amanda_recover/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myamanda_recover_content + -+.EX -+.PP -+.B amanda_config_t -+.EE ++Note: SELinux often uses regular expressions to specify labels that match multiple files. + -+- Set files with the amanda_config_t type, if you want to treat the files as amanda configuration data, usually stored under the /etc directory. -+ -+ -+.EX -+.PP -+.B amanda_data_t -+.EE -+ -+- Set files with the amanda_data_t type, if you want to treat the files as amanda content. -+ -+ -+.EX -+.PP -+.B amanda_dumpdates_t -+.EE -+ -+- Set files with the amanda_dumpdates_t type, if you want to treat the files as amanda dumpdates data. -+ -+ -+.EX -+.PP -+.B amanda_exec_t -+.EE -+ -+- Set files with the amanda_exec_t type, if you want to transition an executable to the amanda_t domain. -+ -+ -+.EX -+.PP -+.B amanda_gnutarlists_t -+.EE -+ -+- Set files with the amanda_gnutarlists_t type, if you want to treat the files as amanda gnutarlists data. -+ -+ -+.EX -+.PP -+.B amanda_inetd_exec_t -+.EE -+ -+- Set files with the amanda_inetd_exec_t type, if you want to transition an executable to the amanda_inetd_t domain. -+ -+ -+.EX -+.PP -+.B amanda_log_t -+.EE -+ -+- Set files with the amanda_log_t type, if you want to treat the data as amanda log data, usually stored under the /var/log directory. ++.I The following file types are defined for amanda_recover: + + +.EX 
@@ -3695,30 +6166,6 @@ index 0000000..6bdbec5 +- Set files with the amanda_recover_exec_t type, if you want to transition an executable to the amanda_recover_t domain. + + -+.EX -+.PP -+.B amanda_tmp_t -+.EE -+ -+- Set files with the amanda_tmp_t type, if you want to store amanda temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B amanda_usr_lib_t -+.EE -+ -+- Set files with the amanda_usr_lib_t type, if you want to treat the files as amanda usr lib data. -+ -+ -+.EX -+.PP -+.B amanda_var_lib_t -+.EE -+ -+- Set files with the amanda_var_lib_t type, if you want to store the amanda files under the /var/lib directory. -+ -+ +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext 
@@ -3726,6 +6173,169 @@ index 0000000..6bdbec5 +.B restorecon +to apply the labels. + ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), amanda_recover(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), amanda_selinux(8), amanda_selinux(8) +\ No newline at end of file +diff --git a/man/man8/amanda_selinux.8 b/man/man8/amanda_selinux.8 +new file mode 100644 +index 0000000..182b115 +--- /dev/null ++++ b/man/man8/amanda_selinux.8 +@@ -0,0 +1,402 @@ ++.TH "amanda_selinux" "8" "13-01-16" "amanda" "SELinux Policy documentation for amanda" ++.SH "NAME" ++amanda_selinux \- Security Enhanced Linux Policy for the amanda processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the amanda processes via flexible mandatory access control. ++ ++The amanda processes execute with the amanda_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep amanda_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The amanda_t SELinux type can be entered via the \fBamanda_exec_t, amanda_inetd_exec_t\fP file types. 
++ ++The default entrypoint paths for the amanda_t domain are the following: ++ ++/usr/lib/amanda/.+, /usr/sbin/amandad, /usr/lib/amanda/amandad, /usr/lib/amanda/amindexd, /usr/lib/amanda/amidxtaped ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible. ++.PP ++The following process types are defined for amanda: ++ ++.EX ++.B amanda_t, amanda_recover_t ++.EE ++.PP ++Note: ++.B semanage permissive -a amanda_t ++can be used to make the process type amanda_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. amanda policy is extremely flexible and has several booleans that allow you to manipulate the policy and run amanda with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the amanda_recover_t, amanda_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the amanda_recover_t, amanda_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP 
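Review bot: the amanda ENTRYPOINTS hunk adds /usr/sbin/amandad to the amanda_t entrypoint list, and the amanda_inetd_exec_t paths further down carry the same addition. Make sure the corresponding file-context line for /usr/sbin/amandad in the amanda module is part of this change rather than only of the generated documentation, since the man page is produced from the installed policy and will silently go stale if the two diverge.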
@@ -3803,22 +6413,172 @@ index 0000000..6bdbec5 + /var/lib/amanda +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux amanda policy is very flexible allowing users to setup their amanda processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amanda_recover_t, amanda_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the amanda_recover_t, amanda_t, you must turn on the kerberos_enabled boolean. ++amanda policy stores data with multiple different file context types under the /var/lib/amanda/[^/]+ directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/amanda/[^/]+ /srv/]+ ++.br ++.B restorecon -R -v /srv/]+ ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the amanda, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t amanda_amandates_t '/srv/amanda/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myamanda_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for amanda: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B amanda_amandates_t +.EE + ++- Set files with the amanda_amandates_t type, if you want to treat the files as amanda amandates data. ++ ++ ++.EX ++.PP ++.B amanda_config_t ++.EE ++ ++- Set files with the amanda_config_t type, if you want to treat the files as amanda configuration data, usually stored under the /etc directory. ++ ++.br ++.TP 5 ++Paths: ++/etc/amanda(/.*)?, /var/lib/amanda/\.amandahosts ++ ++.EX ++.PP ++.B amanda_data_t ++.EE ++ ++- Set files with the amanda_data_t type, if you want to treat the files as amanda content. ++ ++.br ++.TP 5 ++Paths: ++/etc/amanda/.*/index(/.*)?, /etc/amanda/.*/tapelist(/.*)?, /var/lib/amanda/[^/]+(/.*)? ++ ++.EX ++.PP ++.B amanda_dumpdates_t ++.EE ++ ++- Set files with the amanda_dumpdates_t type, if you want to treat the files as amanda dumpdates data. ++ ++ ++.EX ++.PP ++.B amanda_exec_t ++.EE ++ ++- Set files with the amanda_exec_t type, if you want to transition an executable to the amanda_t domain. ++ ++ ++.EX ++.PP ++.B amanda_gnutarlists_t ++.EE ++ ++- Set files with the amanda_gnutarlists_t type, if you want to treat the files as amanda gnutarlists data. ++ ++ ++.EX ++.PP ++.B amanda_inetd_exec_t ++.EE ++ ++- Set files with the amanda_inetd_exec_t type, if you want to transition an executable to the amanda_inetd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/amandad, /usr/lib/amanda/amandad, /usr/lib/amanda/amindexd, /usr/lib/amanda/amidxtaped ++ ++.EX ++.PP ++.B amanda_log_t ++.EE ++ ++- Set files with the amanda_log_t type, if you want to treat the data as amanda log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/amanda(/.*)?, /var/lib/amanda/[^/]*/log(/.*)? ++ ++.EX ++.PP ++.B amanda_recover_dir_t ++.EE ++ ++- Set files with the amanda_recover_dir_t type, if you want to treat the files as amanda recover dir data. 
++ ++ ++.EX ++.PP ++.B amanda_recover_exec_t ++.EE ++ ++- Set files with the amanda_recover_exec_t type, if you want to transition an executable to the amanda_recover_t domain. ++ ++ ++.EX ++.PP ++.B amanda_tmp_t ++.EE ++ ++- Set files with the amanda_tmp_t type, if you want to store amanda temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B amanda_usr_lib_t ++.EE ++ ++- Set files with the amanda_usr_lib_t type, if you want to treat the files as amanda usr lib data. ++ ++ ++.EX ++.PP ++.B amanda_var_lib_t ++.EE ++ ++- Set files with the amanda_var_lib_t type, if you want to store the amanda files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/amanda/[^/]+/index(/.*)?, /var/lib/amanda ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -3832,6 +6592,9 @@ index 0000000..6bdbec5 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -3843,15 +6606,15 @@ index 0000000..6bdbec5 + +.SH "SEE ALSO" +selinux(8), amanda(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, amanda_recover_selinux(8) ++, setsebool(8), amanda_recover_selinux(8) \ No newline at end of file diff --git a/man/man8/amavis_selinux.8 b/man/man8/amavis_selinux.8 new file mode 100644 -index 0000000..28b1547 +index 0000000..ba1fb00 --- /dev/null 
+++ b/man/man8/amavis_selinux.8 -@@ -0,0 +1,283 @@ -+.TH "amavis_selinux" "8" "12-11-01" "amavis" "SELinux Policy documentation for amavis" +@@ -0,0 +1,428 @@ ++.TH "amavis_selinux" "8" "13-01-16" "amavis" "SELinux Policy documentation for amavis" +.SH "NAME" +amavis_selinux \- Security Enhanced Linux Policy for the amavis processes +.SH "DESCRIPTION" @@ -3867,7 +6630,9 @@ index 0000000..28b1547 + +.SH "ENTRYPOINTS" + -+The amavis_t SELinux type can be entered via the "amavis_exec_t" file type. The default entrypoint paths for the amavis_t domain are the following:" ++The amavis_t SELinux type can be entered via the \fBamavis_exec_t\fP file type. ++ ++The default entrypoint paths for the amavis_t domain are the following: + +/usr/sbin/amavisd.*, /usr/lib/AntiVir/antivir +.SH PROCESS TYPES 
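Review bot: the EQUIVALENCE DIRECTORIES example in the amanda FILE CONTEXTS hunk above (`@@ -3803,22 +6413,172 @@`) emits commands that cannot run: `semanage fcontext -a -e /var/lib/amanda/[^/]+ /srv/]+` and `restorecon -R -v /srv/]+` carry the regex fragment `[^/]+` from the file_contexts entry into the source path and a mangled `]+` into the target. `semanage fcontext -e` takes two literal directories, so the generator should strip the pattern before printing, giving `semanage fcontext -a -e /var/lib/amanda /srv/amanda` and `restorecon -R -v /srv/amanda`. In the STANDARD FILE CONTEXT block just under it, `semanage fcontext -a -t amanda_amandates_t '/srv/amanda/content(/.*)?'` registers one path and `restorecon -R -v /srv/myamanda_content` relabels a different one, so following the example never applies the new label; point restorecon at `/srv/amanda/content`. The same two templates recur verbatim in the amavis and amtu pages in this patch. Also `\fBls\bP` should be `\fBls\fP` (`\b` is not a font escape), and "dirctory", "diffent" and "sepecify" are typos in the template text.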
@@ -3885,116 +6650,140 @@ index 0000000..28b1547 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a amavis_t ++can be used to make the process type amavis_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. amavis policy is extremely flexible and has several booleans that allow you to manipulate the policy and run amavis with the tightest access possible. + + +.PP -+If you want to allow amavis to use JIT compiler, you must turn on the amavis_use_jit boolean. ++If you want to determine whether amavis can use JIT compiler, you must turn on the amavis_use_jit boolean. Disabled by default. + +.EX +.B setsebool -P amavis_use_jit 1 ++ +.EE + +.PP -+If you want to allow amavis to use JIT compiler, you must turn on the amavis_use_jit boolean. ++If you want to allow antivirus programs to read non security files on a system, you must turn on the antivirus_can_scan_system boolean. Disabled by default. + +.EX -+.B setsebool -P amavis_use_jit 1 ++.B setsebool -P antivirus_can_scan_system 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux amavis policy is very flexible allowing users to setup their amavis processes in as secure a method as possible. -+.PP -+The following file types are defined for amavis: -+ ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. 
+ +.EX -+.PP -+.B amavis_etc_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the amavis_etc_t type, if you want to store amavis files in the /etc directories. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B amavis_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the amavis_exec_t type, if you want to transition an executable to the amavis_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B amavis_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the amavis_initrc_exec_t type, if you want to transition an executable to the amavis_initrc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B amavis_quarantine_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the amavis_quarantine_t type, if you want to treat the files as amavis quarantine data. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B amavis_spool_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the amavis_spool_t type, if you want to store the amavis files under the /var/spool directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B amavis_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the amavis_tmp_t type, if you want to store amavis temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. 
Disabled by default. + +.EX -+.PP -+.B amavis_var_lib_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the amavis_var_lib_t type, if you want to store the amavis files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B amavis_var_log_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the amavis_var_log_t type, if you want to treat the data as amavis var log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B amavis_var_run_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the amavis_var_run_t type, if you want to store the amavis files under the /run directory. ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the amavis_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the amavis_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -4069,6 +6858,8 @@ index 0000000..28b1547 + + /var/run/amavis(d)?(/.*)? +.br ++ /var/run/amavisd-snmp-subagent\.pid ++.br + +.br +.B antivirus_db_t @@ -4077,10 +6868,20 @@ index 0000000..28b1547 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B snmpd_var_lib_t + + /var/agentx(/.*)? +.br ++ /var/net-snmp(/.*) ++.br + /var/lib/snmp(/.*)? +.br + /var/net-snmp(/.*)? 
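Review bot: the deny_ptrace entry in the amavis BOOLEANS hunk (`@@ -3885,116 +6650,140 @@`) says the opposite of what the boolean does: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" followed by `setsebool -P deny_ptrace 1`, which denies ptrace. The "If you want to ... you must turn on" wrapper is being applied to every boolean description regardless of polarity; for deny_* and secure_mode_* booleans it should say "turn off" or quote the description unwrapped. This repeats in the amtu, anaconda, anon_sftpd and apcupsd pages in this patch. Related template problems in the same hunk: "If you want to determine whether amavis can use JIT compiler" is the boolean's own description pasted mid-sentence; authlogin_nsswitch_use_ldap and kerberos_enabled are documented under BOOLEANS and then again, with the same `setsebool` line, under NSSWITCH DOMAIN; and the blank line inserted between each `.B setsebool` and `.EE` renders as an empty line inside every example. In the `@@ -4077,10 +6868,20 @@` hunk the new `/var/net-snmp(/.*)` entry duplicates the `/var/net-snmp(/.*)?` already listed for snmpd_var_lib_t, and without the `?` it no longer matches the directory itself, which looks like a duplicated file_contexts line. The same hunk adds root_t (`/`, `/initrd`) to the files amavis_t can manage with no indication that this is conditional, even though this page documents daemons_dump_core as "allow all daemons to write corefiles to /"; if that boolean is the source, the listing should say so.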
@@ -4090,21 +6891,128 @@ index 0000000..28b1547 + /usr/share/snmp/mibs/\.index +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux amavis policy is very flexible allowing users to setup their amavis processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amavis_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the amavis, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t amavis_etc_t '/srv/amavis/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myamavis_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for amavis: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B amavis_etc_t +.EE + ++- Set files with the amavis_etc_t type, if you want to store amavis files in the /etc directories. ++ ++.br ++.TP 5 ++Paths: ++/etc/amavis(d)?\.conf, /etc/amavisd(/.*)? ++ ++.EX ++.PP ++.B amavis_exec_t ++.EE ++ ++- Set files with the amavis_exec_t type, if you want to transition an executable to the amavis_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/amavisd.*, /usr/lib/AntiVir/antivir ++ ++.EX ++.PP ++.B amavis_initrc_exec_t ++.EE ++ ++- Set files with the amavis_initrc_exec_t type, if you want to transition an executable to the amavis_initrc_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/amavis, /etc/rc\.d/init\.d/amavisd-snmp ++ ++.EX ++.PP ++.B amavis_quarantine_t ++.EE ++ ++- Set files with the amavis_quarantine_t type, if you want to treat the files as amavis quarantine data. ++ ++ ++.EX ++.PP ++.B amavis_spool_t ++.EE ++ ++- Set files with the amavis_spool_t type, if you want to store the amavis files under the /var/spool directory. ++ ++ ++.EX ++.PP ++.B amavis_tmp_t ++.EE ++ ++- Set files with the amavis_tmp_t type, if you want to store amavis temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B amavis_var_lib_t ++.EE ++ ++- Set files with the amavis_var_lib_t type, if you want to store the amavis files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/amavis(/.*)?, /var/lib/amavis(/.*)? ++ ++.EX ++.PP ++.B amavis_var_log_t ++.EE ++ ++- Set files with the amavis_var_log_t type, if you want to treat the data as amavis var log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B amavis_var_run_t ++.EE ++ ++- Set files with the amavis_var_run_t type, if you want to store the amavis files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/amavis(d)?(/.*)?, /var/run/amavisd-snmp-subagent\.pid ++ +.PP -+If you want to allow confined applications to run with kerberos for the amavis_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -4137,11 +7045,11 @@ index 0000000..28b1547 \ No newline at end of file diff --git a/man/man8/amtu_selinux.8 b/man/man8/amtu_selinux.8 new file mode 100644 -index 0000000..96416ac +index 0000000..a860030 --- /dev/null 
+++ b/man/man8/amtu_selinux.8 -@@ -0,0 +1,102 @@ -+.TH "amtu_selinux" "8" "12-11-01" "amtu" "SELinux Policy documentation for amtu" +@@ -0,0 +1,183 @@ ++.TH "amtu_selinux" "8" "13-01-16" "amtu" "SELinux Policy documentation for amtu" +.SH "NAME" +amtu_selinux \- Security Enhanced Linux Policy for the amtu processes +.SH "DESCRIPTION" @@ -4157,9 +7065,11 @@ index 0000000..96416ac + +.SH "ENTRYPOINTS" + -+The amtu_t SELinux type can be entered via the "amtu_exec_t" file type. The default entrypoint paths for the amtu_t domain are the following:" ++The amtu_t SELinux type can be entered via the \fBamtu_exec_t\fP file type. + -+/usr/bin/amtu ++The default entrypoint paths for the amtu_t domain are the following: ++ ++/usr/bin/amtu, /usr/sbin/amtu +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -4175,34 +7085,60 @@ index 0000000..96416ac +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a amtu_t ++can be used to make the process type amtu_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux amtu policy is very flexible allowing users to setup their amtu processes in as secure a method as possible. -+.PP -+The following file types are defined for amtu: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. amtu policy is extremely flexible and has several booleans that allow you to manipulate the policy and run amtu with the tightest access possible. + + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ +.EX -+.PP -+.B amtu_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the amtu_exec_t type, if you want to transition an executable to the amtu_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -4220,7 +7156,56 @@ index 0000000..96416ac + /boot +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux amtu policy is very flexible allowing users to setup their amtu processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the amtu, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t amtu_exec_t '/srv/amtu/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myamtu_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for amtu: ++ ++ ++.EX ++.PP ++.B amtu_exec_t ++.EE ++ ++- Set files with the amtu_exec_t type, if you want to transition an executable to the amtu_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/amtu, /usr/sbin/amtu ++ ++.EX ++.PP ++.B amtu_initrc_exec_t ++.EE ++ ++- Set files with the amtu_initrc_exec_t type, if you want to transition an executable to the amtu_initrc_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
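Review bot: in the amtu FILE CONTEXTS hunk, `amtu_initrc_exec_t` is listed as a defined type but, unlike `amtu_exec_t` with its `Paths: /usr/bin/amtu, /usr/sbin/amtu`, it carries no Paths block; if the policy has no file_contexts entry for an amtu init script the type is unreachable by restorecon and the entry should either get a path or be dropped from the page. The STANDARD FILE CONTEXT example repeats the mismatch noted for amanda: `semanage fcontext -a -t amtu_exec_t '/srv/amtu/content(/.*)?'` is paired with `restorecon -R -v /srv/myamtu_content`, and labelling arbitrary content as an `*_exec_t` entrypoint type is a poor default for a template example, since it makes whatever lands under that path a valid entrypoint into amtu_t.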
@@ -4232,6 +7217,9 @@ index 0000000..96416ac +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -4243,6 +7231,341 @@ index 0000000..96416ac + +.SH "SEE ALSO" +selinux(8), amtu(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/anaconda_selinux.8 b/man/man8/anaconda_selinux.8 +new file mode 100644 +index 0000000..f50d529 +--- /dev/null ++++ b/man/man8/anaconda_selinux.8 +@@ -0,0 +1,182 @@ ++.TH "anaconda_selinux" "8" "13-01-16" "anaconda" "SELinux Policy documentation for anaconda" ++.SH "NAME" ++anaconda_selinux \- Security Enhanced Linux Policy for the anaconda processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the anaconda processes via flexible mandatory access control. ++ ++The anaconda processes execute with the anaconda_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep anaconda_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The anaconda_t SELinux type can be entered via the \fBsysctl_type, anaconda_exec_t, filesystem_type, mtrr_device_t, unlabeled_t, proc_type, file_type\fP file types. ++ ++The default entrypoint paths for the anaconda_t domain are the following: ++ ++/dev/cpu/mtrr, all files on the system ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux anaconda policy is very flexible allowing users to setup their anaconda processes in as secure a method as possible. ++.PP ++The following process types are defined for anaconda: ++ ++.EX ++.B anaconda_t ++.EE ++.PP ++Note: ++.B semanage permissive -a anaconda_t ++can be used to make the process type anaconda_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. 
++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. anaconda policy is extremely flexible and has several booleans that allow you to manipulate the policy and run anaconda with the tightest access possible. ++ ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.PP ++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P secure_mode_insmod 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execheap 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type anaconda_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B file_type ++ ++ all files on the system ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), anaconda(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/anon_sftpd_selinux.8 b/man/man8/anon_sftpd_selinux.8 +new file mode 100644 +index 0000000..e4088d8 +--- /dev/null ++++ b/man/man8/anon_sftpd_selinux.8 +@@ -0,0 +1,137 @@ ++.TH "anon_sftpd_selinux" "8" "13-01-16" "anon_sftpd" "SELinux Policy documentation for anon_sftpd" ++.SH "NAME" ++anon_sftpd_selinux \- Security Enhanced Linux Policy for the anon_sftpd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the anon_sftpd processes via flexible mandatory access control. ++ ++The anon_sftpd processes execute with the anon_sftpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep anon_sftpd_t ++ ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux anon_sftpd policy is very flexible allowing users to setup their anon_sftpd processes in as secure a method as possible. 
++.PP ++The following process types are defined for anon_sftpd: ++ ++.EX ++.B anon_sftpd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a anon_sftpd_t ++can be used to make the process type anon_sftpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. anon_sftpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run anon_sftpd with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type anon_sftpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B public_content_rw_t ++ ++ /var/spool/abrt-upload(/.*)? 
++.br ++ ++.SH SHARING FILES ++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. ++.TP ++Allow anon_sftpd servers to read the /var/anon_sftpd directory by adding the public_content_t file type to the directory and by restoring the file type. ++.PP ++.B ++semanage fcontext -a -t public_content_t "/var/anon_sftpd(/.*)?" ++.br ++.B restorecon -F -R -v /var/anon_sftpd ++.pp ++.TP ++Allow anon_sftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_anon_sftpdd_anon_write boolean to be set. ++.PP ++.B ++semanage fcontext -a -t public_content_rw_t "/var/anon_sftpd/incoming(/.*)?" ++.br ++.B restorecon -F -R -v /var/anon_sftpd/incoming ++ ++ ++.PP ++If you want to determine whether sftpd can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t., you must turn on the sftpd_anon_write boolean. ++ ++.EX ++.B setsebool -P sftpd_anon_write 1 ++.EE ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), anon_sftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/apache_selinux.8 b/man/man8/apache_selinux.8 new file mode 100644 index 0000000..1ff959f @@ -4253,11 +7576,11 @@ index 0000000..1ff959f \ No newline at end of file diff --git a/man/man8/apcupsd_selinux.8 b/man/man8/apcupsd_selinux.8 new file mode 100644 -index 0000000..5c83a01 +index 0000000..d335243 --- /dev/null +++ b/man/man8/apcupsd_selinux.8 -@@ -0,0 +1,264 @@ -+.TH "apcupsd_selinux" "8" "12-11-01" "apcupsd" "SELinux Policy documentation for apcupsd" +@@ -0,0 +1,365 @@ ++.TH "apcupsd_selinux" "8" "13-01-16" "apcupsd" "SELinux Policy documentation for apcupsd" +.SH "NAME" +apcupsd_selinux \- Security Enhanced Linux Policy for the apcupsd processes +.SH "DESCRIPTION" @@ -4273,7 +7596,9 @@ index 0000000..5c83a01 + +.SH "ENTRYPOINTS" + -+The apcupsd_t SELinux type can be entered via the "apcupsd_exec_t" file type. The default entrypoint paths for the apcupsd_t domain are the following:" ++The apcupsd_t SELinux type can be entered via the \fBapcupsd_exec_t\fP file type. ++ ++The default entrypoint paths for the apcupsd_t domain are the following: + +/sbin/apcupsd, /usr/sbin/apcupsd +.SH PROCESS TYPES 
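Review bot: the anaconda ENTRYPOINTS text in the `@@ -4243,6 +7231,341 @@` hunk tells the reader anaconda_t "can be entered via the sysctl_type, anaconda_exec_t, filesystem_type, mtrr_device_t, unlabeled_t, proc_type, file_type file types" with default entrypoint paths "/dev/cpu/mtrr, all files on the system"; that is the generator enumerating every type the unconfined domain has entrypoint on, and as documentation it is misleading. The page should state that anaconda_t is unconfined (the MANAGED FILES section already says it manages file_type, "all files on the system") rather than list sysctl and proc types as entrypoints. Two boolean descriptions are mangled by the wrapper: "If you want to boolean to determine whether the system permits loading policy..." for secure_mode_policyload, and "If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean". In the anon_sftpd SHARING FILES section the prose says "This also requires the allow_anon_sftpdd_anon_write boolean to be set" while the boolean actually documented two paragraphs later is sftpd_anon_write; the template derives the name by appending to the domain name and gets a boolean that does not exist. The same paragraph describes "/var/tmp/incoming" but the commands label "/var/anon_sftpd/incoming(/.*)?", and `.pp` is not a groff macro (should be `.PP`).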
@@ -4291,82 +7616,84 @@ index 0000000..5c83a01 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a apcupsd_t ++can be used to make the process type apcupsd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux apcupsd policy is very flexible allowing users to setup their apcupsd processes in as secure a method as possible. -+.PP -+The following file types are defined for apcupsd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. apcupsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run apcupsd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B apcupsd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the apcupsd_exec_t type, if you want to transition an executable to the apcupsd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B apcupsd_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the apcupsd_initrc_exec_t type, if you want to transition an executable to the apcupsd_initrc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B apcupsd_lock_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the apcupsd_lock_t type, if you want to treat the files as apcupsd lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B apcupsd_log_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the apcupsd_log_t type, if you want to treat the data as apcupsd log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B apcupsd_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the apcupsd_tmp_t type, if you want to store apcupsd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B apcupsd_unit_file_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the apcupsd_unit_file_t type, if you want to treat the files as apcupsd unit content. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B apcupsd_var_run_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the apcupsd_var_run_t type, if you want to store the apcupsd files under the /run directory. ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -4404,14 +7731,6 @@ index 0000000..5c83a01 +.br + +.br -+.B apcupsd_log_t -+ -+ /var/log/apcupsd\.events.* -+.br -+ /var/log/apcupsd\.status.* -+.br -+ -+.br +.B apcupsd_tmp_t + + @@ -4442,10 +7761,10 @@ index 0000000..5c83a01 +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -4454,10 +7773,10 @@ index 0000000..5c83a01 +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE @@ -4488,6 +7807,14 @@ index 0000000..5c83a01 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B systemd_passwd_var_run_t + + /var/run/systemd/ask-password(/.*)? 
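Review bot: the deny_ptrace entry in the new BOOLEANS section is inverted. It says "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default." and then shows "setsebool -P deny_ptrace 1", but turning deny_ptrace on is what forbids ptrace; an admin following this text locks themselves out of gdb/strace on confined processes. The generator should print "setsebool -P deny_ptrace 0" for this boolean (or describe it as a deny), and the same wrong text is repeated verbatim for apm, apmd, arpwatch and asterisk in this patch. Two other changes in this hunk need confirmation: MANAGED FILES drops the apcupsd_log_t block ("/var/log/apcupsd\.events.*", "/var/log/apcupsd\.status.*"), which if accurate means apcupsd_t can no longer write its own logs and should be checked against the policy rather than assumed to be a generator change; and root_t ("/", "/initrd") is now listed as a type apcupsd_t manages without saying that this is presumably only the daemons_dump_core corefile path, which the same page documents as disabled by default, so readers will read it as unconditional write access to /.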
@@ -4495,7 +7822,100 @@ index 0000000..5c83a01 + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux apcupsd policy is very flexible allowing users to setup their apcupsd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the apcupsd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t apcupsd_exec_t '/srv/apcupsd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myapcupsd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for apcupsd: ++ ++ ++.EX ++.PP ++.B apcupsd_exec_t ++.EE ++ ++- Set files with the apcupsd_exec_t type, if you want to transition an executable to the apcupsd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/apcupsd, /usr/sbin/apcupsd ++ ++.EX ++.PP ++.B apcupsd_initrc_exec_t ++.EE ++ ++- Set files with the apcupsd_initrc_exec_t type, if you want to transition an executable to the apcupsd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B apcupsd_lock_t ++.EE ++ ++- Set files with the apcupsd_lock_t type, if you want to treat the files as apcupsd lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B apcupsd_log_t ++.EE ++ ++- Set files with the apcupsd_log_t type, if you want to treat the data as apcupsd log data, usually stored under the /var/log directory. 
++ ++.br ++.TP 5 ++Paths: ++/var/log/apcupsd\.events.*, /var/log/apcupsd\.status.* ++ ++.EX ++.PP ++.B apcupsd_tmp_t ++.EE ++ ++- Set files with the apcupsd_tmp_t type, if you want to store apcupsd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B apcupsd_unit_file_t ++.EE ++ ++- Set files with the apcupsd_unit_file_t type, if you want to treat the files as apcupsd unit content. ++ ++ ++.EX ++.PP ++.B apcupsd_var_run_t ++.EE ++ ++- Set files with the apcupsd_var_run_t type, if you want to store the apcupsd files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -4510,6 +7930,9 @@ index 0000000..5c83a01 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -4521,13 +7944,15 @@ index 0000000..5c83a01 + +.SH "SEE ALSO" +selinux(8), apcupsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/apm_selinux.8 b/man/man8/apm_selinux.8 new file mode 100644 -index 0000000..2791aca +index 0000000..7ac7999 --- /dev/null +++ b/man/man8/apm_selinux.8 -@@ -0,0 +1,149 @@ -+.TH "apm_selinux" "8" "12-11-01" "apm" "SELinux Policy documentation for apm" +@@ -0,0 +1,235 @@ ++.TH "apm_selinux" "8" "13-01-16" "apm" "SELinux Policy documentation for apm" +.SH "NAME" +apm_selinux \- Security Enhanced Linux Policy for the apm processes +.SH "DESCRIPTION" 
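Review bot: the new STANDARD FILE CONTEXT example is wrong in two ways. "semanage fcontext -a -t apcupsd_exec_t '/srv/apcupsd/content(/.*)?'" labels a content tree with the domain's entrypoint type, so any file dropped there can be executed to enter apcupsd_t; the template should pick a data type (apcupsd_tmp_t, apcupsd_var_run_t, or a *_content_t/*_data_t type where the module has one) and never an exec_t. The "restorecon -R -v /srv/myapcupsd_content" that follows relabels a different path from the one the fcontext rule matches, so the example does nothing even when copied verbatim; use the same path in both commands. Also fix "diffent" and "sepecify" in the sentence above it, and "\fBls\bP" should be "\fBls\fP" ("\b" is the troff bracket-building escape, not a font restore); that one was carried over from the previous version of the page.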
@@ -4543,7 +7968,9 @@ index 0000000..2791aca + +.SH "ENTRYPOINTS" + -+The apm_t SELinux type can be entered via the "apm_exec_t" file type. The default entrypoint paths for the apm_t domain are the following:" ++The apm_t SELinux type can be entered via the \fBapm_exec_t\fP file type. ++ ++The default entrypoint paths for the apm_t domain are the following: + +/usr/bin/apm +.SH PROCESS TYPES 
@@ -4561,8 +7988,68 @@ index 0000000..2791aca +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a apm_t ++can be used to make the process type apm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. apm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run apm with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -4572,7 +8059,20 @@ index 0000000..2791aca +Policy governs the access confined processes have to these files. +SELinux apm policy is very flexible allowing users to setup their apm processes in as secure a method as possible. +.PP -+The following file types are defined for apm: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the apm, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t apm_exec_t '/srv/apm/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myapm_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for apm: + + +.EX @@ -4590,6 +8090,18 @@ index 0000000..2791aca + +- Set files with the apmd_exec_t type, if you want to transition an executable to the apmd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/apmd, /usr/sbin/acpid, /usr/sbin/powersaved ++ ++.EX ++.PP ++.B apmd_initrc_exec_t ++.EE ++ ++- Set files with the apmd_initrc_exec_t type, if you want to transition an executable to the apmd_initrc_t domain. ++ + +.EX +.PP 
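Review bot: "rather then using a sssd server" should be "rather than" (this hunk fixes the old "sssd serve" but keeps "then"); the phrase recurs in the BOOLEANS and NSSWITCH DOMAIN sections of every page in the patch, so fix it in the generator string. More substantively, this is apm_selinux.8 for apm_t, yet the NSSWITCH DOMAIN entries say "for the apmd_t" and the file types listed below are apmd_* types; either the page is really describing apmd_t and should say so, or the generator is mixing the apm and apmd modules. The STANDARD FILE CONTEXT example has the same defect as the other pages: it pairs the entrypoint type apm_exec_t with a "/srv/apm/content(/.*)?" tree, which would make anything placed there an entrypoint for the domain, and then runs restorecon on "/srv/myapm_content", a path the new rule does not cover.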
@@ -4625,11 +8137,23 @@ index 0000000..2791aca + +.EX +.PP ++.B apmd_var_lib_t ++.EE ++ ++- Set files with the apmd_var_lib_t type, if you want to store the apmd files under the /var/lib directory. ++ ++ ++.EX ++.PP +.B apmd_var_run_t +.EE + -+- Set files with the apmd_var_run_t type, if you want to store the apmd files under the /run directory. ++- Set files with the apmd_var_run_t type, if you want to store the apmd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/\.?acpid\.socket, /var/run/apmd\.pid, /var/run/acpid\.pid, /var/run/powersaved\.pid, /var/run/powersave_socket + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -4638,22 +8162,6 @@ index 0000000..2791aca +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -4664,6 +8172,9 @@ index 0000000..2791aca +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -4675,15 +8186,15 @@ index 0000000..2791aca + +.SH "SEE ALSO" +selinux(8), apm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, apmd_selinux(8) ++, setsebool(8), apmd_selinux(8) \ No newline at end of file 
diff --git a/man/man8/apmd_selinux.8 b/man/man8/apmd_selinux.8 new file mode 100644 -index 0000000..071cf38 +index 0000000..a1a4e47 --- /dev/null +++ b/man/man8/apmd_selinux.8 -@@ -0,0 +1,229 @@ -+.TH "apmd_selinux" "8" "12-11-01" "apmd" "SELinux Policy documentation for apmd" +@@ -0,0 +1,377 @@ ++.TH "apmd_selinux" "8" "13-01-16" "apmd" "SELinux Policy documentation for apmd" +.SH "NAME" +apmd_selinux \- Security Enhanced Linux Policy for the apmd processes +.SH "DESCRIPTION" @@ -4699,7 +8210,9 @@ index 0000000..071cf38 + +.SH "ENTRYPOINTS" + -+The apmd_t SELinux type can be entered via the "apmd_exec_t" file type. The default entrypoint paths for the apmd_t domain are the following:" ++The apmd_t SELinux type can be entered via the \fBapmd_exec_t\fP file type. ++ ++The default entrypoint paths for the apmd_t domain are the following: + +/usr/sbin/apmd, /usr/sbin/acpid, /usr/sbin/powersaved +.SH PROCESS TYPES 
@@ -4717,74 +8230,124 @@ index 0000000..071cf38 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a apmd_t ++can be used to make the process type apmd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux apmd policy is very flexible allowing users to setup their apmd processes in as secure a method as possible. -+.PP -+The following file types are defined for apmd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. apmd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run apmd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B apmd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the apmd_exec_t type, if you want to transition an executable to the apmd_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B apmd_lock_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the apmd_lock_t type, if you want to treat the files as apmd lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ +.EX -+.PP -+.B apmd_log_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the apmd_log_t type, if you want to treat the data as apmd log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B apmd_tmp_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the apmd_tmp_t type, if you want to store apmd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B apmd_unit_file_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the apmd_unit_file_t type, if you want to treat the files as apmd unit content. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B apmd_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the apmd_var_run_t type, if you want to store the apmd files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -4799,6 +8362,8 @@ index 0000000..071cf38 +.br +.B apmd_lock_t + ++ /var/lock/subsys/acpid ++.br + +.br +.B apmd_log_t @@ -4811,12 +8376,20 @@ index 0000000..071cf38 + + +.br ++.B apmd_var_lib_t ++ ++ /var/lib/acpi(/.*)? ++.br ++ ++.br +.B apmd_var_run_t + + /var/run/\.?acpid\.socket +.br + /var/run/apmd\.pid +.br ++ /var/run/acpid\.pid ++.br + /var/run/powersaved\.pid +.br + /var/run/powersave_socket @@ -4845,15 +8418,11 @@ index 0000000..071cf38 +.br + +.br -+.B initrc_var_run_t ++.B root_t + -+ /var/run/utmp ++ / +.br -+ /var/run/random-seed -+.br -+ /var/run/runlevel\.dir -+.br -+ /var/run/setmixer_flag ++ /initrd +.br + +.br 
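Review bot: the new BOOLEANS section documents authlogin_nsswitch_use_ldap and kerberos_enabled with their defaults, and the NSSWITCH DOMAIN section immediately after documents the same two booleans again with the same setsebool lines; drop one copy, or have the NSSWITCH section only list booleans not already covered. The printed defaults also disagree between pages generated on the same date: this page says "nscd_use_shm boolean. Disabled by default." while the apcupsd page in this same patch says "Enabled by default." for the same boolean. A boolean has one default in a policy build, so the generator is reading something other than the policy default (the running system's current value?), and the pages should not be committed until that is sorted out. deny_ptrace is again described as a boolean to turn on in order to allow ptrace, which is backwards. In MANAGED FILES the initrc_var_run_t block ("/var/run/utmp", "/var/run/random-seed", ...) is replaced by root_t ("/", "/initrd"); the added "/var/lib/acpi(/.*)?" and "/var/run/acpid\.pid" entries look correct, but a daemon listed as managing / needs a sentence saying which boolean gates that.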
@@ -4874,21 +8443,108 @@ index 0000000..071cf38 + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux apmd policy is very flexible allowing users to setup their apmd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the apmd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t apmd_exec_t '/srv/apmd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myapmd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for apmd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B apmd_exec_t +.EE + ++- Set files with the apmd_exec_t type, if you want to transition an executable to the apmd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/apmd, /usr/sbin/acpid, /usr/sbin/powersaved ++ ++.EX ++.PP ++.B apmd_initrc_exec_t ++.EE ++ ++- Set files with the apmd_initrc_exec_t type, if you want to transition an executable to the apmd_initrc_t domain. 
++ ++ ++.EX ++.PP ++.B apmd_lock_t ++.EE ++ ++- Set files with the apmd_lock_t type, if you want to treat the files as apmd lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B apmd_log_t ++.EE ++ ++- Set files with the apmd_log_t type, if you want to treat the data as apmd log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B apmd_tmp_t ++.EE ++ ++- Set files with the apmd_tmp_t type, if you want to store apmd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B apmd_unit_file_t ++.EE ++ ++- Set files with the apmd_unit_file_t type, if you want to treat the files as apmd unit content. ++ ++ ++.EX ++.PP ++.B apmd_var_lib_t ++.EE ++ ++- Set files with the apmd_var_lib_t type, if you want to store the apmd files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B apmd_var_run_t ++.EE ++ ++- Set files with the apmd_var_run_t type, if you want to store the apmd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/\.?acpid\.socket, /var/run/apmd\.pid, /var/run/acpid\.pid, /var/run/powersaved\.pid, /var/run/powersave_socket ++ +.PP -+If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -4900,6 +8556,9 @@ index 0000000..071cf38 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
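Review bot: the STANDARD FILE CONTEXT example in this hunk, "semanage fcontext -a -t apmd_exec_t '/srv/apmd/content(/.*)?'", shows labeling a content tree with the entrypoint type, which would let any file written there be executed as apmd_t; the template should use a data type such as apmd_var_lib_t, and the "restorecon -R -v /srv/myapmd_content" that follows must target the same path as the fcontext rule or the example is a no-op. "\fBls\bP" should be "\fBls\fP". The "Paths:" lines added under apmd_exec_t and apmd_var_run_t are a useful addition; the "/run or /var/run directory" wording change is fine.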
@@ -4911,15 +8570,15 @@ index 0000000..071cf38 + +.SH "SEE ALSO" +selinux(8), apmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, apm_selinux(8), apm_selinux(8) ++, setsebool(8), apm_selinux(8), apm_selinux(8) \ No newline at end of file diff --git a/man/man8/arpwatch_selinux.8 b/man/man8/arpwatch_selinux.8 new file mode 100644 -index 0000000..d869564 +index 0000000..d61545c --- /dev/null +++ b/man/man8/arpwatch_selinux.8 -@@ -0,0 +1,160 @@ -+.TH "arpwatch_selinux" "8" "12-11-01" "arpwatch" "SELinux Policy documentation for arpwatch" +@@ -0,0 +1,293 @@ ++.TH "arpwatch_selinux" "8" "13-01-16" "arpwatch" "SELinux Policy documentation for arpwatch" +.SH "NAME" +arpwatch_selinux \- Security Enhanced Linux Policy for the arpwatch processes +.SH "DESCRIPTION" @@ -4935,7 +8594,9 @@ index 0000000..d869564 + +.SH "ENTRYPOINTS" + -+The arpwatch_t SELinux type can be entered via the "arpwatch_exec_t" file type. The default entrypoint paths for the arpwatch_t domain are the following:" ++The arpwatch_t SELinux type can be entered via the \fBarpwatch_exec_t\fP file type. ++ ++The default entrypoint paths for the arpwatch_t domain are the following: + +/usr/sbin/arpwatch +.SH PROCESS TYPES 
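Review bot: the regenerated SEE ALSO line is ", setsebool(8), apm_selinux(8), apm_selinux(8)", so apm_selinux(8) is still listed twice (the old line already had the duplicate and the regeneration preserved it). The generator should de-duplicate the related-page list before emitting it, and as elsewhere in the patch the comma-led continuation on its own troff line renders with a stray space before the comma.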
@@ -4953,8 +8614,154 @@ index 0000000..d869564 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a arpwatch_t ++can be used to make the process type arpwatch_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. arpwatch policy is extremely flexible and has several booleans that allow you to manipulate the policy and run arpwatch with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the arpwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the arpwatch_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type arpwatch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B arpwatch_data_t ++ ++ /var/arpwatch(/.*)? 
++.br ++ /var/lib/arpwatch(/.*)? ++.br ++ ++.br ++.B arpwatch_tmp_t ++ ++ ++.br ++.B arpwatch_var_run_t ++ ++ /var/run/arpwatch.*\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -4964,7 +8771,20 @@ index 0000000..d869564 +Policy governs the access confined processes have to these files. +SELinux arpwatch policy is very flexible allowing users to setup their arpwatch processes in as secure a method as possible. +.PP -+The following file types are defined for arpwatch: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the arpwatch, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t arpwatch_data_t '/srv/arpwatch/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myarpwatch_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for arpwatch: + + +.EX @@ -4974,6 +8794,10 @@ index 0000000..d869564 + +- Set files with the arpwatch_data_t type, if you want to treat the files as arpwatch content. + ++.br ++.TP 5 ++Paths: ++/var/arpwatch(/.*)?, /var/lib/arpwatch(/.*)? + +.EX +.PP @@ -5012,7 +8836,7 @@ index 0000000..d869564 +.B arpwatch_var_run_t +.EE + -+- Set files with the arpwatch_var_run_t type, if you want to store the arpwatch files under the /run directory. ++- Set files with the arpwatch_var_run_t type, if you want to store the arpwatch files under the /run or /var/run directory. + + +.PP 
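Review bot: arpwatch picks up the same generated defects as the other pages, which argues for fixing the generator rather than the pages: deny_ptrace is documented as something to turn on ("setsebool -P deny_ptrace 1") in order to allow ptrace, which does the opposite; authlogin_nsswitch_use_ldap and kerberos_enabled are documented twice (BOOLEANS, then NSSWITCH DOMAIN); and the STANDARD FILE CONTEXT example adds a rule for "/srv/arpwatch/content(/.*)?" but runs restorecon on "/srv/myarpwatch_content". On the positive side this page's example uses arpwatch_data_t rather than an exec_t type, which is the right choice and what the other pages should do, and the arpwatch_var_run_t path "/var/run/arpwatch.*\.pid" that the old MANAGED FILES left blank is now filled in. root_t ("/", "/initrd") is listed for arpwatch_t without saying it is boolean-gated; the same caveat as for the daemon pages applies.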
@@ -5022,42 +8846,6 @@ index 0000000..d869564 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type arpwatch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B arpwatch_data_t -+ -+ /var/arpwatch(/.*)? -+.br -+ /var/lib/arpwatch(/.*)? -+.br -+ -+.br -+.B arpwatch_tmp_t -+ -+ -+.br -+.B arpwatch_var_run_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the arpwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the arpwatch_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -5068,6 +8856,9 @@ index 0000000..d869564 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -5079,13 +8870,15 @@ index 0000000..d869564 + +.SH "SEE ALSO" +selinux(8), arpwatch(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/asterisk_selinux.8 b/man/man8/asterisk_selinux.8 new file mode 100644 -index 0000000..070e49b +index 0000000..e2996fe --- /dev/null 
+++ b/man/man8/asterisk_selinux.8 -@@ -0,0 +1,228 @@ -+.TH "asterisk_selinux" "8" "12-11-01" "asterisk" "SELinux Policy documentation for asterisk" +@@ -0,0 +1,349 @@ ++.TH "asterisk_selinux" "8" "13-01-16" "asterisk" "SELinux Policy documentation for asterisk" +.SH "NAME" +asterisk_selinux \- Security Enhanced Linux Policy for the asterisk processes +.SH "DESCRIPTION" @@ -5101,7 +8894,9 @@ index 0000000..070e49b + +.SH "ENTRYPOINTS" + -+The asterisk_t SELinux type can be entered via the "asterisk_exec_t" file type. The default entrypoint paths for the asterisk_t domain are the following:" ++The asterisk_t SELinux type can be entered via the \fBasterisk_exec_t\fP file type. ++ ++The default entrypoint paths for the asterisk_t domain are the following: + +/usr/sbin/asterisk +.SH PROCESS TYPES 
@@ -5119,8 +8914,187 @@ index 0000000..070e49b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a asterisk_t ++can be used to make the process type asterisk_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. asterisk policy is extremely flexible and has several booleans that allow you to manipulate the policy and run asterisk with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the asterisk_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the asterisk_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. 
++SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible. ++.PP ++The following port types are defined for asterisk: ++ ++.EX ++.TP 5 ++.B asterisk_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 1720 ++.EE ++udp 2427,2727,4569 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type asterisk_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B asterisk_spool_t ++ ++ /var/spool/asterisk(/.*)? ++.br ++ ++.br ++.B asterisk_tmp_t ++ ++ ++.br ++.B asterisk_tmpfs_t ++ ++ ++.br ++.B asterisk_var_lib_t ++ ++ /var/lib/asterisk(/.*)? ++.br ++ ++.br ++.B asterisk_var_run_t ++ ++ /var/run/asterisk.* ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5130,7 +9104,20 @@ index 0000000..070e49b +Policy governs the access confined processes have to these files. +SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible. +.PP -+The following file types are defined for asterisk: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the asterisk, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t asterisk_etc_t '/srv/asterisk/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myasterisk_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for asterisk: + + +.EX 
@@ -5202,7 +9189,7 @@ index 0000000..070e49b +.B asterisk_var_run_t +.EE + -+- Set files with the asterisk_var_run_t type, if you want to store the asterisk files under the /run directory. ++- Set files with the asterisk_var_run_t type, if you want to store the asterisk files under the /run or /var/run directory. + + +.PP 
@@ -5212,83 +9199,6 @@ index 0000000..070e49b +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux asterisk policy is very flexible allowing users to setup their asterisk processes in as secure a method as possible. -+.PP -+The following port types are defined for asterisk: -+ -+.EX -+.TP 5 -+.B asterisk_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 1720 -+.EE -+udp 2427,2727,4569 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type asterisk_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B asterisk_log_t -+ -+ /var/log/asterisk(/.*)? -+.br -+ -+.br -+.B asterisk_spool_t -+ -+ /var/spool/asterisk(/.*)? -+.br -+ -+.br -+.B asterisk_tmp_t -+ -+ -+.br -+.B asterisk_tmpfs_t -+ -+ -+.br -+.B asterisk_var_lib_t -+ -+ /var/lib/asterisk(/.*)? -+.br -+ -+.br -+.B asterisk_var_run_t -+ -+ /var/run/asterisk(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the asterisk_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the asterisk_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -5302,6 +9212,9 @@ index 0000000..070e49b +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -5313,13 +9226,15 @@ index 0000000..070e49b + +.SH "SEE ALSO" +selinux(8), asterisk(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/audisp_remote_selinux.8 b/man/man8/audisp_remote_selinux.8 new file mode 100644 -index 0000000..e4c6d66 +index 0000000..adbd06c --- /dev/null +++ b/man/man8/audisp_remote_selinux.8 -@@ -0,0 +1,119 @@ -+.TH "audisp_remote_selinux" "8" "12-11-01" "audisp_remote" "SELinux Policy documentation for audisp_remote" +@@ -0,0 +1,217 @@ ++.TH "audisp_remote_selinux" "8" "13-01-16" "audisp_remote" "SELinux Policy documentation for audisp_remote" +.SH "NAME" +audisp_remote_selinux \- Security Enhanced Linux Policy for the audisp_remote processes +.SH "DESCRIPTION" @@ -5335,7 +9250,9 @@ index 0000000..e4c6d66 + +.SH "ENTRYPOINTS" + -+The audisp_remote_t SELinux type can be entered via the "audisp_remote_exec_t" file type. The default entrypoint paths for the audisp_remote_t domain are the following:" ++The audisp_remote_t SELinux type can be entered via the \fBaudisp_remote_exec_t\fP file type. ++ ++The default entrypoint paths for the audisp_remote_t domain are the following: + +/sbin/audisp-remote, /usr/sbin/audisp-remote +.SH PROCESS TYPES 
@@ -5353,34 +9270,100 @@ index 0000000..e4c6d66 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a audisp_remote_t ++can be used to make the process type audisp_remote_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux audisp_remote policy is very flexible allowing users to setup their audisp_remote processes in as secure a method as possible. -+.PP -+The following file types are defined for audisp_remote: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. audisp_remote policy is extremely flexible and has several booleans that allow you to manipulate the policy and run audisp_remote with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B audisp_remote_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the audisp_remote_exec_t type, if you want to transition an executable to the audisp_remote_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the audisp_remote_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -5400,21 +9383,48 @@ index 0000000..e4c6d66 + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux audisp_remote policy is very flexible allowing users to setup their audisp_remote processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the audisp_remote, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t audisp_remote_exec_t '/srv/audisp_remote/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myaudisp_remote_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for audisp_remote: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B audisp_remote_exec_t +.EE + ++- Set files with the audisp_remote_exec_t type, if you want to transition an executable to the audisp_remote_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/audisp-remote, /usr/sbin/audisp-remote ++ +.PP -+If you want to allow confined applications to run with kerberos for the audisp_remote_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. 
This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -5426,6 +9436,9 @@ index 0000000..e4c6d66 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -5437,15 +9450,15 @@ index 0000000..e4c6d66 + +.SH "SEE ALSO" +selinux(8), audisp_remote(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, audisp_selinux(8), audisp_selinux(8) ++, setsebool(8), audisp_selinux(8), audisp_selinux(8) \ No newline at end of file diff --git a/man/man8/audisp_selinux.8 b/man/man8/audisp_selinux.8 new file mode 100644 -index 0000000..b50bbfe +index 0000000..d9384fe --- /dev/null +++ b/man/man8/audisp_selinux.8 -@@ -0,0 +1,117 @@ -+.TH "audisp_selinux" "8" "12-11-01" "audisp" "SELinux Policy documentation for audisp" +@@ -0,0 +1,227 @@ ++.TH "audisp_selinux" "8" "13-01-16" "audisp" "SELinux Policy documentation for audisp" +.SH "NAME" +audisp_selinux \- Security Enhanced Linux Policy for the audisp processes +.SH "DESCRIPTION" @@ -5461,7 +9474,9 @@ index 0000000..b50bbfe + +.SH "ENTRYPOINTS" + -+The audisp_t SELinux type can be entered via the "audisp_exec_t" file type. The default entrypoint paths for the audisp_t domain are the following:" ++The audisp_t SELinux type can be entered via the \fBaudisp_exec_t\fP file type. ++ ++The default entrypoint paths for the audisp_t domain are the following: + +/sbin/audispd, /usr/sbin/audispd +.SH PROCESS TYPES 
@@ -5479,55 +9494,97 @@ index 0000000..b50bbfe +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a audisp_t ++can be used to make the process type audisp_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux audisp policy is very flexible allowing users to setup their audisp processes in as secure a method as possible. -+.PP -+The following file types are defined for audisp: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. audisp policy is extremely flexible and has several booleans that allow you to manipulate the policy and run audisp with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B audisp_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the audisp_exec_t type, if you want to transition an executable to the audisp_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B audisp_remote_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the audisp_remote_exec_t type, if you want to transition an executable to the audisp_remote_t domain. 
-+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B audisp_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the audisp_var_run_t type, if you want to store the audisp files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the audisp_t, audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the audisp_t, audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 
@@ -5540,6 +9597,69 @@ index 0000000..b50bbfe +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux audisp policy is very flexible allowing users to setup their audisp processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the audisp, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t audisp_exec_t '/srv/audisp/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myaudisp_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for audisp: ++ ++ ++.EX ++.PP ++.B audisp_exec_t ++.EE ++ ++- Set files with the audisp_exec_t type, if you want to transition an executable to the audisp_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/audispd, /usr/sbin/audispd ++ ++.EX ++.PP ++.B audisp_remote_exec_t ++.EE ++ ++- Set files with the audisp_remote_exec_t type, if you want to transition an executable to the audisp_remote_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/audisp-remote, /usr/sbin/audisp-remote ++ ++.EX ++.PP ++.B audisp_var_run_t ++.EE ++ ++- Set files with the audisp_var_run_t type, if you want to store the audisp files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -5550,6 +9670,9 @@ index 0000000..b50bbfe +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -5561,14 +9684,825 @@ index 0000000..b50bbfe + +.SH "SEE ALSO" +selinux(8), audisp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, audisp_remote_selinux(8) ++, setsebool(8), audisp_remote_selinux(8) +\ No newline at end of file +diff --git a/man/man8/auditadm_dbusd_selinux.8 b/man/man8/auditadm_dbusd_selinux.8 +new file mode 100644 +index 0000000..e4ec183 +--- /dev/null ++++ b/man/man8/auditadm_dbusd_selinux.8 +@@ -0,0 +1,254 @@ ++.TH "auditadm_dbusd_selinux" "8" "13-01-16" "auditadm_dbusd" "SELinux Policy documentation for auditadm_dbusd" ++.SH "NAME" ++auditadm_dbusd_selinux \- Security Enhanced Linux Policy for the auditadm_dbusd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the auditadm_dbusd processes via flexible mandatory access control. ++ ++The auditadm_dbusd processes execute with the auditadm_dbusd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep auditadm_dbusd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The auditadm_dbusd_t SELinux type can be entered via the \fBdbusd_exec_t\fP file type. ++ ++The default entrypoint paths for the auditadm_dbusd_t domain are the following: ++ ++/usr/bin/dbus-daemon(-1)?, /bin/dbus-daemon, /lib/dbus-1/dbus-daemon-launch-helper, /usr/lib/dbus-1/dbus-daemon-launch-helper ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux auditadm_dbusd policy is very flexible allowing users to setup their auditadm_dbusd processes in as secure a method as possible. ++.PP ++The following process types are defined for auditadm_dbusd: ++ ++.EX ++.B auditadm_dbusd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a auditadm_dbusd_t ++can be used to make the process type auditadm_dbusd_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. auditadm_dbusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run auditadm_dbusd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the auditadm_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the auditadm_dbusd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type auditadm_dbusd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? 
++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B session_dbusd_tmp_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmpfs_t ++ ++ /dev/shm/mono.* ++.br ++ /dev/shm/pulse-shm.* ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), auditadm_dbusd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), auditadm_selinux(8), auditadm_selinux(8), auditadm_gkeyringd_selinux(8), auditadm_screen_selinux(8), auditadm_seunshare_selinux(8), auditadm_su_selinux(8), auditadm_sudo_selinux(8), auditadm_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/auditadm_gkeyringd_selinux.8 b/man/man8/auditadm_gkeyringd_selinux.8 +new file mode 100644 +index 0000000..347d1c1 +--- /dev/null ++++ b/man/man8/auditadm_gkeyringd_selinux.8 +@@ -0,0 +1,314 @@ ++.TH "auditadm_gkeyringd_selinux" "8" "13-01-16" "auditadm_gkeyringd" "SELinux Policy documentation for auditadm_gkeyringd" ++.SH "NAME" ++auditadm_gkeyringd_selinux \- Security Enhanced Linux Policy for the auditadm_gkeyringd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the auditadm_gkeyringd processes via flexible mandatory access control. ++ ++The auditadm_gkeyringd processes execute with the auditadm_gkeyringd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep auditadm_gkeyringd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The auditadm_gkeyringd_t SELinux type can be entered via the \fBgkeyringd_exec_t\fP file type. ++ ++The default entrypoint paths for the auditadm_gkeyringd_t domain are the following: ++ ++/usr/bin/gnome-keyring-daemon ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux auditadm_gkeyringd policy is very flexible allowing users to setup their auditadm_gkeyringd processes in as secure a method as possible. 
++.PP ++The following process types are defined for auditadm_gkeyringd: ++ ++.EX ++.B auditadm_gkeyringd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a auditadm_gkeyringd_t ++can be used to make the process type auditadm_gkeyringd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. auditadm_gkeyringd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run auditadm_gkeyringd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the auditadm_gkeyringd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the auditadm_gkeyringd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type auditadm_gkeyringd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? 
++.br ++ /home/[^/]*/\.nv(/.*)? ++.br ++ /home/[^/]*/\.cache(/.*)? ++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B config_home_t ++ ++ /root/\.kde(/.*)? ++.br ++ /root/\.xine(/.*)? ++.br ++ /root/\.config(/.*)? ++.br ++ /var/run/user/[^/]*/dconf(/.*)? ++.br ++ /root/\.Xdefaults ++.br ++ /home/[^/]*/\.kde(/.*)? ++.br ++ /home/[^/]*/\.xine(/.*)? ++.br ++ /home/[^/]*/\.config(/.*)? ++.br ++ /home/[^/]*/\.Xdefaults ++.br ++ /home/pwalsh/\.kde(/.*)? ++.br ++ /home/pwalsh/\.xine(/.*)? ++.br ++ /home/pwalsh/\.config(/.*)? ++.br ++ /home/pwalsh/\.Xdefaults ++.br ++ /home/dwalsh/\.kde(/.*)? ++.br ++ /home/dwalsh/\.xine(/.*)? ++.br ++ /home/dwalsh/\.config(/.*)? ++.br ++ /home/dwalsh/\.Xdefaults ++.br ++ /var/lib/xguest/home/xguest/\.kde(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.xine(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Xdefaults ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B gkeyringd_gnome_home_t ++ ++ /root/\.gnome2/keyrings(/.*)? ++.br ++ /home/[^/]*/\.gnome2/keyrings(/.*)? ++.br ++ /home/[^/]*/\.local/share/keyrings(/.*)? ++.br ++ /home/pwalsh/\.gnome2/keyrings(/.*)? ++.br ++ /home/pwalsh/\.local/share/keyrings(/.*)? ++.br ++ /home/dwalsh/\.gnome2/keyrings(/.*)? ++.br ++ /home/dwalsh/\.local/share/keyrings(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.gnome2/keyrings(/.*)? 
++.br ++ /var/lib/xguest/home/xguest/\.local/share/keyrings(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), auditadm_gkeyringd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), auditadm_selinux(8), auditadm_selinux(8), auditadm_dbusd_selinux(8), auditadm_screen_selinux(8), auditadm_seunshare_selinux(8), auditadm_su_selinux(8), auditadm_sudo_selinux(8), auditadm_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/auditadm_screen_selinux.8 b/man/man8/auditadm_screen_selinux.8 +new file mode 100644 +index 0000000..b8041be +--- /dev/null ++++ b/man/man8/auditadm_screen_selinux.8 +@@ -0,0 +1,222 @@ ++.TH "auditadm_screen_selinux" "8" "13-01-16" "auditadm_screen" "SELinux Policy documentation for auditadm_screen" ++.SH "NAME" ++auditadm_screen_selinux \- Security Enhanced Linux Policy for the auditadm_screen processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the auditadm_screen processes via flexible mandatory access control. ++ ++The auditadm_screen processes execute with the auditadm_screen_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep auditadm_screen_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The auditadm_screen_t SELinux type can be entered via the \fBscreen_exec_t\fP file type. 
++ ++The default entrypoint paths for the auditadm_screen_t domain are the following: ++ ++/usr/bin/tmux, /usr/bin/screen ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux auditadm_screen policy is very flexible allowing users to setup their auditadm_screen processes in as secure a method as possible. ++.PP ++The following process types are defined for auditadm_screen: ++ ++.EX ++.B auditadm_screen_t ++.EE ++.PP ++Note: ++.B semanage permissive -a auditadm_screen_t ++can be used to make the process type auditadm_screen_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. auditadm_screen policy is extremely flexible and has several booleans that allow you to manipulate the policy and run auditadm_screen with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the auditadm_screen_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the auditadm_screen_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type auditadm_screen_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B user_tmp_type ++ ++ all user tmp files ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), auditadm_screen(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), auditadm_selinux(8), auditadm_selinux(8), auditadm_dbusd_selinux(8), auditadm_gkeyringd_selinux(8), auditadm_seunshare_selinux(8), auditadm_su_selinux(8), auditadm_sudo_selinux(8), auditadm_wine_selinux(8) \ No newline at end of file diff --git a/man/man8/auditadm_selinux.8 b/man/man8/auditadm_selinux.8 new file mode 100644 -index 0000000..42e7075 +index 0000000..843ce8f --- /dev/null 
+++ b/man/man8/auditadm_selinux.8 -@@ -0,0 +1,242 @@ +@@ -0,0 +1,494 @@ +.TH "auditadm_selinux" "8" "auditadm" "mgrepl@redhat.com" "auditadm SELinux Policy documentation" +.SH "NAME" +auditadm_r \- \fBAudit administrator role\fP - Security Enhanced Linux Policy 
@@ -5620,6 +10554,234 @@ index 0000000..42e7075 +SELinux policy allows the sysadm_r, secadm_r, staff_r roles can transition to the auditadm_r role. + + ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. auditadm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run auditadm with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether calling user domains can execute Git daemon in the git_session_t domain, you must turn on the git_session_users boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P git_session_users 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean. Disabled by default. ++ ++.EX ++.B setsebool -P pppd_for_user 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Disabled by default. ++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_mysql_connect_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_postgresql_connect_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_rw_noexattrfile 1 ++ ++.EE ++ ++.PP ++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_tcp_server 1 ++ ++.EE ++ ++.PP ++If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_use_ssh_chroot 1 ++ ++.EE ++ ++.PP ++If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_user_share_music 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ +.SH "MANAGED FILES" + +The SELinux process type auditadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. @@ -5661,6 +10823,10 @@ index 0000000..42e7075 + + +.br ++.B cifs_t ++ ++ ++.br +.B games_data_t + + /var/games(/.*)? @@ -5673,6 +10839,8 @@ index 0000000..42e7075 + + /home/[^/]*/\.gnupg/log-socket +.br ++ /home/pwalsh/\.gnupg/log-socket ++.br + /home/dwalsh/\.gnupg/log-socket +.br + /var/lib/xguest/home/xguest/\.gnupg/log-socket @@ -5715,6 +10883,10 @@ index 0000000..42e7075 +.br + /home/[^/]*/\.screenrc +.br ++ /home/pwalsh/\.screen(/.*)? ++.br ++ /home/pwalsh/\.screenrc ++.br + /home/dwalsh/\.screen(/.*)? +.br + /home/dwalsh/\.screenrc @@ -5749,6 +10921,12 @@ index 0000000..42e7075 +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? 
@@ -5790,6 +10968,10 @@ index 0000000..42e7075 + /tmp/\.X0-lock +.br + ++.br ++.B xserver_tmpfs_t ++ ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -5800,6 +10982,9 @@ index 0000000..42e7075 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -5811,13 +10996,1317 @@ index 0000000..42e7075 + +.SH "SEE ALSO" +selinux(8), auditadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), auditadm_dbusd_selinux(8), auditadm_gkeyringd_selinux(8), auditadm_screen_selinux(8), auditadm_seunshare_selinux(8), auditadm_su_selinux(8), auditadm_sudo_selinux(8), auditadm_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/auditadm_seunshare_selinux.8 b/man/man8/auditadm_seunshare_selinux.8 +new file mode 100644 +index 0000000..36ff856 +--- /dev/null ++++ b/man/man8/auditadm_seunshare_selinux.8 +@@ -0,0 +1,202 @@ ++.TH "auditadm_seunshare_selinux" "8" "13-01-16" "auditadm_seunshare" "SELinux Policy documentation for auditadm_seunshare" ++.SH "NAME" ++auditadm_seunshare_selinux \- Security Enhanced Linux Policy for the auditadm_seunshare processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the auditadm_seunshare processes via flexible mandatory access control. ++ ++The auditadm_seunshare processes execute with the auditadm_seunshare_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep auditadm_seunshare_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The auditadm_seunshare_t SELinux type can be entered via the \fBseunshare_exec_t\fP file type. ++ ++The default entrypoint paths for the auditadm_seunshare_t domain are the following: ++ ++/usr/sbin/seunshare ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux auditadm_seunshare policy is very flexible allowing users to setup their auditadm_seunshare processes in as secure a method as possible. 
++.PP ++The following process types are defined for auditadm_seunshare: ++ ++.EX ++.B auditadm_seunshare_t ++.EE ++.PP ++Note: ++.B semanage permissive -a auditadm_seunshare_t ++can be used to make the process type auditadm_seunshare_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. auditadm_seunshare policy is extremely flexible and has several booleans that allow you to manipulate the policy and run auditadm_seunshare with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the auditadm_seunshare_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the auditadm_seunshare_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type auditadm_seunshare_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_tmpfs_type ++ ++ all sandbox content in tmpfs file systems ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), auditadm_seunshare(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), auditadm_selinux(8), auditadm_selinux(8), auditadm_dbusd_selinux(8), auditadm_gkeyringd_selinux(8), auditadm_screen_selinux(8), auditadm_su_selinux(8), auditadm_sudo_selinux(8), auditadm_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/auditadm_su_selinux.8 b/man/man8/auditadm_su_selinux.8 +new file mode 100644 +index 0000000..4e343d1 +--- /dev/null ++++ b/man/man8/auditadm_su_selinux.8 +@@ -0,0 +1,244 @@ ++.TH "auditadm_su_selinux" "8" "13-01-16" "auditadm_su" "SELinux Policy documentation for auditadm_su" ++.SH "NAME" ++auditadm_su_selinux \- Security Enhanced Linux Policy for the auditadm_su processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the auditadm_su processes via flexible mandatory access control. ++ ++The auditadm_su processes execute with the auditadm_su_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++ ++For example: ++ ++.B ps -eZ | grep auditadm_su_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The auditadm_su_t SELinux type can be entered via the \fBsu_exec_t\fP file type. ++ ++The default entrypoint paths for the auditadm_su_t domain are the following: ++ ++/usr/(local/)?bin/ksu, /bin/su, /usr/bin/su, /usr/bin/kdesu ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux auditadm_su policy is very flexible allowing users to setup their auditadm_su processes in as secure a method as possible. ++.PP ++The following process types are defined for auditadm_su: ++ ++.EX ++.B auditadm_su_t, auditadm_sudo_t ++.EE ++.PP ++Note: ++.B semanage permissive -a auditadm_su_t ++can be used to make the process type auditadm_su_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. auditadm_su policy is extremely flexible and has several booleans that allow you to manipulate the policy and run auditadm_su with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to enable polyinstantiated directory support, you must turn on the polyinstantiation_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P polyinstantiation_enabled 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the auditadm_su_t, auditadm_sudo_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the auditadm_su_t, auditadm_sudo_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type auditadm_su_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B lastlog_t ++ ++ /var/log/lastlog.* ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. 
++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), auditadm_su(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), auditadm_selinux(8), auditadm_selinux(8), auditadm_dbusd_selinux(8), auditadm_gkeyringd_selinux(8), auditadm_screen_selinux(8), auditadm_seunshare_selinux(8), auditadm_sudo_selinux(8), auditadm_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/auditadm_sudo_selinux.8 b/man/man8/auditadm_sudo_selinux.8 +new file mode 100644 +index 0000000..2307872 +--- /dev/null ++++ b/man/man8/auditadm_sudo_selinux.8 +@@ -0,0 +1,326 @@ ++.TH "auditadm_sudo_selinux" "8" "13-01-16" "auditadm_sudo" "SELinux Policy documentation for auditadm_sudo" ++.SH "NAME" ++auditadm_sudo_selinux \- Security Enhanced Linux Policy for the auditadm_sudo processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the auditadm_sudo processes via flexible mandatory access control. ++ ++The auditadm_sudo processes execute with the auditadm_sudo_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep auditadm_sudo_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The auditadm_sudo_t SELinux type can be entered via the \fBsudo_exec_t\fP file type. ++ ++The default entrypoint paths for the auditadm_sudo_t domain are the following: ++ ++/usr/bin/sudo(edit)? ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. 
++SELinux auditadm_sudo policy is very flexible allowing users to setup their auditadm_sudo processes in as secure a method as possible. ++.PP ++The following process types are defined for auditadm_sudo: ++ ++.EX ++.B auditadm_sudo_t ++.EE ++.PP ++Note: ++.B semanage permissive -a auditadm_sudo_t ++can be used to make the process type auditadm_sudo_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. auditadm_sudo policy is extremely flexible and has several booleans that allow you to manipulate the policy and run auditadm_sudo with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the auditadm_sudo_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the auditadm_sudo_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type auditadm_sudo_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B auditadm_sudo_tmp_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B pam_var_run_t ++ ++ /var/(db|lib|adm)/sudo(/.*)? ++.br ++ /var/run/sudo(/.*)? ++.br ++ /var/run/sepermit(/.*)? ++.br ++ /var/run/pam_mount(/.*)? ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B sudo_db_t ++ ++ /var/db/sudo(/.*)? ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. 
++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), auditadm_sudo(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), auditadm_selinux(8), auditadm_selinux(8), auditadm_dbusd_selinux(8), auditadm_gkeyringd_selinux(8), auditadm_screen_selinux(8), auditadm_seunshare_selinux(8), auditadm_su_selinux(8), auditadm_su_selinux(8), auditadm_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/auditadm_wine_selinux.8 b/man/man8/auditadm_wine_selinux.8 +new file mode 100644 +index 0000000..c5b5182 +--- /dev/null ++++ b/man/man8/auditadm_wine_selinux.8 +@@ -0,0 +1,502 @@ ++.TH "auditadm_wine_selinux" "8" "13-01-16" "auditadm_wine" "SELinux Policy documentation for auditadm_wine" ++.SH "NAME" ++auditadm_wine_selinux \- Security Enhanced Linux Policy for the auditadm_wine processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the auditadm_wine processes via flexible mandatory access control. ++ ++The auditadm_wine processes execute with the auditadm_wine_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep auditadm_wine_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The auditadm_wine_t SELinux type can be entered via the \fBuser_home_t, wine_exec_t, xsession_exec_t\fP file types. 
++ ++The default entrypoint paths for the auditadm_wine_t domain are the following: ++ ++/home/[^/]*/.+, /home/pwalsh/.+, /home/dwalsh/.+, /var/lib/xguest/home/xguest/.+, /usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/msiexec, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/progman, /opt/google/picasa(/.*)?/bin/regedit, /opt/google/picasa(/.*)?/bin/regsvr32, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*, /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad, /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller, /home/[^/]*/cxoffice/bin/wine.+, /home/pwalsh/cxoffice/bin/wine.+, /home/dwalsh/cxoffice/bin/wine.+, /var/lib/xguest/home/xguest/cxoffice/bin/wine.+, /etc/gdm(3)?/Xsession, /etc/kde[34]?/kdm/Xreset, /etc/gdm(3)?/PreSession/.*, /etc/kde[34]?/kdm/Xstartup, /etc/kde[34]?/kdm/Xsession, /etc/gdm(3)?/PostSession/.*, /etc/X11/[wx]dm/Xreset.*, /etc/X11/[wxg]dm/Xsession, /etc/X11/Xsession[^/]*, /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.* ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux auditadm_wine policy is very flexible allowing users to setup their auditadm_wine processes in as secure a method as possible. ++.PP ++The following process types are defined for auditadm_wine: ++ ++.EX ++.B auditadm_wine_t ++.EE ++.PP ++Note: ++.B semanage permissive -a auditadm_wine_t ++can be used to make the process type auditadm_wine_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
auditadm_wine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run auditadm_wine with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Disabled by default. ++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_postgresql_connect_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_rw_noexattrfile 1 ++ ++.EE ++ ++.PP ++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_tcp_server 1 ++ ++.EE ++ ++.PP ++If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_user_share_music 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the auditadm_wine_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the auditadm_wine_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type auditadm_wine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. 
Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B chrome_sandbox_tmpfs_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B games_data_t ++ ++ /var/games(/.*)? ++.br ++ /var/lib/games(/.*)? ++.br ++ ++.br ++.B gpg_agent_tmp_t ++ ++ /home/[^/]*/\.gnupg/log-socket ++.br ++ /home/pwalsh/\.gnupg/log-socket ++.br ++ /home/dwalsh/\.gnupg/log-socket ++.br ++ /var/lib/xguest/home/xguest/\.gnupg/log-socket ++.br ++ ++.br ++.B iceauth_home_t ++ ++ /root/\.DCOP.* ++.br ++ /root/\.ICEauthority.* ++.br ++ /home/[^/]*/\.DCOP.* ++.br ++ /home/[^/]*/\.ICEauthority.* ++.br ++ /home/pwalsh/\.DCOP.* ++.br ++ /home/pwalsh/\.ICEauthority.* ++.br ++ /home/dwalsh/\.DCOP.* ++.br ++ /home/dwalsh/\.ICEauthority.* ++.br ++ /var/lib/xguest/home/xguest/\.DCOP.* ++.br ++ /var/lib/xguest/home/xguest/\.ICEauthority.* ++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? ++.br ++ ++.br ++.B mqueue_spool_t ++ ++ /var/spool/(client)?mqueue(/.*)? ++.br ++ /var/spool/mqueue\.in(/.*)? ++.br ++ ++.br ++.B nfsd_rw_t ++ ++ ++.br ++.B noxattrfs ++ ++ all files on file systems which do not support extended attributes ++.br ++ ++.br ++.B usbfs_t ++ ++ ++.br ++.B user_fonts_cache_t ++ ++ /root/\.fontconfig(/.*)? ++.br ++ /root/\.fonts/auto(/.*)? ++.br ++ /root/\.fonts\.cache-.* ++.br ++ /home/[^/]*/\.fontconfig(/.*)? ++.br ++ /home/[^/]*/\.fonts/auto(/.*)? ++.br ++ /home/[^/]*/\.fonts\.cache-.* ++.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br ++ /home/dwalsh/\.fontconfig(/.*)? ++.br ++ /home/dwalsh/\.fonts/auto(/.*)? ++.br ++ /home/dwalsh/\.fonts\.cache-.* ++.br ++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? 
++.br ++ /var/lib/xguest/home/xguest/\.fonts\.cache-.* ++.br ++ ++.br ++.B user_fonts_t ++ ++ /root/\.fonts(/.*)? ++.br ++ /tmp/\.font-unix(/.*)? ++.br ++ /home/[^/]*/\.fonts(/.*)? ++.br ++ /home/pwalsh/\.fonts(/.*)? ++.br ++ /home/dwalsh/\.fonts(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts(/.*)? ++.br ++ ++.br ++.B user_home_type ++ ++ all user home files ++.br ++ ++.br ++.B user_tmp_type ++ ++ all user tmp files ++.br ++ ++.br ++.B user_tmpfs_type ++ ++ all user content in tmpfs file systems ++.br ++ ++.br ++.B xauth_home_t ++ ++ /root/\.xauth.* ++.br ++ /root/\.Xauth.* ++.br ++ /root/\.serverauth.* ++.br ++ /root/\.Xauthority.* ++.br ++ /var/lib/pqsql/\.xauth.* ++.br ++ /var/lib/pqsql/\.Xauthority.* ++.br ++ /var/lib/nxserver/home/\.xauth.* ++.br ++ /var/lib/nxserver/home/\.Xauthority.* ++.br ++ /home/[^/]*/\.xauth.* ++.br ++ /home/[^/]*/\.Xauth.* ++.br ++ /home/[^/]*/\.serverauth.* ++.br ++ /home/[^/]*/\.Xauthority.* ++.br ++ /home/pwalsh/\.xauth.* ++.br ++ /home/pwalsh/\.Xauth.* ++.br ++ /home/pwalsh/\.serverauth.* ++.br ++ /home/pwalsh/\.Xauthority.* ++.br ++ /home/dwalsh/\.xauth.* ++.br ++ /home/dwalsh/\.Xauth.* ++.br ++ /home/dwalsh/\.serverauth.* ++.br ++ /home/dwalsh/\.Xauthority.* ++.br ++ /var/lib/xguest/home/xguest/\.xauth.* ++.br ++ /var/lib/xguest/home/xguest/\.Xauth.* ++.br ++ /var/lib/xguest/home/xguest/\.serverauth.* ++.br ++ /var/lib/xguest/home/xguest/\.Xauthority.* ++.br ++ ++.br ++.B xdm_tmp_t ++ ++ /tmp/\.X11-unix(/.*)? ++.br ++ /tmp/\.ICE-unix(/.*)? ++.br ++ /tmp/\.X0-lock ++.br ++ ++.br ++.B xserver_tmpfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. 
++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), auditadm_wine(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), auditadm_selinux(8), auditadm_selinux(8), auditadm_dbusd_selinux(8), auditadm_gkeyringd_selinux(8), auditadm_screen_selinux(8), auditadm_seunshare_selinux(8), auditadm_su_selinux(8), auditadm_sudo_selinux(8) +\ No newline at end of file diff --git a/man/man8/auditctl_selinux.8 b/man/man8/auditctl_selinux.8 new file mode 100644 -index 0000000..5fea87e +index 0000000..4922cbb --- /dev/null +++ b/man/man8/auditctl_selinux.8 -@@ -0,0 +1,86 @@ -+.TH "auditctl_selinux" "8" "12-11-01" "auditctl" "SELinux Policy documentation for auditctl" +@@ -0,0 +1,159 @@ ++.TH "auditctl_selinux" "8" "13-01-16" "auditctl" "SELinux Policy documentation for auditctl" +.SH "NAME" +auditctl_selinux \- Security Enhanced Linux Policy for the auditctl processes +.SH "DESCRIPTION" @@ -5833,7 +12322,9 @@ index 0000000..5fea87e + +.SH "ENTRYPOINTS" + -+The auditctl_t SELinux type can be entered via the "auditctl_exec_t" file type. The default entrypoint paths for the auditctl_t domain are the following:" ++The auditctl_t SELinux type can be entered via the \fBauditctl_exec_t\fP file type. ++ ++The default entrypoint paths for the auditctl_t domain are the following: + +/sbin/auditctl, /usr/sbin/auditctl +.SH PROCESS TYPES 
@@ -5851,8 +12342,60 @@ index 0000000..5fea87e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a auditctl_t ++can be used to make the process type auditctl_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. auditctl policy is extremely flexible and has several booleans that allow you to manipulate the policy and run auditctl with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -5862,7 +12405,20 @@ index 0000000..5fea87e +Policy governs the access confined processes have to these files. +SELinux auditctl policy is very flexible allowing users to setup their auditctl processes in as secure a method as possible. +.PP -+The following file types are defined for auditctl: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the auditctl, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t auditctl_exec_t '/srv/auditctl/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myauditctl_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for auditctl: + + +.EX @@ -5872,6 +12428,10 @@ index 0000000..5fea87e + +- Set files with the auditctl_exec_t type, if you want to transition an executable to the auditctl_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/auditctl, /usr/sbin/auditctl + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -5880,8 +12440,6 @@ index 0000000..5fea87e +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -5892,6 +12450,9 @@ index 0000000..5fea87e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -5903,13 +12464,15 @@ index 0000000..5fea87e + +.SH "SEE ALSO" +selinux(8), auditctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
diff --git a/man/man8/auditd_selinux.8 b/man/man8/auditd_selinux.8 new file mode 100644 -index 0000000..d1a4a01 +index 0000000..ca48db6 --- /dev/null +++ b/man/man8/auditd_selinux.8 -@@ -0,0 +1,201 @@ -+.TH "auditd_selinux" "8" "12-11-01" "auditd" "SELinux Policy documentation for auditd" +@@ -0,0 +1,350 @@ ++.TH "auditd_selinux" "8" "13-01-16" "auditd" "SELinux Policy documentation for auditd" +.SH "NAME" +auditd_selinux \- Security Enhanced Linux Policy for the auditd processes +.SH "DESCRIPTION" @@ -5925,7 +12488,9 @@ index 0000000..d1a4a01 + +.SH "ENTRYPOINTS" + -+The auditd_t SELinux type can be entered via the "auditd_exec_t" file type. The default entrypoint paths for the auditd_t domain are the following:" ++The auditd_t SELinux type can be entered via the \fBauditd_exec_t\fP file type. ++ ++The default entrypoint paths for the auditd_t domain are the following: + +/sbin/auditd, /usr/sbin/auditd +.SH PROCESS TYPES 
@@ -5943,74 +12508,124 @@ index 0000000..d1a4a01 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a auditd_t ++can be used to make the process type auditd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux auditd policy is very flexible allowing users to setup their auditd processes in as secure a method as possible. -+.PP -+The following file types are defined for auditd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. auditd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run auditd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B auditd_etc_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the auditd_etc_t type, if you want to store auditd files in the /etc directories. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B auditd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the auditd_exec_t type, if you want to transition an executable to the auditd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ +.EX -+.PP -+.B auditd_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the auditd_initrc_exec_t type, if you want to transition an executable to the auditd_initrc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B auditd_log_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the auditd_log_t type, if you want to treat the data as auditd log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B auditd_unit_file_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the auditd_unit_file_t type, if you want to treat the files as auditd unit content. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B auditd_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the auditd_var_run_t type, if you want to store the auditd files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -6062,6 +12677,14 @@ index 0000000..d1a4a01 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B systemd_passwd_var_run_t + + /var/run/systemd/ask-password(/.*)? 
@@ -6069,22 +12692,108 @@ index 0000000..d1a4a01 + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux auditd policy is very flexible allowing users to setup their auditd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the kerberos_enabled boolean. ++auditd policy stores data with multiple different file context types under the /var/log/audit directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/audit /srv/audit ++.br ++.B restorecon -R -v /srv/audit ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the auditd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. 
++ ++.B semanage fcontext -a -t auditd_etc_t '/srv/auditd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myauditd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for auditd: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B auditd_etc_t +.EE + ++- Set files with the auditd_etc_t type, if you want to store auditd files in the /etc directories. ++ ++ ++.EX ++.PP ++.B auditd_exec_t ++.EE ++ ++- Set files with the auditd_exec_t type, if you want to transition an executable to the auditd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/auditd, /usr/sbin/auditd ++ ++.EX ++.PP ++.B auditd_initrc_exec_t ++.EE ++ ++- Set files with the auditd_initrc_exec_t type, if you want to transition an executable to the auditd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B auditd_log_t ++.EE ++ ++- Set files with the auditd_log_t type, if you want to treat the data as auditd log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/audit(/.*)?, /var/log/audit\.log ++ ++.EX ++.PP ++.B auditd_unit_file_t ++.EE ++ ++- Set files with the auditd_unit_file_t type, if you want to treat the files as auditd unit content. ++ ++ ++.EX ++.PP ++.B auditd_var_run_t ++.EE ++ ++- Set files with the auditd_var_run_t type, if you want to store the auditd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/auditd\.pid, /var/run/auditd_sock, /var/run/audit_events ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -6098,6 +12807,9 @@ index 0000000..d1a4a01 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -6109,15 +12821,15 @@ index 0000000..d1a4a01 + +.SH "SEE ALSO" +selinux(8), auditd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, auditadm_selinux(8), auditctl_selinux(8) ++, setsebool(8), auditadm_selinux(8), auditadm_dbusd_selinux(8), auditadm_gkeyringd_selinux(8), auditadm_screen_selinux(8), auditadm_seunshare_selinux(8), auditadm_su_selinux(8), auditadm_sudo_selinux(8), auditadm_wine_selinux(8), auditctl_selinux(8) \ No newline at end of file diff --git a/man/man8/authconfig_selinux.8 b/man/man8/authconfig_selinux.8 new file mode 100644 -index 0000000..18ad01b +index 0000000..89b81bc --- /dev/null +++ b/man/man8/authconfig_selinux.8 -@@ -0,0 +1,104 @@ -+.TH "authconfig_selinux" "8" "12-11-01" "authconfig" "SELinux Policy documentation for authconfig" +@@ -0,0 +1,229 @@ ++.TH "authconfig_selinux" "8" "13-01-16" "authconfig" "SELinux Policy documentation for authconfig" +.SH "NAME" +authconfig_selinux \- Security Enhanced Linux Policy for the authconfig processes +.SH "DESCRIPTION" 
@@ -6133,9 +12845,11 @@ index 0000000..18ad01b + +.SH "ENTRYPOINTS" + -+The authconfig_t SELinux type can be entered via the "filesystem_type,authconfig_exec_t,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type" file types. The default entrypoint paths for the authconfig_t domain are the following:" ++The authconfig_t SELinux type can be entered via the \fBsysctl_type, filesystem_type, mtrr_device_t, unlabeled_t, proc_type, file_type, authconfig_exec_t\fP file types. + -+/usr/share/authconfig/authconfig.py, /dev/cpu/mtrr, all files on the system ++The default entrypoint paths for the authconfig_t domain are the following: ++ ++/dev/cpu/mtrr, all files on the system, /usr/share/authconfig/authconfig.py +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -6151,8 +12865,126 @@ index 0000000..18ad01b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a authconfig_t ++can be used to make the process type authconfig_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. authconfig policy is extremely flexible and has several booleans that allow you to manipulate the policy and run authconfig with the tightest access possible. ++ ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.PP ++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_insmod 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execheap 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type authconfig_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B file_type ++ ++ all files on the system ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6162,7 +12994,20 @@ index 0000000..18ad01b +Policy governs the access confined processes have to these files. +SELinux authconfig policy is very flexible allowing users to setup their authconfig processes in as secure a method as possible. +.PP -+The following file types are defined for authconfig: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the authconfig, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t authconfig_exec_t '/srv/authconfig/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myauthconfig_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for authconfig: + + +.EX @@ -6188,18 +13033,6 @@ index 0000000..18ad01b +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type authconfig_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B file_type -+ -+ all files on the system -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -6210,6 +13043,9 @@ index 0000000..18ad01b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -6221,13 +13057,15 @@ index 0000000..18ad01b + +.SH "SEE ALSO" +selinux(8), authconfig(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/automount_selinux.8 b/man/man8/automount_selinux.8 new file mode 100644 -index 0000000..c7bbc5a +index 0000000..a982e45 --- /dev/null +++ b/man/man8/automount_selinux.8 -@@ -0,0 +1,176 @@ -+.TH "automount_selinux" "8" "12-11-01" "automount" "SELinux Policy documentation for automount" +@@ -0,0 +1,311 @@ ++.TH "automount_selinux" "8" "13-01-16" "automount" "SELinux Policy documentation for automount" +.SH "NAME" +automount_selinux \- Security Enhanced Linux Policy for the automount processes +.SH "DESCRIPTION" @@ -6243,7 +13081,9 @@ index 0000000..c7bbc5a + +.SH "ENTRYPOINTS" + -+The automount_t SELinux type can be entered via the "automount_exec_t" file type. The default entrypoint paths for the automount_t domain are the following:" ++The automount_t SELinux type can be entered via the \fBautomount_exec_t\fP file type. ++ ++The default entrypoint paths for the automount_t domain are the following: + +/usr/sbin/automount, /etc/apm/event\.d/autofs +.SH PROCESS TYPES 
@@ -6261,8 +13101,164 @@ index 0000000..c7bbc5a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a automount_t ++can be used to make the process type automount_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. automount policy is extremely flexible and has several booleans that allow you to manipulate the policy and run automount with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the automount_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the automount_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type automount_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B automount_lock_t ++ ++ /var/lock/subsys/autofs ++.br ++ ++.br ++.B automount_tmp_t ++ ++ ++.br ++.B automount_var_run_t ++ ++ /var/run/autofs.* ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B samba_var_t ++ ++ /var/nmbd(/.*)? ++.br ++ /var/lib/samba(/.*)? ++.br ++ /var/cache/samba(/.*)? ++.br ++ /var/spool/samba(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6272,7 +13268,20 @@ index 0000000..c7bbc5a +Policy governs the access confined processes have to these files. +SELinux automount policy is very flexible allowing users to setup their automount processes in as secure a method as possible. +.PP -+The following file types are defined for automount: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the automount, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t automount_exec_t '/srv/automount/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myautomount_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for automount: + + +.EX @@ -6282,6 +13291,10 @@ index 0000000..c7bbc5a + +- Set files with the automount_exec_t type, if you want to transition an executable to the automount_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/automount, /etc/apm/event\.d/autofs + +.EX +.PP @@ -6328,7 +13341,7 @@ index 0000000..c7bbc5a +.B automount_var_run_t +.EE + -+- Set files with the automount_var_run_t type, if you want to store the automount files under the /run directory. ++- Set files with the automount_var_run_t type, if you want to store the automount files under the /run or /var/run directory. + + +.PP 
@@ -6338,50 +13351,6 @@ index 0000000..c7bbc5a +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type automount_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B automount_lock_t -+ -+ -+.br -+.B automount_tmp_t -+ -+ -+.br -+.B automount_var_run_t -+ -+ /var/run/autofs.* -+.br -+ -+.br -+.B samba_var_t -+ -+ /var/lib/samba(/.*)? -+.br -+ /var/cache/samba(/.*)? -+.br -+ /var/spool/samba(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the automount_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the automount_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -6392,6 +13361,9 @@ index 0000000..c7bbc5a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -6403,13 +13375,15 @@ index 0000000..c7bbc5a + +.SH "SEE ALSO" +selinux(8), automount(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/avahi_selinux.8 b/man/man8/avahi_selinux.8 new file mode 100644 -index 0000000..e4baa1f +index 0000000..0801436 --- /dev/null 
+++ b/man/man8/avahi_selinux.8 -@@ -0,0 +1,196 @@ -+.TH "avahi_selinux" "8" "12-11-01" "avahi" "SELinux Policy documentation for avahi" +@@ -0,0 +1,309 @@ ++.TH "avahi_selinux" "8" "13-01-16" "avahi" "SELinux Policy documentation for avahi" +.SH "NAME" +avahi_selinux \- Security Enhanced Linux Policy for the avahi processes +.SH "DESCRIPTION" @@ -6425,7 +13399,9 @@ index 0000000..e4baa1f + +.SH "ENTRYPOINTS" + -+The avahi_t SELinux type can be entered via the "avahi_exec_t" file type. The default entrypoint paths for the avahi_t domain are the following:" ++The avahi_t SELinux type can be entered via the \fBavahi_exec_t\fP file type. ++ ++The default entrypoint paths for the avahi_t domain are the following: + +/usr/sbin/avahi-daemon, /usr/sbin/avahi-autoipd, /usr/sbin/avahi-dnsconfd +.SH PROCESS TYPES 
@@ -6443,27 +13419,179 @@ index 0000000..e4baa1f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a avahi_t ++can be used to make the process type avahi_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. avahi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run avahi with the tightest access possible. + + +.PP -+If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_dbus_avahi 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean. Disabled by default. + +.EX +.B setsebool -P httpd_dbus_avahi 1 ++ +.EE + ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the avahi_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the avahi_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type avahi_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B avahi_var_lib_t ++ ++ /var/lib/avahi-autoipd(/.*)? ++.br ++ ++.br ++.B avahi_var_run_t ++ ++ /var/run/avahi-daemon(/.*)? ++.br ++ ++.br ++.B net_conf_t ++ ++ /etc/hosts[^/]* ++.br ++ /etc/yp\.conf.* ++.br ++ /etc/denyhosts.* ++.br ++ /etc/hosts\.deny.* ++.br ++ /etc/resolv\.conf.* ++.br ++ /etc/sysconfig/networking(/.*)? ++.br ++ /etc/sysconfig/network-scripts(/.*)? ++.br ++ /etc/sysconfig/network-scripts/.*resolv\.conf ++.br ++ /etc/ethers ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -6472,7 +13600,20 @@ index 0000000..e4baa1f +Policy governs the access confined processes have to these files. +SELinux avahi policy is very flexible allowing users to setup their avahi processes in as secure a method as possible. +.PP -+The following file types are defined for avahi: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the avahi, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t avahi_exec_t '/srv/avahi/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myavahi_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for avahi: + + +.EX 
@@ -6482,6 +13623,10 @@ index 0000000..e4baa1f + +- Set files with the avahi_exec_t type, if you want to transition an executable to the avahi_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/avahi-daemon, /usr/sbin/avahi-autoipd, /usr/sbin/avahi-dnsconfd + +.EX +.PP @@ -6512,7 +13657,7 @@ index 0000000..e4baa1f +.B avahi_var_run_t +.EE + -+- Set files with the avahi_var_run_t type, if you want to store the avahi files under the /run directory. ++- Set files with the avahi_var_run_t type, if you want to store the avahi files under the /run or /var/run directory. + + +.PP 
@@ -6522,64 +13667,6 @@ index 0000000..e4baa1f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type avahi_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B avahi_var_lib_t -+ -+ /var/lib/avahi-autoipd(/.*)? -+.br -+ -+.br -+.B avahi_var_run_t -+ -+ /var/run/avahi-daemon(/.*)? -+.br -+ -+.br -+.B net_conf_t -+ -+ /etc/ntpd?\.conf.* -+.br -+ /etc/hosts[^/]* -+.br -+ /etc/yp\.conf.* -+.br -+ /etc/denyhosts.* -+.br -+ /etc/hosts\.deny.* -+.br -+ /etc/resolv\.conf.* -+.br -+ /etc/ntp/step-tickers.* -+.br -+ /etc/sysconfig/networking(/.*)? -+.br -+ /etc/sysconfig/network-scripts(/.*)? -+.br -+ /etc/sysconfig/network-scripts/.*resolv\.conf -+.br -+ /etc/ethers -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the avahi_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the avahi_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -6608,11 +13695,11 @@ index 0000000..e4baa1f \ No newline at end of file diff --git a/man/man8/awstats_selinux.8 b/man/man8/awstats_selinux.8 new file mode 100644 -index 0000000..cffff58 +index 0000000..c8a0734 --- /dev/null 
+++ b/man/man8/awstats_selinux.8 -@@ -0,0 +1,116 @@ -+.TH "awstats_selinux" "8" "12-11-01" "awstats" "SELinux Policy documentation for awstats" +@@ -0,0 +1,193 @@ ++.TH "awstats_selinux" "8" "13-01-16" "awstats" "SELinux Policy documentation for awstats" +.SH "NAME" +awstats_selinux \- Security Enhanced Linux Policy for the awstats processes +.SH "DESCRIPTION" @@ -6628,7 +13715,9 @@ index 0000000..cffff58 + +.SH "ENTRYPOINTS" + -+The awstats_t SELinux type can be entered via the "awstats_exec_t" file type. The default entrypoint paths for the awstats_t domain are the following:" ++The awstats_t SELinux type can be entered via the \fBawstats_exec_t\fP file type. ++ ++The default entrypoint paths for the awstats_t domain are the following: + +/usr/share/awstats/tools/.+\.pl +.SH PROCESS TYPES 
@@ -6646,8 +13735,82 @@ index 0000000..cffff58 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a awstats_t ++can be used to make the process type awstats_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. awstats policy is extremely flexible and has several booleans that allow you to manipulate the policy and run awstats with the tightest access possible. ++ ++ ++.PP ++If you want to determine whether awstats can purge httpd log files, you must turn on the awstats_purge_apache_log_files boolean. Disabled by default. ++ ++.EX ++.B setsebool -P awstats_purge_apache_log_files 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type awstats_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B awstats_tmp_t ++ ++ ++.br ++.B awstats_var_lib_t ++ ++ /var/lib/awstats(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6657,7 +13820,20 @@ index 0000000..cffff58 +Policy governs the access confined processes have to these files. +SELinux awstats policy is very flexible allowing users to setup their awstats processes in as secure a method as possible. +.PP -+The following file types are defined for awstats: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the awstats, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t awstats_exec_t '/srv/awstats/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myawstats_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for awstats: + + +.EX 
@@ -6691,22 +13867,6 @@ index 0000000..cffff58 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type awstats_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B awstats_tmp_t -+ -+ -+.br -+.B awstats_var_lib_t -+ -+ /var/lib/awstats(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -6717,6 +13877,9 @@ index 0000000..cffff58 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -6728,13 +13891,15 @@ index 0000000..cffff58 + +.SH "SEE ALSO" +selinux(8), awstats(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/bcfg2_selinux.8 b/man/man8/bcfg2_selinux.8 new file mode 100644 -index 0000000..792558d +index 0000000..82e7f7d --- /dev/null +++ b/man/man8/bcfg2_selinux.8 -@@ -0,0 +1,148 @@ -+.TH "bcfg2_selinux" "8" "12-11-01" "bcfg2" "SELinux Policy documentation for bcfg2" +@@ -0,0 +1,275 @@ ++.TH "bcfg2_selinux" "8" "13-01-16" "bcfg2" "SELinux Policy documentation for bcfg2" +.SH "NAME" +bcfg2_selinux \- Security Enhanced Linux Policy for the bcfg2 processes +.SH "DESCRIPTION" @@ -6750,7 +13915,9 @@ index 0000000..792558d + +.SH "ENTRYPOINTS" + -+The bcfg2_t SELinux type can be entered via the "bcfg2_exec_t" file type. The default entrypoint paths for the bcfg2_t domain are the following:" ++The bcfg2_t SELinux type can be entered via the \fBbcfg2_exec_t\fP file type. ++ ++The default entrypoint paths for the bcfg2_t domain are the following: + +/usr/sbin/bcfg2-server +.SH PROCESS TYPES 
@@ -6768,8 +13935,148 @@ index 0000000..792558d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a bcfg2_t ++can be used to make the process type bcfg2_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. bcfg2 policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bcfg2 with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the bcfg2_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the bcfg2_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type bcfg2_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B bcfg2_var_lib_t ++ ++ /var/lib/bcfg2(/.*)? 
++.br ++ ++.br ++.B bcfg2_var_run_t ++ ++ /var/run/bcfg2-server\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6779,7 +14086,20 @@ index 0000000..792558d +Policy governs the access confined processes have to these files. +SELinux bcfg2 policy is very flexible allowing users to setup their bcfg2 processes in as secure a method as possible. +.PP -+The following file types are defined for bcfg2: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the bcfg2, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t bcfg2_exec_t '/srv/bcfg2/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mybcfg2_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for bcfg2: + + +.EX @@ -6819,7 +14139,7 @@ index 0000000..792558d +.B bcfg2_var_run_t +.EE + -+- Set files with the bcfg2_var_run_t type, if you want to store the bcfg2 files under the /run directory. ++- Set files with the bcfg2_var_run_t type, if you want to store the bcfg2 files under the /run or /var/run directory. + + +.PP 
@@ -6829,38 +14149,6 @@ index 0000000..792558d +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type bcfg2_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B bcfg2_var_lib_t -+ -+ /var/lib/bcfg2(/.*)? -+.br -+ -+.br -+.B bcfg2_var_run_t -+ -+ /var/run/bcfg2-server\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bcfg2_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the bcfg2_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -6871,6 +14159,9 @@ index 0000000..792558d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -6882,13 +14173,23 @@ index 0000000..792558d + +.SH "SEE ALSO" +selinux(8), bcfg2(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/bind_selinux.8 b/man/man8/bind_selinux.8 +new file mode 100644 +index 0000000..86f9675 +--- /dev/null ++++ b/man/man8/bind_selinux.8 +@@ -0,0 +1 @@ ++.so man8/named_selinux.8 +\ No newline at end of file diff --git a/man/man8/bitlbee_selinux.8 b/man/man8/bitlbee_selinux.8 new file mode 100644 -index 0000000..26fda6e +index 0000000..7774729 --- /dev/null 
+++ b/man/man8/bitlbee_selinux.8 -@@ -0,0 +1,178 @@ -+.TH "bitlbee_selinux" "8" "12-11-01" "bitlbee" "SELinux Policy documentation for bitlbee" +@@ -0,0 +1,307 @@ ++.TH "bitlbee_selinux" "8" "13-01-16" "bitlbee" "SELinux Policy documentation for bitlbee" +.SH "NAME" +bitlbee_selinux \- Security Enhanced Linux Policy for the bitlbee processes +.SH "DESCRIPTION" @@ -6904,7 +14205,9 @@ index 0000000..26fda6e + +.SH "ENTRYPOINTS" + -+The bitlbee_t SELinux type can be entered via the "bitlbee_exec_t" file type. The default entrypoint paths for the bitlbee_t domain are the following:" ++The bitlbee_t SELinux type can be entered via the \fBbitlbee_exec_t\fP file type. ++ ++The default entrypoint paths for the bitlbee_t domain are the following: + +/usr/bin/bip, /usr/sbin/bitlbee +.SH PROCESS TYPES 
@@ -6922,8 +14225,156 @@ index 0000000..26fda6e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a bitlbee_t ++can be used to make the process type bitlbee_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. bitlbee policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bitlbee with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the bitlbee_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the bitlbee_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type bitlbee_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B bitlbee_tmp_t ++ ++ ++.br ++.B bitlbee_var_run_t ++ ++ /var/run/bip(/.*)? 
++.br ++ /var/run/bitlbee\.pid ++.br ++ /var/run/bitlbee\.sock ++.br ++ ++.br ++.B bitlbee_var_t ++ ++ /var/lib/bitlbee(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6933,7 +14384,20 @@ index 0000000..26fda6e +Policy governs the access confined processes have to these files. +SELinux bitlbee policy is very flexible allowing users to setup their bitlbee processes in as secure a method as possible. +.PP -+The following file types are defined for bitlbee: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the bitlbee, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t bitlbee_conf_t '/srv/bitlbee/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mybitlbee_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for bitlbee: + + +.EX @@ -6951,6 +14415,10 @@ index 0000000..26fda6e + +- Set files with the bitlbee_exec_t type, if you want to transition an executable to the bitlbee_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/bip, /usr/sbin/bitlbee + +.EX +.PP @@ -6981,8 +14449,12 @@ index 0000000..26fda6e +.B bitlbee_var_run_t +.EE + -+- Set files with the bitlbee_var_run_t type, if you want to store the bitlbee files under the /run directory. ++- Set files with the bitlbee_var_run_t type, if you want to store the bitlbee files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/bip(/.*)?, /var/run/bitlbee\.pid, /var/run/bitlbee\.sock + +.EX +.PP 
@@ -6999,52 +14471,6 @@ index 0000000..26fda6e +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type bitlbee_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B bitlbee_log_t -+ -+ /var/log/bip(/.*)? -+.br -+ -+.br -+.B bitlbee_tmp_t -+ -+ -+.br -+.B bitlbee_var_run_t -+ -+ /var/run/bip(/.*)? -+.br -+ /var/run/bitlbee\.pid -+.br -+ /var/run/bitlbee\.sock -+.br -+ -+.br -+.B bitlbee_var_t -+ -+ /var/lib/bitlbee(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bitlbee_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the bitlbee_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -7055,6 +14481,9 @@ index 0000000..26fda6e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -7066,13 +14495,15 @@ index 0000000..26fda6e + +.SH "SEE ALSO" +selinux(8), bitlbee(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/blktap_selinux.8 b/man/man8/blktap_selinux.8 new file mode 100644 -index 0000000..8a96343 +index 0000000..c5f9936 --- /dev/null 
+++ b/man/man8/blktap_selinux.8 -@@ -0,0 +1,116 @@ -+.TH "blktap_selinux" "8" "12-11-01" "blktap" "SELinux Policy documentation for blktap" +@@ -0,0 +1,167 @@ ++.TH "blktap_selinux" "8" "13-01-16" "blktap" "SELinux Policy documentation for blktap" +.SH "NAME" +blktap_selinux \- Security Enhanced Linux Policy for the blktap processes +.SH "DESCRIPTION" @@ -7088,7 +14519,9 @@ index 0000000..8a96343 + +.SH "ENTRYPOINTS" + -+The blktap_t SELinux type can be entered via the "blktap_exec_t" file type. The default entrypoint paths for the blktap_t domain are the following:" ++The blktap_t SELinux type can be entered via the \fBblktap_exec_t\fP file type. ++ ++The default entrypoint paths for the blktap_t domain are the following: + +/usr/sbin/tapdisk, /usr/sbin/blktapctrl +.SH PROCESS TYPES 
@@ -7106,25 +14539,59 @@ index 0000000..8a96343 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a blktap_t ++can be used to make the process type blktap_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. blktap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run blktap with the tightest access possible. + + +.PP -+If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P xend_run_blktap 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + +.PP -+If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean. Enabled by default. + +.EX +.B setsebool -P xend_run_blktap 1 ++ +.EE + +.SH FILE CONTEXTS @@ -7135,7 +14602,20 @@ index 0000000..8a96343 +Policy governs the access confined processes have to these files. +SELinux blktap policy is very flexible allowing users to setup their blktap processes in as secure a method as possible. +.PP -+The following file types are defined for blktap: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the blktap, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t blktap_exec_t '/srv/blktap/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myblktap_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for blktap: + + +.EX @@ -7145,13 +14625,17 @@ index 0000000..8a96343 + +- Set files with the blktap_exec_t type, if you want to transition an executable to the blktap_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/tapdisk, /usr/sbin/blktapctrl + +.EX +.PP +.B blktap_var_run_t +.EE + -+- Set files with the blktap_var_run_t type, if you want to store the blktap files under the /run directory. ++- Set files with the blktap_var_run_t type, if you want to store the blktap files under the /run or /var/run directory. + + +.PP @@ -7161,8 +14645,6 @@ index 0000000..8a96343 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -7191,11 +14673,11 @@ index 0000000..8a96343 \ No newline at end of file 
diff --git a/man/man8/blueman_selinux.8 b/man/man8/blueman_selinux.8 new file mode 100644 -index 0000000..4098061 +index 0000000..d784b2c --- /dev/null +++ b/man/man8/blueman_selinux.8 -@@ -0,0 +1,118 @@ -+.TH "blueman_selinux" "8" "12-11-01" "blueman" "SELinux Policy documentation for blueman" +@@ -0,0 +1,265 @@ ++.TH "blueman_selinux" "8" "13-01-16" "blueman" "SELinux Policy documentation for blueman" +.SH "NAME" +blueman_selinux \- Security Enhanced Linux Policy for the blueman processes +.SH "DESCRIPTION" @@ -7211,7 +14693,9 @@ index 0000000..4098061 + +.SH "ENTRYPOINTS" + -+The blueman_t SELinux type can be entered via the "blueman_exec_t" file type. The default entrypoint paths for the blueman_t domain are the following:" ++The blueman_t SELinux type can be entered via the \fBblueman_exec_t\fP file type. ++ ++The default entrypoint paths for the blueman_t domain are the following: + +/usr/libexec/blueman-mechanism +.SH PROCESS TYPES 
@@ -7229,8 +14713,154 @@ index 0000000..4098061 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a blueman_t ++can be used to make the process type blueman_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. blueman policy is extremely flexible and has several booleans that allow you to manipulate the policy and run blueman with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xguest_use_bluetooth 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the blueman_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the blueman_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type blueman_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B blueman_var_lib_t ++ ++ /var/lib/blueman(/.*)? ++.br ++ ++.br ++.B blueman_var_run_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -7240,7 +14870,20 @@ index 0000000..4098061 +Policy governs the access confined processes have to these files. +SELinux blueman policy is very flexible allowing users to setup their blueman processes in as secure a method as possible. +.PP -+The following file types are defined for blueman: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the blueman, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t blueman_exec_t '/srv/blueman/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myblueman_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for blueman: + + +.EX @@ -7259,6 +14902,14 @@ index 0000000..4098061 +- Set files with the blueman_var_lib_t type, if you want to store the blueman files under the /var/lib directory. + + ++.EX ++.PP ++.B blueman_var_run_t ++.EE ++ ++- Set files with the blueman_var_run_t type, if you want to store the blueman files under the /run or /var/run directory. ++ ++ +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext 
@@ -7266,32 +14917,6 @@ index 0000000..4098061 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type blueman_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B blueman_var_lib_t -+ -+ /var/lib/blueman(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the blueman_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the blueman_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -7302,6 +14927,9 @@ index 0000000..4098061 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -7313,13 +14941,15 @@ index 0000000..4098061 + +.SH "SEE ALSO" +selinux(8), blueman(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/bluetooth_helper_selinux.8 b/man/man8/bluetooth_helper_selinux.8 new file mode 100644 -index 0000000..2fa6a79 +index 0000000..c98f46b --- /dev/null 
+++ b/man/man8/bluetooth_helper_selinux.8 -@@ -0,0 +1,157 @@ -+.TH "bluetooth_helper_selinux" "8" "12-11-01" "bluetooth_helper" "SELinux Policy documentation for bluetooth_helper" +@@ -0,0 +1,293 @@ ++.TH "bluetooth_helper_selinux" "8" "13-01-16" "bluetooth_helper" "SELinux Policy documentation for bluetooth_helper" +.SH "NAME" +bluetooth_helper_selinux \- Security Enhanced Linux Policy for the bluetooth_helper processes +.SH "DESCRIPTION" @@ -7335,7 +14965,9 @@ index 0000000..2fa6a79 + +.SH "ENTRYPOINTS" + -+The bluetooth_helper_t SELinux type can be entered via the "bluetooth_helper_exec_t" file type. The default entrypoint paths for the bluetooth_helper_t domain are the following:" ++The bluetooth_helper_t SELinux type can be entered via the \fBbluetooth_helper_exec_t\fP file type. ++ ++The default entrypoint paths for the bluetooth_helper_t domain are the following: + +/usr/bin/blue.*pin +.SH PROCESS TYPES 
@@ -7353,8 +14985,182 @@ index 0000000..2fa6a79 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a bluetooth_helper_t ++can be used to make the process type bluetooth_helper_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. bluetooth_helper policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bluetooth_helper with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the bluetooth_helper_t, you must turn on the kerberos_enabled boolean. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type bluetooth_helper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B bluetooth_helper_tmp_t ++ ++ ++.br ++.B bluetooth_helper_tmpfs_t ++ ++ ++.br ++.B user_fonts_cache_t ++ ++ /root/\.fontconfig(/.*)? ++.br ++ /root/\.fonts/auto(/.*)? ++.br ++ /root/\.fonts\.cache-.* ++.br ++ /home/[^/]*/\.fontconfig(/.*)? ++.br ++ /home/[^/]*/\.fonts/auto(/.*)? ++.br ++ /home/[^/]*/\.fonts\.cache-.* ++.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br ++ /home/dwalsh/\.fontconfig(/.*)? ++.br ++ /home/dwalsh/\.fonts/auto(/.*)? ++.br ++ /home/dwalsh/\.fonts\.cache-.* ++.br ++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts\.cache-.* ++.br ++ ++.br ++.B xserver_tmpfs_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -7364,7 +15170,20 @@ index 0000000..2fa6a79 +Policy governs the access confined processes have to these files. +SELinux bluetooth_helper policy is very flexible allowing users to setup their bluetooth_helper processes in as secure a method as possible. +.PP -+The following file types are defined for bluetooth_helper: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the bluetooth_helper, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t bluetooth_helper_exec_t '/srv/bluetooth_helper/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mybluetooth_helper_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for bluetooth_helper: + + +.EX 
@@ -7398,62 +15217,6 @@ index 0000000..2fa6a79 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type bluetooth_helper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B bluetooth_helper_tmp_t -+ -+ -+.br -+.B bluetooth_helper_tmpfs_t -+ -+ -+.br -+.B user_fonts_cache_t -+ -+ /root/\.fontconfig(/.*)? -+.br -+ /root/\.fonts/auto(/.*)? -+.br -+ /root/\.fonts\.cache-.* -+.br -+ /home/[^/]*/\.fontconfig(/.*)? -+.br -+ /home/[^/]*/\.fonts/auto(/.*)? -+.br -+ /home/[^/]*/\.fonts\.cache-.* -+.br -+ /home/dwalsh/\.fontconfig(/.*)? -+.br -+ /home/dwalsh/\.fonts/auto(/.*)? -+.br -+ /home/dwalsh/\.fonts\.cache-.* -+.br -+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.fonts\.cache-.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the bluetooth_helper_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -7464,6 +15227,9 @@ index 0000000..2fa6a79 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -7475,15 +15241,15 @@ index 0000000..2fa6a79 + +.SH "SEE ALSO" +selinux(8), bluetooth_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, bluetooth_selinux(8), bluetooth_selinux(8) ++, setsebool(8), bluetooth_selinux(8), bluetooth_selinux(8) \ No newline at end of file diff --git a/man/man8/bluetooth_selinux.8 b/man/man8/bluetooth_selinux.8 new file mode 100644 -index 0000000..3432420 +index 0000000..3b59782 --- /dev/null +++ b/man/man8/bluetooth_selinux.8 -@@ -0,0 +1,246 @@ -+.TH "bluetooth_selinux" "8" "12-11-01" "bluetooth" "SELinux Policy documentation for bluetooth" +@@ -0,0 +1,373 @@ ++.TH "bluetooth_selinux" "8" "13-01-16" "bluetooth" "SELinux Policy documentation for bluetooth" +.SH "NAME" +bluetooth_selinux \- Security Enhanced Linux Policy for the bluetooth processes +.SH "DESCRIPTION" @@ -7499,7 +15265,9 @@ index 0000000..3432420 + +.SH "ENTRYPOINTS" + -+The bluetooth_t SELinux type can be entered via the "bluetooth_exec_t" file type. The default entrypoint paths for the bluetooth_t domain are the following:" ++The bluetooth_t SELinux type can be entered via the \fBbluetooth_exec_t\fP file type. ++ ++The default entrypoint paths for the bluetooth_t domain are the following: + +/usr/bin/dund, /usr/bin/hidd, /usr/sbin/hcid, /usr/sbin/sdpd, /usr/bin/rfcomm, /usr/sbin/hid2hci, /usr/sbin/hciattach, /usr/sbin/bluetoothd +.SH PROCESS TYPES 
@@ -7517,27 +15285,179 @@ index 0000000..3432420 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a bluetooth_t ++can be used to make the process type bluetooth_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. bluetooth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bluetooth with the tightest access possible. + + +.PP -+If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P xguest_use_bluetooth 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean. Enabled by default. + +.EX +.B setsebool -P xguest_use_bluetooth 1 ++ +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the bluetooth_t, bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the bluetooth_t, bluetooth_helper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type bluetooth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B bluetooth_conf_rw_t ++ ++ /etc/bluetooth/link_key ++.br ++ ++.br ++.B bluetooth_lock_t ++ ++ /var/lock/subsys/bluetoothd ++.br ++ ++.br ++.B bluetooth_tmp_t ++ ++ ++.br ++.B bluetooth_var_lib_t ++ ++ /var/lib/bluetooth(/.*)? ++.br ++ ++.br ++.B bluetooth_var_run_t ++ ++ /var/run/sdp ++.br ++ /var/run/bluetoothd_address ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B usbfs_t ++ ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -7546,7 +15466,20 @@ index 0000000..3432420 +Policy governs the access confined processes have to these files. +SELinux bluetooth policy is very flexible allowing users to setup their bluetooth processes in as secure a method as possible. +.PP -+The following file types are defined for bluetooth: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the bluetooth, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t bluetooth_conf_rw_t '/srv/bluetooth/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mybluetooth_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for bluetooth: + + +.EX 
@@ -7572,6 +15505,10 @@ index 0000000..3432420 + +- Set files with the bluetooth_exec_t type, if you want to transition an executable to the bluetooth_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/dund, /usr/bin/hidd, /usr/sbin/hcid, /usr/sbin/sdpd, /usr/bin/rfcomm, /usr/sbin/hid2hci, /usr/sbin/hciattach, /usr/sbin/bluetoothd + +.EX +.PP @@ -7604,6 +15541,10 @@ index 0000000..3432420 + +- Set files with the bluetooth_initrc_exec_t type, if you want to transition an executable to the bluetooth_initrc_t domain. + ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/dund, /etc/rc\.d/init\.d/pand, /etc/rc\.d/init\.d/bluetooth + +.EX +.PP @@ -7642,8 +15583,12 @@ index 0000000..3432420 +.B bluetooth_var_run_t +.EE + -+- Set files with the bluetooth_var_run_t type, if you want to store the bluetooth files under the /run directory. ++- Set files with the bluetooth_var_run_t type, if you want to store the bluetooth files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/sdp, /var/run/bluetoothd_address + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -7652,58 +15597,6 @@ index 0000000..3432420 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type bluetooth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B bluetooth_conf_rw_t -+ -+ /etc/bluetooth/link_key -+.br -+ -+.br -+.B bluetooth_lock_t -+ -+ -+.br -+.B bluetooth_tmp_t -+ -+ -+.br -+.B bluetooth_var_lib_t -+ -+ /var/lib/bluetooth(/.*)? -+.br -+ -+.br -+.B bluetooth_var_run_t -+ -+ /var/run/sdp -+.br -+ /var/run/bluetoothd_address -+.br -+ -+.br -+.B usbfs_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bluetooth_t, bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the bluetooth_t, bluetooth_helper_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -7730,48 +15623,110 @@ index 0000000..3432420 +selinux(8), bluetooth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) +, setsebool(8), bluetooth_helper_selinux(8) \ No newline at end of file -diff --git a/man/man8/boinc_selinux.8 b/man/man8/boinc_selinux.8 +diff --git a/man/man8/boinc_project_selinux.8 b/man/man8/boinc_project_selinux.8 new file mode 100644 -index 0000000..138247a +index 0000000..a04e063 
--- /dev/null -+++ b/man/man8/boinc_selinux.8 -@@ -0,0 +1,219 @@ -+.TH "boinc_selinux" "8" "12-11-01" "boinc" "SELinux Policy documentation for boinc" ++++ b/man/man8/boinc_project_selinux.8 +@@ -0,0 +1,175 @@ ++.TH "boinc_project_selinux" "8" "13-01-16" "boinc_project" "SELinux Policy documentation for boinc_project" +.SH "NAME" -+boinc_selinux \- Security Enhanced Linux Policy for the boinc processes ++boinc_project_selinux \- Security Enhanced Linux Policy for the boinc_project processes +.SH "DESCRIPTION" + -+Security-Enhanced Linux secures the boinc processes via flexible mandatory access control. ++Security-Enhanced Linux secures the boinc_project processes via flexible mandatory access control. + -+The boinc processes execute with the boinc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++The boinc_project processes execute with the boinc_project_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. + +For example: + -+.B ps -eZ | grep boinc_t ++.B ps -eZ | grep boinc_project_t + + +.SH "ENTRYPOINTS" + -+The boinc_t SELinux type can be entered via the "boinc_exec_t" file type. The default entrypoint paths for the boinc_t domain are the following:" ++The boinc_project_t SELinux type can be entered via the \fBboinc_project_var_lib_t\fP file type. + -+/usr/bin/boinc_client ++The default entrypoint paths for the boinc_project_t domain are the following: ++ ++/var/lib/boinc/slots(/.*)?, /var/lib/boinc/projects(/.*)? +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP +You can see the context of a process using the \fB\-Z\fP option to \fBps\bP +.PP +Policy governs the access confined processes have to files. -+SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible. 
++SELinux boinc_project policy is very flexible allowing users to setup their boinc_project processes in as secure a method as possible. +.PP -+The following process types are defined for boinc: ++The following process types are defined for boinc_project: + +.EX -+.B boinc_t, boinc_project_t ++.B boinc_project_t +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a boinc_project_t ++can be used to make the process type boinc_project_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. boinc_project policy is extremely flexible and has several booleans that allow you to manipulate the policy and run boinc_project with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type boinc_project_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B boinc_project_tmp_t ++ ++ ++.br ++.B boinc_project_var_lib_t ++ ++ /var/lib/boinc/slots(/.*)? ++.br ++ /var/lib/boinc/projects(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -7779,33 +15734,22 @@ index 0000000..138247a +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP +Policy governs the access confined processes have to these files. -+SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible. ++SELinux boinc_project policy is very flexible allowing users to setup their boinc_project processes in as secure a method as possible. +.PP -+The following file types are defined for boinc: + -+ -+.EX +.PP -+.B boinc_exec_t -+.EE ++.B STANDARD FILE CONTEXT + -+- Set files with the boinc_exec_t type, if you want to transition an executable to the boinc_t domain. ++SELinux defines the file context types for the boinc_project, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. + ++.B semanage fcontext -a -t boinc_project_tmp_t '/srv/boinc_project/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myboinc_project_content + -+.EX -+.PP -+.B boinc_initrc_exec_t -+.EE ++Note: SELinux often uses regular expressions to specify labels that match multiple files. + -+- Set files with the boinc_initrc_exec_t type, if you want to transition an executable to the boinc_initrc_t domain. -+ -+ -+.EX -+.PP -+.B boinc_log_t -+.EE -+ -+- Set files with the boinc_log_t type, if you want to treat the data as boinc log data, usually stored under the /var/log directory. ++.I The following file types are defined for boinc_project: + + +.EX 
@@ -7823,38 +15767,10 @@ index 0000000..138247a + +- Set files with the boinc_project_var_lib_t type, if you want to store the boinc project files under the /var/lib directory. + -+ -+.EX -+.PP -+.B boinc_tmp_t -+.EE -+ -+- Set files with the boinc_tmp_t type, if you want to store boinc temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B boinc_tmpfs_t -+.EE -+ -+- Set files with the boinc_tmpfs_t type, if you want to store boinc files on a tmpfs file system. -+ -+ -+.EX -+.PP -+.B boinc_unit_file_t -+.EE -+ -+- Set files with the boinc_unit_file_t type, if you want to treat the files as boinc unit content. -+ -+ -+.EX -+.PP -+.B boinc_var_lib_t -+.EE -+ -+- Set files with the boinc_var_lib_t type, if you want to store the boinc files under the /var/lib directory. -+ ++.br ++.TP 5 ++Paths: ++/var/lib/boinc/slots(/.*)?, /var/lib/boinc/projects(/.*)? + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -7863,6 +15779,153 @@ index 0000000..138247a +.B restorecon +to apply the labels. + ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), boinc_project(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), boinc_selinux(8), boinc_selinux(8) +\ No newline at end of file +diff --git a/man/man8/boinc_selinux.8 b/man/man8/boinc_selinux.8 +new file mode 100644 +index 0000000..39210ee +--- /dev/null ++++ b/man/man8/boinc_selinux.8 +@@ -0,0 +1,337 @@ ++.TH "boinc_selinux" "8" "13-01-16" "boinc" "SELinux Policy documentation for boinc" ++.SH "NAME" ++boinc_selinux \- Security Enhanced Linux Policy for the boinc processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the boinc processes via flexible mandatory access control. ++ ++The boinc processes execute with the boinc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep boinc_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The boinc_t SELinux type can be entered via the \fBboinc_exec_t\fP file type. 
++ ++The default entrypoint paths for the boinc_t domain are the following: ++ ++/usr/bin/boinc_client ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible. ++.PP ++The following process types are defined for boinc: ++ ++.EX ++.B boinc_t, boinc_project_t ++.EE ++.PP ++Note: ++.B semanage permissive -a boinc_t ++can be used to make the process type boinc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. boinc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run boinc with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP @@ -7878,7 +15941,7 @@ index 0000000..138247a + +.EX +.TP 5 -+.B boinc_client_ctrl_port_t ++.B boinc_client_port_t +.TP 10 +.EE + @@ -7886,6 +15949,8 @@ index 0000000..138247a +Default Defined Ports: +tcp 1043 +.EE ++udp 1034 ++.EE + +.EX +.TP 5 
@@ -7929,7 +15994,131 @@ index 0000000..138247a + /var/lib/boinc(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux boinc policy is very flexible allowing users to setup their boinc processes in as secure a method as possible. ++.PP ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++boinc policy stores data with multiple different file context types under the /var/lib/boinc directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/boinc /srv/boinc ++.br ++.B restorecon -R -v /srv/boinc ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the boinc, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t boinc_exec_t '/srv/boinc/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myboinc_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for boinc: ++ ++ ++.EX ++.PP ++.B boinc_exec_t ++.EE ++ ++- Set files with the boinc_exec_t type, if you want to transition an executable to the boinc_t domain. ++ ++ ++.EX ++.PP ++.B boinc_initrc_exec_t ++.EE ++ ++- Set files with the boinc_initrc_exec_t type, if you want to transition an executable to the boinc_initrc_t domain. 
++ ++ ++.EX ++.PP ++.B boinc_log_t ++.EE ++ ++- Set files with the boinc_log_t type, if you want to treat the data as boinc log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B boinc_project_tmp_t ++.EE ++ ++- Set files with the boinc_project_tmp_t type, if you want to store boinc project temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B boinc_project_var_lib_t ++.EE ++ ++- Set files with the boinc_project_var_lib_t type, if you want to store the boinc project files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/boinc/slots(/.*)?, /var/lib/boinc/projects(/.*)? ++ ++.EX ++.PP ++.B boinc_tmp_t ++.EE ++ ++- Set files with the boinc_tmp_t type, if you want to store boinc temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B boinc_tmpfs_t ++.EE ++ ++- Set files with the boinc_tmpfs_t type, if you want to store boinc files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B boinc_unit_file_t ++.EE ++ ++- Set files with the boinc_unit_file_t type, if you want to treat the files as boinc unit content. ++ ++ ++.EX ++.PP ++.B boinc_var_lib_t ++.EE ++ ++- Set files with the boinc_var_lib_t type, if you want to store the boinc files under the /var/lib directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -7944,6 +16133,9 @@ index 0000000..138247a +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
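Review bot: the STANDARD FILE CONTEXT example in the `@@ -7929,7 +15994,131 @@` hunk is wrong in two ways. `semanage fcontext -a -t boinc_exec_t '/srv/boinc/content(/.*)?'` registers one path, but the next line runs `restorecon -R -v /srv/myboinc_content` on a different one, so a reader following the page verbatim relabels nothing. And the type chosen is boinc_exec_t, the domain's entrypoint: labelling a content tree with it turns every file under it into an entrypoint into boinc_t, the opposite of the "tightest access possible" the section promises. Have the generator pick a data type the same hunk already documents (boinc_var_lib_t or boinc_log_t) and use the identical path in both commands. The same template defect recurs in the bootloader (bootloader_etc_t), brctl (brctl_exec_t), cachefilesd (cachefilesd_exec_t) and calamaris (calamaris_exec_t) hunks below. While there: "diffent", "sepecify" and "dirctory" are typos in this block.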
@@ -7955,13 +16147,15 @@ index 0000000..138247a + +.SH "SEE ALSO" +selinux(8), boinc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), boinc_project_selinux(8) +\ No newline at end of file diff --git a/man/man8/bootloader_selinux.8 b/man/man8/bootloader_selinux.8 new file mode 100644 -index 0000000..0e127fd +index 0000000..19afd84 --- /dev/null +++ b/man/man8/bootloader_selinux.8 -@@ -0,0 +1,306 @@ -+.TH "bootloader_selinux" "8" "12-11-01" "bootloader" "SELinux Policy documentation for bootloader" +@@ -0,0 +1,385 @@ ++.TH "bootloader_selinux" "8" "13-01-16" "bootloader" "SELinux Policy documentation for bootloader" +.SH "NAME" +bootloader_selinux \- Security Enhanced Linux Policy for the bootloader processes +.SH "DESCRIPTION" @@ -7977,7 +16171,9 @@ index 0000000..0e127fd + +.SH "ENTRYPOINTS" + -+The bootloader_t SELinux type can be entered via the "bootloader_exec_t" file type. The default entrypoint paths for the bootloader_t domain are the following:" ++The bootloader_t SELinux type can be entered via the \fBbootloader_exec_t\fP file type. ++ ++The default entrypoint paths for the bootloader_t domain are the following: + +/sbin/grub.*, /sbin/lilo.*, /sbin/ybin.*, /usr/sbin/grub.*, /usr/sbin/lilo.*, /usr/sbin/ybin.*, /sbin/zipl, /usr/sbin/zipl +.SH PROCESS TYPES 
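Review bot: in the `@@ -7955,13 +16147,15 @@` hunk the SEE ALSO list is continued on a fresh line that starts with a comma (`++, setsebool(8), boinc_project_selinux(8)`), so the rendered text reads "sepolicy(8) , setsebool(8)" with a space before the comma; the generator should append to the existing line instead. The hunk also leaves the `\ No newline at end of file` marker in place; the generated page should end with a newline.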
@@ -7995,84 +16191,100 @@ index 0000000..0e127fd +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a bootloader_t ++can be used to make the process type bootloader_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. bootloader policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bootloader with the tightest access possible. + + +.PP -+If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P xdm_exec_bootloader 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P xdm_exec_bootloader 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux bootloader policy is very flexible allowing users to setup their bootloader processes in as secure a method as possible. 
-+.PP -+The following file types are defined for bootloader: -+ ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B bootloader_etc_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the bootloader_etc_t type, if you want to store bootloader files in the /etc directories. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B bootloader_exec_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the bootloader_exec_t type, if you want to transition an executable to the bootloader_t domain. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B bootloader_tmp_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the bootloader_tmp_t type, if you want to store bootloader temporary files in the /tmp directories. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B bootloader_var_lib_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the bootloader_var_lib_t type, if you want to store the bootloader files under the /var/lib directory. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B bootloader_var_run_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the bootloader_var_run_t type, if you want to store the bootloader files under the /run directory. ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
+ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the bootloader_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the bootloader_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -8129,10 +16341,10 @@ index 0000000..0e127fd +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -8141,10 +16353,10 @@ index 0000000..0e127fd +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE @@ -8189,8 +16401,6 @@ index 0000000..0e127fd +.br + /var/webmin(/.*)? +.br -+ /var/log/cron[^/]* -+.br + /var/log/secure[^/]* +.br + /opt/zimbra/log(/.*)? 
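Review bot: the `@@ -7995,84 +16191,100 @@` hunk replaces the two duplicated xdm_exec_bootloader entries with global booleans only, so the one boolean that is specific to bootloader_t no longer appears anywhere on the bootloader_selinux page. If xdm_exec_bootloader still exists in the policy, the regenerated output has lost a domain-specific boolean and the generator needs fixing; if the boolean was removed, the changelog should say so. Two smaller points in the same hunk: "rather then using a sssd server" should read "rather than", and the new NSSWITCH DOMAIN section repeats the authlogin_nsswitch_use_ldap and kerberos_enabled entries, with the same setsebool lines, that the BOOLEANS section above it just listed; one of the two copies should go.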
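Review bot: the `@@ -8129,10 +16341,10 @@` hunk and the `@@ -8141,10 +16353,10 @@` hunk after it only swap the order of neighbouring paths: `/\.autofsck` moves below `/forcefsck` and `/etc/killpower` below `/etc/nohotplug`. No policy change is involved; the generator walks an unordered container, so every regeneration produces this churn and buries the real changes in the patch. Sort the paths before printing them.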
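Review bot: the `@@ -8189,8 +16401,6 @@` hunk drops `/var/log/cron[^/]*` from the files bootloader_t can manage while keeping `/var/log/secure[^/]*` next to it. The commit message does not mention cron logs, so please confirm this is a deliberate change to how /var/log/cron is labelled rather than a generator artifact, and if deliberate, record it in the changelog.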
@@ -8226,21 +16436,84 @@ index 0000000..0e127fd + /var/named/chroot/var/log +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux bootloader policy is very flexible allowing users to setup their bootloader processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bootloader_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the bootloader, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t bootloader_etc_t '/srv/bootloader/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mybootloader_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for bootloader: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B bootloader_etc_t +.EE + ++- Set files with the bootloader_etc_t type, if you want to store bootloader files in the /etc directories. ++ ++.br ++.TP 5 ++Paths: ++/etc/lilo\.conf.*, /etc/zipl\.conf.*, /etc/yaboot\.conf.*, /etc/default/grub ++ ++.EX ++.PP ++.B bootloader_exec_t ++.EE ++ ++- Set files with the bootloader_exec_t type, if you want to transition an executable to the bootloader_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/sbin/grub.*, /sbin/lilo.*, /sbin/ybin.*, /usr/sbin/grub.*, /usr/sbin/lilo.*, /usr/sbin/ybin.*, /sbin/zipl, /usr/sbin/zipl ++ ++.EX ++.PP ++.B bootloader_tmp_t ++.EE ++ ++- Set files with the bootloader_tmp_t type, if you want to store bootloader temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B bootloader_var_lib_t ++.EE ++ ++- Set files with the bootloader_var_lib_t type, if you want to store the bootloader files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B bootloader_var_run_t ++.EE ++ ++- Set files with the bootloader_var_run_t type, if you want to store the bootloader files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the bootloader_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -8270,11 +16543,11 @@ index 0000000..0e127fd \ No newline at end of file diff --git a/man/man8/brctl_selinux.8 b/man/man8/brctl_selinux.8 new file mode 100644 -index 0000000..454e06c +index 0000000..983ed6d --- /dev/null +++ b/man/man8/brctl_selinux.8 -@@ -0,0 +1,96 @@ -+.TH "brctl_selinux" "8" "12-11-01" "brctl" "SELinux Policy documentation for brctl" +@@ -0,0 +1,165 @@ ++.TH "brctl_selinux" "8" "13-01-16" "brctl" "SELinux Policy documentation for brctl" +.SH "NAME" +brctl_selinux \- Security Enhanced Linux Policy for the brctl processes +.SH "DESCRIPTION" 
@@ -8290,7 +16563,9 @@ index 0000000..454e06c + +.SH "ENTRYPOINTS" + -+The brctl_t SELinux type can be entered via the "brctl_exec_t" file type. The default entrypoint paths for the brctl_t domain are the following:" ++The brctl_t SELinux type can be entered via the \fBbrctl_exec_t\fP file type. ++ ++The default entrypoint paths for the brctl_t domain are the following: + +/usr/sbin/brctl +.SH PROCESS TYPES 
@@ -8308,8 +16583,70 @@ index 0000000..454e06c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a brctl_t ++can be used to make the process type brctl_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. brctl policy is extremely flexible and has several booleans that allow you to manipulate the policy and run brctl with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type brctl_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B sysfs_t ++ ++ /sys(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8319,7 +16656,20 @@ index 0000000..454e06c +Policy governs the access confined processes have to these files. +SELinux brctl policy is very flexible allowing users to setup their brctl processes in as secure a method as possible. +.PP -+The following file types are defined for brctl: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the brctl, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t brctl_exec_t '/srv/brctl/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mybrctl_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for brctl: + + +.EX @@ -8337,18 +16687,6 @@ index 0000000..454e06c +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type brctl_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B sysfs_t -+ -+ /sys(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -8359,6 +16697,9 @@ index 0000000..454e06c +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
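Review bot: the `@@ -8308,8 +16583,70 @@` hunk adds a BOOLEANS section stating that "brctl policy is extremely flexible and has several booleans", but every boolean listed (daemons_use_tty, deny_ptrace, domain_fd_use, domain_kernel_load_modules, fips_mode, global_ssp) is a global one that appears unchanged on every page in this patch; none is specific to brctl_t. Emitting the boilerplate regardless tells readers that brctl has tunables of its own when it has none. Have the generator say so when only global booleans apply, or split the section into domain-specific and global booleans. Moving MANAGED FILES ahead of FILE CONTEXTS and dropping the empty NSSWITCH DOMAIN heading in the same hunk are fine.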
@@ -8370,13 +16711,135 @@ index 0000000..454e06c + +.SH "SEE ALSO" +selinux(8), brctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/cachefiles_kernel_selinux.8 b/man/man8/cachefiles_kernel_selinux.8 +new file mode 100644 +index 0000000..390a6f5 +--- /dev/null ++++ b/man/man8/cachefiles_kernel_selinux.8 +@@ -0,0 +1,113 @@ ++.TH "cachefiles_kernel_selinux" "8" "13-01-16" "cachefiles_kernel" "SELinux Policy documentation for cachefiles_kernel" ++.SH "NAME" ++cachefiles_kernel_selinux \- Security Enhanced Linux Policy for the cachefiles_kernel processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the cachefiles_kernel processes via flexible mandatory access control. ++ ++The cachefiles_kernel processes execute with the cachefiles_kernel_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep cachefiles_kernel_t ++ ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux cachefiles_kernel policy is very flexible allowing users to setup their cachefiles_kernel processes in as secure a method as possible. ++.PP ++The following process types are defined for cachefiles_kernel: ++ ++.EX ++.B cachefiles_kernel_t ++.EE ++.PP ++Note: ++.B semanage permissive -a cachefiles_kernel_t ++can be used to make the process type cachefiles_kernel_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
cachefiles_kernel policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cachefiles_kernel with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cachefiles_kernel_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cachefiles_var_t ++ ++ /var/fscache(/.*)? ++.br ++ /var/cache/fscache(/.*)? ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. 
++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), cachefiles_kernel(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), cachefilesd_selinux(8) +\ No newline at end of file diff --git a/man/man8/cachefilesd_selinux.8 b/man/man8/cachefilesd_selinux.8 new file mode 100644 -index 0000000..f337f15 +index 0000000..c7fbee4 --- /dev/null +++ b/man/man8/cachefilesd_selinux.8 -@@ -0,0 +1,112 @@ -+.TH "cachefilesd_selinux" "8" "12-11-01" "cachefilesd" "SELinux Policy documentation for cachefilesd" +@@ -0,0 +1,209 @@ ++.TH "cachefilesd_selinux" "8" "13-01-16" "cachefilesd" "SELinux Policy documentation for cachefilesd" +.SH "NAME" +cachefilesd_selinux \- Security Enhanced Linux Policy for the cachefilesd processes +.SH "DESCRIPTION" @@ -8392,7 +16855,9 @@ index 0000000..f337f15 + +.SH "ENTRYPOINTS" + -+The cachefilesd_t SELinux type can be entered via the "cachefilesd_exec_t" file type. The default entrypoint paths for the cachefilesd_t domain are the following:" ++The cachefilesd_t SELinux type can be entered via the \fBcachefilesd_exec_t\fP file type. ++ ++The default entrypoint paths for the cachefilesd_t domain are the following: + +/sbin/cachefilesd, /usr/sbin/cachefilesd +.SH PROCESS TYPES 
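Review bot: the new man/man8/cachefiles_kernel_selinux.8 hunk documents a domain for which no ENTRYPOINTS section is emitted, yet its SEE ALSO still points at cachefiles_kernel(8) and the DESCRIPTION uses the generic "The cachefiles_kernel processes execute with the cachefiles_kernel_t SELinux type" wording. With no entrypoint executable there is no cachefiles_kernel command to have a man page of its own; the generator should omit the <name>(8) reference for domains without an entrypoint and state that the domain is entered by the kernel rather than by running a program. The deny_ptrace inversion noted on the boinc page applies here as well.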
@@ -8410,42 +16875,76 @@ index 0000000..f337f15 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cachefilesd_t ++can be used to make the process type cachefilesd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux cachefilesd policy is very flexible allowing users to setup their cachefilesd processes in as secure a method as possible. -+.PP -+The following file types are defined for cachefilesd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cachefilesd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cachefilesd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B cachefilesd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the cachefilesd_exec_t type, if you want to transition an executable to the cachefilesd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B cachefilesd_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the cachefilesd_var_run_t type, if you want to store the cachefilesd files under the /run directory. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. 
Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -8465,7 +16964,64 @@ index 0000000..f337f15 + /var/run/cachefilesd\.pid +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux cachefilesd policy is very flexible allowing users to setup their cachefilesd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cachefilesd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cachefilesd_exec_t '/srv/cachefilesd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycachefilesd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cachefilesd: ++ ++ ++.EX ++.PP ++.B cachefilesd_exec_t ++.EE ++ ++- Set files with the cachefilesd_exec_t type, if you want to transition an executable to the cachefilesd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/cachefilesd, /usr/sbin/cachefilesd ++ ++.EX ++.PP ++.B cachefilesd_var_run_t ++.EE ++ ++- Set files with the cachefilesd_var_run_t type, if you want to store the cachefilesd files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
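Review bot: the `@@ -8465,7 +16964,64 @@` hunk adds root_t with `/` and `/initrd` to the files cachefilesd_t can manage, and the boinc_t hunk earlier in this patch does the same. A daemon creating files directly under / is exactly what the daemons_dump_core boolean, documented on the same page as "Disabled by default", exists to gate. If the root_t entry derives from that tunable, the MANAGED FILES list is describing access the default policy does not grant; the generator should either honour boolean defaults or mark such entries as conditional on a boolean. If it does not derive from the tunable, please explain why cachefilesd_t needs to manage root_t.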
@@ -8477,6 +17033,9 @@ index 0000000..f337f15 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -8488,13 +17047,15 @@ index 0000000..f337f15 + +.SH "SEE ALSO" +selinux(8), cachefilesd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), cachefiles_kernel_selinux(8) +\ No newline at end of file diff --git a/man/man8/calamaris_selinux.8 b/man/man8/calamaris_selinux.8 new file mode 100644 -index 0000000..e3eb81f +index 0000000..370d1d5 --- /dev/null +++ b/man/man8/calamaris_selinux.8 -@@ -0,0 +1,132 @@ -+.TH "calamaris_selinux" "8" "12-11-01" "calamaris" "SELinux Policy documentation for calamaris" +@@ -0,0 +1,227 @@ ++.TH "calamaris_selinux" "8" "13-01-16" "calamaris" "SELinux Policy documentation for calamaris" +.SH "NAME" +calamaris_selinux \- Security Enhanced Linux Policy for the calamaris processes +.SH "DESCRIPTION" @@ -8510,7 +17071,9 @@ index 0000000..e3eb81f + +.SH "ENTRYPOINTS" + -+The calamaris_t SELinux type can be entered via the "calamaris_exec_t" file type. The default entrypoint paths for the calamaris_t domain are the following:" ++The calamaris_t SELinux type can be entered via the \fBcalamaris_exec_t\fP file type. ++ ++The default entrypoint paths for the calamaris_t domain are the following: + +/etc/cron\.daily/calamaris +.SH PROCESS TYPES 
@@ -8528,8 +17091,116 @@ index 0000000..e3eb81f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a calamaris_t ++can be used to make the process type calamaris_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. calamaris policy is extremely flexible and has several booleans that allow you to manipulate the policy and run calamaris with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the calamaris_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the calamaris_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type calamaris_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B calamaris_log_t ++ ++ /var/log/calamaris(/.*)? ++.br ++ ++.br ++.B calamaris_www_t ++ ++ /var/www/calamaris(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -8539,7 +17210,20 @@ index 0000000..e3eb81f +Policy governs the access confined processes have to these files. +SELinux calamaris policy is very flexible allowing users to setup their calamaris processes in as secure a method as possible. +.PP -+The following file types are defined for calamaris: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the calamaris, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t calamaris_exec_t '/srv/calamaris/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycalamaris_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for calamaris: + + +.EX @@ -8573,38 +17257,6 @@ index 0000000..e3eb81f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type calamaris_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B calamaris_log_t -+ -+ /var/log/calamaris(/.*)? -+.br -+ -+.br -+.B calamaris_www_t -+ -+ /var/www/calamaris(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the calamaris_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the calamaris_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -8615,6 +17267,9 @@ index 0000000..e3eb81f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -8626,13 +17281,15 @@ index 0000000..e3eb81f + +.SH "SEE ALSO" +selinux(8), calamaris(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/callweaver_selinux.8 b/man/man8/callweaver_selinux.8 new file mode 100644 -index 0000000..b1ebf14 +index 0000000..d063b48 --- /dev/null +++ b/man/man8/callweaver_selinux.8 -@@ -0,0 +1,168 @@ -+.TH "callweaver_selinux" "8" "12-11-01" "callweaver" "SELinux Policy documentation for callweaver" +@@ -0,0 +1,289 @@ ++.TH "callweaver_selinux" "8" "13-01-16" "callweaver" "SELinux Policy documentation for callweaver" +.SH "NAME" +callweaver_selinux \- Security Enhanced Linux Policy for the callweaver processes +.SH "DESCRIPTION" @@ -8648,7 +17305,9 @@ index 0000000..b1ebf14 + +.SH "ENTRYPOINTS" + -+The callweaver_t SELinux type can be entered via the "callweaver_exec_t" file type. The default entrypoint paths for the callweaver_t domain are the following:" ++The callweaver_t SELinux type can be entered via the \fBcallweaver_exec_t\fP file type. ++ ++The default entrypoint paths for the callweaver_t domain are the following: + +/usr/sbin/callweaver +.SH PROCESS TYPES 
@@ -8666,8 +17325,154 @@ index 0000000..b1ebf14 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a callweaver_t ++can be used to make the process type callweaver_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. callweaver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run callweaver with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the callweaver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the callweaver_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type callweaver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B callweaver_spool_t ++ ++ /var/spool/callweaver(/.*)? 
++.br ++ ++.br ++.B callweaver_var_lib_t ++ ++ /var/lib/callweaver(/.*)? ++.br ++ ++.br ++.B callweaver_var_run_t ++ ++ /var/run/callweaver(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8677,7 +17482,20 @@ index 0000000..b1ebf14 +Policy governs the access confined processes have to these files. +SELinux callweaver policy is very flexible allowing users to setup their callweaver processes in as secure a method as possible. +.PP -+The following file types are defined for callweaver: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the callweaver, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t callweaver_exec_t '/srv/callweaver/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycallweaver_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for callweaver: + + +.EX @@ -8725,7 +17543,7 @@ index 0000000..b1ebf14 +.B callweaver_var_run_t +.EE + -+- Set files with the callweaver_var_run_t type, if you want to store the callweaver files under the /run directory. ++- Set files with the callweaver_var_run_t type, if you want to store the callweaver files under the /run or /var/run directory. + + +.PP 
@@ -8735,50 +17553,6 @@ index 0000000..b1ebf14 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type callweaver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B callweaver_log_t -+ -+ /var/log/callweaver(/.*)? -+.br -+ -+.br -+.B callweaver_spool_t -+ -+ /var/spool/callweaver(/.*)? -+.br -+ -+.br -+.B callweaver_var_lib_t -+ -+ /var/lib/callweaver(/.*)? -+.br -+ -+.br -+.B callweaver_var_run_t -+ -+ /var/run/callweaver(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the callweaver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the callweaver_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -8789,6 +17563,9 @@ index 0000000..b1ebf14 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -8800,13 +17577,15 @@ index 0000000..b1ebf14 + +.SH "SEE ALSO" +selinux(8), callweaver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/canna_selinux.8 b/man/man8/canna_selinux.8 new file mode 100644 -index 0000000..73d7f2a +index 0000000..bb41ce1 --- /dev/null 
+++ b/man/man8/canna_selinux.8 -@@ -0,0 +1,148 @@ -+.TH "canna_selinux" "8" "12-11-01" "canna" "SELinux Policy documentation for canna" +@@ -0,0 +1,257 @@ ++.TH "canna_selinux" "8" "13-01-16" "canna" "SELinux Policy documentation for canna" +.SH "NAME" +canna_selinux \- Security Enhanced Linux Policy for the canna processes +.SH "DESCRIPTION" @@ -8822,7 +17601,9 @@ index 0000000..73d7f2a + +.SH "ENTRYPOINTS" + -+The canna_t SELinux type can be entered via the "canna_exec_t" file type. The default entrypoint paths for the canna_t domain are the following:" ++The canna_t SELinux type can be entered via the \fBcanna_exec_t\fP file type. ++ ++The default entrypoint paths for the canna_t domain are the following: + +/usr/bin/catdic, /usr/sbin/jserver, /usr/bin/cannaping, /usr/sbin/cannaserver +.SH PROCESS TYPES 
@@ -8840,8 +17621,114 @@ index 0000000..73d7f2a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a canna_t ++can be used to make the process type canna_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. canna policy is extremely flexible and has several booleans that allow you to manipulate the policy and run canna with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type canna_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B canna_var_lib_t ++ ++ /var/lib/wnn/dic(/.*)? ++.br ++ /var/lib/canna/dic(/.*)? ++.br ++ ++.br ++.B canna_var_run_t ++ ++ /var/run/wnn-unix(/.*) ++.br ++ /var/run/\.iroha_unix/.* ++.br ++ /var/run/\.iroha_unix ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -8851,7 +17738,20 @@ index 0000000..73d7f2a +Policy governs the access confined processes have to these files. +SELinux canna policy is very flexible allowing users to setup their canna processes in as secure a method as possible. +.PP -+The following file types are defined for canna: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the canna, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t canna_exec_t '/srv/canna/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycanna_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for canna: + + +.EX @@ -8861,6 +17761,10 @@ index 0000000..73d7f2a + +- Set files with the canna_exec_t type, if you want to transition an executable to the canna_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/catdic, /usr/sbin/jserver, /usr/bin/cannaping, /usr/sbin/cannaserver + +.EX +.PP @@ -8877,6 +17781,10 @@ index 0000000..73d7f2a + +- Set files with the canna_log_t type, if you want to treat the data as canna log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/wnn(/.*)?, /var/log/canna(/.*)? + +.EX +.PP 
@@ -8885,14 +17793,22 @@ index 0000000..73d7f2a + +- Set files with the canna_var_lib_t type, if you want to store the canna files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/wnn/dic(/.*)?, /var/lib/canna/dic(/.*)? + +.EX +.PP +.B canna_var_run_t +.EE + -+- Set files with the canna_var_run_t type, if you want to store the canna files under the /run directory. ++- Set files with the canna_var_run_t type, if you want to store the canna files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/wnn-unix(/.*), /var/run/\.iroha_unix/.*, /var/run/\.iroha_unix + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -8901,38 +17817,6 @@ index 0000000..73d7f2a +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type canna_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B canna_log_t -+ -+ /var/log/wnn(/.*)? -+.br -+ /var/log/canna(/.*)? -+.br -+ -+.br -+.B canna_var_lib_t -+ -+ /var/lib/wnn/dic(/.*)? -+.br -+ /var/lib/canna/dic(/.*)? -+.br -+ -+.br -+.B canna_var_run_t -+ -+ /var/run/wnn-unix(/.*)? -+.br -+ /var/run/\.iroha_unix/.* -+.br -+ /var/run/\.iroha_unix -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -8943,6 +17827,9 @@ index 0000000..73d7f2a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -8954,13 +17841,15 @@ index 0000000..73d7f2a + +.SH "SEE ALSO" +selinux(8), canna(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/cardmgr_selinux.8 b/man/man8/cardmgr_selinux.8 new file mode 100644 -index 0000000..8fccf2f +index 0000000..fa8eb0d --- /dev/null +++ b/man/man8/cardmgr_selinux.8 -@@ -0,0 +1,162 @@ -+.TH "cardmgr_selinux" "8" "12-11-01" "cardmgr" "SELinux Policy documentation for cardmgr" +@@ -0,0 +1,259 @@ ++.TH "cardmgr_selinux" "8" "13-01-16" "cardmgr" "SELinux Policy documentation for cardmgr" +.SH "NAME" +cardmgr_selinux \- Security Enhanced Linux Policy for the cardmgr processes +.SH "DESCRIPTION" @@ -8976,9 +17865,11 @@ index 0000000..8fccf2f + +.SH "ENTRYPOINTS" + -+The cardmgr_t SELinux type can be entered via the "cardctl_exec_t,cardmgr_exec_t" file types. The default entrypoint paths for the cardmgr_t domain are the following:" ++The cardmgr_t SELinux type can be entered via the \fBcardmgr_exec_t, cardctl_exec_t\fP file types. + -+/sbin/cardctl, /usr/sbin/cardctl, /sbin/cardmgr, /usr/sbin/cardmgr, /etc/apm/event\.d/pcmcia ++The default entrypoint paths for the cardmgr_t domain are the following: ++ ++/sbin/cardmgr, /usr/sbin/cardmgr, /etc/apm/event\.d/pcmcia, /sbin/cardctl, /usr/sbin/cardctl +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -8994,66 +17885,76 @@ index 0000000..8fccf2f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cardmgr_t ++can be used to make the process type cardmgr_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux cardmgr policy is very flexible allowing users to setup their cardmgr processes in as secure a method as possible. -+.PP -+The following file types are defined for cardmgr: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cardmgr policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cardmgr with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B cardmgr_dev_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the cardmgr_dev_t type, if you want to treat the files as cardmgr dev data. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B cardmgr_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the cardmgr_exec_t type, if you want to transition an executable to the cardmgr_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B cardmgr_lnk_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the cardmgr_lnk_t type, if you want to treat the files as cardmgr lnk data. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B cardmgr_var_lib_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the cardmgr_var_lib_t type, if you want to store the cardmgr files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B cardmgr_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the cardmgr_var_run_t type, if you want to store the cardmgr files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -9076,8 +17977,6 @@ index 0000000..8fccf2f +.br +.B net_conf_t + -+ /etc/ntpd?\.conf.* -+.br + /etc/hosts[^/]* +.br + /etc/yp\.conf.* 
@@ -9088,8 +17987,6 @@ index 0000000..8fccf2f +.br + /etc/resolv\.conf.* +.br -+ /etc/ntp/step-tickers.* -+.br + /etc/sysconfig/networking(/.*)? +.br + /etc/sysconfig/network-scripts(/.*)? 
@@ -9099,7 +17996,92 @@ index 0000000..8fccf2f + /etc/ethers +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux cardmgr policy is very flexible allowing users to setup their cardmgr processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cardmgr, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cardmgr_dev_t '/srv/cardmgr/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycardmgr_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cardmgr: ++ ++ ++.EX ++.PP ++.B cardmgr_dev_t ++.EE ++ ++- Set files with the cardmgr_dev_t type, if you want to treat the files as cardmgr dev data. ++ ++ ++.EX ++.PP ++.B cardmgr_exec_t ++.EE ++ ++- Set files with the cardmgr_exec_t type, if you want to transition an executable to the cardmgr_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/cardmgr, /usr/sbin/cardmgr, /etc/apm/event\.d/pcmcia ++ ++.EX ++.PP ++.B cardmgr_lnk_t ++.EE ++ ++- Set files with the cardmgr_lnk_t type, if you want to treat the files as cardmgr lnk data. ++ ++ ++.EX ++.PP ++.B cardmgr_var_lib_t ++.EE ++ ++- Set files with the cardmgr_var_lib_t type, if you want to store the cardmgr files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B cardmgr_var_run_t ++.EE ++ ++- Set files with the cardmgr_var_run_t type, if you want to store the cardmgr files under the /run or /var/run directory. 
++ ++.br ++.TP 5 ++Paths: ++/var/lib/pcmcia(/.*)?, /var/run/stab, /var/run/cardmgr\.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -9111,6 +18093,9 @@ index 0000000..8fccf2f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -9122,13 +18107,15 @@ index 0000000..8fccf2f + +.SH "SEE ALSO" +selinux(8), cardmgr(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ccs_selinux.8 b/man/man8/ccs_selinux.8 new file mode 100644 -index 0000000..4859e26 +index 0000000..d25a161 --- /dev/null +++ b/man/man8/ccs_selinux.8 -@@ -0,0 +1,172 @@ -+.TH "ccs_selinux" "8" "12-11-01" "ccs" "SELinux Policy documentation for ccs" +@@ -0,0 +1,287 @@ ++.TH "ccs_selinux" "8" "13-01-16" "ccs" "SELinux Policy documentation for ccs" +.SH "NAME" +ccs_selinux \- Security Enhanced Linux Policy for the ccs processes +.SH "DESCRIPTION" @@ -9144,7 +18131,9 @@ index 0000000..4859e26 + +.SH "ENTRYPOINTS" + -+The ccs_t SELinux type can be entered via the "ccs_exec_t" file type. The default entrypoint paths for the ccs_t domain are the following:" ++The ccs_t SELinux type can be entered via the \fBccs_exec_t\fP file type. ++ ++The default entrypoint paths for the ccs_t domain are the following: + +/sbin/ccsd, /usr/sbin/ccsd +.SH PROCESS TYPES 
@@ -9162,8 +18151,136 @@ index 0000000..4859e26 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ccs_t ++can be used to make the process type ccs_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ccs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ccs with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type ccs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B ccs_tmp_t ++ ++ ++.br ++.B ccs_tmpfs_t ++ ++ ++.br ++.B ccs_var_lib_t ++ ++ /var/lib/cluster/((ccs)|(ccsd)).* ++.br ++ ++.br ++.B ccs_var_run_t ++ ++ /var/run/cluster/((ccs)|(ccsd))\.pid ++.br ++ /var/run/cluster/((ccs)|(ccsd))\.sock ++.br ++ ++.br ++.B cluster_conf_t ++ ++ /etc/cluster(/.*)? ++.br ++ ++.br ++.B file_t ++ ++ ++.br ++.B initrc_tmp_t ++ ++ ++.br ++.B qpidd_tmpfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -9173,7 +18290,20 @@ index 0000000..4859e26 +Policy governs the access confined processes have to these files. +SELinux ccs policy is very flexible allowing users to setup their ccs processes in as secure a method as possible. +.PP -+The following file types are defined for ccs: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ccs, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ccs_exec_t '/srv/ccs/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myccs_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ccs: + + +.EX @@ -9183,6 +18313,18 @@ index 0000000..4859e26 + +- Set files with the ccs_exec_t type, if you want to transition an executable to the ccs_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/ccsd, /usr/sbin/ccsd ++ ++.EX ++.PP ++.B ccs_initrc_exec_t ++.EE ++ ++- Set files with the ccs_initrc_exec_t type, if you want to transition an executable to the ccs_initrc_t domain. ++ + +.EX +.PP @@ -9221,8 +18363,12 @@ index 0000000..4859e26 +.B ccs_var_run_t +.EE + -+- Set files with the ccs_var_run_t type, if you want to store the ccs files under the /run directory. ++- Set files with the ccs_var_run_t type, if you want to store the ccs files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/cluster/((ccs)|(ccsd))\.pid, /var/run/cluster/((ccs)|(ccsd))\.sock + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -9231,54 +18377,6 @@ index 0000000..4859e26 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type ccs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B ccs_tmp_t -+ -+ -+.br -+.B ccs_tmpfs_t -+ -+ -+.br -+.B ccs_var_lib_t -+ -+ -+.br -+.B ccs_var_log_t -+ -+ -+.br -+.B ccs_var_run_t -+ -+ /var/run/cluster/ccsd\.pid -+.br -+ /var/run/cluster/ccsd\.sock -+.br -+ -+.br -+.B cluster_conf_t -+ -+ /etc/cluster(/.*)? -+.br -+ -+.br -+.B file_t -+ -+ -+.br -+.B initrc_tmp_t -+ -+ -+.br -+.B qpidd_tmpfs_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -9289,6 +18387,9 @@ index 0000000..4859e26 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -9300,13 +18401,15 @@ index 0000000..4859e26 + +.SH "SEE ALSO" +selinux(8), ccs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/cdcc_selinux.8 b/man/man8/cdcc_selinux.8 new file mode 100644 -index 0000000..06454f9 +index 0000000..c947e98 --- /dev/null +++ b/man/man8/cdcc_selinux.8 -@@ -0,0 +1,128 @@ -+.TH "cdcc_selinux" "8" "12-11-01" "cdcc" "SELinux Policy documentation for cdcc" +@@ -0,0 +1,223 @@ ++.TH "cdcc_selinux" "8" "13-01-16" "cdcc" "SELinux Policy documentation for cdcc" +.SH "NAME" +cdcc_selinux \- Security Enhanced Linux Policy for the cdcc processes +.SH "DESCRIPTION" 
@@ -9322,7 +18425,9 @@ index 0000000..06454f9 + +.SH "ENTRYPOINTS" + -+The cdcc_t SELinux type can be entered via the "cdcc_exec_t" file type. The default entrypoint paths for the cdcc_t domain are the following:" ++The cdcc_t SELinux type can be entered via the \fBcdcc_exec_t\fP file type. ++ ++The default entrypoint paths for the cdcc_t domain are the following: + +/usr/bin/cdcc +.SH PROCESS TYPES 
@@ -9340,8 +18445,120 @@ index 0000000..06454f9 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cdcc_t ++can be used to make the process type cdcc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cdcc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cdcc with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the cdcc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cdcc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cdcc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cdcc_tmp_t ++ ++ ++.br ++.B dcc_client_map_t ++ ++ /etc/dcc/map ++.br ++ /var/dcc/map ++.br ++ /var/lib/dcc/map ++.br ++ /var/run/dcc/map ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -9351,7 +18568,20 @@ index 0000000..06454f9 +Policy governs the access confined processes have to these files. +SELinux cdcc policy is very flexible allowing users to setup their cdcc processes in as secure a method as possible. +.PP -+The following file types are defined for cdcc: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cdcc, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cdcc_exec_t '/srv/cdcc/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycdcc_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cdcc: + + +.EX @@ -9377,42 +18607,6 @@ index 0000000..06454f9 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type cdcc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cdcc_tmp_t -+ -+ -+.br -+.B dcc_client_map_t -+ -+ /etc/dcc/map -+.br -+ /var/dcc/map -+.br -+ /var/lib/dcc/map -+.br -+ /var/run/dcc/map -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cdcc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the cdcc_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -9423,6 +18617,9 @@ index 0000000..06454f9 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -9434,13 +18631,15 @@ index 0000000..06454f9 + +.SH "SEE ALSO" +selinux(8), cdcc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/cdrecord_selinux.8 b/man/man8/cdrecord_selinux.8 new file mode 100644 -index 0000000..f808c03 +index 0000000..9559578 --- /dev/null +++ b/man/man8/cdrecord_selinux.8 -@@ -0,0 +1,108 @@ -+.TH "cdrecord_selinux" "8" "12-11-01" "cdrecord" "SELinux Policy documentation for cdrecord" +@@ -0,0 +1,227 @@ ++.TH "cdrecord_selinux" "8" "13-01-16" "cdrecord" "SELinux Policy documentation for cdrecord" +.SH "NAME" +cdrecord_selinux \- Security Enhanced Linux Policy for the cdrecord processes +.SH "DESCRIPTION" @@ -9456,7 +18655,9 @@ index 0000000..f808c03 + +.SH "ENTRYPOINTS" + -+The cdrecord_t SELinux type can be entered via the "cdrecord_exec_t" file type. The default entrypoint paths for the cdrecord_t domain are the following:" ++The cdrecord_t SELinux type can be entered via the \fBcdrecord_exec_t\fP file type. ++ ++The default entrypoint paths for the cdrecord_t domain are the following: + +/usr/bin/wodim, /usr/bin/cdrecord, /usr/bin/growisofs +.SH PROCESS TYPES 
@@ -9474,27 +18675,129 @@ index 0000000..f808c03 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cdrecord_t ++can be used to make the process type cdrecord_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. cdrecord policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cdrecord with the tightest access possible. + + +.PP -+If you want to allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files, you must turn on the cdrecord_read_content boolean. ++If you want to determine whether cdrecord can read various content. nfs, samba, removable devices, user temp and untrusted content files, you must turn on the cdrecord_read_content boolean. Disabled by default. + +.EX +.B setsebool -P cdrecord_read_content 1 ++ +.EE + +.PP -+If you want to allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files, you must turn on the cdrecord_read_content boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P cdrecord_read_content 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cdrecord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -9503,7 +18806,20 @@ index 0000000..f808c03 +Policy governs the access confined processes have to these files. +SELinux cdrecord policy is very flexible allowing users to setup their cdrecord processes in as secure a method as possible. +.PP -+The following file types are defined for cdrecord: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cdrecord, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cdrecord_exec_t '/srv/cdrecord/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycdrecord_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cdrecord: + + +.EX @@ -9513,6 +18829,10 @@ index 0000000..f808c03 + +- Set files with the cdrecord_exec_t type, if you want to transition an executable to the cdrecord_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/wodim, /usr/bin/cdrecord, /usr/bin/growisofs + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -9521,8 +18841,6 @@ index 0000000..f808c03 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -9551,11 +18869,11 @@ index 0000000..f808c03 \ No newline at end of file diff --git a/man/man8/certmaster_selinux.8 b/man/man8/certmaster_selinux.8 new file mode 100644 -index 0000000..90729bf +index 0000000..eb49c45 --- /dev/null 
+++ b/man/man8/certmaster_selinux.8 -@@ -0,0 +1,208 @@ -+.TH "certmaster_selinux" "8" "12-11-01" "certmaster" "SELinux Policy documentation for certmaster" +@@ -0,0 +1,335 @@ ++.TH "certmaster_selinux" "8" "13-01-16" "certmaster" "SELinux Policy documentation for certmaster" +.SH "NAME" +certmaster_selinux \- Security Enhanced Linux Policy for the certmaster processes +.SH "DESCRIPTION" @@ -9571,7 +18889,9 @@ index 0000000..90729bf + +.SH "ENTRYPOINTS" + -+The certmaster_t SELinux type can be entered via the "certmaster_exec_t" file type. The default entrypoint paths for the certmaster_t domain are the following:" ++The certmaster_t SELinux type can be entered via the \fBcertmaster_exec_t\fP file type. ++ ++The default entrypoint paths for the certmaster_t domain are the following: + +/usr/bin/certmaster +.SH PROCESS TYPES 
@@ -9589,8 +18909,197 @@ index 0000000..90729bf +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a certmaster_t ++can be used to make the process type certmaster_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. certmaster policy is extremely flexible and has several booleans that allow you to manipulate the policy and run certmaster with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the certmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the certmaster_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. 
++SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible. ++.PP ++The following port types are defined for certmaster: ++ ++.EX ++.TP 5 ++.B certmaster_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 51235 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type certmaster_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cert_t ++ ++ /etc/pki(/.*)? ++.br ++ /etc/ssl(/.*)? ++.br ++ /etc/httpd/alias(/.*)? ++.br ++ /usr/share/ssl/certs(/.*)? ++.br ++ /usr/share/ssl/private(/.*)? ++.br ++ /var/named/chroot/etc/pki(/.*)? ++.br ++ /usr/share/ca-certificates(/.*)? ++.br ++ /var/named/chroot/etc/localtime ++.br ++ ++.br ++.B certmaster_etc_rw_t ++ ++ /etc/certmaster(/.*)? ++.br ++ ++.br ++.B certmaster_var_lib_t ++ ++ /var/lib/certmaster(/.*)? ++.br ++ ++.br ++.B certmaster_var_run_t ++ ++ /var/run/certmaster.* ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -9600,7 +19109,20 @@ index 0000000..90729bf +Policy governs the access confined processes have to these files. +SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible. +.PP -+The following file types are defined for certmaster: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the certmaster, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t certmaster_etc_rw_t '/srv/certmaster/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycertmaster_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for certmaster: + + +.EX @@ -9648,7 +19170,7 @@ index 0000000..90729bf +.B certmaster_var_run_t +.EE + -+- Set files with the certmaster_var_run_t type, if you want to store the certmaster files under the /run directory. ++- Set files with the certmaster_var_run_t type, if you want to store the certmaster files under the /run or /var/run directory. + + +.PP 
@@ -9658,87 +19180,6 @@ index 0000000..90729bf +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux certmaster policy is very flexible allowing users to setup their certmaster processes in as secure a method as possible. -+.PP -+The following port types are defined for certmaster: -+ -+.EX -+.TP 5 -+.B certmaster_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 51235 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type certmaster_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cert_t -+ -+ /etc/pki(/.*)? -+.br -+ /etc/httpd/alias(/.*)? -+.br -+ /usr/share/ssl/certs(/.*)? -+.br -+ /usr/share/ssl/private(/.*)? -+.br -+ /var/named/chroot/etc/pki(/.*)? -+.br -+ -+.br -+.B certmaster_etc_rw_t -+ -+ /etc/certmaster(/.*)? -+.br -+ -+.br -+.B certmaster_var_lib_t -+ -+ /var/lib/certmaster(/.*)? -+.br -+ -+.br -+.B certmaster_var_log_t -+ -+ /var/log/certmaster(/.*)? -+.br -+ -+.br -+.B certmaster_var_run_t -+ -+ /var/run/certmaster.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the certmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the certmaster_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -9752,6 +19193,9 @@ index 0000000..90729bf +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -9763,13 +19207,15 @@ index 0000000..90729bf + +.SH "SEE ALSO" +selinux(8), certmaster(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/certmonger_selinux.8 b/man/man8/certmonger_selinux.8 new file mode 100644 -index 0000000..17c7336 +index 0000000..f856a0e --- /dev/null +++ b/man/man8/certmonger_selinux.8 -@@ -0,0 +1,196 @@ -+.TH "certmonger_selinux" "8" "12-11-01" "certmonger" "SELinux Policy documentation for certmonger" +@@ -0,0 +1,329 @@ ++.TH "certmonger_selinux" "8" "13-01-16" "certmonger" "SELinux Policy documentation for certmonger" +.SH "NAME" +certmonger_selinux \- Security Enhanced Linux Policy for the certmonger processes +.SH "DESCRIPTION" @@ -9785,7 +19231,9 @@ index 0000000..17c7336 + +.SH "ENTRYPOINTS" + -+The certmonger_t SELinux type can be entered via the "certmonger_exec_t" file type. The default entrypoint paths for the certmonger_t domain are the following:" ++The certmonger_t SELinux type can be entered via the \fBcertmonger_exec_t\fP file type. ++ ++The default entrypoint paths for the certmonger_t domain are the following: + +/usr/sbin/certmonger +.SH PROCESS TYPES 
@@ -9799,12 +19247,206 @@ index 0000000..17c7336 +The following process types are defined for certmonger: + +.EX -+.B certmonger_t ++.B certmonger_unconfined_t, certmonger_t +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a certmonger_t ++can be used to make the process type certmonger_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. certmonger policy is extremely flexible and has several booleans that allow you to manipulate the policy and run certmonger with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the certmonger_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the certmonger_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type certmonger_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B auth_cache_t ++ ++ /var/cache/coolkey(/.*)? ++.br ++ ++.br ++.B cert_t ++ ++ /etc/pki(/.*)? ++.br ++ /etc/ssl(/.*)? ++.br ++ /etc/httpd/alias(/.*)? ++.br ++ /usr/share/ssl/certs(/.*)? ++.br ++ /usr/share/ssl/private(/.*)? ++.br ++ /var/named/chroot/etc/pki(/.*)? ++.br ++ /usr/share/ca-certificates(/.*)? ++.br ++ /var/named/chroot/etc/localtime ++.br ++ ++.br ++.B certmonger_var_lib_t ++ ++ /var/lib/certmonger(/.*)? ++.br ++ ++.br ++.B certmonger_var_run_t ++ ++ /var/run/certmonger.* ++.br ++ ++.br ++.B dirsrv_config_t ++ ++ /etc/dirsrv(/.*)? ++.br ++ ++.br ++.B pki_tomcat_cert_t ++ ++ /var/lib/pki-ca/alias(/.*)? ++.br ++ /var/lib/pki-kra/alias(/.*)? ++.br ++ /var/lib/pki-tks/alias(/.*)? ++.br ++ /var/lib/pki-ocsp/alias(/.*)? ++.br ++ /etc/pki/pki-tomcat/alias(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -9814,7 +19456,20 @@ index 0000000..17c7336 +Policy governs the access confined processes have to these files. +SELinux certmonger policy is very flexible allowing users to setup their certmonger processes in as secure a method as possible. +.PP -+The following file types are defined for certmonger: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the certmonger, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t certmonger_exec_t '/srv/certmonger/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycertmonger_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for certmonger: + + +.EX @@ -9854,7 +19509,7 @@ index 0000000..17c7336 +.B certmonger_var_run_t +.EE + -+- Set files with the certmonger_var_run_t type, if you want to store the certmonger files under the /run directory. ++- Set files with the certmonger_var_run_t type, if you want to store the certmonger files under the /run or /var/run directory. + + +.PP 
@@ -9864,86 +19519,6 @@ index 0000000..17c7336 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type certmonger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B auth_cache_t -+ -+ /var/cache/coolkey(/.*)? -+.br -+ -+.br -+.B cert_t -+ -+ /etc/pki(/.*)? -+.br -+ /etc/httpd/alias(/.*)? -+.br -+ /usr/share/ssl/certs(/.*)? -+.br -+ /usr/share/ssl/private(/.*)? -+.br -+ /var/named/chroot/etc/pki(/.*)? -+.br -+ -+.br -+.B certmonger_var_lib_t -+ -+ /var/lib/certmonger(/.*)? -+.br -+ -+.br -+.B certmonger_var_run_t -+ -+ /var/run/certmonger.pid -+.br -+ -+.br -+.B dirsrv_config_t -+ -+ /etc/dirsrv(/.*)? -+.br -+ -+.br -+.B pki_tomcat_cert_t -+ -+ /var/lib/pki-ca/alias(/.*)? -+.br -+ /var/lib/pki-kra/alias(/.*)? -+.br -+ /var/lib/pki-tks/alias(/.*)? -+.br -+ /var/lib/pki-ocsp/alias(/.*)? -+.br -+ /etc/pki/pki-tomcat/alias(/.*)? -+.br -+ -+.br -+.B systemd_passwd_var_run_t -+ -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the certmonger_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the certmonger_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -9954,6 +19529,9 @@ index 0000000..17c7336 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -9965,13 +19543,169 @@ index 0000000..17c7336 + +.SH "SEE ALSO" +selinux(8), certmonger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), certmonger_unconfined_selinux(8) +\ No newline at end of file +diff --git a/man/man8/certmonger_unconfined_selinux.8 b/man/man8/certmonger_unconfined_selinux.8 +new file mode 100644 +index 0000000..3bad9e3 +--- /dev/null ++++ b/man/man8/certmonger_unconfined_selinux.8 +@@ -0,0 +1,147 @@ ++.TH "certmonger_unconfined_selinux" "8" "13-01-16" "certmonger_unconfined" "SELinux Policy documentation for certmonger_unconfined" ++.SH "NAME" ++certmonger_unconfined_selinux \- Security Enhanced Linux Policy for the certmonger_unconfined processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the certmonger_unconfined processes via flexible mandatory access control. ++ ++The certmonger_unconfined processes execute with the certmonger_unconfined_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep certmonger_unconfined_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The certmonger_unconfined_t SELinux type can be entered via the \fBcertmonger_unconfined_exec_t\fP file type. ++ ++The default entrypoint paths for the certmonger_unconfined_t domain are the following: ++ ++/usr/lib/ipa/certmonger(/.*)? ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux certmonger_unconfined policy is very flexible allowing users to setup their certmonger_unconfined processes in as secure a method as possible. 
++.PP ++The following process types are defined for certmonger_unconfined: ++ ++.EX ++.B certmonger_unconfined_t ++.EE ++.PP ++Note: ++.B semanage permissive -a certmonger_unconfined_t ++can be used to make the process type certmonger_unconfined_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. certmonger_unconfined policy is extremely flexible and has several booleans that allow you to manipulate the policy and run certmonger_unconfined with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. 
++SELinux certmonger_unconfined policy is very flexible allowing users to setup their certmonger_unconfined processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the certmonger_unconfined, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t certmonger_unconfined_exec_t '/srv/certmonger_unconfined/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycertmonger_unconfined_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for certmonger_unconfined: ++ ++ ++.EX ++.PP ++.B certmonger_unconfined_exec_t ++.EE ++ ++- Set files with the certmonger_unconfined_exec_t type, if you want to transition an executable to the certmonger_unconfined_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), certmonger_unconfined(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), certmonger_selinux(8), certmonger_selinux(8) +\ No newline at end of file diff --git a/man/man8/certwatch_selinux.8 b/man/man8/certwatch_selinux.8 new file mode 100644 -index 0000000..7655104 +index 0000000..89fb64a --- /dev/null +++ b/man/man8/certwatch_selinux.8 -@@ -0,0 +1,96 @@ -+.TH "certwatch_selinux" "8" "12-11-01" "certwatch" "SELinux Policy documentation for certwatch" +@@ -0,0 +1,157 @@ ++.TH "certwatch_selinux" "8" "13-01-16" "certwatch" "SELinux Policy documentation for certwatch" +.SH "NAME" +certwatch_selinux \- Security Enhanced Linux Policy for the certwatch processes +.SH "DESCRIPTION" @@ -9987,9 +19721,11 @@ index 0000000..7655104 + +.SH "ENTRYPOINTS" + -+The certwatch_t SELinux type can be entered via the "certwatch_exec_t" file type. The default entrypoint paths for the certwatch_t domain are the following:" ++The certwatch_t SELinux type can be entered via the \fBcertwatch_exec_t\fP file type. + -+/usr/bin/certwatch ++The default entrypoint paths for the certwatch_t domain are the following: ++ ++/etc/cron\.daily/certwatch +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -10005,8 +19741,62 @@ index 0000000..7655104 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a certwatch_t ++can be used to make the process type certwatch_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. certwatch policy is extremely flexible and has several booleans that allow you to manipulate the policy and run certwatch with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type certwatch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B auth_cache_t ++ ++ /var/cache/coolkey(/.*)? 
++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -10016,7 +19806,20 @@ index 0000000..7655104 +Policy governs the access confined processes have to these files. +SELinux certwatch policy is very flexible allowing users to setup their certwatch processes in as secure a method as possible. +.PP -+The following file types are defined for certwatch: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the certwatch, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t certwatch_exec_t '/srv/certwatch/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycertwatch_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for certwatch: + + +.EX @@ -10034,18 +19837,6 @@ index 0000000..7655104 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type certwatch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B auth_cache_t -+ -+ /var/cache/coolkey(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -10056,6 +19847,9 @@ index 0000000..7655104 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
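Review bot: in the new certmonger_unconfined_selinux.8 (hunk `@@ -9965,13 +19543,169 @@`), the BOOLEANS entry for deny_ptrace reads backwards: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean." Turning deny_ptrace on removes ptrace access, so an admin following this text locks themselves out of debugging instead of enabling it. The sentence is built from the boolean's description string, so correct the description (it should say that the boolean denies ptrace/debugging) and regenerate. Three smaller points in the same file: `\fBps\bP` under PROCESS TYPES and `\fBls\bP` under FILE CONTEXTS should be `\fBps\fP` and `\fBls\fP` (`\b` is not a font escape, so the bold span never closes); the STANDARD FILE CONTEXT example labels `/srv/certmonger_unconfined/content(/.*)?` but then runs restorecon on `/srv/mycertmonger_unconfined_content`, so as written it relabels nothing, and it applies the entrypoint type `certmonger_unconfined_exec_t` to a content directory, which is not what an exec_t type is for; and SEE ALSO lists `certmonger_selinux(8)` twice.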
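Review bot: the regenerated certwatch_selinux.8 changes the ENTRYPOINTS list from `/usr/bin/certwatch` to `/etc/cron\.daily/certwatch` only (hunk `@@ -9987,9 +19721,11 @@`). If `/usr/bin/certwatch` is still labeled certwatch_exec_t in the file contexts, the page now under-documents the entrypoints; if it is not, the dropped label deserves a changelog line. Removing the empty `.SH NSSWITCH DOMAIN` heading and moving MANAGED FILES ahead of FILE CONTEXTS (hunks `@@ -10005,8 +19741,62 @@` and `@@ -10034,18 +19837,6 @@`) is an improvement, and the `auth_cache_t` / `/var/cache/coolkey(/.*)?` entry survives the move intact.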
@@ -10067,13 +19861,15 @@ index 0000000..7655104 + +.SH "SEE ALSO" +selinux(8), certwatch(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/cfengine_execd_selinux.8 b/man/man8/cfengine_execd_selinux.8 new file mode 100644 -index 0000000..12fcf8b +index 0000000..362ca04 --- /dev/null +++ b/man/man8/cfengine_execd_selinux.8 -@@ -0,0 +1,117 @@ -+.TH "cfengine_execd_selinux" "8" "12-11-01" "cfengine_execd" "SELinux Policy documentation for cfengine_execd" +@@ -0,0 +1,237 @@ ++.TH "cfengine_execd_selinux" "8" "13-01-16" "cfengine_execd" "SELinux Policy documentation for cfengine_execd" +.SH "NAME" +cfengine_execd_selinux \- Security Enhanced Linux Policy for the cfengine_execd processes +.SH "DESCRIPTION" @@ -10089,7 +19885,9 @@ index 0000000..12fcf8b + +.SH "ENTRYPOINTS" + -+The cfengine_execd_t SELinux type can be entered via the "cfengine_execd_exec_t" file type. The default entrypoint paths for the cfengine_execd_t domain are the following:" ++The cfengine_execd_t SELinux type can be entered via the \fBcfengine_execd_exec_t\fP file type. ++ ++The default entrypoint paths for the cfengine_execd_t domain are the following: + +/usr/sbin/cf-execd +.SH PROCESS TYPES 
@@ -10107,8 +19905,142 @@ index 0000000..12fcf8b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cfengine_execd_t ++can be used to make the process type cfengine_execd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cfengine_execd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cfengine_execd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the cfengine_execd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cfengine_execd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cfengine_execd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cfengine_var_lib_t ++ ++ /var/cfengine(/.*)? 
++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -10118,7 +20050,20 @@ index 0000000..12fcf8b +Policy governs the access confined processes have to these files. +SELinux cfengine_execd policy is very flexible allowing users to setup their cfengine_execd processes in as secure a method as possible. +.PP -+The following file types are defined for cfengine_execd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cfengine_execd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cfengine_execd_exec_t '/srv/cfengine_execd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycfengine_execd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cfengine_execd: + + +.EX 
@@ -10136,38 +20081,6 @@ index 0000000..12fcf8b +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type cfengine_execd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cfengine_var_lib_t -+ -+ /var/cfengine(/.*)? -+.br -+ -+.br -+.B cfengine_var_log_t -+ -+ /var/cfengine/outputs(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_execd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the cfengine_execd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -10178,6 +20091,9 @@ index 0000000..12fcf8b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -10189,15 +20105,15 @@ index 0000000..12fcf8b + +.SH "SEE ALSO" +selinux(8), cfengine_execd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, cfengine_monitord_selinux(8), cfengine_serverd_selinux(8) ++, setsebool(8), cfengine_monitord_selinux(8), cfengine_serverd_selinux(8) \ No newline at end of file diff --git a/man/man8/cfengine_monitord_selinux.8 b/man/man8/cfengine_monitord_selinux.8 new file mode 100644 -index 0000000..e4289e1 +index 0000000..b05b77d --- /dev/null 
+++ b/man/man8/cfengine_monitord_selinux.8 -@@ -0,0 +1,117 @@ -+.TH "cfengine_monitord_selinux" "8" "12-11-01" "cfengine_monitord" "SELinux Policy documentation for cfengine_monitord" +@@ -0,0 +1,237 @@ ++.TH "cfengine_monitord_selinux" "8" "13-01-16" "cfengine_monitord" "SELinux Policy documentation for cfengine_monitord" +.SH "NAME" +cfengine_monitord_selinux \- Security Enhanced Linux Policy for the cfengine_monitord processes +.SH "DESCRIPTION" @@ -10213,7 +20129,9 @@ index 0000000..e4289e1 + +.SH "ENTRYPOINTS" + -+The cfengine_monitord_t SELinux type can be entered via the "cfengine_monitord_exec_t" file type. The default entrypoint paths for the cfengine_monitord_t domain are the following:" ++The cfengine_monitord_t SELinux type can be entered via the \fBcfengine_monitord_exec_t\fP file type. ++ ++The default entrypoint paths for the cfengine_monitord_t domain are the following: + +/usr/sbin/cf-monitord +.SH PROCESS TYPES 
@@ -10231,8 +20149,142 @@ index 0000000..e4289e1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cfengine_monitord_t ++can be used to make the process type cfengine_monitord_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cfengine_monitord policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cfengine_monitord with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the cfengine_monitord_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cfengine_monitord_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cfengine_monitord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cfengine_var_lib_t ++ ++ /var/cfengine(/.*)? 
++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -10242,7 +20294,20 @@ index 0000000..e4289e1 +Policy governs the access confined processes have to these files. +SELinux cfengine_monitord policy is very flexible allowing users to setup their cfengine_monitord processes in as secure a method as possible. +.PP -+The following file types are defined for cfengine_monitord: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cfengine_monitord, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cfengine_monitord_exec_t '/srv/cfengine_monitord/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycfengine_monitord_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cfengine_monitord: + + +.EX 
@@ -10260,38 +20325,6 @@ index 0000000..e4289e1 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type cfengine_monitord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cfengine_var_lib_t -+ -+ /var/cfengine(/.*)? -+.br -+ -+.br -+.B cfengine_var_log_t -+ -+ /var/cfengine/outputs(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_monitord_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the cfengine_monitord_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -10302,6 +20335,9 @@ index 0000000..e4289e1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -10313,15 +20349,15 @@ index 0000000..e4289e1 + +.SH "SEE ALSO" +selinux(8), cfengine_monitord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, cfengine_execd_selinux(8), cfengine_serverd_selinux(8) ++, setsebool(8), cfengine_execd_selinux(8), cfengine_serverd_selinux(8) \ No newline at end of file diff --git a/man/man8/cfengine_serverd_selinux.8 b/man/man8/cfengine_serverd_selinux.8 new file mode 100644 -index 0000000..55e7b52 +index 0000000..a693278 --- /dev/null 
+++ b/man/man8/cfengine_serverd_selinux.8 -@@ -0,0 +1,117 @@ -+.TH "cfengine_serverd_selinux" "8" "12-11-01" "cfengine_serverd" "SELinux Policy documentation for cfengine_serverd" +@@ -0,0 +1,237 @@ ++.TH "cfengine_serverd_selinux" "8" "13-01-16" "cfengine_serverd" "SELinux Policy documentation for cfengine_serverd" +.SH "NAME" +cfengine_serverd_selinux \- Security Enhanced Linux Policy for the cfengine_serverd processes +.SH "DESCRIPTION" @@ -10337,7 +20373,9 @@ index 0000000..55e7b52 + +.SH "ENTRYPOINTS" + -+The cfengine_serverd_t SELinux type can be entered via the "cfengine_serverd_exec_t" file type. The default entrypoint paths for the cfengine_serverd_t domain are the following:" ++The cfengine_serverd_t SELinux type can be entered via the \fBcfengine_serverd_exec_t\fP file type. ++ ++The default entrypoint paths for the cfengine_serverd_t domain are the following: + +/usr/sbin/cf-serverd +.SH PROCESS TYPES 
@@ -10355,8 +20393,142 @@ index 0000000..55e7b52 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cfengine_serverd_t ++can be used to make the process type cfengine_serverd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cfengine_serverd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cfengine_serverd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the cfengine_serverd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cfengine_serverd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cfengine_serverd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cfengine_var_lib_t ++ ++ /var/cfengine(/.*)? 
++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -10366,7 +20538,20 @@ index 0000000..55e7b52 +Policy governs the access confined processes have to these files. +SELinux cfengine_serverd policy is very flexible allowing users to setup their cfengine_serverd processes in as secure a method as possible. +.PP -+The following file types are defined for cfengine_serverd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cfengine_serverd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cfengine_serverd_exec_t '/srv/cfengine_serverd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycfengine_serverd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cfengine_serverd: + + +.EX 
@@ -10384,38 +20569,6 @@ index 0000000..55e7b52 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type cfengine_serverd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cfengine_var_lib_t -+ -+ /var/cfengine(/.*)? -+.br -+ -+.br -+.B cfengine_var_log_t -+ -+ /var/cfengine/outputs(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_serverd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the cfengine_serverd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -10426,6 +20579,9 @@ index 0000000..55e7b52 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -10437,15 +20593,15 @@ index 0000000..55e7b52 + +.SH "SEE ALSO" +selinux(8), cfengine_serverd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, cfengine_execd_selinux(8), cfengine_monitord_selinux(8) ++, setsebool(8), cfengine_execd_selinux(8), cfengine_monitord_selinux(8) \ No newline at end of file diff --git a/man/man8/cgclear_selinux.8 b/man/man8/cgclear_selinux.8 new file mode 100644 -index 0000000..e92daea +index 0000000..54a56aa --- /dev/null 
+++ b/man/man8/cgclear_selinux.8 -@@ -0,0 +1,112 @@ -+.TH "cgclear_selinux" "8" "12-11-01" "cgclear" "SELinux Policy documentation for cgclear" +@@ -0,0 +1,243 @@ ++.TH "cgclear_selinux" "8" "13-01-16" "cgclear" "SELinux Policy documentation for cgclear" +.SH "NAME" +cgclear_selinux \- Security Enhanced Linux Policy for the cgclear processes +.SH "DESCRIPTION" @@ -10461,7 +20617,9 @@ index 0000000..e92daea + +.SH "ENTRYPOINTS" + -+The cgclear_t SELinux type can be entered via the "cgclear_exec_t" file type. The default entrypoint paths for the cgclear_t domain are the following:" ++The cgclear_t SELinux type can be entered via the \fBcgclear_exec_t\fP file type. ++ ++The default entrypoint paths for the cgclear_t domain are the following: + +/sbin/cgclear, /usr/sbin/cgclear +.SH PROCESS TYPES 
@@ -10479,34 +20637,124 @@ index 0000000..e92daea +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cgclear_t ++can be used to make the process type cgclear_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux cgclear policy is very flexible allowing users to setup their cgclear processes in as secure a method as possible. -+.PP -+The following file types are defined for cgclear: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cgclear policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cgclear with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B cgclear_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the cgclear_exec_t type, if you want to transition an executable to the cgclear_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the cgclear_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cgclear_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -10520,21 +20768,56 @@ index 0000000..e92daea + /sys/fs/cgroup +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux cgclear policy is very flexible allowing users to setup their cgclear processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgclear_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cgclear, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cgclear_exec_t '/srv/cgclear/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycgclear_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cgclear: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B cgclear_exec_t +.EE + ++- Set files with the cgclear_exec_t type, if you want to transition an executable to the cgclear_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/cgclear, /usr/sbin/cgclear ++ +.PP -+If you want to allow confined applications to run with kerberos for the cgclear_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. 
You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -10546,6 +20829,9 @@ index 0000000..e92daea +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -10557,13 +20843,15 @@ index 0000000..e92daea + +.SH "SEE ALSO" +selinux(8), cgclear(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/cgconfig_selinux.8 b/man/man8/cgconfig_selinux.8 new file mode 100644 -index 0000000..8e5f96c +index 0000000..1121979 --- /dev/null +++ b/man/man8/cgconfig_selinux.8 -@@ -0,0 +1,128 @@ -+.TH "cgconfig_selinux" "8" "12-11-01" "cgconfig" "SELinux Policy documentation for cgconfig" +@@ -0,0 +1,263 @@ ++.TH "cgconfig_selinux" "8" "13-01-16" "cgconfig" "SELinux Policy documentation for cgconfig" +.SH "NAME" +cgconfig_selinux \- Security Enhanced Linux Policy for the cgconfig processes +.SH "DESCRIPTION" @@ -10579,7 +20867,9 @@ index 0000000..8e5f96c + +.SH "ENTRYPOINTS" + -+The cgconfig_t SELinux type can be entered via the "cgconfig_exec_t" file type. The default entrypoint paths for the cgconfig_t domain are the following:" ++The cgconfig_t SELinux type can be entered via the \fBcgconfig_exec_t\fP file type. ++ ++The default entrypoint paths for the cgconfig_t domain are the following: + +/sbin/cgconfigparser, /usr/sbin/cgconfigparser +.SH PROCESS TYPES 
@@ -10597,8 +20887,144 @@ index 0000000..8e5f96c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cgconfig_t ++can be used to make the process type cgconfig_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cgconfig policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cgconfig with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the cgconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cgconfig_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cgconfig_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -10608,7 +21034,20 @@ index 0000000..8e5f96c +Policy governs the access confined processes have to these files. +SELinux cgconfig policy is very flexible allowing users to setup their cgconfig processes in as secure a method as possible. +.PP -+The following file types are defined for cgconfig: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cgconfig, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cgconfig_etc_t '/srv/cgconfig/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycgconfig_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cgconfig: + + +.EX @@ -10618,6 +21057,10 @@ index 0000000..8e5f96c + +- Set files with the cgconfig_etc_t type, if you want to store cgconfig files in the /etc directories. + ++.br ++.TP 5 ++Paths: ++/etc/cgconfig\.conf, /etc/sysconfig/cgconfig + +.EX +.PP @@ -10626,6 +21069,10 @@ index 0000000..8e5f96c + +- Set files with the cgconfig_exec_t type, if you want to transition an executable to the cgconfig_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/cgconfigparser, /usr/sbin/cgconfigparser + +.EX +.PP 
@@ -10642,34 +21089,6 @@ index 0000000..8e5f96c +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type cgconfig_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cgroup_t -+ -+ /cgroup -+.br -+ /sys/fs/cgroup -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the cgconfig_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -10680,6 +21099,9 @@ index 0000000..8e5f96c +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -10691,13 +21113,15 @@ index 0000000..8e5f96c + +.SH "SEE ALSO" +selinux(8), cgconfig(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/cgred_selinux.8 b/man/man8/cgred_selinux.8 new file mode 100644 -index 0000000..dfaff3f +index 0000000..1e58406 --- /dev/null +++ b/man/man8/cgred_selinux.8 -@@ -0,0 +1,148 @@ -+.TH "cgred_selinux" "8" "12-11-01" "cgred" "SELinux Policy documentation for cgred" +@@ -0,0 +1,273 @@ ++.TH "cgred_selinux" "8" "13-01-16" "cgred" "SELinux Policy documentation for cgred" +.SH "NAME" +cgred_selinux \- Security Enhanced Linux Policy for the cgred processes +.SH "DESCRIPTION" 
@@ -10713,7 +21137,9 @@ index 0000000..dfaff3f + +.SH "ENTRYPOINTS" + -+The cgred_t SELinux type can be entered via the "cgred_exec_t" file type. The default entrypoint paths for the cgred_t domain are the following:" ++The cgred_t SELinux type can be entered via the \fBcgred_exec_t\fP file type. ++ ++The default entrypoint paths for the cgred_t domain are the following: + +/sbin/cgrulesengd, /usr/sbin/cgrulesengd +.SH PROCESS TYPES 
@@ -10731,8 +21157,150 @@ index 0000000..dfaff3f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cgred_t ++can be used to make the process type cgred_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cgred policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cgred with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the cgred_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cgred_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cgred_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B cgred_var_run_t ++ ++ /var/run/cgred.* ++.br ++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -10742,7 +21310,20 @@ index 0000000..dfaff3f +Policy governs the access confined processes have to these files. +SELinux cgred policy is very flexible allowing users to setup their cgred processes in as secure a method as possible. +.PP -+The following file types are defined for cgred: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cgred, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cgred_exec_t '/srv/cgred/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycgred_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cgred: + + +.EX @@ -10752,6 +21333,10 @@ index 0000000..dfaff3f + +- Set files with the cgred_exec_t type, if you want to transition an executable to the cgred_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/cgrulesengd, /usr/sbin/cgrulesengd + +.EX +.PP @@ -10774,7 +21359,7 @@ index 0000000..dfaff3f +.B cgred_var_run_t +.EE + -+- Set files with the cgred_var_run_t type, if you want to store the cgred files under the /run directory. ++- Set files with the cgred_var_run_t type, if you want to store the cgred files under the /run or /var/run directory. + + +.PP 
@@ -10784,46 +21369,6 @@ index 0000000..dfaff3f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type cgred_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cgred_log_t -+ -+ /var/log/cgrulesengd\.log.* -+.br -+ -+.br -+.B cgred_var_run_t -+ -+ /var/run/cgred.* -+.br -+ -+.br -+.B cgroup_t -+ -+ /cgroup -+.br -+ /sys/fs/cgroup -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgred_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the cgred_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -10834,6 +21379,9 @@ index 0000000..dfaff3f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -10845,13 +21393,15 @@ index 0000000..dfaff3f + +.SH "SEE ALSO" +selinux(8), cgred(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/checkpc_selinux.8 b/man/man8/checkpc_selinux.8 new file mode 100644 -index 0000000..72abe95 +index 0000000..4c84247 --- /dev/null 
+++ b/man/man8/checkpc_selinux.8 -@@ -0,0 +1,112 @@ -+.TH "checkpc_selinux" "8" "12-11-01" "checkpc" "SELinux Policy documentation for checkpc" +@@ -0,0 +1,185 @@ ++.TH "checkpc_selinux" "8" "13-01-16" "checkpc" "SELinux Policy documentation for checkpc" +.SH "NAME" +checkpc_selinux \- Security Enhanced Linux Policy for the checkpc processes +.SH "DESCRIPTION" @@ -10867,7 +21417,9 @@ index 0000000..72abe95 + +.SH "ENTRYPOINTS" + -+The checkpc_t SELinux type can be entered via the "checkpc_exec_t" file type. The default entrypoint paths for the checkpc_t domain are the following:" ++The checkpc_t SELinux type can be entered via the \fBcheckpc_exec_t\fP file type. ++ ++The default entrypoint paths for the checkpc_t domain are the following: + +/usr/sbin/checkpc +.SH PROCESS TYPES 
@@ -10885,8 +21437,82 @@ index 0000000..72abe95 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a checkpc_t ++can be used to make the process type checkpc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. checkpc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run checkpc with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type checkpc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B print_spool_t ++ ++ /var/spool/lpd(/.*)? ++.br ++ /var/spool/cups(/.*)? ++.br ++ /var/spool/cups-pdf(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -10896,7 +21522,20 @@ index 0000000..72abe95 +Policy governs the access confined processes have to these files. +SELinux checkpc policy is very flexible allowing users to setup their checkpc processes in as secure a method as possible. +.PP -+The following file types are defined for checkpc: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the checkpc, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t checkpc_exec_t '/srv/checkpc/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycheckpc_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for checkpc: + + +.EX 
@@ -10922,26 +21561,6 @@ index 0000000..72abe95 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type checkpc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B checkpc_log_t -+ -+ -+.br -+.B print_spool_t -+ -+ /var/spool/lpd(/.*)? -+.br -+ /var/spool/cups(/.*)? -+.br -+ /var/spool/cups-pdf(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -10952,6 +21571,9 @@ index 0000000..72abe95 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -10963,13 +21585,15 @@ index 0000000..72abe95 + +.SH "SEE ALSO" +selinux(8), checkpc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/checkpolicy_selinux.8 b/man/man8/checkpolicy_selinux.8 new file mode 100644 -index 0000000..b3bbf2c +index 0000000..83da149 --- /dev/null +++ b/man/man8/checkpolicy_selinux.8 -@@ -0,0 +1,102 @@ -+.TH "checkpolicy_selinux" "8" "12-11-01" "checkpolicy" "SELinux Policy documentation for checkpolicy" +@@ -0,0 +1,163 @@ ++.TH "checkpolicy_selinux" "8" "13-01-16" "checkpolicy" "SELinux Policy documentation for checkpolicy" +.SH "NAME" +checkpolicy_selinux \- Security Enhanced Linux Policy for the checkpolicy processes +.SH "DESCRIPTION" 
@@ -10985,7 +21609,9 @@ index 0000000..b3bbf2c + +.SH "ENTRYPOINTS" + -+The checkpolicy_t SELinux type can be entered via the "checkpolicy_exec_t" file type. The default entrypoint paths for the checkpolicy_t domain are the following:" ++The checkpolicy_t SELinux type can be entered via the \fBcheckpolicy_exec_t\fP file type. ++ ++The default entrypoint paths for the checkpolicy_t domain are the following: + +/usr/bin/checkpolicy +.SH PROCESS TYPES 
@@ -11003,34 +21629,52 @@ index 0000000..b3bbf2c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a checkpolicy_t ++can be used to make the process type checkpolicy_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux checkpolicy policy is very flexible allowing users to setup their checkpolicy processes in as secure a method as possible. -+.PP -+The following file types are defined for checkpolicy: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. checkpolicy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run checkpolicy with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B checkpolicy_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the checkpolicy_exec_t type, if you want to transition an executable to the checkpolicy_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -11048,7 +21692,44 @@ index 0000000..b3bbf2c + /etc/share/selinux/targeted(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux checkpolicy policy is very flexible allowing users to setup their checkpolicy processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the checkpolicy, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t checkpolicy_exec_t '/srv/checkpolicy/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycheckpolicy_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for checkpolicy: ++ ++ ++.EX ++.PP ++.B checkpolicy_exec_t ++.EE ++ ++- Set files with the checkpolicy_exec_t type, if you want to transition an executable to the checkpolicy_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -11060,6 +21741,9 @@ index 0000000..b3bbf2c +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -11071,13 +21755,15 @@ index 0000000..b3bbf2c + +.SH "SEE ALSO" +selinux(8), checkpolicy(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/chfn_selinux.8 b/man/man8/chfn_selinux.8 new file mode 100644 -index 0000000..9a08bac +index 0000000..c060a8c --- /dev/null +++ b/man/man8/chfn_selinux.8 -@@ -0,0 +1,198 @@ -+.TH "chfn_selinux" "8" "12-11-01" "chfn" "SELinux Policy documentation for chfn" +@@ -0,0 +1,285 @@ ++.TH "chfn_selinux" "8" "13-01-16" "chfn" "SELinux Policy documentation for chfn" +.SH "NAME" +chfn_selinux \- Security Enhanced Linux Policy for the chfn processes +.SH "DESCRIPTION" @@ -11093,7 +21779,9 @@ index 0000000..9a08bac + +.SH "ENTRYPOINTS" + -+The chfn_t SELinux type can be entered via the "chfn_exec_t" file type. The default entrypoint paths for the chfn_t domain are the following:" ++The chfn_t SELinux type can be entered via the \fBchfn_exec_t\fP file type. ++ ++The default entrypoint paths for the chfn_t domain are the following: + +/usr/bin/chfn, /usr/bin/chsh +.SH PROCESS TYPES 
@@ -11111,34 +21799,100 @@ index 0000000..9a08bac +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a chfn_t ++can be used to make the process type chfn_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux chfn policy is very flexible allowing users to setup their chfn processes in as secure a method as possible. -+.PP -+The following file types are defined for chfn: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. chfn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run chfn with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B chfn_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the chfn_exec_t type, if you want to transition an executable to the chfn_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the chfn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the chfn_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -11149,12 +21903,12 @@ index 0000000..9a08bac + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B krb5_host_rcache_t @@ -11183,7 +21937,7 @@ index 0000000..9a08bac +.br +.B lastlog_t + -+ /var/log/lastlog ++ /var/log/lastlog.* +.br + +.br @@ -11207,20 +21961,6 @@ index 0000000..9a08bac +.br + +.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br +.B security_t + + /selinux 
@@ -11233,26 +21973,55 @@ index 0000000..9a08bac +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux chfn policy is very flexible allowing users to setup their chfn processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chfn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the chfn, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t chfn_exec_t '/srv/chfn/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mychfn_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for chfn: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B chfn_exec_t +.EE + ++- Set files with the chfn_exec_t type, if you want to transition an executable to the chfn_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/chfn, /usr/bin/chsh ++ +.PP -+If you want to allow confined applications to run with kerberos for the chfn_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. 
You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -11264,6 +22033,9 @@ index 0000000..9a08bac +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -11275,13 +22047,15 @@ index 0000000..9a08bac + +.SH "SEE ALSO" +selinux(8), chfn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/chkpwd_selinux.8 b/man/man8/chkpwd_selinux.8 new file mode 100644 -index 0000000..fa2035e +index 0000000..9a53615 --- /dev/null +++ b/man/man8/chkpwd_selinux.8 -@@ -0,0 +1,100 @@ -+.TH "chkpwd_selinux" "8" "12-11-01" "chkpwd" "SELinux Policy documentation for chkpwd" +@@ -0,0 +1,207 @@ ++.TH "chkpwd_selinux" "8" "13-01-16" "chkpwd" "SELinux Policy documentation for chkpwd" +.SH "NAME" +chkpwd_selinux \- Security Enhanced Linux Policy for the chkpwd processes +.SH "DESCRIPTION" @@ -11297,7 +22071,9 @@ index 0000000..fa2035e + +.SH "ENTRYPOINTS" + -+The chkpwd_t SELinux type can be entered via the "chkpwd_exec_t" file type. The default entrypoint paths for the chkpwd_t domain are the following:" ++The chkpwd_t SELinux type can be entered via the \fBchkpwd_exec_t\fP file type. ++ ++The default entrypoint paths for the chkpwd_t domain are the following: + +/sbin/unix_chkpwd, /sbin/unix_verify, /usr/sbin/validate, /usr/sbin/unix_chkpwd, /usr/sbin/unix_verify +.SH PROCESS TYPES 
@@ -11315,39 +22091,97 @@ index 0000000..fa2035e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a chkpwd_t ++can be used to make the process type chkpwd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux chkpwd policy is very flexible allowing users to setup their chkpwd processes in as secure a method as possible. -+.PP -+The following file types are defined for chkpwd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. chkpwd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run chkpwd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B chkpwd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the chkpwd_exec_t type, if you want to transition an executable to the chkpwd_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow Apache to use mod_auth_pam, you must turn on the httpd_mod_auth_pam boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_mod_auth_pam 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chkpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the chkpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
+ +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 @@ -11360,6 +22194,49 @@ index 0000000..fa2035e +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux chkpwd policy is very flexible allowing users to setup their chkpwd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the chkpwd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t chkpwd_exec_t '/srv/chkpwd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mychkpwd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for chkpwd: ++ ++ ++.EX ++.PP ++.B chkpwd_exec_t ++.EE ++ ++- Set files with the chkpwd_exec_t type, if you want to transition an executable to the chkpwd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/unix_chkpwd, /sbin/unix_verify, /usr/sbin/validate, /usr/sbin/unix_chkpwd, /usr/sbin/unix_verify ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -11370,6 +22247,9 @@ index 0000000..fa2035e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -11381,13 +22261,15 @@ index 0000000..fa2035e + +.SH "SEE ALSO" +selinux(8), chkpwd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/chrome_sandbox_nacl_selinux.8 b/man/man8/chrome_sandbox_nacl_selinux.8 new file mode 100644 -index 0000000..9f1594b +index 0000000..a3fffc7 --- /dev/null +++ b/man/man8/chrome_sandbox_nacl_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "chrome_sandbox_nacl_selinux" "8" "12-11-01" "chrome_sandbox_nacl" "SELinux Policy documentation for chrome_sandbox_nacl" +@@ -0,0 +1,160 @@ ++.TH "chrome_sandbox_nacl_selinux" "8" "13-01-16" "chrome_sandbox_nacl" "SELinux Policy documentation for chrome_sandbox_nacl" +.SH "NAME" +chrome_sandbox_nacl_selinux \- Security Enhanced Linux Policy for the chrome_sandbox_nacl processes +.SH "DESCRIPTION" 
@@ -11403,9 +22285,12 @@ index 0000000..9f1594b + +.SH "ENTRYPOINTS" + -+The chrome_sandbox_nacl_t SELinux type can be entered via the "bin_t,chrome_sandbox_nacl_exec_t" file types. The default entrypoint paths for the chrome_sandbox_nacl_t domain are the following:" ++The chrome_sandbox_nacl_t SELinux type can be entered via the \fBbin_t, chrome_sandbox_nacl_exec_t\fP file types. + -+/bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, 
/usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, 
/usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, /usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, 
/etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, /usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, 
/usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/share/system-config-securitylevel/system-config-securitylevel\.py, /opt/google/chrome/nacl_helper_bootstrap, /usr/lib/chromium-browser/nacl_helper_bootstrap ++The default entrypoint paths for the chrome_sandbox_nacl_t 
domain are the following: ++ ++All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin. ++/opt/google/chrome/nacl_helper_bootstrap, /usr/lib/chromium-browser/nacl_helper_bootstrap +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -11421,34 +22306,52 @@ index 0000000..9f1594b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a chrome_sandbox_nacl_t ++can be used to make the process type chrome_sandbox_nacl_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux chrome_sandbox_nacl policy is very flexible allowing users to setup their chrome_sandbox_nacl processes in as secure a method as possible. -+.PP -+The following file types are defined for chrome_sandbox_nacl: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. chrome_sandbox_nacl policy is extremely flexible and has several booleans that allow you to manipulate the policy and run chrome_sandbox_nacl with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B chrome_sandbox_nacl_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the chrome_sandbox_nacl_exec_t type, if you want to transition an executable to the chrome_sandbox_nacl_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -11458,7 +22361,48 @@ index 0000000..9f1594b +.B chrome_sandbox_tmpfs_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux chrome_sandbox_nacl policy is very flexible allowing users to setup their chrome_sandbox_nacl processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the chrome_sandbox_nacl, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t chrome_sandbox_nacl_exec_t '/srv/chrome_sandbox_nacl/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mychrome_sandbox_nacl_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for chrome_sandbox_nacl: ++ ++ ++.EX ++.PP ++.B chrome_sandbox_nacl_exec_t ++.EE ++ ++- Set files with the chrome_sandbox_nacl_exec_t type, if you want to transition an executable to the chrome_sandbox_nacl_t domain. ++ ++.br ++.TP 5 ++Paths: ++/opt/google/chrome/nacl_helper_bootstrap, /usr/lib/chromium-browser/nacl_helper_bootstrap ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -11470,6 +22414,9 @@ index 0000000..9f1594b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -11481,15 +22428,15 @@ index 0000000..9f1594b + +.SH "SEE ALSO" +selinux(8), chrome_sandbox_nacl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, chrome_sandbox_selinux(8), chrome_sandbox_selinux(8) ++, setsebool(8), chrome_sandbox_selinux(8), chrome_sandbox_selinux(8) \ No newline at end of file diff --git a/man/man8/chrome_sandbox_selinux.8 b/man/man8/chrome_sandbox_selinux.8 new file mode 100644 -index 0000000..42c38de +index 0000000..472e081 --- /dev/null +++ b/man/man8/chrome_sandbox_selinux.8 -@@ -0,0 +1,206 @@ -+.TH "chrome_sandbox_selinux" "8" "12-11-01" "chrome_sandbox" "SELinux Policy documentation for chrome_sandbox" +@@ -0,0 +1,473 @@ ++.TH "chrome_sandbox_selinux" "8" "13-01-16" "chrome_sandbox" "SELinux Policy documentation for chrome_sandbox" +.SH "NAME" +chrome_sandbox_selinux \- Security Enhanced Linux Policy for the chrome_sandbox processes +.SH "DESCRIPTION" @@ -11505,7 +22452,9 @@ index 0000000..42c38de + +.SH "ENTRYPOINTS" + -+The chrome_sandbox_t SELinux type can be entered via the "chrome_sandbox_exec_t" file type. The default entrypoint paths for the chrome_sandbox_t domain are the following:" ++The chrome_sandbox_t SELinux type can be entered via the \fBchrome_sandbox_exec_t\fP file type. ++ ++The default entrypoint paths for the chrome_sandbox_t domain are the following: + +/opt/google/chrome/chrome-sandbox, /usr/lib/chromium-browser/chrome-sandbox +.SH PROCESS TYPES 
@@ -11523,27 +22472,347 @@ index 0000000..42c38de +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a chrome_sandbox_t ++can be used to make the process type chrome_sandbox_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. chrome_sandbox policy is extremely flexible and has several booleans that allow you to manipulate the policy and run chrome_sandbox with the tightest access possible. + + +.PP -+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P unconfined_chrome_sandbox_transition 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + +.PP -+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean. Enabled by default. + +.EX +.B setsebool -P unconfined_chrome_sandbox_transition 1 ++ +.EE + ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type chrome_sandbox_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B chrome_sandbox_tmp_t ++ ++ ++.br ++.B chrome_sandbox_tmpfs_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B home_cert_t ++ ++ /root/\.pki(/.*)? ++.br ++ /root/\.cert(/.*)? ++.br ++ /home/[^/]*/.kde/share/apps/networkmanagement/certificates(/.*)? ++.br ++ /home/[^/]*/\.pki(/.*)? ++.br ++ /home/[^/]*/\.cert(/.*)? ++.br ++ /home/pwalsh/.kde/share/apps/networkmanagement/certificates(/.*)? ++.br ++ /home/pwalsh/\.pki(/.*)? ++.br ++ /home/pwalsh/\.cert(/.*)? ++.br ++ /home/dwalsh/.kde/share/apps/networkmanagement/certificates(/.*)? ++.br ++ /home/dwalsh/\.pki(/.*)? ++.br ++ /home/dwalsh/\.cert(/.*)? ++.br ++ /var/lib/xguest/home/xguest/.kde/share/apps/networkmanagement/certificates(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.pki(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cert(/.*)? ++.br ++ ++.br ++.B mozilla_home_t ++ ++ /home/[^/]*/\.lyx(/.*)? ++.br ++ /home/[^/]*/\.java(/.*)? ++.br ++ /home/[^/]*/\.adobe(/.*)? ++.br ++ /home/[^/]*/\.gnash(/.*)? ++.br ++ /home/[^/]*/\.galeon(/.*)? ++.br ++ /home/[^/]*/\.spicec(/.*)? ++.br ++ /home/[^/]*/\.mozilla(/.*)? ++.br ++ /home/[^/]*/\.phoenix(/.*)? ++.br ++ /home/[^/]*/\.netscape(/.*)? ++.br ++ /home/[^/]*/\.ICAClient(/.*)? ++.br ++ /home/[^/]*/\.macromedia(/.*)? ++.br ++ /home/[^/]*/\.thunderbird(/.*)? ++.br ++ /home/[^/]*/\.gcjwebplugin(/.*)? ++.br ++ /home/[^/]*/\.icedteaplugin(/.*)? ++.br ++ /home/[^/]*/zimbrauserdata(/.*)? ++.br ++ /home/[^/]*/\.config/chromium(/.*)? ++.br ++ /home/pwalsh/\.lyx(/.*)? ++.br ++ /home/pwalsh/\.java(/.*)? ++.br ++ /home/pwalsh/\.adobe(/.*)? ++.br ++ /home/pwalsh/\.gnash(/.*)? ++.br ++ /home/pwalsh/\.galeon(/.*)? 
++.br ++ /home/pwalsh/\.spicec(/.*)? ++.br ++ /home/pwalsh/\.mozilla(/.*)? ++.br ++ /home/pwalsh/\.phoenix(/.*)? ++.br ++ /home/pwalsh/\.netscape(/.*)? ++.br ++ /home/pwalsh/\.ICAClient(/.*)? ++.br ++ /home/pwalsh/\.macromedia(/.*)? ++.br ++ /home/pwalsh/\.thunderbird(/.*)? ++.br ++ /home/pwalsh/\.gcjwebplugin(/.*)? ++.br ++ /home/pwalsh/\.icedteaplugin(/.*)? ++.br ++ /home/pwalsh/zimbrauserdata(/.*)? ++.br ++ /home/pwalsh/\.config/chromium(/.*)? ++.br ++ /home/dwalsh/\.lyx(/.*)? ++.br ++ /home/dwalsh/\.java(/.*)? ++.br ++ /home/dwalsh/\.adobe(/.*)? ++.br ++ /home/dwalsh/\.gnash(/.*)? ++.br ++ /home/dwalsh/\.galeon(/.*)? ++.br ++ /home/dwalsh/\.spicec(/.*)? ++.br ++ /home/dwalsh/\.mozilla(/.*)? ++.br ++ /home/dwalsh/\.phoenix(/.*)? ++.br ++ /home/dwalsh/\.netscape(/.*)? ++.br ++ /home/dwalsh/\.ICAClient(/.*)? ++.br ++ /home/dwalsh/\.macromedia(/.*)? ++.br ++ /home/dwalsh/\.thunderbird(/.*)? ++.br ++ /home/dwalsh/\.gcjwebplugin(/.*)? ++.br ++ /home/dwalsh/\.icedteaplugin(/.*)? ++.br ++ /home/dwalsh/zimbrauserdata(/.*)? ++.br ++ /home/dwalsh/\.config/chromium(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.lyx(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.java(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.adobe(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.gnash(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.galeon(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.spicec(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.mozilla(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.phoenix(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.netscape(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ICAClient(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.macromedia(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.thunderbird(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.icedteaplugin(/.*)? ++.br ++ /var/lib/xguest/home/xguest/zimbrauserdata(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config/chromium(/.*)? 
++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B user_fonts_cache_t ++ ++ /root/\.fontconfig(/.*)? ++.br ++ /root/\.fonts/auto(/.*)? ++.br ++ /root/\.fonts\.cache-.* ++.br ++ /home/[^/]*/\.fontconfig(/.*)? ++.br ++ /home/[^/]*/\.fonts/auto(/.*)? ++.br ++ /home/[^/]*/\.fonts\.cache-.* ++.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br ++ /home/dwalsh/\.fontconfig(/.*)? ++.br ++ /home/dwalsh/\.fonts/auto(/.*)? ++.br ++ /home/dwalsh/\.fonts\.cache-.* ++.br ++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts\.cache-.* ++.br ++ ++.br ++.B xserver_tmpfs_t ++ ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -11552,7 +22821,20 @@ index 0000000..42c38de +Policy governs the access confined processes have to these files. +SELinux chrome_sandbox policy is very flexible allowing users to setup their chrome_sandbox processes in as secure a method as possible. +.PP -+The following file types are defined for chrome_sandbox: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the chrome_sandbox, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t chrome_sandbox_exec_t '/srv/chrome_sandbox/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mychrome_sandbox_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for chrome_sandbox: + + +.EX 
@@ -11562,6 +22844,10 @@ index 0000000..42c38de + +- Set files with the chrome_sandbox_exec_t type, if you want to transition an executable to the chrome_sandbox_t domain. + ++.br ++.TP 5 ++Paths: ++/opt/google/chrome/chrome-sandbox, /usr/lib/chromium-browser/chrome-sandbox + +.EX +.PP @@ -11570,6 +22856,10 @@ index 0000000..42c38de + +- Set files with the chrome_sandbox_nacl_exec_t type, if you want to transition an executable to the chrome_sandbox_nacl_t domain. + ++.br ++.TP 5 ++Paths: ++/opt/google/chrome/nacl_helper_bootstrap, /usr/lib/chromium-browser/nacl_helper_bootstrap + +.EX +.PP 
@@ -11594,82 +22884,6 @@ index 0000000..42c38de +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type chrome_sandbox_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cgroup_t -+ -+ /cgroup -+.br -+ /sys/fs/cgroup -+.br -+ -+.br -+.B chrome_sandbox_tmp_t -+ -+ -+.br -+.B chrome_sandbox_tmpfs_t -+ -+ -+.br -+.B home_cert_t -+ -+ /root/\.pki(/.*)? -+.br -+ /root/\.cert(/.*)? -+.br -+ /home/[^/]*/.kde/share/apps/networkmanagement/certificates(/.*)? -+.br -+ /home/[^/]*/\.pki(/.*)? -+.br -+ /home/[^/]*/\.cert(/.*)? -+.br -+ /home/dwalsh/.kde/share/apps/networkmanagement/certificates(/.*)? -+.br -+ /home/dwalsh/\.pki(/.*)? -+.br -+ /home/dwalsh/\.cert(/.*)? -+.br -+ /var/lib/xguest/home/xguest/.kde/share/apps/networkmanagement/certificates(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.pki(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.cert(/.*)? -+.br -+ -+.br -+.B user_fonts_cache_t -+ -+ /root/\.fontconfig(/.*)? -+.br -+ /root/\.fonts/auto(/.*)? -+.br -+ /root/\.fonts\.cache-.* -+.br -+ /home/[^/]*/\.fontconfig(/.*)? -+.br -+ /home/[^/]*/\.fonts/auto(/.*)? -+.br -+ /home/[^/]*/\.fonts\.cache-.* -+.br -+ /home/dwalsh/\.fontconfig(/.*)? -+.br -+ /home/dwalsh/\.fonts/auto(/.*)? -+.br -+ /home/dwalsh/\.fonts\.cache-.* -+.br -+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.fonts\.cache-.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -11698,11 +22912,11 @@ index 0000000..42c38de \ No newline at end of file diff --git a/man/man8/chronyd_selinux.8 b/man/man8/chronyd_selinux.8 new file mode 100644 -index 0000000..2e165b5 +index 0000000..8785cb6 --- /dev/null 
+++ b/man/man8/chronyd_selinux.8 -@@ -0,0 +1,216 @@ -+.TH "chronyd_selinux" "8" "12-11-01" "chronyd" "SELinux Policy documentation for chronyd" +@@ -0,0 +1,341 @@ ++.TH "chronyd_selinux" "8" "13-01-16" "chronyd" "SELinux Policy documentation for chronyd" +.SH "NAME" +chronyd_selinux \- Security Enhanced Linux Policy for the chronyd processes +.SH "DESCRIPTION" @@ -11718,7 +22932,9 @@ index 0000000..2e165b5 + +.SH "ENTRYPOINTS" + -+The chronyd_t SELinux type can be entered via the "chronyd_exec_t" file type. The default entrypoint paths for the chronyd_t domain are the following:" ++The chronyd_t SELinux type can be entered via the \fBchronyd_exec_t\fP file type. ++ ++The default entrypoint paths for the chronyd_t domain are the following: + +/usr/sbin/chronyd +.SH PROCESS TYPES 
@@ -11736,8 +22952,183 @@ index 0000000..2e165b5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a chronyd_t ++can be used to make the process type chronyd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. chronyd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run chronyd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the chronyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the chronyd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. 
++SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible. ++.PP ++The following port types are defined for chronyd: ++ ++.EX ++.TP 5 ++.B chronyd_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++udp 323 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type chronyd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B chronyd_tmpfs_t ++ ++ ++.br ++.B chronyd_var_lib_t ++ ++ /var/lib/chrony(/.*)? ++.br ++ ++.br ++.B chronyd_var_run_t ++ ++ /var/run/chronyd(/.*) ++.br ++ /var/run/chronyd\.pid ++.br ++ /var/run/chronyd\.sock ++.br ++ ++.br ++.B gpsd_tmpfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11747,7 +23138,20 @@ index 0000000..2e165b5 +Policy governs the access confined processes have to these files. +SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible. +.PP -+The following file types are defined for chronyd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the chronyd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t chronyd_exec_t '/srv/chronyd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mychronyd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for chronyd: + + +.EX 
@@ -11811,8 +23215,12 @@ index 0000000..2e165b5 +.B chronyd_var_run_t +.EE + -+- Set files with the chronyd_var_run_t type, if you want to store the chronyd files under the /run directory. ++- Set files with the chronyd_var_run_t type, if you want to store the chronyd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/chronyd(/.*), /var/run/chronyd\.pid, /var/run/chronyd\.sock + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -11821,79 +23229,6 @@ index 0000000..2e165b5 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux chronyd policy is very flexible allowing users to setup their chronyd processes in as secure a method as possible. -+.PP -+The following port types are defined for chronyd: -+ -+.EX -+.TP 5 -+.B chronyd_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+udp 323 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type chronyd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B chronyd_tmpfs_t -+ -+ -+.br -+.B chronyd_var_lib_t -+ -+ /var/lib/chrony(/.*)? -+.br -+ -+.br -+.B chronyd_var_log_t -+ -+ /var/log/chrony(/.*)? -+.br -+ -+.br -+.B chronyd_var_run_t -+ -+ /var/run/chronyd(/.*) -+.br -+ /var/run/chronyd\.pid -+.br -+ /var/run/chronyd\.sock -+.br -+ -+.br -+.B gpsd_tmpfs_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chronyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the chronyd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -11907,6 +23242,9 @@ index 0000000..2e165b5 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -11918,13 +23256,205 @@ index 0000000..2e165b5 + +.SH "SEE ALSO" +selinux(8), chronyd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/chroot_user_selinux.8 b/man/man8/chroot_user_selinux.8 +new file mode 100644 +index 0000000..2135e1c +--- /dev/null ++++ b/man/man8/chroot_user_selinux.8 +@@ -0,0 +1,183 @@ ++.TH "chroot_user_selinux" "8" "13-01-16" "chroot_user" "SELinux Policy documentation for chroot_user" ++.SH "NAME" ++chroot_user_selinux \- Security Enhanced Linux Policy for the chroot_user processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the chroot_user processes via flexible mandatory access control. ++ ++The chroot_user processes execute with the chroot_user_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep chroot_user_t ++ ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux chroot_user policy is very flexible allowing users to setup their chroot_user processes in as secure a method as possible. ++.PP ++The following process types are defined for chroot_user: ++ ++.EX ++.B chroot_user_t ++.EE ++.PP ++Note: ++.B semanage permissive -a chroot_user_t ++can be used to make the process type chroot_user_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. chroot_user policy is extremely flexible and has several booleans that allow you to manipulate the policy and run chroot_user with the tightest access possible. 
++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ssh_chroot_rw_homedirs 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type chroot_user_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B user_home_type ++ ++ all user home files ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), chroot_user(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ciped_selinux.8 b/man/man8/ciped_selinux.8 new file mode 100644 -index 0000000..7e19c9b +index 0000000..9594c34 --- /dev/null 
+++ b/man/man8/ciped_selinux.8 -@@ -0,0 +1,86 @@ -+.TH "ciped_selinux" "8" "12-11-01" "ciped" "SELinux Policy documentation for ciped" +@@ -0,0 +1,199 @@ ++.TH "ciped_selinux" "8" "13-01-16" "ciped" "SELinux Policy documentation for ciped" +.SH "NAME" +ciped_selinux \- Security Enhanced Linux Policy for the ciped processes +.SH "DESCRIPTION" @@ -11940,7 +23470,9 @@ index 0000000..7e19c9b + +.SH "ENTRYPOINTS" + -+The ciped_t SELinux type can be entered via the "ciped_exec_t" file type. The default entrypoint paths for the ciped_t domain are the following:" ++The ciped_t SELinux type can be entered via the \fBciped_exec_t\fP file type. ++ ++The default entrypoint paths for the ciped_t domain are the following: + +/usr/sbin/ciped.* +.SH PROCESS TYPES 
@@ -11958,8 +23490,96 @@ index 0000000..7e19c9b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ciped_t ++can be used to make the process type ciped_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ciped policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ciped with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type ciped_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11969,7 +23589,20 @@ index 0000000..7e19c9b +Policy governs the access confined processes have to these files. +SELinux ciped policy is very flexible allowing users to setup their ciped processes in as secure a method as possible. +.PP -+The following file types are defined for ciped: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ciped, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ciped_exec_t '/srv/ciped/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myciped_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ciped: + + +.EX 
@@ -11980,6 +23613,14 @@ index 0000000..7e19c9b +- Set files with the ciped_exec_t type, if you want to transition an executable to the ciped_t domain. + + ++.EX ++.PP ++.B ciped_initrc_exec_t ++.EE ++ ++- Set files with the ciped_initrc_exec_t type, if you want to transition an executable to the ciped_initrc_t domain. ++ ++ +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext @@ -11987,8 +23628,6 @@ index 0000000..7e19c9b +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -11999,6 +23638,9 @@ index 0000000..7e19c9b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -12010,13 +23652,15 @@ index 0000000..7e19c9b + +.SH "SEE ALSO" +selinux(8), ciped(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/clamd_selinux.8 b/man/man8/clamd_selinux.8 new file mode 100644 -index 0000000..26f026b +index 0000000..0d9321a --- /dev/null +++ b/man/man8/clamd_selinux.8 -@@ -0,0 +1,284 @@ -+.TH "clamd_selinux" "8" "12-11-01" "clamd" "SELinux Policy documentation for clamd" +@@ -0,0 +1,383 @@ ++.TH "clamd_selinux" "8" "13-01-16" "clamd" "SELinux Policy documentation for clamd" +.SH "NAME" +clamd_selinux \- Security Enhanced Linux Policy for the clamd processes +.SH "DESCRIPTION" 
@@ -12032,7 +23676,9 @@ index 0000000..26f026b + +.SH "ENTRYPOINTS" + -+The clamd_t SELinux type can be entered via the "clamd_exec_t" file type. The default entrypoint paths for the clamd_t domain are the following:" ++The clamd_t SELinux type can be entered via the \fBclamd_exec_t\fP file type. ++ ++The default entrypoint paths for the clamd_t domain are the following: + +/usr/sbin/clamd, /usr/sbin/clamav-milter +.SH PROCESS TYPES 
@@ -12050,136 +23696,140 @@ index 0000000..26f026b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a clamd_t ++can be used to make the process type clamd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. clamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamd with the tightest access possible. + + +.PP -+If you want to allow clamd to use JIT compiler, you must turn on the clamd_use_jit boolean. ++If you want to determine whether can clamd use JIT compiler, you must turn on the clamd_use_jit boolean. Disabled by default. + +.EX +.B setsebool -P clamd_use_jit 1 ++ +.EE + +.PP -+If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean. ++If you want to allow antivirus programs to read non security files on a system, you must turn on the antivirus_can_scan_system boolean. Disabled by default. + +.EX -+.B setsebool -P clamscan_can_scan_system 1 ++.B setsebool -P antivirus_can_scan_system 1 ++ +.EE + +.PP -+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P clamscan_read_user_content 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow clamd to use JIT compiler, you must turn on the clamd_use_jit boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. 
Disabled by default. + +.EX -+.B setsebool -P clamd_use_jit 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.B setsebool -P clamscan_can_scan_system 1 ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + +.PP -+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.B setsebool -P clamscan_read_user_content 1 ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux clamd policy is very flexible allowing users to setup their clamd processes in as secure a method as possible. -+.PP -+The following file types are defined for clamd: -+ ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B clamd_etc_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the clamd_etc_t type, if you want to store clamd files in the /etc directories. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B clamd_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the clamd_exec_t type, if you want to transition an executable to the clamd_t domain. 
-+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B clamd_initrc_exec_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the clamd_initrc_exec_t type, if you want to transition an executable to the clamd_initrc_t domain. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B clamd_tmp_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the clamd_tmp_t type, if you want to store clamd temporary files in the /tmp directories. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B clamd_unit_file_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the clamd_unit_file_t type, if you want to treat the files as clamd unit content. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B clamd_var_lib_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the clamd_var_lib_t type, if you want to store the clamd files under the /var/lib directory. -+ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.PP -+.B clamd_var_log_t ++.B setsebool -P nis_enabled 1 ++ +.EE + -+- Set files with the clamd_var_log_t type, if you want to treat the data as clamd var log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + +.EX -+.PP -+.B clamd_var_run_t ++.B setsebool -P nscd_use_shm 1 ++ +.EE + -+- Set files with the clamd_var_run_t type, if you want to store the clamd files under the /run directory. 
-+ ++.SH NSSWITCH DOMAIN + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the clamd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the clamd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -12235,14 +23885,6 @@ index 0000000..26f026b +.br + +.br -+.B clamd_var_log_t -+ -+ /var/log/clamd.* -+.br -+ /var/log/clamav.* -+.br -+ -+.br +.B clamd_var_run_t + + /var/run/clamd.* 
@@ -12251,26 +23893,127 @@ index 0000000..26f026b +.br + /var/run/amavis(d)?/clamd\.pid +.br -+ /var/spool/MailScanner(/.*)? -+.br + /var/spool/amavisd/clamd\.sock +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux clamd policy is very flexible allowing users to setup their clamd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the clamd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the clamd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t clamd_etc_t '/srv/clamd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myclamd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for clamd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B clamd_etc_t +.EE + ++- Set files with the clamd_etc_t type, if you want to store clamd files in the /etc directories. ++ ++ ++.EX ++.PP ++.B clamd_exec_t ++.EE ++ ++- Set files with the clamd_exec_t type, if you want to transition an executable to the clamd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/clamd, /usr/sbin/clamav-milter ++ ++.EX ++.PP ++.B clamd_initrc_exec_t ++.EE ++ ++- Set files with the clamd_initrc_exec_t type, if you want to transition an executable to the clamd_initrc_t domain. 
++ ++ ++.EX ++.PP ++.B clamd_tmp_t ++.EE ++ ++- Set files with the clamd_tmp_t type, if you want to store clamd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B clamd_unit_file_t ++.EE ++ ++- Set files with the clamd_unit_file_t type, if you want to treat the files as clamd unit content. ++ ++ ++.EX ++.PP ++.B clamd_var_lib_t ++.EE ++ ++- Set files with the clamd_var_lib_t type, if you want to store the clamd files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/clamav(/.*)?, /var/lib/clamd.*, /var/lib/clamav(/.*)? ++ ++.EX ++.PP ++.B clamd_var_log_t ++.EE ++ ++- Set files with the clamd_var_log_t type, if you want to treat the data as clamd var log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/clamd.*, /var/log/clamav.* ++ ++.EX ++.PP ++.B clamd_var_run_t ++.EE ++ ++- Set files with the clamd_var_run_t type, if you want to store the clamd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/clamd.*, /var/run/clamav.*, /var/run/amavis(d)?/clamd\.pid, /var/spool/amavisd/clamd\.sock ++ +.PP -+If you want to allow confined applications to run with kerberos for the clamd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -12303,11 +24046,11 @@ index 0000000..26f026b \ No newline at end of file diff --git a/man/man8/clamscan_selinux.8 b/man/man8/clamscan_selinux.8 new file mode 100644 -index 0000000..d29a7f2 +index 0000000..62b1460 --- /dev/null 
+++ b/man/man8/clamscan_selinux.8 -@@ -0,0 +1,160 @@ -+.TH "clamscan_selinux" "8" "12-11-01" "clamscan" "SELinux Policy documentation for clamscan" +@@ -0,0 +1,261 @@ ++.TH "clamscan_selinux" "8" "13-01-16" "clamscan" "SELinux Policy documentation for clamscan" +.SH "NAME" +clamscan_selinux \- Security Enhanced Linux Policy for the clamscan processes +.SH "DESCRIPTION" @@ -12323,7 +24066,9 @@ index 0000000..d29a7f2 + +.SH "ENTRYPOINTS" + -+The clamscan_t SELinux type can be entered via the "clamscan_exec_t" file type. The default entrypoint paths for the clamscan_t domain are the following:" ++The clamscan_t SELinux type can be entered via the \fBclamscan_exec_t\fP file type. ++ ++The default entrypoint paths for the clamscan_t domain are the following: + +/usr/bin/clamscan, /usr/bin/clamdscan +.SH PROCESS TYPES 
@@ -12341,74 +24086,116 @@ index 0000000..d29a7f2 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a clamscan_t ++can be used to make the process type clamscan_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. clamscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamscan with the tightest access possible. + + +.PP -+If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean. ++If you want to allow antivirus programs to read non security files on a system, you must turn on the antivirus_can_scan_system boolean. Disabled by default. + +.EX -+.B setsebool -P clamscan_can_scan_system 1 ++.B setsebool -P antivirus_can_scan_system 1 ++ +.EE + +.PP -+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean. ++If you want to determine whether clamscan can read all non-security files, you must turn on the clamav_read_all_non_security_files_clamscan boolean. Disabled by default. + +.EX -+.B setsebool -P clamscan_read_user_content 1 ++.B setsebool -P clamav_read_all_non_security_files_clamscan 1 ++ +.EE + +.PP -+If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean. ++If you want to determine whether clamscan can read user content files, you must turn on the clamav_read_user_content_files_clamscan boolean. Disabled by default. 
+ +.EX -+.B setsebool -P clamscan_can_scan_system 1 ++.B setsebool -P clamav_read_user_content_files_clamscan 1 ++ +.EE + +.PP -+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean. ++If you want to determine whether can clamd use JIT compiler, you must turn on the clamd_use_jit boolean. Disabled by default. + +.EX -+.B setsebool -P clamscan_read_user_content 1 ++.B setsebool -P clamd_use_jit 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux clamscan policy is very flexible allowing users to setup their clamscan processes in as secure a method as possible. -+.PP -+The following file types are defined for clamscan: -+ ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B clamscan_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the clamscan_exec_t type, if you want to transition an executable to the clamscan_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B clamscan_tmp_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the clamscan_tmp_t type, if you want to store clamscan temporary files in the /tmp directories. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -12440,7 +24227,64 @@ index 0000000..d29a7f2 +.B clamscan_tmp_t + + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux clamscan policy is very flexible allowing users to setup their clamscan processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the clamscan, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t clamscan_exec_t '/srv/clamscan/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myclamscan_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for clamscan: ++ ++ ++.EX ++.PP ++.B clamscan_exec_t ++.EE ++ ++- Set files with the clamscan_exec_t type, if you want to transition an executable to the clamscan_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/clamscan, /usr/bin/clamdscan ++ ++.EX ++.PP ++.B clamscan_tmp_t ++.EE ++ ++- Set files with the clamscan_tmp_t type, if you want to store clamscan temporary files in the /tmp directories. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -12470,11 +24314,11 @@ index 0000000..d29a7f2 \ No newline at end of file 
diff --git a/man/man8/clogd_selinux.8 b/man/man8/clogd_selinux.8 new file mode 100644 -index 0000000..376c775 +index 0000000..ec20083 --- /dev/null +++ b/man/man8/clogd_selinux.8 -@@ -0,0 +1,116 @@ -+.TH "clogd_selinux" "8" "12-11-01" "clogd" "SELinux Policy documentation for clogd" +@@ -0,0 +1,209 @@ ++.TH "clogd_selinux" "8" "13-01-16" "clogd" "SELinux Policy documentation for clogd" +.SH "NAME" +clogd_selinux \- Security Enhanced Linux Policy for the clogd processes +.SH "DESCRIPTION" @@ -12490,7 +24334,9 @@ index 0000000..376c775 + +.SH "ENTRYPOINTS" + -+The clogd_t SELinux type can be entered via the "clogd_exec_t" file type. The default entrypoint paths for the clogd_t domain are the following:" ++The clogd_t SELinux type can be entered via the \fBclogd_exec_t\fP file type. ++ ++The default entrypoint paths for the clogd_t domain are the following: + +/usr/sbin/clogd +.SH PROCESS TYPES 
@@ -12508,8 +24354,98 @@ index 0000000..376c775 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a clogd_t ++can be used to make the process type clogd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. clogd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clogd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type clogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B clogd_tmpfs_t ++ ++ ++.br ++.B clogd_var_run_t ++ ++ /var/run/clogd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -12519,7 +24455,20 @@ index 0000000..376c775 +Policy governs the access confined processes have to these files. +SELinux clogd policy is very flexible allowing users to setup their clogd processes in as secure a method as possible. +.PP -+The following file types are defined for clogd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the clogd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t clogd_exec_t '/srv/clogd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myclogd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for clogd: + + +.EX 
@@ -12543,7 +24492,7 @@ index 0000000..376c775 +.B clogd_var_run_t +.EE + -+- Set files with the clogd_var_run_t type, if you want to store the clogd files under the /run directory. ++- Set files with the clogd_var_run_t type, if you want to store the clogd files under the /run or /var/run directory. + + +.PP @@ -12553,22 +24502,6 @@ index 0000000..376c775 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type clogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B clogd_tmpfs_t -+ -+ -+.br -+.B clogd_var_run_t -+ -+ /var/run/clogd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -12579,6 +24512,9 @@ index 0000000..376c775 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -12590,13 +24526,15 @@ index 0000000..376c775 + +.SH "SEE ALSO" +selinux(8), clogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/clvmd_selinux.8 b/man/man8/clvmd_selinux.8 new file mode 100644 -index 0000000..6c83943 +index 0000000..36213b4 --- /dev/null +++ b/man/man8/clvmd_selinux.8 -@@ -0,0 +1,142 @@ -+.TH "clvmd_selinux" "8" "12-11-01" "clvmd" "SELinux Policy documentation for clvmd" +@@ -0,0 +1,269 @@ ++.TH "clvmd_selinux" "8" "13-01-16" "clvmd" "SELinux Policy documentation for clvmd" +.SH "NAME" +clvmd_selinux \- Security Enhanced Linux Policy for the clvmd processes +.SH "DESCRIPTION" 
@@ -12612,7 +24550,9 @@ index 0000000..6c83943 + +.SH "ENTRYPOINTS" + -+The clvmd_t SELinux type can be entered via the "clvmd_exec_t" file type. The default entrypoint paths for the clvmd_t domain are the following:" ++The clvmd_t SELinux type can be entered via the \fBclvmd_exec_t\fP file type. ++ ++The default entrypoint paths for the clvmd_t domain are the following: + +/usr/sbin/clvmd +.SH PROCESS TYPES 
@@ -12630,8 +24570,150 @@ index 0000000..6c83943 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a clvmd_t ++can be used to make the process type clvmd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. clvmd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clvmd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the clvmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the clvmd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type clvmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B clvmd_tmpfs_t ++ ++ ++.br ++.B clvmd_var_run_t ++ ++ /var/run/clvmd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -12641,7 +24723,20 @@ index 0000000..6c83943 +Policy governs the access confined processes have to these files. +SELinux clvmd policy is very flexible allowing users to setup their clvmd processes in as secure a method as possible. +.PP -+The following file types are defined for clvmd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the clvmd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t clvmd_exec_t '/srv/clvmd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myclvmd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for clvmd: + + +.EX @@ -12673,7 +24768,7 @@ index 0000000..6c83943 +.B clvmd_var_run_t +.EE + -+- Set files with the clvmd_var_run_t type, if you want to store the clvmd files under the /run directory. ++- Set files with the clvmd_var_run_t type, if you want to store the clvmd files under the /run or /var/run directory. + + +.PP 
@@ -12683,40 +24778,6 @@ index 0000000..6c83943 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type clvmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B anon_inodefs_t -+ -+ -+.br -+.B clvmd_tmpfs_t -+ -+ -+.br -+.B clvmd_var_run_t -+ -+ /var/run/clvmd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the clvmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the clvmd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -12727,6 +24788,9 @@ index 0000000..6c83943 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -12738,13 +24802,15 @@ index 0000000..6c83943 + +.SH "SEE ALSO" +selinux(8), clvmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/cmirrord_selinux.8 b/man/man8/cmirrord_selinux.8 new file mode 100644 -index 0000000..529b7f4 +index 0000000..920b83d --- /dev/null 
+++ b/man/man8/cmirrord_selinux.8 -@@ -0,0 +1,124 @@ -+.TH "cmirrord_selinux" "8" "12-11-01" "cmirrord" "SELinux Policy documentation for cmirrord" +@@ -0,0 +1,217 @@ ++.TH "cmirrord_selinux" "8" "13-01-16" "cmirrord" "SELinux Policy documentation for cmirrord" +.SH "NAME" +cmirrord_selinux \- Security Enhanced Linux Policy for the cmirrord processes +.SH "DESCRIPTION" @@ -12760,7 +24826,9 @@ index 0000000..529b7f4 + +.SH "ENTRYPOINTS" + -+The cmirrord_t SELinux type can be entered via the "cmirrord_exec_t" file type. The default entrypoint paths for the cmirrord_t domain are the following:" ++The cmirrord_t SELinux type can be entered via the \fBcmirrord_exec_t\fP file type. ++ ++The default entrypoint paths for the cmirrord_t domain are the following: + +/usr/sbin/cmirrord +.SH PROCESS TYPES 
@@ -12778,8 +24846,98 @@ index 0000000..529b7f4 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cmirrord_t ++can be used to make the process type cmirrord_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cmirrord policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cmirrord with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cmirrord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cmirrord_tmpfs_t ++ ++ ++.br ++.B cmirrord_var_run_t ++ ++ /var/run/cmirrord\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -12789,7 +24947,20 @@ index 0000000..529b7f4 +Policy governs the access confined processes have to these files. +SELinux cmirrord policy is very flexible allowing users to setup their cmirrord processes in as secure a method as possible. +.PP -+The following file types are defined for cmirrord: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cmirrord, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cmirrord_exec_t '/srv/cmirrord/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycmirrord_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cmirrord: + + +.EX 
@@ -12821,7 +24992,7 @@ index 0000000..529b7f4 +.B cmirrord_var_run_t +.EE + -+- Set files with the cmirrord_var_run_t type, if you want to store the cmirrord files under the /run directory. ++- Set files with the cmirrord_var_run_t type, if you want to store the cmirrord files under the /run or /var/run directory. + + +.PP @@ -12831,22 +25002,6 @@ index 0000000..529b7f4 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type cmirrord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cmirrord_tmpfs_t -+ -+ -+.br -+.B cmirrord_var_run_t -+ -+ /var/run/cmirrord\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -12857,6 +25012,9 @@ index 0000000..529b7f4 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -12868,13 +25026,15 @@ index 0000000..529b7f4 + +.SH "SEE ALSO" +selinux(8), cmirrord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/cobblerd_selinux.8 b/man/man8/cobblerd_selinux.8 new file mode 100644 -index 0000000..d1680db +index 0000000..380113f --- /dev/null +++ b/man/man8/cobblerd_selinux.8 -@@ -0,0 +1,391 @@ -+.TH "cobblerd_selinux" "8" "12-11-01" "cobblerd" "SELinux Policy documentation for cobblerd" +@@ -0,0 +1,417 @@ ++.TH "cobblerd_selinux" "8" "13-01-16" "cobblerd" "SELinux Policy documentation for cobblerd" +.SH "NAME" +cobblerd_selinux \- Security Enhanced Linux Policy for the cobblerd processes +.SH "DESCRIPTION" 
@@ -12890,7 +25050,9 @@ index 0000000..d1680db + +.SH "ENTRYPOINTS" + -+The cobblerd_t SELinux type can be entered via the "cobblerd_exec_t" file type. The default entrypoint paths for the cobblerd_t domain are the following:" ++The cobblerd_t SELinux type can be entered via the \fBcobblerd_exec_t\fP file type. ++ ++The default entrypoint paths for the cobblerd_t domain are the following: + +/usr/bin/cobblerd +.SH PROCESS TYPES 
@@ -12908,143 +25070,108 @@ index 0000000..d1680db +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cobblerd_t ++can be used to make the process type cobblerd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. cobblerd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cobblerd with the tightest access possible. + + +.PP -+If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean. -+ -+.EX -+.B setsebool -P cobbler_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow Cobbler to connect to the network using TCP, you must turn on the cobbler_can_network_connect boolean. ++If you want to determine whether Cobbler can connect to the network using TCP, you must turn on the cobbler_can_network_connect boolean. Disabled by default. + +.EX +.B setsebool -P cobbler_can_network_connect 1 ++ +.EE + +.PP -+If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean. -+ -+.EX -+.B setsebool -P httpd_can_network_connect_cobbler 1 -+.EE -+ -+.PP -+If you want to allow Cobbler to access cifs file systems, you must turn on the cobbler_use_cifs boolean. ++If you want to determine whether Cobbler can access cifs file systems, you must turn on the cobbler_use_cifs boolean. Disabled by default. + +.EX +.B setsebool -P cobbler_use_cifs 1 ++ +.EE + +.PP -+If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean. ++If you want to determine whether Cobbler can access nfs file systems, you must turn on the cobbler_use_nfs boolean. 
Disabled by default. + +.EX +.B setsebool -P cobbler_use_nfs 1 ++ +.EE + +.PP -+If you want to allow Cobbler to connect to the network using TCP, you must turn on the cobbler_can_network_connect boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P cobbler_can_network_connect 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_can_network_connect_cobbler 1 ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + +.PP -+If you want to allow Cobbler to access cifs file systems, you must turn on the cobbler_use_cifs boolean. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.B setsebool -P cobbler_use_cifs 1 ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+.SH SHARING FILES -+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. -+.TP -+Allow cobblerd servers to read the /var/cobblerd directory by adding the public_content_t file type to the directory and by restoring the file type. +.PP -+.B -+semanage fcontext -a -t public_content_t "/var/cobblerd(/.*)?" -+.br -+.B restorecon -F -R -v /var/cobblerd -+.pp -+.TP -+Allow cobblerd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. 
This also requires the allow_cobblerdd_anon_write boolean to be set. -+.PP -+.B -+semanage fcontext -a -t public_content_rw_t "/var/cobblerd/incoming(/.*)?" -+.br -+.B restorecon -F -R -v /var/cobblerd/incoming -+ -+ -+.PP -+If you want to allow Cobbler to modify public files used for public file transfer services., you must turn on the cobbler_anon_write boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P cobbler_anon_write 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + +.PP -+If you want to allow Cobbler to modify public files used for public file transfer services., you must turn on the cobbler_anon_write boolean. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.B setsebool -P cobbler_anon_write 1 ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux cobblerd policy is very flexible allowing users to setup their cobblerd processes in as secure a method as possible. -+.PP -+The following file types are defined for cobblerd: -+ ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B cobblerd_exec_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the cobblerd_exec_t type, if you want to transition an executable to the cobblerd_t domain. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
+ +.EX -+.PP -+.B cobblerd_initrc_exec_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the cobblerd_initrc_exec_t type, if you want to transition an executable to the cobblerd_initrc_t domain. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B cobblerd_unit_file_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the cobblerd_unit_file_t type, if you want to treat the files as cobblerd unit content. -+ -+ +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -13074,6 +25201,10 @@ index 0000000..d1680db +The SELinux process type cobblerd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br +.B cobbler_tmp_t + + @@ -13082,7 +25213,7 @@ index 0000000..d1680db + + /var/lib/cobbler(/.*)? +.br -+ /var/www/cobbler/pub(/.*)? ++ /var/www/cobbler(/.*)? +.br + /var/lib/tftpboot/etc(/.*)? +.br 
@@ -13090,22 +25221,10 @@ index 0000000..d1680db +.br + /var/lib/tftpboot/grub(/.*)? +.br -+ /var/www/cobbler/links(/.*)? -+.br + /var/lib/tftpboot/s390x(/.*)? +.br -+ /var/www/cobbler/images(/.*)? -+.br + /var/lib/tftpboot/images(/.*)? +.br -+ /var/www/cobbler/rendered(/.*)? -+.br -+ /var/www/cobbler/ks_mirror(/.*)? -+.br -+ /var/www/cobbler/localmirror(/.*)? -+.br -+ /var/www/cobbler/repo_mirror(/.*)? -+.br + /var/lib/tftpboot/pxelinux\.cfg(/.*)? +.br + /var/lib/tftpboot/yaboot @@ -13118,12 +25237,6 @@ index 0000000..d1680db +.br + +.br -+.B cobbler_var_log_t -+ -+ /var/log/cobbler(/.*)? -+.br -+ -+.br +.B dhcp_etc_t + + /etc/dhcpc.* @@ -13148,10 +25261,6 @@ index 0000000..d1680db +.br + +.br -+.B httpd_cobbler_rw_content_t -+ -+ -+.br +.B named_conf_t + + /etc/rndc.* @@ -13192,8 +25301,6 @@ index 0000000..d1680db +.br +.B net_conf_t + -+ /etc/ntpd?\.conf.* -+.br + /etc/hosts[^/]* +.br + /etc/yp\.conf.* @@ -13204,8 +25311,6 @@ index 0000000..d1680db +.br + /etc/resolv\.conf.* +.br -+ /etc/ntp/step-tickers.* -+.br + /etc/sysconfig/networking(/.*)? +.br + /etc/sysconfig/network-scripts(/.*)? 
@@ -13216,26 +25321,107 @@ index 0000000..d1680db +.br + +.br ++.B nfs_t ++ ++ ++.br ++.B public_content_rw_t ++ ++ /var/spool/abrt-upload(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B rsync_etc_t + + /etc/rsyncd\.conf +.br + +.br -+.B systemd_passwd_var_run_t -+ -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br -+ -+.br +.B tftpd_etc_t + + /etc/xinetd\.d/tftp +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux cobblerd policy is very flexible allowing users to setup their cobblerd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cobblerd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cobblerd_exec_t '/srv/cobblerd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycobblerd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cobblerd: ++ ++ ++.EX ++.PP ++.B cobblerd_exec_t ++.EE ++ ++- Set files with the cobblerd_exec_t type, if you want to transition an executable to the cobblerd_t domain. ++ ++ ++.EX ++.PP ++.B cobblerd_initrc_exec_t ++.EE ++ ++- Set files with the cobblerd_initrc_exec_t type, if you want to transition an executable to the cobblerd_initrc_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. 
This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH SHARING FILES ++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. ++.TP ++Allow cobblerd servers to read the /var/cobblerd directory by adding the public_content_t file type to the directory and by restoring the file type. ++.PP ++.B ++semanage fcontext -a -t public_content_t "/var/cobblerd(/.*)?" ++.br ++.B restorecon -F -R -v /var/cobblerd ++.pp ++.TP ++Allow cobblerd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_cobblerdd_anon_write boolean to be set. ++.PP ++.B ++semanage fcontext -a -t public_content_rw_t "/var/cobblerd/incoming(/.*)?" ++.br ++.B restorecon -F -R -v /var/cobblerd/incoming ++ ++ ++.PP ++If you want to determine whether Cobbler can modify public files used for public file transfer services., you must turn on the cobbler_anon_write boolean. ++ ++.EX ++.B setsebool -P cobbler_anon_write 1 ++.EE + +.SH "COMMANDS" +.B semanage fcontext @@ -13268,11 +25454,11 @@ index 0000000..d1680db \ No newline at end of file diff --git a/man/man8/collectd_selinux.8 b/man/man8/collectd_selinux.8 new file mode 100644 -index 0000000..8593a45 +index 0000000..42cb681 --- /dev/null +++ b/man/man8/collectd_selinux.8 -@@ -0,0 +1,156 @@ -+.TH "collectd_selinux" "8" "12-11-01" "collectd" "SELinux Policy documentation for collectd" +@@ -0,0 +1,243 @@ ++.TH "collectd_selinux" "8" "13-01-16" "collectd" "SELinux Policy documentation for collectd" +.SH "NAME" +collectd_selinux \- Security Enhanced Linux Policy for the collectd processes +.SH "DESCRIPTION" 
@@ -13288,7 +25474,9 @@ index 0000000..8593a45 + +.SH "ENTRYPOINTS" + -+The collectd_t SELinux type can be entered via the "collectd_exec_t" file type. The default entrypoint paths for the collectd_t domain are the following:" ++The collectd_t SELinux type can be entered via the \fBcollectd_exec_t\fP file type. ++ ++The default entrypoint paths for the collectd_t domain are the following: + +/usr/sbin/collectd +.SH PROCESS TYPES 
@@ -13306,27 +25494,117 @@ index 0000000..8593a45 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a collectd_t ++can be used to make the process type collectd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. collectd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run collectd with the tightest access possible. + + +.PP -+If you want to allow collectd to connect to the network using TCP, you must turn on the collectd_can_network_connect boolean. ++If you want to determine whether collectd can connect to the network using TCP, you must turn on the collectd_tcp_network_connect boolean. Disabled by default. + +.EX -+.B setsebool -P collectd_can_network_connect 1 ++.B setsebool -P collectd_tcp_network_connect 1 ++ +.EE + +.PP -+If you want to allow collectd to connect to the network using TCP, you must turn on the collectd_can_network_connect boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P collectd_can_network_connect 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type collectd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B collectd_var_lib_t ++ ++ /var/lib/collectd(/.*)? ++.br ++ ++.br ++.B collectd_var_run_t ++ ++ /var/run/collectd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -13335,7 +25613,20 @@ index 0000000..8593a45 +Policy governs the access confined processes have to these files. +SELinux collectd policy is very flexible allowing users to setup their collectd processes in as secure a method as possible. +.PP -+The following file types are defined for collectd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the collectd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t collectd_exec_t '/srv/collectd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycollectd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for collectd: + + +.EX @@ -13375,7 +25666,7 @@ index 0000000..8593a45 +.B collectd_var_run_t +.EE + -+- Set files with the collectd_var_run_t type, if you want to store the collectd files under the /run directory. ++- Set files with the collectd_var_run_t type, if you want to store the collectd files under the /run or /var/run directory. + + +.PP @@ -13385,24 +25676,6 @@ index 0000000..8593a45 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type collectd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B collectd_var_lib_t -+ -+ /var/lib/collectd(/.*)? -+.br -+ -+.br -+.B collectd_var_run_t -+ -+ /var/run/collectd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -13431,11 +25704,11 @@ index 0000000..8593a45 \ No newline at end of file 
diff --git a/man/man8/colord_selinux.8 b/man/man8/colord_selinux.8 new file mode 100644 -index 0000000..5f598b7 +index 0000000..1b31976 --- /dev/null +++ b/man/man8/colord_selinux.8 -@@ -0,0 +1,164 @@ -+.TH "colord_selinux" "8" "12-11-01" "colord" "SELinux Policy documentation for colord" +@@ -0,0 +1,342 @@ ++.TH "colord_selinux" "8" "13-01-16" "colord" "SELinux Policy documentation for colord" +.SH "NAME" +colord_selinux \- Security Enhanced Linux Policy for the colord processes +.SH "DESCRIPTION" @@ -13451,9 +25724,11 @@ index 0000000..5f598b7 + +.SH "ENTRYPOINTS" + -+The colord_t SELinux type can be entered via the "colord_exec_t" file type. The default entrypoint paths for the colord_t domain are the following:" ++The colord_t SELinux type can be entered via the \fBcolord_exec_t\fP file type. + -+/usr/libexec/colord, /usr/libexec/colord-sane ++The default entrypoint paths for the colord_t domain are the following: ++ ++/usr/lib/[^/]*/colord/colord, /usr/lib/[^/]*/colord/colord-sane, /usr/libexec/colord, /usr/libexec/colord-sane +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -13469,8 +25744,196 @@ index 0000000..5f598b7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a colord_t ++can be used to make the process type colord_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. colord policy is extremely flexible and has several booleans that allow you to manipulate the policy and run colord with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the colord_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the colord_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type colord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B colord_tmp_t ++ ++ ++.br ++.B colord_tmpfs_t ++ ++ ++.br ++.B colord_var_lib_t ++ ++ /var/lib/color(/.*)? ++.br ++ /var/lib/colord(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B user_tmpfs_t ++ ++ /dev/shm/mono.* ++.br ++ /dev/shm/pulse-shm.* ++.br ++ ++.br ++.B zoneminder_tmpfs_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -13480,7 +25943,31 @@ index 0000000..5f598b7 +Policy governs the access confined processes have to these files. +SELinux colord policy is very flexible allowing users to setup their colord processes in as secure a method as possible. +.PP -+The following file types are defined for colord: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++colord policy stores data with multiple different file context types under the /var/lib/color directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/color /srv/color ++.br ++.B restorecon -R -v /srv/color ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the colord, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t colord_exec_t '/srv/colord/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycolord_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for colord: + + +.EX @@ -13490,6 +25977,10 @@ index 0000000..5f598b7 + +- Set files with the colord_exec_t type, if you want to transition an executable to the colord_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/[^/]*/colord/colord, /usr/lib/[^/]*/colord/colord-sane, /usr/libexec/colord, /usr/libexec/colord-sane + +.EX +.PP 
@@ -13522,6 +26013,10 @@ index 0000000..5f598b7 + +- Set files with the colord_var_lib_t type, if you want to store the colord files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/color(/.*)?, /var/lib/colord(/.*)? + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -13530,54 +26025,6 @@ index 0000000..5f598b7 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type colord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B colord_tmp_t -+ -+ -+.br -+.B colord_tmpfs_t -+ -+ -+.br -+.B colord_var_lib_t -+ -+ /var/lib/color(/.*)? -+.br -+ /var/lib/colord(/.*)? -+.br -+ -+.br -+.B user_tmpfs_t -+ -+ /dev/shm/mono.* -+.br -+ /dev/shm/pulse-shm.* -+.br -+ -+.br -+.B zoneminder_tmpfs_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the colord_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the colord_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -13588,6 +26035,9 @@ index 0000000..5f598b7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
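Review bot: the STANDARD FILE CONTEXT example is internally inconsistent and teaches an unsafe relabel: it runs "semanage fcontext -a -t colord_exec_t '/srv/colord/content(/.*)?'" and then "restorecon -R -v /srv/mycolord_content", so the restorecon path never matches the mapping just added, and colord_exec_t is the entrypoint type for colord_t, so labeling an arbitrary content tree with it makes every file there a domain entrypoint rather than data. Use a data type such as colord_var_lib_t and the same path in both commands. The same paragraph has "diffent paths", "sepecify" and "dirctory" (in the EQUIVALENCE DIRECTORIES text); since every *_selinux.8 page in this patch is generated by sepolicy manpage, fix the wording once in the generator template rather than in the generated files.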
@@ -13599,13 +26049,15 @@ index 0000000..5f598b7 + +.SH "SEE ALSO" +selinux(8), colord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/comsat_selinux.8 b/man/man8/comsat_selinux.8 new file mode 100644 -index 0000000..1301fea +index 0000000..310ea6d --- /dev/null +++ b/man/man8/comsat_selinux.8 -@@ -0,0 +1,154 @@ -+.TH "comsat_selinux" "8" "12-11-01" "comsat" "SELinux Policy documentation for comsat" +@@ -0,0 +1,249 @@ ++.TH "comsat_selinux" "8" "13-01-16" "comsat" "SELinux Policy documentation for comsat" +.SH "NAME" +comsat_selinux \- Security Enhanced Linux Policy for the comsat processes +.SH "DESCRIPTION" @@ -13621,7 +26073,9 @@ index 0000000..1301fea + +.SH "ENTRYPOINTS" + -+The comsat_t SELinux type can be entered via the "comsat_exec_t" file type. The default entrypoint paths for the comsat_t domain are the following:" ++The comsat_t SELinux type can be entered via the \fBcomsat_exec_t\fP file type. ++ ++The default entrypoint paths for the comsat_t domain are the following: + +/usr/sbin/in\.comsat +.SH PROCESS TYPES 
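Review bot: the SEE ALSO hunk appends "++, setsebool(8)" as a new line that begins with a comma, which troff renders as "sepolicy(8) , setsebool(8)" with a stray space before the comma; emit the reference on the same line as the preceding entries (the condor pages further down have the same pattern, with the list continuing on a comma-led line). The "\ No newline at end of file" marker also persists, so the generator should terminate the page with a newline.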
@@ -13639,50 +26093,100 @@ index 0000000..1301fea +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a comsat_t ++can be used to make the process type comsat_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux comsat policy is very flexible allowing users to setup their comsat processes in as secure a method as possible. -+.PP -+The following file types are defined for comsat: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. comsat policy is extremely flexible and has several booleans that allow you to manipulate the policy and run comsat with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B comsat_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the comsat_exec_t type, if you want to transition an executable to the comsat_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B comsat_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the comsat_tmp_t type, if you want to store comsat temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. 
Enabled by default. + +.EX -+.PP -+.B comsat_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the comsat_var_run_t type, if you want to store the comsat files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the comsat_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the comsat_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -13719,21 +26223,60 @@ index 0000000..1301fea +.B comsat_var_run_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux comsat policy is very flexible allowing users to setup their comsat processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the comsat_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the comsat, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t comsat_exec_t '/srv/comsat/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycomsat_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for comsat: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B comsat_exec_t +.EE + ++- Set files with the comsat_exec_t type, if you want to transition an executable to the comsat_t domain. ++ ++ ++.EX ++.PP ++.B comsat_tmp_t ++.EE ++ ++- Set files with the comsat_tmp_t type, if you want to store comsat temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B comsat_var_run_t ++.EE ++ ++- Set files with the comsat_var_run_t type, if you want to store the comsat files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the comsat_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -13748,6 +26291,9 @@ index 0000000..1301fea +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -13759,13 +26305,15 @@ index 0000000..1301fea + +.SH "SEE ALSO" +selinux(8), comsat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/condor_collector_selinux.8 b/man/man8/condor_collector_selinux.8 new file mode 100644 -index 0000000..7b32989 +index 0000000..b0807ef --- /dev/null +++ b/man/man8/condor_collector_selinux.8 -@@ -0,0 +1,133 @@ -+.TH "condor_collector_selinux" "8" "12-11-01" "condor_collector" "SELinux Policy documentation for condor_collector" +@@ -0,0 +1,261 @@ ++.TH "condor_collector_selinux" "8" "13-01-16" "condor_collector" "SELinux Policy documentation for condor_collector" +.SH "NAME" +condor_collector_selinux \- Security Enhanced Linux Policy for the condor_collector processes +.SH "DESCRIPTION" @@ -13781,7 +26329,9 @@ index 0000000..7b32989 + +.SH "ENTRYPOINTS" + -+The condor_collector_t SELinux type can be entered via the "condor_collector_exec_t" file type. The default entrypoint paths for the condor_collector_t domain are the following:" ++The condor_collector_t SELinux type can be entered via the \fBcondor_collector_exec_t\fP file type. ++ ++The default entrypoint paths for the condor_collector_t domain are the following: + +/usr/sbin/condor_collector +.SH PROCESS TYPES 
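Review bot: the deny_ptrace paragraph in the new BOOLEANS section contradicts itself: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" followed by "setsebool -P deny_ptrace 1" tells the reader to enable a boolean whose name says it denies ptrace, so someone following the instruction gets the opposite of what they asked for; the description should say what enabling the boolean actually restricts. In the relocated FILE CONTEXTS section the line "You can see the context of a file using the \fB\-Z\fP option to \fBls\bP" uses "\bP", which is not a valid groff escape (the font-reset is "\fP"), so the bold is never closed; this string appears in every generated page and belongs in the generator.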
@@ -13799,8 +26349,166 @@ index 0000000..7b32989 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a condor_collector_t ++can be used to make the process type condor_collector_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. condor_collector policy is extremely flexible and has several booleans that allow you to manipulate the policy and run condor_collector with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Condor can connect to the network using TCP, you must turn on the condor_tcp_network_connect boolean. Disabled by default. ++ ++.EX ++.B setsebool -P condor_tcp_network_connect 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the condor_collector_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the condor_collector_t, you must turn on the kerberos_enabled boolean. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type condor_collector_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B condor_var_lib_t ++ ++ /var/lib/condor(/.*)? ++.br ++ /var/lib/condor/spool(/.*)? ++.br ++ /var/lib/condor/execute(/.*)? ++.br ++ ++.br ++.B condor_var_lock_t ++ ++ /var/lock/condor(/.*)? ++.br ++ ++.br ++.B condor_var_run_t ++ ++ /var/run/condor(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -13810,7 +26518,20 @@ index 0000000..7b32989 +Policy governs the access confined processes have to these files. +SELinux condor_collector policy is very flexible allowing users to setup their condor_collector processes in as secure a method as possible. +.PP -+The following file types are defined for condor_collector: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the condor_collector, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t condor_collector_exec_t '/srv/condor_collector/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycondor_collector_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for condor_collector: + + +.EX 
@@ -13828,54 +26549,6 @@ index 0000000..7b32989 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type condor_collector_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B condor_log_t -+ -+ /var/log/condor(/.*)? -+.br -+ -+.br -+.B condor_var_lib_t -+ -+ /var/lib/condor(/.*)? -+.br -+ /var/lib/condor/spool(/.*)? -+.br -+ /var/lib/condor/execute(/.*)? -+.br -+ -+.br -+.B condor_var_lock_t -+ -+ /var/lock/condor(/.*)? -+.br -+ -+.br -+.B condor_var_run_t -+ -+ /var/run/condor(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_collector_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the condor_collector_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -13886,6 +26559,9 @@ index 0000000..7b32989 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
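Review bot: in the condor_collector MANAGED FILES rewrite, condor_log_t ("/var/log/condor(/.*)?") disappears from the list of types the daemon can manage while root_t ("/" and "/initrd") is added; taken at face value the regenerated policy lets condor_collector_t manage the root directory but no longer lets it manage its own log directory. Both deltas come from the policy the page was generated from, so check whether the log rule moved (e.g. to a write-only permission that the MANAGED FILES generator does not count) and whether the root_t manage permission is deliberate. The same swap appears in the condor_master and condor_negotiator pages later in this patch.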
@@ -13897,15 +26573,15 @@ index 0000000..7b32989 + +.SH "SEE ALSO" +selinux(8), condor_collector(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8) ++, setsebool(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8), condor_startd_ssh_selinux(8) \ No newline at end of file diff --git a/man/man8/condor_master_selinux.8 b/man/man8/condor_master_selinux.8 new file mode 100644 -index 0000000..fa4e2d5 +index 0000000..c24d5d6 --- /dev/null +++ b/man/man8/condor_master_selinux.8 -@@ -0,0 +1,119 @@ -+.TH "condor_master_selinux" "8" "12-11-01" "condor_master" "SELinux Policy documentation for condor_master" +@@ -0,0 +1,225 @@ ++.TH "condor_master_selinux" "8" "13-01-16" "condor_master" "SELinux Policy documentation for condor_master" +.SH "NAME" +condor_master_selinux \- Security Enhanced Linux Policy for the condor_master processes +.SH "DESCRIPTION" @@ -13921,7 +26597,9 @@ index 0000000..fa4e2d5 + +.SH "ENTRYPOINTS" + -+The condor_master_t SELinux type can be entered via the "condor_master_exec_t" file type. The default entrypoint paths for the condor_master_t domain are the following:" ++The condor_master_t SELinux type can be entered via the \fBcondor_master_exec_t\fP file type. ++ ++The default entrypoint paths for the condor_master_t domain are the following: + +/usr/sbin/condor_master +.SH PROCESS TYPES 
@@ -13939,44 +26617,92 @@ index 0000000..fa4e2d5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a condor_master_t ++can be used to make the process type condor_master_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux condor_master policy is very flexible allowing users to setup their condor_master processes in as secure a method as possible. -+.PP -+The following file types are defined for condor_master: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. condor_master policy is extremely flexible and has several booleans that allow you to manipulate the policy and run condor_master with the tightest access possible. + + ++.PP ++If you want to determine whether Condor can connect to the network using TCP, you must turn on the condor_tcp_network_connect boolean. Disabled by default. ++ +.EX -+.PP -+.B condor_master_exec_t ++.B setsebool -P condor_tcp_network_connect 1 ++ +.EE + -+- Set files with the condor_master_exec_t type, if you want to transition an executable to the condor_master_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + +The SELinux process type condor_master_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B condor_log_t ++.B condor_master_tmp_t + -+ /var/log/condor(/.*)? -+.br + +.br +.B condor_var_lib_t 
@@ -14000,7 +26726,60 @@ index 0000000..fa4e2d5 + /var/run/condor(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux condor_master policy is very flexible allowing users to setup their condor_master processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the condor_master, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t condor_master_exec_t '/srv/condor_master/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycondor_master_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for condor_master: ++ ++ ++.EX ++.PP ++.B condor_master_exec_t ++.EE ++ ++- Set files with the condor_master_exec_t type, if you want to transition an executable to the condor_master_t domain. ++ ++ ++.EX ++.PP ++.B condor_master_tmp_t ++.EE ++ ++- Set files with the condor_master_tmp_t type, if you want to store condor master temporary files in the /tmp directories. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -14012,6 +26791,9 @@ index 0000000..fa4e2d5 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -14023,15 +26805,15 @@ index 0000000..fa4e2d5 + +.SH "SEE ALSO" +selinux(8), condor_master(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, condor_collector_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8) ++, setsebool(8), condor_collector_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8), condor_startd_ssh_selinux(8) \ No newline at end of file diff --git a/man/man8/condor_negotiator_selinux.8 b/man/man8/condor_negotiator_selinux.8 new file mode 100644 -index 0000000..9116018 +index 0000000..680fce0 --- /dev/null +++ b/man/man8/condor_negotiator_selinux.8 -@@ -0,0 +1,133 @@ -+.TH "condor_negotiator_selinux" "8" "12-11-01" "condor_negotiator" "SELinux Policy documentation for condor_negotiator" +@@ -0,0 +1,261 @@ ++.TH "condor_negotiator_selinux" "8" "13-01-16" "condor_negotiator" "SELinux Policy documentation for condor_negotiator" +.SH "NAME" +condor_negotiator_selinux \- Security Enhanced Linux Policy for the condor_negotiator processes +.SH "DESCRIPTION" @@ -14047,7 +26829,9 @@ index 0000000..9116018 + +.SH "ENTRYPOINTS" + -+The condor_negotiator_t SELinux type can be entered via the "condor_negotiator_exec_t" file type. The default entrypoint paths for the condor_negotiator_t domain are the following:" ++The condor_negotiator_t SELinux type can be entered via the \fBcondor_negotiator_exec_t\fP file type. ++ ++The default entrypoint paths for the condor_negotiator_t domain are the following: + +/usr/sbin/condor_negotiator +.SH PROCESS TYPES 
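Review bot: the condor_master page differs from its sibling condor pages in two ways that deserve a check: its BOOLEANS section stops at global_ssp (no authlogin_nsswitch_use_ldap, kerberos_enabled, nis_enabled or nscd_use_shm) and the "-+.SH NSSWITCH DOMAIN" section is removed outright, and its MANAGED FILES list swaps condor_log_t for condor_master_tmp_t. Both are plausible if condor_master_t no longer calls into the nsswitch interfaces, but if the booleans were dropped because the generator failed to resolve them the page now under-documents the domain; confirm against the policy before merging.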
@@ -14065,8 +26849,166 @@ index 0000000..9116018 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a condor_negotiator_t ++can be used to make the process type condor_negotiator_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. condor_negotiator policy is extremely flexible and has several booleans that allow you to manipulate the policy and run condor_negotiator with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Condor can connect to the network using TCP, you must turn on the condor_tcp_network_connect boolean. Disabled by default. ++ ++.EX ++.B setsebool -P condor_tcp_network_connect 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the condor_negotiator_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the condor_negotiator_t, you must turn on the kerberos_enabled boolean. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type condor_negotiator_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B condor_var_lib_t ++ ++ /var/lib/condor(/.*)? ++.br ++ /var/lib/condor/spool(/.*)? ++.br ++ /var/lib/condor/execute(/.*)? ++.br ++ ++.br ++.B condor_var_lock_t ++ ++ /var/lock/condor(/.*)? ++.br ++ ++.br ++.B condor_var_run_t ++ ++ /var/run/condor(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -14076,7 +27018,20 @@ index 0000000..9116018 +Policy governs the access confined processes have to these files. +SELinux condor_negotiator policy is very flexible allowing users to setup their condor_negotiator processes in as secure a method as possible. +.PP -+The following file types are defined for condor_negotiator: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the condor_negotiator, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t condor_negotiator_exec_t '/srv/condor_negotiator/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycondor_negotiator_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for condor_negotiator: + + +.EX 
@@ -14094,54 +27049,6 @@ index 0000000..9116018 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type condor_negotiator_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B condor_log_t -+ -+ /var/log/condor(/.*)? -+.br -+ -+.br -+.B condor_var_lib_t -+ -+ /var/lib/condor(/.*)? -+.br -+ /var/lib/condor/spool(/.*)? -+.br -+ /var/lib/condor/execute(/.*)? -+.br -+ -+.br -+.B condor_var_lock_t -+ -+ /var/lock/condor(/.*)? -+.br -+ -+.br -+.B condor_var_run_t -+ -+ /var/run/condor(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_negotiator_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the condor_negotiator_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -14152,6 +27059,9 @@ index 0000000..9116018 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -14163,15 +27073,15 @@ index 0000000..9116018 + +.SH "SEE ALSO" +selinux(8), condor_negotiator(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, condor_collector_selinux(8), condor_master_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8) ++, setsebool(8), condor_collector_selinux(8), condor_master_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8), condor_startd_ssh_selinux(8) \ No newline at end of file diff --git a/man/man8/condor_procd_selinux.8 b/man/man8/condor_procd_selinux.8 new file mode 100644 -index 0000000..d3e5176 +index 0000000..d90685c --- /dev/null +++ b/man/man8/condor_procd_selinux.8 -@@ -0,0 +1,133 @@ -+.TH "condor_procd_selinux" "8" "12-11-01" "condor_procd" "SELinux Policy documentation for condor_procd" +@@ -0,0 +1,261 @@ ++.TH "condor_procd_selinux" "8" "13-01-16" "condor_procd" "SELinux Policy documentation for condor_procd" +.SH "NAME" +condor_procd_selinux \- Security Enhanced Linux Policy for the condor_procd processes +.SH "DESCRIPTION" @@ -14187,7 +27097,9 @@ index 0000000..d3e5176 + +.SH "ENTRYPOINTS" + -+The condor_procd_t SELinux type can be entered via the "condor_procd_exec_t" file type. The default entrypoint paths for the condor_procd_t domain are the following:" ++The condor_procd_t SELinux type can be entered via the \fBcondor_procd_exec_t\fP file type. ++ ++The default entrypoint paths for the condor_procd_t domain are the following: + +/usr/sbin/condor_procd +.SH PROCESS TYPES 
@@ -14205,46 +27117,138 @@ index 0000000..d3e5176 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a condor_procd_t ++can be used to make the process type condor_procd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux condor_procd policy is very flexible allowing users to setup their condor_procd processes in as secure a method as possible. -+.PP -+The following file types are defined for condor_procd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. condor_procd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run condor_procd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B condor_procd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the condor_procd_exec_t type, if you want to transition an executable to the condor_procd_t domain. ++.PP ++If you want to determine whether Condor can connect to the network using TCP, you must turn on the condor_tcp_network_connect boolean. Disabled by default. + ++.EX ++.B setsebool -P condor_tcp_network_connect 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the condor_procd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the condor_procd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type condor_procd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B condor_log_t -+ -+ /var/log/condor(/.*)? -+.br -+ -+.br +.B condor_var_lib_t + + /var/lib/condor(/.*)? 
@@ -14266,21 +27270,52 @@ index 0000000..d3e5176 + /var/run/condor(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux condor_procd policy is very flexible allowing users to setup their condor_procd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_procd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the condor_procd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t condor_procd_exec_t '/srv/condor_procd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycondor_procd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for condor_procd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B condor_procd_exec_t +.EE + ++- Set files with the condor_procd_exec_t type, if you want to transition an executable to the condor_procd_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the condor_procd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. 
You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -14292,6 +27327,9 @@ index 0000000..d3e5176 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -14303,15 +27341,15 @@ index 0000000..d3e5176 + +.SH "SEE ALSO" +selinux(8), condor_procd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8) ++, setsebool(8), condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8), condor_startd_ssh_selinux(8) \ No newline at end of file diff --git a/man/man8/condor_schedd_selinux.8 b/man/man8/condor_schedd_selinux.8 new file mode 100644 -index 0000000..4b28875 +index 0000000..0234b0c --- /dev/null +++ b/man/man8/condor_schedd_selinux.8 -@@ -0,0 +1,145 @@ -+.TH "condor_schedd_selinux" "8" "12-11-01" "condor_schedd" "SELinux Policy documentation for condor_schedd" +@@ -0,0 +1,273 @@ ++.TH "condor_schedd_selinux" "8" "13-01-16" "condor_schedd" "SELinux Policy documentation for condor_schedd" +.SH "NAME" +condor_schedd_selinux \- Security Enhanced Linux Policy for the condor_schedd processes +.SH "DESCRIPTION" @@ -14327,7 +27365,9 @@ index 0000000..4b28875 + +.SH "ENTRYPOINTS" + -+The condor_schedd_t SELinux type can be entered via the "condor_schedd_exec_t" file type. The default entrypoint paths for the condor_schedd_t domain are the following:" ++The condor_schedd_t SELinux type can be entered via the \fBcondor_schedd_exec_t\fP file type. ++ ++The default entrypoint paths for the condor_schedd_t domain are the following: + +/usr/sbin/condor_schedd +.SH PROCESS TYPES 
@@ -14345,8 +27385,170 @@ index 0000000..4b28875 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a condor_schedd_t ++can be used to make the process type condor_schedd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. condor_schedd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run condor_schedd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Condor can connect to the network using TCP, you must turn on the condor_tcp_network_connect boolean. Disabled by default. ++ ++.EX ++.B setsebool -P condor_tcp_network_connect 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the condor_schedd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the condor_schedd_t, you must turn on the kerberos_enabled boolean. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type condor_schedd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B condor_schedd_tmp_t ++ ++ ++.br ++.B condor_var_lib_t ++ ++ /var/lib/condor(/.*)? ++.br ++ /var/lib/condor/spool(/.*)? ++.br ++ /var/lib/condor/execute(/.*)? ++.br ++ ++.br ++.B condor_var_lock_t ++ ++ /var/lock/condor(/.*)? ++.br ++ ++.br ++.B condor_var_run_t ++ ++ /var/run/condor(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -14356,7 +27558,20 @@ index 0000000..4b28875 +Policy governs the access confined processes have to these files. +SELinux condor_schedd policy is very flexible allowing users to setup their condor_schedd processes in as secure a method as possible. +.PP -+The following file types are defined for condor_schedd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the condor_schedd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t condor_schedd_exec_t '/srv/condor_schedd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycondor_schedd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for condor_schedd: + + +.EX 
@@ -14382,18 +27597,211 @@ index 0000000..4b28875 +.B restorecon +to apply the labels. + ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), condor_schedd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_startd_selinux(8), condor_startd_ssh_selinux(8) +\ No newline at end of file +diff --git a/man/man8/condor_startd_selinux.8 b/man/man8/condor_startd_selinux.8 +new file mode 100644 +index 0000000..c2cdef7 +--- /dev/null ++++ b/man/man8/condor_startd_selinux.8 +@@ -0,0 +1,327 @@ ++.TH "condor_startd_selinux" "8" "13-01-16" "condor_startd" "SELinux Policy documentation for condor_startd" ++.SH "NAME" ++condor_startd_selinux \- Security Enhanced Linux Policy for the condor_startd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the condor_startd processes via flexible mandatory access control. ++ ++The condor_startd processes execute with the condor_startd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep condor_startd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The condor_startd_t SELinux type can be entered via the \fBcondor_startd_exec_t\fP file type. 
++ ++The default entrypoint paths for the condor_startd_t domain are the following: ++ ++/usr/sbin/condor_startd, /usr/sbin/condor_starter ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux condor_startd policy is very flexible allowing users to setup their condor_startd processes in as secure a method as possible. ++.PP ++The following process types are defined for condor_startd: ++ ++.EX ++.B condor_startd_ssh_t, condor_startd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a condor_startd_t ++can be used to make the process type condor_startd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. condor_startd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run condor_startd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Condor can connect to the network using TCP, you must turn on the condor_tcp_network_connect boolean. Disabled by default. ++ ++.EX ++.B setsebool -P condor_tcp_network_connect 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the condor_startd_t, condor_startd_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the condor_startd_t, condor_startd_ssh_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ +.SH "MANAGED FILES" + -+The SELinux process type condor_schedd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++The SELinux process type condor_startd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B condor_log_t ++.B condor_startd_tmp_t + -+ /var/log/condor(/.*)? -+.br + +.br -+.B condor_schedd_tmp_t ++.B condor_startd_tmpfs_t + + +.br 
@@ -14418,87 +27826,51 @@ index 0000000..4b28875 + /var/run/condor(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t + -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_schedd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ / ++.br ++ /initrd ++.br + -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.br ++.B ssh_home_t + -+.PP -+If you want to allow confined applications to run with kerberos for the condor_schedd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. -+ -+.SH "SEE ALSO" -+selinux(8), condor_schedd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_startd_selinux(8) -\ No newline at end of file -diff --git a/man/man8/condor_startd_selinux.8 b/man/man8/condor_startd_selinux.8 -new file mode 100644 -index 0000000..0413677 ---- /dev/null -+++ b/man/man8/condor_startd_selinux.8 -@@ -0,0 +1,189 @@ -+.TH "condor_startd_selinux" "8" "12-11-01" "condor_startd" "SELinux Policy documentation for condor_startd" -+.SH "NAME" -+condor_startd_selinux \- Security Enhanced Linux Policy for the condor_startd processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the condor_startd processes via flexible mandatory access control. 
-+ -+The condor_startd processes execute with the condor_startd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. -+ -+For example: -+ -+.B ps -eZ | grep condor_startd_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The condor_startd_t SELinux type can be entered via the "condor_startd_exec_t" file type. The default entrypoint paths for the condor_startd_t domain are the following:" -+ -+/usr/sbin/condor_startd, /usr/sbin/condor_starter -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux condor_startd policy is very flexible allowing users to setup their condor_startd processes in as secure a method as possible. -+.PP -+The following process types are defined for condor_startd: -+ -+.EX -+.B condor_startd_ssh_t, condor_startd_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ /root/\.ssh(/.*)? ++.br ++ /var/lib/pgsql/\.ssh(/.*)? ++.br ++ /var/lib/openshift/[^/]+/\.ssh(/.*)? ++.br ++ /var/lib/amanda/\.ssh(/.*)? ++.br ++ /var/lib/stickshift/[^/]+/\.ssh(/.*)? ++.br ++ /var/lib/gitolite/\.ssh(/.*)? ++.br ++ /var/lib/nocpulse/\.ssh(/.*)? ++.br ++ /var/lib/gitolite3/\.ssh(/.*)? ++.br ++ /root/\.shosts ++.br ++ /home/[^/]*/\.ssh(/.*)? ++.br ++ /home/[^/]*/\.shosts ++.br ++ /home/pwalsh/\.ssh(/.*)? ++.br ++ /home/pwalsh/\.shosts ++.br ++ /home/dwalsh/\.ssh(/.*)? ++.br ++ /home/dwalsh/\.shosts ++.br ++ /var/lib/xguest/home/xguest/\.ssh(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.shosts ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -14508,7 +27880,20 @@ index 0000000..0413677 +Policy governs the access confined processes have to these files. +SELinux condor_startd policy is very flexible allowing users to setup their condor_startd processes in as secure a method as possible. +.PP -+The following file types are defined for condor_startd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the condor_startd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t condor_startd_exec_t '/srv/condor_startd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycondor_startd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for condor_startd: + + +.EX @@ -14518,6 +27903,10 @@ index 0000000..0413677 + +- Set files with the condor_startd_exec_t type, if you want to transition an executable to the condor_startd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/condor_startd, /usr/sbin/condor_starter + +.EX +.PP 
@@ -14542,23 +27931,172 @@ index 0000000..0413677 +.B restorecon +to apply the labels. + ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), condor_startd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_ssh_selinux(8) +\ No newline at end of file +diff --git a/man/man8/condor_startd_ssh_selinux.8 b/man/man8/condor_startd_ssh_selinux.8 +new file mode 100644 +index 0000000..b0027d3 +--- /dev/null ++++ b/man/man8/condor_startd_ssh_selinux.8 +@@ -0,0 +1,222 @@ ++.TH "condor_startd_ssh_selinux" "8" "13-01-16" "condor_startd_ssh" "SELinux Policy documentation for condor_startd_ssh" ++.SH "NAME" ++condor_startd_ssh_selinux \- Security Enhanced Linux Policy for the condor_startd_ssh processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the condor_startd_ssh processes via flexible mandatory access control. ++ ++The condor_startd_ssh processes execute with the condor_startd_ssh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep condor_startd_ssh_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The condor_startd_ssh_t SELinux type can be entered via the \fBssh_exec_t\fP file type. 
++ ++The default entrypoint paths for the condor_startd_ssh_t domain are the following: ++ ++/usr/bin/ssh ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux condor_startd_ssh policy is very flexible allowing users to setup their condor_startd_ssh processes in as secure a method as possible. ++.PP ++The following process types are defined for condor_startd_ssh: ++ ++.EX ++.B condor_startd_ssh_t ++.EE ++.PP ++Note: ++.B semanage permissive -a condor_startd_ssh_t ++can be used to make the process type condor_startd_ssh_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. condor_startd_ssh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run condor_startd_ssh with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the condor_startd_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the condor_startd_ssh_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ +.SH "MANAGED FILES" + -+The SELinux process type condor_startd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B condor_log_t -+ -+ /var/log/condor(/.*)? -+.br -+ -+.br -+.B condor_startd_tmp_t -+ -+ -+.br -+.B condor_startd_tmpfs_t -+ ++The SELinux process type condor_startd_ssh_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br +.B condor_var_lib_t @@ -14571,22 +28109,12 @@ index 0000000..0413677 +.br + +.br -+.B condor_var_lock_t -+ -+ /var/lock/condor(/.*)? -+.br -+ -+.br -+.B condor_var_run_t -+ -+ /var/run/condor(/.*)? -+.br -+ -+.br +.B ssh_home_t + + /root/\.ssh(/.*)? +.br ++ /var/lib/pgsql/\.ssh(/.*)? ++.br + /var/lib/openshift/[^/]+/\.ssh(/.*)? +.br + /var/lib/amanda/\.ssh(/.*)? @@ -14605,6 +28133,10 @@ index 0000000..0413677 +.br + /home/[^/]*/\.shosts +.br ++ /home/pwalsh/\.ssh(/.*)? ++.br ++ /home/pwalsh/\.shosts ++.br + /home/dwalsh/\.ssh(/.*)? +.br + /home/dwalsh/\.shosts @@ -14614,21 +28146,19 @@ index 0000000..0413677 + /var/lib/xguest/home/xguest/\.shosts +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B user_tmp_t + -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_startd_t, condor_startd_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the condor_startd_t, condor_startd_ssh_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br + +.SH "COMMANDS" +.B semanage fcontext @@ -14640,6 +28170,9 @@ index 0000000..0413677 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -14650,16 +28183,16 @@ index 0000000..0413677 +by Dan Walsh. + +.SH "SEE ALSO" -+selinux(8), condor_startd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8) ++selinux(8), condor_startd_ssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), condor_collector_selinux(8), condor_master_selinux(8), condor_negotiator_selinux(8), condor_procd_selinux(8), condor_schedd_selinux(8), condor_startd_selinux(8), condor_startd_selinux(8) \ No newline at end of file diff --git a/man/man8/consolekit_selinux.8 b/man/man8/consolekit_selinux.8 new file mode 100644 -index 0000000..5721e3a +index 0000000..9950ad4 --- /dev/null +++ b/man/man8/consolekit_selinux.8 -@@ -0,0 +1,212 @@ -+.TH "consolekit_selinux" "8" "12-11-01" "consolekit" "SELinux Policy documentation for consolekit" +@@ -0,0 +1,310 @@ ++.TH "consolekit_selinux" "8" "13-01-16" "consolekit" "SELinux Policy documentation for consolekit" +.SH "NAME" +consolekit_selinux \- Security Enhanced Linux Policy for the consolekit processes +.SH "DESCRIPTION" @@ -14675,9 +28208,11 @@ index 0000000..5721e3a + +.SH "ENTRYPOINTS" + -+The consolekit_t SELinux type can be entered via the "consolekit_exec_t" file type. The default entrypoint paths for the consolekit_t domain are the following:" ++The consolekit_t SELinux type can be entered via the \fBconsolekit_exec_t\fP file type. ++ ++The default entrypoint paths for the consolekit_t domain are the following: ++ + -+/usr/sbin/console-kit-daemon +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -14693,98 +28228,188 @@ index 0000000..5721e3a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a consolekit_t ++can be used to make the process type consolekit_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux consolekit policy is very flexible allowing users to setup their consolekit processes in as secure a method as possible. -+.PP -+The following file types are defined for consolekit: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. consolekit policy is extremely flexible and has several booleans that allow you to manipulate the policy and run consolekit with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B consolekit_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the consolekit_exec_t type, if you want to transition an executable to the consolekit_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B consolekit_log_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the consolekit_log_t type, if you want to treat the data as consolekit log data, usually stored under the /var/log directory. 
-+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B consolekit_tmpfs_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the consolekit_tmpfs_t type, if you want to store consolekit files on a tmpfs file system. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B consolekit_unit_file_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the consolekit_unit_file_t type, if you want to treat the files as consolekit unit content. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B consolekit_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the consolekit_var_run_t type, if you want to store the consolekit files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the consolekit_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the consolekit_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type consolekit_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B consolekit_log_t -+ -+ /var/log/ConsoleKit(/.*)? -+.br -+ -+.br +.B consolekit_var_run_t + -+ /var/run/ConsoleKit(/.*)? -+.br -+ /var/run/consolekit\.pid -+.br -+ /var/run/console-kit-daemon\.pid -+.br -+ -+.br -+.B initrc_var_run_t -+ -+ /var/run/utmp -+.br -+ /var/run/random-seed -+.br -+ /var/run/runlevel\.dir -+.br -+ /var/run/setmixer_flag -+.br + +.br +.B pam_var_console_t @@ -14793,6 +28418,14 @@ index 0000000..5721e3a +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B systemd_passwd_var_run_t + + /var/run/systemd/ask-password(/.*)? @@ -14815,6 +28448,12 @@ index 0000000..5721e3a +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? 
@@ -14834,21 +28473,9 @@ index 0000000..5721e3a + /var/log/wtmp.* +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B xserver_tmpfs_t + -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the consolekit_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the consolekit_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE + +.SH "COMMANDS" +.B semanage fcontext @@ -14860,6 +28487,9 @@ index 0000000..5721e3a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -14871,113 +28501,15 @@ index 0000000..5721e3a + +.SH "SEE ALSO" +selinux(8), consolekit(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -diff --git a/man/man8/consoletype_selinux.8 b/man/man8/consoletype_selinux.8 -new file mode 100644 -index 0000000..aa2a4e4 ---- /dev/null -+++ b/man/man8/consoletype_selinux.8 -@@ -0,0 +1,94 @@ -+.TH "consoletype_selinux" "8" "12-11-01" "consoletype" "SELinux Policy documentation for consoletype" -+.SH "NAME" -+consoletype_selinux \- Security Enhanced Linux Policy for the consoletype processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the consoletype processes via flexible mandatory access control. -+ -+The consoletype processes execute with the consoletype_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. -+ -+For example: -+ -+.B ps -eZ | grep consoletype_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The consoletype_t SELinux type can be entered via the "consoletype_exec_t" file type. The default entrypoint paths for the consoletype_t domain are the following:" -+ -+/sbin/consoletype, /usr/sbin/consoletype -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux consoletype policy is very flexible allowing users to setup their consoletype processes in as secure a method as possible. -+.PP -+The following process types are defined for consoletype: -+ -+.EX -+.B consoletype_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. 
-+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux consoletype policy is very flexible allowing users to setup their consoletype processes in as secure a method as possible. -+.PP -+The following file types are defined for consoletype: -+ -+ -+.EX -+.PP -+.B consoletype_exec_t -+.EE -+ -+- Set files with the consoletype_exec_t type, if you want to transition an executable to the consoletype_t domain. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ -+.SH "MANAGED FILES" -+ -+The SELinux process type consoletype_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nfs_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. -+ -+.SH "SEE ALSO" -+selinux(8), consoletype(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/corosync_selinux.8 b/man/man8/corosync_selinux.8 new file mode 100644 -index 0000000..9f327ae +index 0000000..00c790a --- /dev/null 
+++ b/man/man8/corosync_selinux.8 -@@ -0,0 +1,270 @@ -+.TH "corosync_selinux" "8" "12-11-01" "corosync" "SELinux Policy documentation for corosync" +@@ -0,0 +1,379 @@ ++.TH "corosync_selinux" "8" "13-01-16" "corosync" "SELinux Policy documentation for corosync" +.SH "NAME" +corosync_selinux \- Security Enhanced Linux Policy for the corosync processes +.SH "DESCRIPTION" @@ -14993,9 +28525,11 @@ index 0000000..9f327ae + +.SH "ENTRYPOINTS" + -+The corosync_t SELinux type can be entered via the "corosync_exec_t" file type. The default entrypoint paths for the corosync_t domain are the following:" ++The corosync_t SELinux type can be entered via the \fBcorosync_exec_t\fP file type. + -+/usr/sbin/corosync, /usr/sbin/ccs_tool, /usr/sbin/cman_tool, /usr/sbin/corosync-notifyd ++The default entrypoint paths for the corosync_t domain are the following: ++ ++/usr/sbin/corosync, /usr/sbin/corosync-notifyd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -15011,8 +28545,220 @@ index 0000000..9f327ae +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a corosync_t ++can be used to make the process type corosync_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. corosync policy is extremely flexible and has several booleans that allow you to manipulate the policy and run corosync with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the corosync_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the corosync_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type corosync_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B cluster_tmpfs ++ ++ ++.br ++.B cluster_var_lib_t ++ ++ /var/lib/cluster(/.*)? ++.br ++ ++.br ++.B clvmd_tmpfs_t ++ ++ ++.br ++.B cmirrord_tmpfs_t ++ ++ ++.br ++.B corosync_tmp_t ++ ++ ++.br ++.B corosync_tmpfs_t ++ ++ ++.br ++.B corosync_var_lib_t ++ ++ /var/lib/corosync(/.*)? ++.br ++ ++.br ++.B corosync_var_run_t ++ ++ /var/run/cman_.* ++.br ++ /var/run/rsctmp(/.*)? ++.br ++ /var/run/corosync\.pid ++.br ++ ++.br ++.B initrc_state_t ++ ++ ++.br ++.B initrc_tmp_t ++ ++ ++.br ++.B qpidd_tmpfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B tmpfs_t ++ ++ /dev/shm ++.br ++ /lib/udev/devices/shm ++.br ++ /usr/lib/udev/devices/shm ++.br ++ ++.br ++.B user_tmpfs_t ++ ++ /dev/shm/mono.* ++.br ++ /dev/shm/pulse-shm.* ++.br ++ ++.br ++.B var_lib_t ++ ++ /opt/(.*/)?var/lib(/.*)? ++.br ++ /var/lib(/.*)? ++.br ++ ++.br ++.B wdmd_tmpfs_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15022,7 +28768,20 @@ index 0000000..9f327ae +Policy governs the access confined processes have to these files. +SELinux corosync policy is very flexible allowing users to setup their corosync processes in as secure a method as possible. +.PP -+The following file types are defined for corosync: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the corosync, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t corosync_exec_t '/srv/corosync/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycorosync_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for corosync: + + +.EX 
@@ -15032,6 +28791,10 @@ index 0000000..9f327ae + +- Set files with the corosync_exec_t type, if you want to transition an executable to the corosync_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/corosync, /usr/sbin/corosync-notifyd + +.EX +.PP @@ -15086,8 +28849,12 @@ index 0000000..9f327ae +.B corosync_var_run_t +.EE + -+- Set files with the corosync_var_run_t type, if you want to store the corosync files under the /run directory. ++- Set files with the corosync_var_run_t type, if you want to store the corosync files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/cman_.*, /var/run/rsctmp(/.*)?, /var/run/corosync\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -15096,136 +28863,6 @@ index 0000000..9f327ae +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type corosync_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cluster_tmpfs -+ -+ -+.br -+.B cluster_var_lib_t -+ -+ /var/lib/cluster(/.*)? -+.br -+ -+.br -+.B clvmd_tmpfs_t -+ -+ -+.br -+.B cmirrord_tmpfs_t -+ -+ -+.br -+.B corosync_tmp_t -+ -+ -+.br -+.B corosync_tmpfs_t -+ -+ -+.br -+.B corosync_var_lib_t -+ -+ /var/lib/corosync(/.*)? -+.br -+ -+.br -+.B corosync_var_log_t -+ -+ /var/log/cluster/corosync\.log.* -+.br -+ -+.br -+.B corosync_var_run_t -+ -+ /var/run/cman_.* -+.br -+ /var/run/rsctmp(/.*)? -+.br -+ /var/run/corosync\.pid -+.br -+ -+.br -+.B initrc_state_t -+ -+ -+.br -+.B initrc_tmp_t -+ -+ -+.br -+.B qpidd_tmpfs_t -+ -+ -+.br -+.B rgmanager_tmpfs_t -+ -+ -+.br -+.B rgmanager_var_lib_t -+ -+ /usr/lib(64)?/heartbeat(/.*)? -+.br -+ /var/lib/heartbeat(/.*)? -+.br -+ -+.br -+.B rgmanager_var_run_t -+ -+ /var/run/heartbeat(/.*)? -+.br -+ /var/run/cpglockd\.pid -+.br -+ /var/run/rgmanager\.pid -+.br -+ /var/run/cluster/rgmanager\.sk -+.br -+ -+.br -+.B tmpfs_t -+ -+ /dev/shm -+.br -+ /lib/udev/devices/shm -+.br -+ /usr/lib/udev/devices/shm -+.br -+ -+.br -+.B user_tmpfs_t -+ -+ /dev/shm/mono.* -+.br -+ /dev/shm/pulse-shm.* -+.br -+ -+.br -+.B var_lib_t -+ -+ /opt/(.*/)?var/lib(/.*)? -+.br -+ /var/lib(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the corosync_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the corosync_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -15236,6 +28873,9 @@ index 0000000..9f327ae +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -15247,13 +28887,15 @@ index 0000000..9f327ae + +.SH "SEE ALSO" +selinux(8), corosync(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/couchdb_selinux.8 b/man/man8/couchdb_selinux.8 new file mode 100644 -index 0000000..c703391 +index 0000000..5b8cab4 --- /dev/null +++ b/man/man8/couchdb_selinux.8 -@@ -0,0 +1,202 @@ -+.TH "couchdb_selinux" "8" "12-11-01" "couchdb" "SELinux Policy documentation for couchdb" +@@ -0,0 +1,331 @@ ++.TH "couchdb_selinux" "8" "13-01-16" "couchdb" "SELinux Policy documentation for couchdb" +.SH "NAME" +couchdb_selinux \- Security Enhanced Linux Policy for the couchdb processes +.SH "DESCRIPTION" @@ -15269,7 +28911,9 @@ index 0000000..c703391 + +.SH "ENTRYPOINTS" + -+The couchdb_t SELinux type can be entered via the "couchdb_exec_t" file type. The default entrypoint paths for the couchdb_t domain are the following:" ++The couchdb_t SELinux type can be entered via the \fBcouchdb_exec_t\fP file type. ++ ++The default entrypoint paths for the couchdb_t domain are the following: + +/usr/bin/couchdb +.SH PROCESS TYPES 
@@ -15287,8 +28931,177 @@ index 0000000..c703391 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a couchdb_t ++can be used to make the process type couchdb_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. couchdb policy is extremely flexible and has several booleans that allow you to manipulate the policy and run couchdb with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the couchdb_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the couchdb_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. 
++SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible. ++.PP ++The following port types are defined for couchdb: ++ ++.EX ++.TP 5 ++.B couchdb_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 5984 ++.EE ++udp 5984 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type couchdb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B couchdb_tmp_t ++ ++ ++.br ++.B couchdb_var_lib_t ++ ++ /var/lib/couchdb(/.*)? ++.br ++ ++.br ++.B couchdb_var_run_t ++ ++ /var/run/couchdb(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -15298,15 +29111,28 @@ index 0000000..c703391 +Policy governs the access confined processes have to these files. +SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible. +.PP -+The following file types are defined for couchdb: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the couchdb, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t couchdb_conf_t '/srv/couchdb/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycouchdb_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for couchdb: + + +.EX +.PP -+.B couchdb_etc_t ++.B couchdb_conf_t +.EE + -+- Set files with the couchdb_etc_t type, if you want to store couchdb files in the /etc directories. ++- Set files with the couchdb_conf_t type, if you want to treat the files as couchdb configuration data, usually stored under the /etc directory. + + +.EX @@ -15319,6 +29145,14 @@ index 0000000..c703391 + +.EX +.PP ++.B couchdb_initrc_exec_t ++.EE ++ ++- Set files with the couchdb_initrc_exec_t type, if you want to transition an executable to the couchdb_initrc_t domain. ++ ++ ++.EX ++.PP +.B couchdb_log_t +.EE + @@ -15354,7 +29188,7 @@ index 0000000..c703391 +.B couchdb_var_run_t +.EE + -+- Set files with the couchdb_var_run_t type, if you want to store the couchdb files under the /run directory. ++- Set files with the couchdb_var_run_t type, if you want to store the couchdb files under the /run or /var/run directory. + + +.PP 
@@ -15364,73 +29198,6 @@ index 0000000..c703391 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux couchdb policy is very flexible allowing users to setup their couchdb processes in as secure a method as possible. -+.PP -+The following port types are defined for couchdb: -+ -+.EX -+.TP 5 -+.B couchdb_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 5984 -+.EE -+udp 5984 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type couchdb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B couchdb_log_t -+ -+ /var/log/couchdb(/.*)? -+.br -+ -+.br -+.B couchdb_tmp_t -+ -+ -+.br -+.B couchdb_var_lib_t -+ -+ /var/lib/couchdb(/.*)? -+.br -+ -+.br -+.B couchdb_var_run_t -+ -+ /var/run/couchdb(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the couchdb_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the couchdb_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -15444,6 +29211,9 @@ index 0000000..c703391 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -15455,13 +29225,15 @@ index 0000000..c703391 + +.SH "SEE ALSO" +selinux(8), couchdb(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/courier_authdaemon_selinux.8 b/man/man8/courier_authdaemon_selinux.8 new file mode 100644 -index 0000000..f5cc833 +index 0000000..df835b8 --- /dev/null +++ b/man/man8/courier_authdaemon_selinux.8 -@@ -0,0 +1,137 @@ -+.TH "courier_authdaemon_selinux" "8" "12-11-01" "courier_authdaemon" "SELinux Policy documentation for courier_authdaemon" +@@ -0,0 +1,247 @@ ++.TH "courier_authdaemon_selinux" "8" "13-01-16" "courier_authdaemon" "SELinux Policy documentation for courier_authdaemon" +.SH "NAME" +courier_authdaemon_selinux \- Security Enhanced Linux Policy for the courier_authdaemon processes +.SH "DESCRIPTION" @@ -15477,7 +29249,9 @@ index 0000000..f5cc833 + +.SH "ENTRYPOINTS" + -+The courier_authdaemon_t SELinux type can be entered via the "courier_authdaemon_exec_t" file type. The default entrypoint paths for the courier_authdaemon_t domain are the following:" ++The courier_authdaemon_t SELinux type can be entered via the \fBcourier_authdaemon_exec_t\fP file type. ++ ++The default entrypoint paths for the courier_authdaemon_t domain are the following: + +/usr/lib/courier/authlib/.*, /usr/sbin/authdaemond +.SH PROCESS TYPES 
@@ -15495,75 +29269,113 @@ index 0000000..f5cc833 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a courier_authdaemon_t ++can be used to make the process type courier_authdaemon_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux courier_authdaemon policy is very flexible allowing users to setup their courier_authdaemon processes in as secure a method as possible. -+.PP -+The following file types are defined for courier_authdaemon: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. courier_authdaemon policy is extremely flexible and has several booleans that allow you to manipulate the policy and run courier_authdaemon with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B courier_authdaemon_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the courier_authdaemon_exec_t type, if you want to transition an executable to the courier_authdaemon_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + -+.SH "MANAGED FILES" ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 + -+The SELinux process type courier_authdaemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++.EE + -+.br -+.B courier_var_run_t ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + -+ /var/run/courier(/.*)? -+.br ++.EX ++.B setsebool -P daemons_use_tty 1 + -+.br -+.B faillog_t ++.EE + -+ /var/log/btmp.* -+.br -+ /var/run/faillock(/.*)? -+.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + -+.br -+.B pcscd_var_run_t ++.EX ++.B setsebool -P deny_ptrace 1 + -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the courier_authdaemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the courier_authdaemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 
@@ -15576,6 +29388,73 @@ index 0000000..f5cc833 +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH "MANAGED FILES" ++ ++The SELinux process type courier_authdaemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux courier_authdaemon policy is very flexible allowing users to setup their courier_authdaemon processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the courier_authdaemon, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t courier_authdaemon_exec_t '/srv/courier_authdaemon/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycourier_authdaemon_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for courier_authdaemon: ++ ++ ++.EX ++.PP ++.B courier_authdaemon_exec_t ++.EE ++ ++- Set files with the courier_authdaemon_exec_t type, if you want to transition an executable to the courier_authdaemon_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/courier/authlib/.*, /usr/sbin/authdaemond ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -15586,6 +29465,9 @@ index 0000000..f5cc833 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -15597,15 +29479,15 @@ index 0000000..f5cc833 + +.SH "SEE ALSO" +selinux(8), courier_authdaemon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, courier_pcp_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8) ++, setsebool(8), courier_pcp_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8) \ No newline at end of file diff --git a/man/man8/courier_pcp_selinux.8 b/man/man8/courier_pcp_selinux.8 new file mode 100644 -index 0000000..526d096 +index 0000000..6dfa43c --- /dev/null +++ b/man/man8/courier_pcp_selinux.8 -@@ -0,0 +1,97 @@ -+.TH "courier_pcp_selinux" "8" "12-11-01" "courier_pcp" "SELinux Policy documentation for courier_pcp" +@@ -0,0 +1,183 @@ ++.TH "courier_pcp_selinux" "8" "13-01-16" "courier_pcp" "SELinux Policy documentation for courier_pcp" +.SH "NAME" +courier_pcp_selinux \- Security Enhanced Linux Policy for the courier_pcp processes +.SH "DESCRIPTION" 
@@ -15621,7 +29503,9 @@ index 0000000..526d096 + +.SH "ENTRYPOINTS" + -+The courier_pcp_t SELinux type can be entered via the "courier_pcp_exec_t" file type. The default entrypoint paths for the courier_pcp_t domain are the following:" ++The courier_pcp_t SELinux type can be entered via the \fBcourier_pcp_exec_t\fP file type. ++ ++The default entrypoint paths for the courier_pcp_t domain are the following: + +/usr/lib/courier/courier/pcpd +.SH PROCESS TYPES 
@@ -15639,8 +29523,88 @@ index 0000000..526d096 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a courier_pcp_t ++can be used to make the process type courier_pcp_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. courier_pcp policy is extremely flexible and has several booleans that allow you to manipulate the policy and run courier_pcp with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type courier_pcp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15650,7 +29614,20 @@ index 0000000..526d096 +Policy governs the access confined processes have to these files. +SELinux courier_pcp policy is very flexible allowing users to setup their courier_pcp processes in as secure a method as possible. +.PP -+The following file types are defined for courier_pcp: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the courier_pcp, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t courier_pcp_exec_t '/srv/courier_pcp/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycourier_pcp_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for courier_pcp: + + +.EX 
@@ -15668,18 +29645,6 @@ index 0000000..526d096 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type courier_pcp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B courier_var_run_t -+ -+ /var/run/courier(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -15690,6 +29655,9 @@ index 0000000..526d096 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -15701,15 +29669,15 @@ index 0000000..526d096 + +.SH "SEE ALSO" +selinux(8), courier_pcp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, courier_authdaemon_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8) ++, setsebool(8), courier_authdaemon_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8) \ No newline at end of file diff --git a/man/man8/courier_pop_selinux.8 b/man/man8/courier_pop_selinux.8 new file mode 100644 -index 0000000..5652da7 +index 0000000..904a658 --- /dev/null +++ b/man/man8/courier_pop_selinux.8 -@@ -0,0 +1,107 @@ -+.TH "courier_pop_selinux" "8" "12-11-01" "courier_pop" "SELinux Policy documentation for courier_pop" +@@ -0,0 +1,199 @@ ++.TH "courier_pop_selinux" "8" "13-01-16" "courier_pop" "SELinux Policy documentation for courier_pop" +.SH "NAME" +courier_pop_selinux \- Security Enhanced Linux Policy for the courier_pop processes +.SH "DESCRIPTION" 
@@ -15725,7 +29693,9 @@ index 0000000..5652da7 + +.SH "ENTRYPOINTS" + -+The courier_pop_t SELinux type can be entered via the "courier_pop_exec_t" file type. The default entrypoint paths for the courier_pop_t domain are the following:" ++The courier_pop_t SELinux type can be entered via the \fBcourier_pop_exec_t\fP file type. ++ ++The default entrypoint paths for the courier_pop_t domain are the following: + +/usr/lib/courier/courier/courierpop.*, /usr/bin/imapd, /usr/lib/courier/imapd, /usr/lib/courier/pop3d, /usr/lib/courier/courier/imaplogin +.SH PROCESS TYPES 
@@ -15743,8 +29713,100 @@ index 0000000..5652da7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a courier_pop_t ++can be used to make the process type courier_pop_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. courier_pop policy is extremely flexible and has several booleans that allow you to manipulate the policy and run courier_pop with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type courier_pop_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15754,7 +29816,20 @@ index 0000000..5652da7 +Policy governs the access confined processes have to these files. +SELinux courier_pop policy is very flexible allowing users to setup their courier_pop processes in as secure a method as possible. +.PP -+The following file types are defined for courier_pop: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the courier_pop, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t courier_pop_exec_t '/srv/courier_pop/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycourier_pop_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for courier_pop: + + +.EX 
@@ -15764,6 +29839,10 @@ index 0000000..5652da7 + +- Set files with the courier_pop_exec_t type, if you want to transition an executable to the courier_pop_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/courier/courier/courierpop.*, /usr/bin/imapd, /usr/lib/courier/imapd, /usr/lib/courier/pop3d, /usr/lib/courier/courier/imaplogin + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -15772,28 +29851,6 @@ index 0000000..5652da7 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type courier_pop_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B courier_var_run_t -+ -+ /var/run/courier(/.*)? -+.br -+ -+.br -+.B user_home_t -+ -+ /home/[^/]*/.+ -+.br -+ /home/dwalsh/.+ -+.br -+ /var/lib/xguest/home/xguest/.+ -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -15804,6 +29861,9 @@ index 0000000..5652da7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -15815,15 +29875,15 @@ index 0000000..5652da7 + +.SH "SEE ALSO" +selinux(8), courier_pop(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8) ++, setsebool(8), courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_sqwebmail_selinux(8), courier_tcpd_selinux(8) \ No newline at end of file diff --git a/man/man8/courier_sqwebmail_selinux.8 b/man/man8/courier_sqwebmail_selinux.8 new file mode 100644 -index 0000000..6151335 +index 0000000..2e4e3bb 
--- /dev/null +++ b/man/man8/courier_sqwebmail_selinux.8 -@@ -0,0 +1,97 @@ -+.TH "courier_sqwebmail_selinux" "8" "12-11-01" "courier_sqwebmail" "SELinux Policy documentation for courier_sqwebmail" +@@ -0,0 +1,144 @@ ++.TH "courier_sqwebmail_selinux" "8" "13-01-16" "courier_sqwebmail" "SELinux Policy documentation for courier_sqwebmail" +.SH "NAME" +courier_sqwebmail_selinux \- Security Enhanced Linux Policy for the courier_sqwebmail processes +.SH "DESCRIPTION" @@ -15839,7 +29899,9 @@ index 0000000..6151335 + +.SH "ENTRYPOINTS" + -+The courier_sqwebmail_t SELinux type can be entered via the "courier_sqwebmail_exec_t" file type. The default entrypoint paths for the courier_sqwebmail_t domain are the following:" ++The courier_sqwebmail_t SELinux type can be entered via the \fBcourier_sqwebmail_exec_t\fP file type. ++ ++The default entrypoint paths for the courier_sqwebmail_t domain are the following: + + +.SH PROCESS TYPES 
@@ -15857,46 +29919,88 @@ index 0000000..6151335 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a courier_sqwebmail_t ++can be used to make the process type courier_sqwebmail_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux courier_sqwebmail policy is very flexible allowing users to setup their courier_sqwebmail processes in as secure a method as possible. -+.PP -+The following file types are defined for courier_sqwebmail: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. courier_sqwebmail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run courier_sqwebmail with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B courier_sqwebmail_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the courier_sqwebmail_exec_t type, if you want to transition an executable to the courier_sqwebmail_t domain. ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + +The SELinux process type courier_sqwebmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B courier_var_run_t ++.B root_t + -+ /var/run/courier(/.*)? ++ / ++.br ++ /initrd +.br -+ -+.SH NSSWITCH DOMAIN + +.SH "COMMANDS" +.B semanage fcontext @@ -15908,6 +30012,9 @@ index 0000000..6151335 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -15919,15 +30026,15 @@ index 0000000..6151335 + +.SH "SEE ALSO" +selinux(8), courier_sqwebmail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_pop_selinux(8), courier_tcpd_selinux(8) ++, setsebool(8), courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_pop_selinux(8), courier_tcpd_selinux(8) \ No newline at end of file diff --git a/man/man8/courier_tcpd_selinux.8 b/man/man8/courier_tcpd_selinux.8 new file mode 100644 -index 0000000..6794aff +index 0000000..54aabf6 --- /dev/null +++ b/man/man8/courier_tcpd_selinux.8 -@@ -0,0 +1,105 @@ -+.TH "courier_tcpd_selinux" "8" "12-11-01" "courier_tcpd" "SELinux Policy documentation for courier_tcpd" +@@ -0,0 +1,191 @@ ++.TH "courier_tcpd_selinux" "8" "13-01-16" "courier_tcpd" "SELinux Policy documentation for courier_tcpd" +.SH "NAME" +courier_tcpd_selinux \- Security Enhanced Linux Policy for the courier_tcpd processes +.SH "DESCRIPTION" @@ -15943,7 +30050,9 @@ index 0000000..6794aff + +.SH "ENTRYPOINTS" + -+The courier_tcpd_t SELinux type can be entered via the "courier_tcpd_exec_t" file type. The default entrypoint paths for the courier_tcpd_t domain are the following:" ++The courier_tcpd_t SELinux type can be entered via the \fBcourier_tcpd_exec_t\fP file type. ++ ++The default entrypoint paths for the courier_tcpd_t domain are the following: + +/usr/sbin/couriertcpd +.SH PROCESS TYPES 
@@ -15961,8 +30070,96 @@ index 0000000..6794aff +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a courier_tcpd_t ++can be used to make the process type courier_tcpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. courier_tcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run courier_tcpd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type courier_tcpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B courier_var_lib_t ++ ++ /var/lib/courier(/.*)? ++.br ++ /var/lib/courier-imap(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15972,7 +30169,20 @@ index 0000000..6794aff +Policy governs the access confined processes have to these files. +SELinux courier_tcpd policy is very flexible allowing users to setup their courier_tcpd processes in as secure a method as possible. +.PP -+The following file types are defined for courier_tcpd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the courier_tcpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t courier_tcpd_exec_t '/srv/courier_tcpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycourier_tcpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for courier_tcpd: + + +.EX 
@@ -15990,26 +30200,6 @@ index 0000000..6794aff +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type courier_tcpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B courier_var_lib_t -+ -+ /var/lib/courier(/.*)? -+.br -+ /var/lib/courier-imap(/.*)? -+.br -+ -+.br -+.B courier_var_run_t -+ -+ /var/run/courier(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -16020,6 +30210,9 @@ index 0000000..6794aff +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -16031,15 +30224,15 @@ index 0000000..6794aff + +.SH "SEE ALSO" +selinux(8), courier_tcpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8) ++, setsebool(8), courier_authdaemon_selinux(8), courier_pcp_selinux(8), courier_pop_selinux(8), courier_sqwebmail_selinux(8) \ No newline at end of file diff --git a/man/man8/cpucontrol_selinux.8 b/man/man8/cpucontrol_selinux.8 new file mode 100644 -index 0000000..f81f173 +index 0000000..8970b71 --- /dev/null +++ b/man/man8/cpucontrol_selinux.8 -@@ -0,0 +1,94 @@ -+.TH "cpucontrol_selinux" "8" "12-11-01" "cpucontrol" "SELinux Policy documentation for cpucontrol" +@@ -0,0 +1,175 @@ ++.TH "cpucontrol_selinux" "8" "13-01-16" "cpucontrol" "SELinux Policy documentation for cpucontrol" +.SH "NAME" +cpucontrol_selinux \- Security Enhanced Linux Policy for the cpucontrol processes +.SH "DESCRIPTION" 
@@ -16055,7 +30248,9 @@ index 0000000..f81f173 + +.SH "ENTRYPOINTS" + -+The cpucontrol_t SELinux type can be entered via the "cpucontrol_exec_t" file type. The default entrypoint paths for the cpucontrol_t domain are the following:" ++The cpucontrol_t SELinux type can be entered via the \fBcpucontrol_exec_t\fP file type. ++ ++The default entrypoint paths for the cpucontrol_t domain are the following: + +/sbin/microcode_ctl, /usr/sbin/microcode_ctl +.SH PROCESS TYPES 
@@ -16073,8 +30268,68 @@ index 0000000..f81f173 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cpucontrol_t ++can be used to make the process type cpucontrol_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cpucontrol policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cpucontrol with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -16084,7 +30339,20 @@ index 0000000..f81f173 +Policy governs the access confined processes have to these files. +SELinux cpucontrol policy is very flexible allowing users to setup their cpucontrol processes in as secure a method as possible. +.PP -+The following file types are defined for cpucontrol: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cpucontrol, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cpucontrol_conf_t '/srv/cpucontrol/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycpucontrol_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cpucontrol: + + +.EX @@ -16102,6 +30370,10 @@ index 0000000..f81f173 + +- Set files with the cpucontrol_exec_t type, if you want to transition an executable to the cpucontrol_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/microcode_ctl, /usr/sbin/microcode_ctl + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -16110,8 +30382,6 @@ index 0000000..f81f173 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -16122,6 +30392,9 @@ index 0000000..f81f173 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -16133,13 +30406,15 @@ index 0000000..f81f173 + +.SH "SEE ALSO" +selinux(8), cpucontrol(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/cpufreqselector_selinux.8 b/man/man8/cpufreqselector_selinux.8 new file mode 100644 -index 0000000..764592d +index 0000000..ab3174f --- /dev/null +++ b/man/man8/cpufreqselector_selinux.8 -@@ -0,0 +1,96 @@ -+.TH "cpufreqselector_selinux" "8" "12-11-01" "cpufreqselector" "SELinux Policy documentation for cpufreqselector" +@@ -0,0 +1,189 @@ ++.TH "cpufreqselector_selinux" "8" "13-01-16" "cpufreqselector" "SELinux Policy documentation for cpufreqselector" +.SH "NAME" +cpufreqselector_selinux \- Security Enhanced Linux Policy for the cpufreqselector processes +.SH "DESCRIPTION" @@ -16155,7 +30430,9 @@ index 0000000..764592d + +.SH "ENTRYPOINTS" + -+The cpufreqselector_t SELinux type can be entered via the "cpufreqselector_exec_t" file type. The default entrypoint paths for the cpufreqselector_t domain are the following:" ++The cpufreqselector_t SELinux type can be entered via the \fBcpufreqselector_exec_t\fP file type. ++ ++The default entrypoint paths for the cpufreqselector_t domain are the following: + +/usr/bin/cpufreq-selector +.SH PROCESS TYPES 
@@ -16173,8 +30450,94 @@ index 0000000..764592d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cpufreqselector_t ++can be used to make the process type cpufreqselector_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cpufreqselector policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cpufreqselector with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cpufreqselector_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sysfs_t ++ ++ /sys(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -16184,7 +30547,20 @@ index 0000000..764592d +Policy governs the access confined processes have to these files. +SELinux cpufreqselector policy is very flexible allowing users to setup their cpufreqselector processes in as secure a method as possible. +.PP -+The following file types are defined for cpufreqselector: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cpufreqselector, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cpufreqselector_exec_t '/srv/cpufreqselector/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycpufreqselector_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cpufreqselector: + + +.EX 
@@ -16202,18 +30578,6 @@ index 0000000..764592d +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type cpufreqselector_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B sysfs_t -+ -+ /sys(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -16224,6 +30588,9 @@ index 0000000..764592d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -16235,13 +30602,15 @@ index 0000000..764592d + +.SH "SEE ALSO" +selinux(8), cpufreqselector(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/cpuspeed_selinux.8 b/man/man8/cpuspeed_selinux.8 new file mode 100644 -index 0000000..ec9dfce +index 0000000..b8dcdb8 --- /dev/null +++ b/man/man8/cpuspeed_selinux.8 -@@ -0,0 +1,110 @@ -+.TH "cpuspeed_selinux" "8" "12-11-01" "cpuspeed" "SELinux Policy documentation for cpuspeed" +@@ -0,0 +1,191 @@ ++.TH "cpuspeed_selinux" "8" "13-01-16" "cpuspeed" "SELinux Policy documentation for cpuspeed" +.SH "NAME" +cpuspeed_selinux \- Security Enhanced Linux Policy for the cpuspeed processes +.SH "DESCRIPTION" 
@@ -16257,7 +30626,9 @@ index 0000000..ec9dfce + +.SH "ENTRYPOINTS" + -+The cpuspeed_t SELinux type can be entered via the "cpuspeed_exec_t" file type. The default entrypoint paths for the cpuspeed_t domain are the following:" ++The cpuspeed_t SELinux type can be entered via the \fBcpuspeed_exec_t\fP file type. ++ ++The default entrypoint paths for the cpuspeed_t domain are the following: + +/usr/sbin/cpufreqd, /usr/sbin/cpuspeed, /usr/sbin/powernowd +.SH PROCESS TYPES 
@@ -16275,42 +30646,68 @@ index 0000000..ec9dfce +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cpuspeed_t ++can be used to make the process type cpuspeed_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux cpuspeed policy is very flexible allowing users to setup their cpuspeed processes in as secure a method as possible. -+.PP -+The following file types are defined for cpuspeed: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cpuspeed policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cpuspeed with the tightest access possible. + + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ +.EX -+.PP -+.B cpuspeed_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the cpuspeed_exec_t type, if you want to transition an executable to the cpuspeed_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B cpuspeed_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the cpuspeed_var_run_t type, if you want to store the cpuspeed files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -16328,7 +30725,56 @@ index 0000000..ec9dfce + /sys(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux cpuspeed policy is very flexible allowing users to setup their cpuspeed processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cpuspeed, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cpuspeed_exec_t '/srv/cpuspeed/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycpuspeed_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cpuspeed: ++ ++ ++.EX ++.PP ++.B cpuspeed_exec_t ++.EE ++ ++- Set files with the cpuspeed_exec_t type, if you want to transition an executable to the cpuspeed_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/cpufreqd, /usr/sbin/cpuspeed, /usr/sbin/powernowd ++ ++.EX ++.PP ++.B cpuspeed_var_run_t ++.EE ++ ++- Set files with the cpuspeed_var_run_t type, if you want to store the cpuspeed files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -16340,6 +30786,9 @@ index 0000000..ec9dfce +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -16351,13 +30800,15 @@ index 0000000..ec9dfce + +.SH "SEE ALSO" +selinux(8), cpuspeed(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/crack_selinux.8 b/man/man8/crack_selinux.8 new file mode 100644 -index 0000000..49919a6 +index 0000000..5f19315 --- /dev/null +++ b/man/man8/crack_selinux.8 -@@ -0,0 +1,120 @@ -+.TH "crack_selinux" "8" "12-11-01" "crack" "SELinux Policy documentation for crack" +@@ -0,0 +1,189 @@ ++.TH "crack_selinux" "8" "13-01-16" "crack" "SELinux Policy documentation for crack" +.SH "NAME" +crack_selinux \- Security Enhanced Linux Policy for the crack processes +.SH "DESCRIPTION" @@ -16373,7 +30824,9 @@ index 0000000..49919a6 + +.SH "ENTRYPOINTS" + -+The crack_t SELinux type can be entered via the "crack_exec_t" file type. The default entrypoint paths for the crack_t domain are the following:" ++The crack_t SELinux type can be entered via the \fBcrack_exec_t\fP file type. ++ ++The default entrypoint paths for the crack_t domain are the following: + +/usr/sbin/crack_[a-z]*, /usr/sbin/cracklib-[a-z]* +.SH PROCESS TYPES 
@@ -16391,50 +30844,52 @@ index 0000000..49919a6 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a crack_t ++can be used to make the process type crack_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux crack policy is very flexible allowing users to setup their crack processes in as secure a method as possible. -+.PP -+The following file types are defined for crack: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. crack policy is extremely flexible and has several booleans that allow you to manipulate the policy and run crack with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B crack_db_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the crack_db_t type, if you want to treat the files as crack database content. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B crack_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the crack_exec_t type, if you want to transition an executable to the crack_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
+ +.EX -+.PP -+.B crack_tmp_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the crack_tmp_t type, if you want to store crack temporary files in the /tmp directories. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -16454,7 +30909,68 @@ index 0000000..49919a6 +.B crack_tmp_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux crack policy is very flexible allowing users to setup their crack processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the crack, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t crack_db_t '/srv/crack/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycrack_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for crack: ++ ++ ++.EX ++.PP ++.B crack_db_t ++.EE ++ ++- Set files with the crack_db_t type, if you want to treat the files as crack database content. ++ ++.br ++.TP 5 ++Paths: ++/usr/share/cracklib(/.*)?, /var/cache/cracklib(/.*)?, /usr/lib/cracklib_dict.* ++ ++.EX ++.PP ++.B crack_exec_t ++.EE ++ ++- Set files with the crack_exec_t type, if you want to transition an executable to the crack_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/crack_[a-z]*, /usr/sbin/cracklib-[a-z]* ++ ++.EX ++.PP ++.B crack_tmp_t ++.EE ++ ++- Set files with the crack_tmp_t type, if you want to store crack temporary files in the /tmp directories. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -16466,6 +30982,9 @@ index 0000000..49919a6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -16477,13 +30996,15 @@ index 0000000..49919a6 + +.SH "SEE ALSO" +selinux(8), crack(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/crond_selinux.8 b/man/man8/crond_selinux.8 new file mode 100644 -index 0000000..0f4955a +index 0000000..57fee60 --- /dev/null +++ b/man/man8/crond_selinux.8 -@@ -0,0 +1,310 @@ -+.TH "crond_selinux" "8" "12-11-01" "crond" "SELinux Policy documentation for crond" +@@ -0,0 +1,441 @@ ++.TH "crond_selinux" "8" "13-01-16" "crond" "SELinux Policy documentation for crond" +.SH "NAME" +crond_selinux \- Security Enhanced Linux Policy for the crond processes +.SH "DESCRIPTION" @@ -16499,7 +31020,9 @@ index 0000000..0f4955a + +.SH "ENTRYPOINTS" + -+The crond_t SELinux type can be entered via the "crond_exec_t" file type. The default entrypoint paths for the crond_t domain are the following:" ++The crond_t SELinux type can be entered via the \fBcrond_exec_t\fP file type. ++ ++The default entrypoint paths for the crond_t domain are the following: + +/usr/sbin/cron(d)?, /usr/sbin/atd, /usr/sbin/fcron +.SH PROCESS TYPES 
@@ -16517,98 +31040,164 @@ index 0000000..0f4955a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a crond_t ++can be used to make the process type crond_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. crond policy is extremely flexible and has several booleans that allow you to manipulate the policy and run crond with the tightest access possible. + + +.PP -+If you want to enable extra rules in the cron domain to support fcron, you must turn on the fcron_crond boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to enable extra rules in the cron domain to support fcron, you must turn on the fcron_crond boolean. Disabled by default. + +.EX +.B setsebool -P fcron_crond 1 ++ +.EE + +.PP -+If you want to allow system cron jobs to relabel filesystem for restoring file contexts, you must turn on the cron_can_relabel boolean. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.B setsebool -P cron_can_relabel 1 ++.B setsebool -P fips_mode 1 ++ +.EE + +.PP -+If you want to enable extra rules in the cron domain to support fcron, you must turn on the fcron_crond boolean. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.B setsebool -P fcron_crond 1 ++.B setsebool -P global_ssp 1 ++ +.EE + +.PP -+If you want to allow system cron jobs to relabel filesystem for restoring file contexts, you must turn on the cron_can_relabel boolean. ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.B setsebool -P cron_can_relabel 1 ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible. 
-+.PP -+The following file types are defined for crond: -+ ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.PP -+.B crond_exec_t ++.B setsebool -P nis_enabled 1 ++ +.EE + -+- Set files with the crond_exec_t type, if you want to transition an executable to the crond_t domain. -+ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + +.EX -+.PP -+.B crond_initrc_exec_t ++.B setsebool -P nscd_use_shm 1 ++ +.EE + -+- Set files with the crond_initrc_exec_t type, if you want to transition an executable to the crond_initrc_t domain. -+ ++.PP ++If you want to enable polyinstantiated directory support, you must turn on the polyinstantiation_enabled boolean. Enabled by default. + +.EX -+.PP -+.B crond_tmp_t ++.B setsebool -P polyinstantiation_enabled 1 ++ +.EE + -+- Set files with the crond_tmp_t type, if you want to store crond temporary files in the /tmp directories. -+ ++.PP ++If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean. Enabled by default. + +.EX -+.PP -+.B crond_unit_file_t ++.B setsebool -P unconfined_login 1 ++ +.EE + -+- Set files with the crond_unit_file_t type, if you want to treat the files as crond unit content. -+ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. + +.EX -+.PP -+.B crond_var_run_t ++.B setsebool -P use_nfs_home_dirs 1 ++ +.EE + -+- Set files with the crond_var_run_t type, if you want to store the crond files under the /run directory. ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. + ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the crontab_t, crond_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the crontab_t, crond_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -16663,12 +31252,12 @@ index 0000000..0f4955a + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B initrc_var_run_t @@ -16683,17 +31272,11 @@ index 0000000..0f4955a +.br + +.br -+.B pcscd_var_run_t ++.B root_t + -+ /var/run/pcscd(/.*)? ++ / +.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm ++ /initrd +.br + +.br 
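Review bot: the deny_ptrace entry in the new crond BOOLEANS section reads backwards: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean." A boolean named deny_ptrace denies ptrace when it is on, so an administrator following the text and the accompanying `setsebool -P deny_ptrace 1` line would remove exactly the debugging ability the sentence promises; the description should say the boolean has to be turned off to allow ptrace, and the example should match. Two smaller points in the same hunk: "rather then using a sssd server" should be "rather than", and the NSSWITCH DOMAIN section restates the authlogin_nsswitch_use_ldap and kerberos_enabled entries that BOOLEANS already documents, this time without the "Enabled/Disabled by default" information. All of this comes from the boolean descriptions and templates in sepolicy, which is where the fix belongs.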
@@ -16749,24 +31332,93 @@ index 0000000..0f4955a +.br + /var/lib/pam_shield(/.*)? +.br ++ /var/opt/quest/vas/vasd(/.*)? ++.br + /var/lib/google-authenticator(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the crontab_t, crond_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the crond, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t crond_exec_t '/srv/crond/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycrond_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for crond: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B crond_exec_t +.EE + ++- Set files with the crond_exec_t type, if you want to transition an executable to the crond_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/cron(d)?, /usr/sbin/atd, /usr/sbin/fcron ++ ++.EX ++.PP ++.B crond_initrc_exec_t ++.EE ++ ++- Set files with the crond_initrc_exec_t type, if you want to transition an executable to the crond_initrc_t domain. ++ ++ ++.EX ++.PP ++.B crond_tmp_t ++.EE ++ ++- Set files with the crond_tmp_t type, if you want to store crond temporary files in the /tmp directories. 
++ ++ ++.EX ++.PP ++.B crond_unit_file_t ++.EE ++ ++- Set files with the crond_unit_file_t type, if you want to treat the files as crond unit content. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/systemd/system/atd.*, /usr/lib/systemd/system/crond.* ++ ++.EX ++.PP ++.B crond_var_run_t ++.EE ++ ++- Set files with the crond_var_run_t type, if you want to store the crond files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/.*cron.*, /var/run/crond?\.pid, /var/run/crond?\.reboot, /var/run/atd\.pid, /var/run/fcron\.pid, /var/run/fcron\.fifo, /var/run/anacron\.pid ++ +.PP -+If you want to allow confined applications to run with kerberos for the crontab_t, crond_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
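Review bot: the worked example in the new STANDARD FILE CONTEXT block is internally inconsistent: `semanage fcontext -a -t crond_exec_t '/srv/crond/content(/.*)?'` labels one path, but the following `restorecon -R -v /srv/mycrond_content` relabels a different one, so a reader who copies both lines changes nothing on disk. The example also picks crond_exec_t, the domain's entrypoint type, for "content"; showing administrators how to label arbitrary files under /srv with an executable entrypoint type is the wrong lesson, so use a data type such as crond_var_run_t, or at least the same path in both commands. The same hunk carries the recurring typos "diffent" and "sepecify" and the broken escape `\fBls\bP` (should be `\fBls\fP`), which recur in every generated page; fix the template.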
@@ -16792,15 +31444,168 @@ index 0000000..0f4955a + +.SH "SEE ALSO" +selinux(8), crond(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8), crontab_selinux(8) ++, setsebool(8), cronjob_selinux(8), crontab_selinux(8) +\ No newline at end of file +diff --git a/man/man8/cronjob_selinux.8 b/man/man8/cronjob_selinux.8 +new file mode 100644 +index 0000000..1d41d85 +--- /dev/null ++++ b/man/man8/cronjob_selinux.8 +@@ -0,0 +1,146 @@ ++.TH "cronjob_selinux" "8" "13-01-16" "cronjob" "SELinux Policy documentation for cronjob" ++.SH "NAME" ++cronjob_selinux \- Security Enhanced Linux Policy for the cronjob processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the cronjob processes via flexible mandatory access control. ++ ++The cronjob processes execute with the cronjob_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep cronjob_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The cronjob_t SELinux type can be entered via the \fBuser_cron_spool_t, shell_exec_t\fP file types. ++ ++The default entrypoint paths for the cronjob_t domain are the following: ++ ++/var/spool/at(/.*)?, /var/spool/cron, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. 
++SELinux cronjob policy is very flexible allowing users to setup their cronjob processes in as secure a method as possible. ++.PP ++The following process types are defined for cronjob: ++ ++.EX ++.B cronjob_t ++.EE ++.PP ++Note: ++.B semanage permissive -a cronjob_t ++can be used to make the process type cronjob_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cronjob policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cronjob with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cronjob_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. 
Note the processes UID still need to have DAC permissions. ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), cronjob(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) \ No newline at end of file diff --git a/man/man8/crontab_selinux.8 b/man/man8/crontab_selinux.8 new file mode 100644 -index 0000000..8d67b77 +index 0000000..94272bf --- /dev/null +++ b/man/man8/crontab_selinux.8 -@@ -0,0 +1,190 @@ -+.TH "crontab_selinux" "8" "12-11-01" "crontab" "SELinux Policy documentation for crontab" +@@ -0,0 +1,311 @@ ++.TH "crontab_selinux" "8" "13-01-16" "crontab" "SELinux Policy documentation for crontab" +.SH "NAME" +crontab_selinux \- Security Enhanced Linux Policy for the crontab processes +.SH "DESCRIPTION" 
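Review bot: the MANAGED FILES section of the new man/man8/cronjob_selinux.8 ships host-specific paths ("/home/pwalsh/.+", "/home/dwalsh/.+", "/tmp/gconfd-pwalsh", "/tmp/gconfd-dwalsh", "/tmp/gconfd-xguest") that look like local file-context customizations on the machine that ran `sepolicy manpage`, not policy defaults; regenerate from the stock policy, or make the generator skip local customizations, so packaged documentation does not carry a developer's home-directory layout. Separately, SEE ALSO adds cronjob(8), yet the ENTRYPOINTS section of the same page shows cronjob_t is entered through cron spool files and shells rather than a cronjob executable, so that manual page is unlikely to exist; the generator should emit the `<name>(8)` reference only when such a page is present.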
@@ -16816,7 +31621,9 @@ index 0000000..8d67b77 + +.SH "ENTRYPOINTS" + -+The crontab_t SELinux type can be entered via the "crontab_exec_t" file type. The default entrypoint paths for the crontab_t domain are the following:" ++The crontab_t SELinux type can be entered via the \fBcrontab_exec_t\fP file type. ++ ++The default entrypoint paths for the crontab_t domain are the following: + +/usr/bin/(f)?crontab, /usr/bin/at, /usr/sbin/fcronsighup +.SH PROCESS TYPES 
@@ -16834,42 +31641,132 @@ index 0000000..8d67b77 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a crontab_t ++can be used to make the process type crontab_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux crontab policy is very flexible allowing users to setup their crontab processes in as secure a method as possible. -+.PP -+The following file types are defined for crontab: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. crontab policy is extremely flexible and has several booleans that allow you to manipulate the policy and run crontab with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B crontab_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the crontab_exec_t type, if you want to transition an executable to the crontab_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B crontab_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the crontab_tmp_t type, if you want to store crontab temporary files in the /tmp directories. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. 
Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the crontab_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the crontab_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -16892,26 +31789,12 @@ index 0000000..8d67b77 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br + +.br +.B user_cron_spool_t @@ -16928,6 +31811,8 @@ index 0000000..8d67b77 +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest 
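Review bot: the NSSWITCH DOMAIN section added at the end of this crontab hunk restates two booleans that the new BOOLEANS section already documents (authlogin_nsswitch_use_ldap, kerberos_enabled) with a different sentence and without the default value the first copy carries. The default matters: BOOLEANS says kerberos_enabled is "Enabled by default", so the second copy's instruction to run `setsebool -P kerberos_enabled 1` is a no-op on a stock system and only confuses the reader. Either drop the duplicate section or have the generator emit each boolean once with its default; the crond page earlier in this patch has the same duplication.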
@@ -16950,24 +31835,61 @@ index 0000000..8d67b77 +.br + /var/lib/pam_shield(/.*)? +.br ++ /var/opt/quest/vas/vasd(/.*)? ++.br + /var/lib/google-authenticator(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux crontab policy is very flexible allowing users to setup their crontab processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the crontab_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the crontab, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t crontab_exec_t '/srv/crontab/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycrontab_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for crontab: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B crontab_exec_t +.EE + ++- Set files with the crontab_exec_t type, if you want to transition an executable to the crontab_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/(f)?crontab, /usr/bin/at, /usr/sbin/fcronsighup ++ ++.EX ++.PP ++.B crontab_tmp_t ++.EE ++ ++- Set files with the crontab_tmp_t type, if you want to store crontab temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the crontab_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -16979,6 +31901,9 @@ index 0000000..8d67b77 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -16990,13 +31915,15 @@ index 0000000..8d67b77 + +.SH "SEE ALSO" +selinux(8), crontab(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ctdbd_selinux.8 b/man/man8/ctdbd_selinux.8 new file mode 100644 -index 0000000..33d0469 +index 0000000..cb780a6 --- /dev/null +++ b/man/man8/ctdbd_selinux.8 -@@ -0,0 +1,232 @@ -+.TH "ctdbd_selinux" "8" "12-11-01" "ctdbd" "SELinux Policy documentation for ctdbd" +@@ -0,0 +1,305 @@ ++.TH "ctdbd_selinux" "8" "13-01-16" "ctdbd" "SELinux Policy documentation for ctdbd" +.SH "NAME" +ctdbd_selinux \- Security Enhanced Linux Policy for the ctdbd processes +.SH "DESCRIPTION" @@ -17012,7 +31939,9 @@ index 0000000..33d0469 + +.SH "ENTRYPOINTS" + -+The ctdbd_t SELinux type can be entered via the "ctdbd_exec_t" file type. The default entrypoint paths for the ctdbd_t domain are the following:" ++The ctdbd_t SELinux type can be entered via the \fBctdbd_exec_t\fP file type. ++ ++The default entrypoint paths for the ctdbd_t domain are the following: + +/usr/sbin/ctdbd +.SH PROCESS TYPES 
@@ -17030,8 +31959,155 @@ index 0000000..33d0469 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ctdbd_t ++can be used to make the process type ctdbd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ctdbd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ctdbd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible. ++.PP ++The following port types are defined for ctdbd: ++ ++.EX ++.TP 5 ++.B ctdb_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 4379 ++.EE ++udp 4397 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type ctdbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B ctdbd_spool_t ++ ++ /var/spool/ctdb(/.*)? ++.br ++ ++.br ++.B ctdbd_tmp_t ++ ++ ++.br ++.B ctdbd_var_lib_t ++ ++ /var/lib/ctdbd(/.*)? ++.br ++ ++.br ++.B ctdbd_var_run_t ++ ++ /var/run/ctdbd(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B samba_var_t ++ ++ /var/nmbd(/.*)? ++.br ++ /var/lib/samba(/.*)? ++.br ++ /var/cache/samba(/.*)? ++.br ++ /var/spool/samba(/.*)? ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
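Review bot: the new MANAGED FILES list for ctdbd_t includes root_t with the paths "/" and "/initrd", which documents that the policy grants ctdbd_t manage access on files labeled root_t, the root directory itself (the crond page earlier in this patch gained the same entry). Confirm against the policy source that this is intended before shipping it as documented behaviour; a cluster daemon should not need to create or remove entries directly under /. Two smaller points in the same hunk: the PORT TYPES block now lists "tcp 4379" but "udp 4397", where the previous version had 4379 for both, so either the ctdb_port_t definition or the old page has a transposed digit and it should be checked rather than propagated; and the two bare `.EE` lines after the port numbers have no matching `.EX`, leaving the macro structure unbalanced. "Note the processes UID still need to have DAC permissions" should read "the process's UID still needs".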
@@ -17041,7 +32117,20 @@ index 0000000..33d0469 +Policy governs the access confined processes have to these files. +SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible. +.PP -+The following file types are defined for ctdbd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ctdbd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ctdbd_exec_t '/srv/ctdbd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myctdbd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ctdbd: + + +.EX @@ -17067,6 +32156,10 @@ index 0000000..33d0469 + +- Set files with the ctdbd_log_t type, if you want to treat the data as ctdbd log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/ctdb\.log.*, /var/log/log\.ctdb.* + +.EX +.PP @@ -17097,7 +32190,7 @@ index 0000000..33d0469 +.B ctdbd_var_run_t +.EE + -+- Set files with the ctdbd_var_run_t type, if you want to store the ctdbd files under the /run directory. ++- Set files with the ctdbd_var_run_t type, if you want to store the ctdbd files under the /run or /var/run directory. + + +.PP 
@@ -17107,103 +32200,6 @@ index 0000000..33d0469 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux ctdbd policy is very flexible allowing users to setup their ctdbd processes in as secure a method as possible. -+.PP -+The following port types are defined for ctdbd: -+ -+.EX -+.TP 5 -+.B ctdb_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 4379 -+.EE -+udp 4379 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type ctdbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B ctdbd_log_t -+ -+ /var/log/log\.ctdb -+.br -+ -+.br -+.B ctdbd_spool_t -+ -+ /var/spool/ctdb(/.*)? -+.br -+ -+.br -+.B ctdbd_tmp_t -+ -+ -+.br -+.B ctdbd_var_lib_t -+ -+ /etc/ctdb(/.*)? -+.br -+ /var/ctdb(/.*)? -+.br -+ /var/ctdbd(/.*)? -+.br -+ /var/lib/ctdbd(/.*)? -+.br -+ -+.br -+.B ctdbd_var_run_t -+ -+ /var/run/ctdbd(/.*)? -+.br -+ -+.br -+.B samba_var_t -+ -+ /var/lib/samba(/.*)? -+.br -+ /var/cache/samba(/.*)? -+.br -+ /var/spool/samba(/.*)? -+.br -+ -+.br -+.B systemd_passwd_var_run_t -+ -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ctdbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the ctdbd_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -17217,6 +32213,9 @@ index 0000000..33d0469 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -17228,13 +32227,15 @@ index 0000000..33d0469 + +.SH "SEE ALSO" +selinux(8), ctdbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/cups_pdf_selinux.8 b/man/man8/cups_pdf_selinux.8 new file mode 100644 -index 0000000..da4a09b +index 0000000..d13ec61 --- /dev/null +++ b/man/man8/cups_pdf_selinux.8 -@@ -0,0 +1,151 @@ -+.TH "cups_pdf_selinux" "8" "12-11-01" "cups_pdf" "SELinux Policy documentation for cups_pdf" +@@ -0,0 +1,301 @@ ++.TH "cups_pdf_selinux" "8" "13-01-16" "cups_pdf" "SELinux Policy documentation for cups_pdf" +.SH "NAME" +cups_pdf_selinux \- Security Enhanced Linux Policy for the cups_pdf processes +.SH "DESCRIPTION" @@ -17250,7 +32251,9 @@ index 0000000..da4a09b + +.SH "ENTRYPOINTS" + -+The cups_pdf_t SELinux type can be entered via the "cups_pdf_exec_t" file type. The default entrypoint paths for the cups_pdf_t domain are the following:" ++The cups_pdf_t SELinux type can be entered via the \fBcups_pdf_exec_t\fP file type. ++ ++The default entrypoint paths for the cups_pdf_t domain are the following: + +/usr/lib/cups/backend/cups-pdf +.SH PROCESS TYPES 
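Review bot: this removal hunk drops ctdbd_log_t together with the /etc/ctdb(/.*)?, /var/ctdb(/.*)? and /var/ctdbd(/.*)? paths from the ctdbd MANAGED FILES list and deletes the ctdbd NSSWITCH DOMAIN section, while the preceding hunk still documents ctdbd_log_t under FILE CONTEXTS with paths /var/log/ctdb\.log.* and /var/log/log\.ctdb.*. If ctdbd_t can no longer manage its own log type that is a policy behaviour change, not a documentation refresh; confirm that the ctdbd module was intentionally changed rather than the page having been generated against a different module set. The same hunk also removes the old "udp 4379" line that the new page replaces with 4397, which is the inconsistency flagged above.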
@@ -17268,8 +32271,198 @@ index 0000000..da4a09b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cups_pdf_t ++can be used to make the process type cups_pdf_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cups_pdf policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cups_pdf with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the cups_pdf_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cups_pdf_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cups_pdf_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B cups_pdf_tmp_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B print_spool_t ++ ++ /var/spool/lpd(/.*)? ++.br ++ /var/spool/cups(/.*)? ++.br ++ /var/spool/cups-pdf(/.*)? ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -17279,7 +32472,20 @@ index 0000000..da4a09b +Policy governs the access confined processes have to these files. +SELinux cups_pdf policy is very flexible allowing users to setup their cups_pdf processes in as secure a method as possible. +.PP -+The following file types are defined for cups_pdf: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cups_pdf, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cups_pdf_exec_t '/srv/cups_pdf/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycups_pdf_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cups_pdf: + + +.EX 
@@ -17305,64 +32511,6 @@ index 0000000..da4a09b +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type cups_pdf_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B anon_inodefs_t -+ -+ -+.br -+.B cups_pdf_tmp_t -+ -+ -+.br -+.B cupsd_log_t -+ -+ /var/log/cups(/.*)? -+.br -+ /usr/Brother/fax/.*\.log.* -+.br -+ /var/log/turboprint.* -+.br -+ -+.br -+.B print_spool_t -+ -+ /var/spool/lpd(/.*)? -+.br -+ /var/spool/cups(/.*)? -+.br -+ /var/spool/cups-pdf(/.*)? -+.br -+ -+.br -+.B user_home_t -+ -+ /home/[^/]*/.+ -+.br -+ /home/dwalsh/.+ -+.br -+ /var/lib/xguest/home/xguest/.+ -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cups_pdf_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the cups_pdf_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -17373,6 +32521,9 @@ index 0000000..da4a09b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -17384,15 +32535,15 @@ index 0000000..da4a09b + +.SH "SEE ALSO" +selinux(8), cups_pdf(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, cupsd_selinux(8), cupsd_config_selinux(8), cupsd_lpd_selinux(8) ++, setsebool(8), cupsd_selinux(8), cupsd_config_selinux(8), cupsd_lpd_selinux(8) \ No newline at end of file 
diff --git a/man/man8/cupsd_config_selinux.8 b/man/man8/cupsd_config_selinux.8 new file mode 100644 -index 0000000..a3e48d3 +index 0000000..4766470 --- /dev/null +++ b/man/man8/cupsd_config_selinux.8 -@@ -0,0 +1,207 @@ -+.TH "cupsd_config_selinux" "8" "12-11-01" "cupsd_config" "SELinux Policy documentation for cupsd_config" +@@ -0,0 +1,331 @@ ++.TH "cupsd_config_selinux" "8" "13-01-16" "cupsd_config" "SELinux Policy documentation for cupsd_config" +.SH "NAME" +cupsd_config_selinux \- Security Enhanced Linux Policy for the cupsd_config processes +.SH "DESCRIPTION" @@ -17408,9 +32559,11 @@ index 0000000..a3e48d3 + +.SH "ENTRYPOINTS" + -+The cupsd_config_t SELinux type can be entered via the "cupsd_config_exec_t" file type. The default entrypoint paths for the cupsd_config_t domain are the following:" ++The cupsd_config_t SELinux type can be entered via the \fBcupsd_config_exec_t\fP file type. + -+/usr/sbin/hal_lpadmin, /usr/libexec/hal_lpadmin, /usr/bin/cups-config-daemon, /usr/sbin/printconf-backend, /lib/udev/udev-configure-printer, /usr/lib/udev/udev-configure-printer, /usr/libexec/cups-pk-helper-mechanism ++The default entrypoint paths for the cupsd_config_t domain are the following: ++ ++/usr/sbin/hal_lpadmin, /usr/libexec/hal_lpadmin, /usr/bin/cups-config-daemon, /usr/sbin/printconf-backend, /usr/lib/udev/udev-configure-printer, /usr/libexec/cups-pk-helper-mechanism +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -17426,42 +32579,124 @@ index 0000000..a3e48d3 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cupsd_config_t ++can be used to make the process type cupsd_config_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux cupsd_config policy is very flexible allowing users to setup their cupsd_config processes in as secure a method as possible. -+.PP -+The following file types are defined for cupsd_config: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cupsd_config policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cupsd_config with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B cupsd_config_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the cupsd_config_exec_t type, if you want to transition an executable to the cupsd_config_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B cupsd_config_var_run_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the cupsd_config_var_run_t type, if you want to store the cupsd config files under the /run directory. 
++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the cupsd_config_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cupsd_config_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -17482,16 +32717,6 @@ index 0000000..a3e48d3 +.br + +.br -+.B cupsd_log_t -+ -+ /var/log/cups(/.*)? -+.br -+ /usr/Brother/fax/.*\.log.* -+.br -+ /var/log/turboprint.* -+.br -+ -+.br +.B cupsd_rw_etc_t + + /etc/printcap.* @@ -17530,6 +32755,8 @@ index 0000000..a3e48d3 +.br + /etc/cups/subscriptions.* +.br ++ /etc/opt/brother/Printers/(.*/)?inf(/.*)? ++.br + /usr/local/linuxprinter/ppd(/.*)? +.br + /var/cache/alchemist/printconf.* 
@@ -17550,32 +32777,77 @@ index 0000000..a3e48d3 + + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B user_tmp_t + + /var/run/user(/.*)? +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux cupsd_config policy is very flexible allowing users to setup their cupsd_config processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cupsd_config_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cupsd_config, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cupsd_config_exec_t '/srv/cupsd_config/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycupsd_config_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cupsd_config: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B cupsd_config_exec_t +.EE + ++- Set files with the cupsd_config_exec_t type, if you want to transition an executable to the cupsd_config_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/hal_lpadmin, /usr/libexec/hal_lpadmin, /usr/bin/cups-config-daemon, /usr/sbin/printconf-backend, /usr/lib/udev/udev-configure-printer, /usr/libexec/cups-pk-helper-mechanism ++ ++.EX ++.PP ++.B cupsd_config_var_run_t ++.EE ++ ++- Set files with the cupsd_config_var_run_t type, if you want to store the cupsd config files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the cupsd_config_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -17587,6 +32859,9 @@ index 0000000..a3e48d3 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -17598,15 +32873,15 @@ index 0000000..a3e48d3 + +.SH "SEE ALSO" +selinux(8), cupsd_config(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, cupsd_selinux(8), cupsd_selinux(8), cupsd_lpd_selinux(8) ++, setsebool(8), cupsd_selinux(8), cupsd_selinux(8), cupsd_lpd_selinux(8) \ No newline at end of file diff --git a/man/man8/cupsd_lpd_selinux.8 b/man/man8/cupsd_lpd_selinux.8 new file mode 100644 -index 0000000..73ded99 +index 0000000..e680cba --- /dev/null 
+++ b/man/man8/cupsd_lpd_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "cupsd_lpd_selinux" "8" "12-11-01" "cupsd_lpd" "SELinux Policy documentation for cupsd_lpd" +@@ -0,0 +1,223 @@ ++.TH "cupsd_lpd_selinux" "8" "13-01-16" "cupsd_lpd" "SELinux Policy documentation for cupsd_lpd" +.SH "NAME" +cupsd_lpd_selinux \- Security Enhanced Linux Policy for the cupsd_lpd processes +.SH "DESCRIPTION" @@ -17622,7 +32897,9 @@ index 0000000..73ded99 + +.SH "ENTRYPOINTS" + -+The cupsd_lpd_t SELinux type can be entered via the "cupsd_lpd_exec_t" file type. The default entrypoint paths for the cupsd_lpd_t domain are the following:" ++The cupsd_lpd_t SELinux type can be entered via the \fBcupsd_lpd_exec_t\fP file type. ++ ++The default entrypoint paths for the cupsd_lpd_t domain are the following: + +/usr/lib/cups/daemon/cups-lpd +.SH PROCESS TYPES 
@@ -17640,8 +32917,112 @@ index 0000000..73ded99 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cupsd_lpd_t ++can be used to make the process type cupsd_lpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cupsd_lpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cupsd_lpd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the cupsd_lpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cupsd_lpd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cupsd_lpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cupsd_lpd_tmp_t ++ ++ ++.br ++.B cupsd_lpd_var_run_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -17651,7 +33032,20 @@ index 0000000..73ded99 +Policy governs the access confined processes have to these files. +SELinux cupsd_lpd policy is very flexible allowing users to setup their cupsd_lpd processes in as secure a method as possible. +.PP -+The following file types are defined for cupsd_lpd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cupsd_lpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cupsd_lpd_exec_t '/srv/cupsd_lpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycupsd_lpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cupsd_lpd: + + +.EX @@ -17675,7 +33069,7 @@ index 0000000..73ded99 +.B cupsd_lpd_var_run_t +.EE + -+- Set files with the cupsd_lpd_var_run_t type, if you want to store the cupsd lpd files under the /run directory. ++- Set files with the cupsd_lpd_var_run_t type, if you want to store the cupsd lpd files under the /run or /var/run directory. + + +.PP 
@@ -17685,34 +33079,6 @@ index 0000000..73ded99 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type cupsd_lpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cupsd_lpd_tmp_t -+ -+ -+.br -+.B cupsd_lpd_var_run_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cupsd_lpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the cupsd_lpd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -17723,6 +33089,9 @@ index 0000000..73ded99 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -17734,15 +33103,15 @@ index 0000000..73ded99 + +.SH "SEE ALSO" +selinux(8), cupsd_lpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, cupsd_selinux(8), cupsd_selinux(8), cupsd_config_selinux(8) ++, setsebool(8), cupsd_selinux(8), cupsd_selinux(8), cupsd_config_selinux(8) \ No newline at end of file diff --git a/man/man8/cupsd_selinux.8 b/man/man8/cupsd_selinux.8 new file mode 100644 -index 0000000..89d22a6 +index 0000000..3c25dda --- /dev/null 
+++ b/man/man8/cupsd_selinux.8 -@@ -0,0 +1,387 @@ -+.TH "cupsd_selinux" "8" "12-11-01" "cupsd" "SELinux Policy documentation for cupsd" +@@ -0,0 +1,513 @@ ++.TH "cupsd_selinux" "8" "13-01-16" "cupsd" "SELinux Policy documentation for cupsd" +.SH "NAME" +cupsd_selinux \- Security Enhanced Linux Policy for the cupsd processes +.SH "DESCRIPTION" @@ -17758,7 +33127,9 @@ index 0000000..89d22a6 + +.SH "ENTRYPOINTS" + -+The cupsd_t SELinux type can be entered via the "cupsd_exec_t" file type. The default entrypoint paths for the cupsd_t domain are the following:" ++The cupsd_t SELinux type can be entered via the \fBcupsd_exec_t\fP file type. ++ ++The default entrypoint paths for the cupsd_t domain are the following: + +/usr/sbin/cupsd +.SH PROCESS TYPES 
@@ -17776,8 +33147,286 @@ index 0000000..89d22a6 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cupsd_t ++can be used to make the process type cupsd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cupsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cupsd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cupsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B cupsd_interface_t ++ ++ /etc/cups/interfaces(/.*)? ++.br ++ ++.br ++.B cupsd_lock_t ++ ++ ++.br ++.B cupsd_rw_etc_t ++ ++ /etc/printcap.* ++.br ++ /etc/cups/ppd(/.*)? ++.br ++ /usr/Brother/(.*/)?inf(/.*)? ++.br ++ /usr/Printer/(.*/)?inf(/.*)? ++.br ++ /usr/lib/bjlib(/.*)? ++.br ++ /var/lib/iscan(/.*)? ++.br ++ /var/cache/cups(/.*)? ++.br ++ /etc/cups/certs/.* ++.br ++ /etc/opt/Brother/(.*/)?inf(/.*)? ++.br ++ /etc/cups/lpoptions.* ++.br ++ /var/cache/foomatic(/.*)? ++.br ++ /etc/cups/cupsd\.conf.* ++.br ++ /var/lib/cups/certs/.* ++.br ++ /opt/gutenprint/ppds(/.*)? ++.br ++ /opt/brother/Printers(.*/)?inf(/.*)? ++.br ++ /etc/cups/classes\.conf.* ++.br ++ /etc/cups/printers\.conf.* ++.br ++ /etc/cups/subscriptions.* ++.br ++ /etc/opt/brother/Printers/(.*/)?inf(/.*)? ++.br ++ /usr/local/linuxprinter/ppd(/.*)? ++.br ++ /var/cache/alchemist/printconf.* ++.br ++ /etc/alchemist/namespace/printconf(/.*)? ++.br ++ /etc/cups/certs ++.br ++ /etc/cups/ppds\.dat ++.br ++ /var/lib/cups/certs ++.br ++ /usr/share/foomatic/db/oldprinterids ++.br ++ ++.br ++.B cupsd_tmp_t ++ ++ ++.br ++.B cupsd_var_run_t ++ ++ /var/ccpd(/.*)? ++.br ++ /var/ekpd(/.*)? ++.br ++ /var/run/cups(/.*)? ++.br ++ /var/turboprint(/.*)? ++.br ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B print_spool_t ++ ++ /var/spool/lpd(/.*)? ++.br ++ /var/spool/cups(/.*)? ++.br ++ /var/spool/cups-pdf(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B samba_var_t ++ ++ /var/nmbd(/.*)? ++.br ++ /var/lib/samba(/.*)? ++.br ++ /var/cache/samba(/.*)? ++.br ++ /var/spool/samba(/.*)? 
++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B usbfs_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -17787,7 +33436,20 @@ index 0000000..89d22a6 +Policy governs the access confined processes have to these files. +SELinux cupsd policy is very flexible allowing users to setup their cupsd processes in as secure a method as possible. +.PP -+The following file types are defined for cupsd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cupsd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cupsd_config_exec_t '/srv/cupsd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycupsd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cupsd: + + +.EX @@ -17797,13 +33459,17 @@ index 0000000..89d22a6 + +- Set files with the cupsd_config_exec_t type, if you want to transition an executable to the cupsd_config_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/hal_lpadmin, /usr/libexec/hal_lpadmin, /usr/bin/cups-config-daemon, /usr/sbin/printconf-backend, /usr/lib/udev/udev-configure-printer, /usr/libexec/cups-pk-helper-mechanism + +.EX +.PP +.B cupsd_config_var_run_t +.EE + -+- Set files with the cupsd_config_var_run_t type, if you want to store the cupsd config files under the /run directory. ++- Set files with the cupsd_config_var_run_t type, if you want to store the cupsd config files under the /run or /var/run directory. + + +.EX @@ -17813,6 +33479,10 @@ index 0000000..89d22a6 + +- Set files with the cupsd_etc_t type, if you want to store cupsd files in the /etc directories. + ++.br ++.TP 5 ++Paths: ++/etc/cups(/.*)?, /usr/share/cups(/.*)? + +.EX +.PP 
@@ -17853,6 +33523,10 @@ index 0000000..89d22a6 + +- Set files with the cupsd_log_t type, if you want to treat the data as cupsd log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/cups(/.*)?, /usr/Brother/fax/.*\.log.*, /var/log/turboprint.* + +.EX +.PP @@ -17875,7 +33549,7 @@ index 0000000..89d22a6 +.B cupsd_lpd_var_run_t +.EE + -+- Set files with the cupsd_lpd_var_run_t type, if you want to store the cupsd lpd files under the /run directory. ++- Set files with the cupsd_lpd_var_run_t type, if you want to store the cupsd lpd files under the /run or /var/run directory. + + +.EX @@ -17885,6 +33559,10 @@ index 0000000..89d22a6 + +- Set files with the cupsd_rw_etc_t type, if you want to store cupsd rw files in the /etc directories. + ++.br ++.TP 5 ++Paths: ++/etc/printcap.*, /etc/cups/ppd(/.*)?, /usr/Brother/(.*/)?inf(/.*)?, /usr/Printer/(.*/)?inf(/.*)?, /usr/lib/bjlib(/.*)?, /var/lib/iscan(/.*)?, /var/cache/cups(/.*)?, /etc/cups/certs/.*, /etc/opt/Brother/(.*/)?inf(/.*)?, /etc/cups/lpoptions.*, /var/cache/foomatic(/.*)?, /etc/cups/cupsd\.conf.*, /var/lib/cups/certs/.*, /opt/gutenprint/ppds(/.*)?, /opt/brother/Printers(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /etc/cups/printers\.conf.*, /etc/cups/subscriptions.*, /etc/opt/brother/Printers/(.*/)?inf(/.*)?, /usr/local/linuxprinter/ppd(/.*)?, /var/cache/alchemist/printconf.*, /etc/alchemist/namespace/printconf(/.*)?, /etc/cups/certs, /etc/cups/ppds\.dat, /var/lib/cups/certs, /usr/share/foomatic/db/oldprinterids + +.EX +.PP 
@@ -17907,8 +33585,12 @@ index 0000000..89d22a6 +.B cupsd_var_run_t +.EE + -+- Set files with the cupsd_var_run_t type, if you want to store the cupsd files under the /run directory. ++- Set files with the cupsd_var_run_t type, if you want to store the cupsd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/run/cups(/.*)?, /var/turboprint(/.*)? + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -17917,196 +33599,6 @@ index 0000000..89d22a6 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type cupsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cupsd_interface_t -+ -+ /etc/cups/interfaces(/.*)? -+.br -+ -+.br -+.B cupsd_lock_t -+ -+ -+.br -+.B cupsd_log_t -+ -+ /var/log/cups(/.*)? -+.br -+ /usr/Brother/fax/.*\.log.* -+.br -+ /var/log/turboprint.* -+.br -+ -+.br -+.B cupsd_rw_etc_t -+ -+ /etc/printcap.* -+.br -+ /etc/cups/ppd(/.*)? -+.br -+ /usr/Brother/(.*/)?inf(/.*)? -+.br -+ /usr/Printer/(.*/)?inf(/.*)? -+.br -+ /usr/lib/bjlib(/.*)? -+.br -+ /var/lib/iscan(/.*)? -+.br -+ /var/cache/cups(/.*)? -+.br -+ /etc/cups/certs/.* -+.br -+ /etc/opt/Brother/(.*/)?inf(/.*)? -+.br -+ /etc/cups/lpoptions.* -+.br -+ /var/cache/foomatic(/.*)? -+.br -+ /etc/cups/cupsd\.conf.* -+.br -+ /var/lib/cups/certs/.* -+.br -+ /opt/gutenprint/ppds(/.*)? -+.br -+ /opt/brother/Printers(.*/)?inf(/.*)? -+.br -+ /etc/cups/classes\.conf.* -+.br -+ /etc/cups/printers\.conf.* -+.br -+ /etc/cups/subscriptions.* -+.br -+ /usr/local/linuxprinter/ppd(/.*)? -+.br -+ /var/cache/alchemist/printconf.* -+.br -+ /etc/alchemist/namespace/printconf(/.*)? -+.br -+ /etc/cups/certs -+.br -+ /etc/cups/ppds\.dat -+.br -+ /var/lib/cups/certs -+.br -+ /usr/share/foomatic/db/oldprinterids -+.br -+ -+.br -+.B cupsd_tmp_t -+ -+ -+.br -+.B cupsd_var_run_t -+ -+ /var/ccpd(/.*)? -+.br -+ /var/ekpd(/.*)? -+.br -+ /var/run/cups(/.*)? -+.br -+ /var/turboprint(/.*)? -+.br -+ -+.br -+.B faillog_t -+ -+ /var/log/btmp.* -+.br -+ /var/run/faillock(/.*)? -+.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B krb5_host_rcache_t -+ -+ /var/cache/krb5rcache(/.*)? 
-+.br -+ /var/tmp/nfs_0 -+.br -+ /var/tmp/DNS_25 -+.br -+ /var/tmp/host_0 -+.br -+ /var/tmp/imap_0 -+.br -+ /var/tmp/HTTP_23 -+.br -+ /var/tmp/HTTP_48 -+.br -+ /var/tmp/ldap_55 -+.br -+ /var/tmp/ldap_487 -+.br -+ /var/tmp/ldapmap1_0 -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br -+.B print_spool_t -+ -+ /var/spool/lpd(/.*)? -+.br -+ /var/spool/cups(/.*)? -+.br -+ /var/spool/cups-pdf(/.*)? -+.br -+ -+.br -+.B samba_var_t -+ -+ /var/lib/samba(/.*)? -+.br -+ /var/cache/samba(/.*)? -+.br -+ /var/spool/samba(/.*)? -+.br -+ -+.br -+.B security_t -+ -+ /selinux -+.br -+ -+.br -+.B usbfs_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -18117,6 +33609,9 @@ index 0000000..89d22a6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -18128,15 +33623,15 @@ index 0000000..89d22a6 + +.SH "SEE ALSO" +selinux(8), cupsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, cups_pdf_selinux(8), cupsd_config_selinux(8), cupsd_lpd_selinux(8) ++, setsebool(8), cups_pdf_selinux(8), cupsd_config_selinux(8), cupsd_lpd_selinux(8) \ No newline at end of file diff --git a/man/man8/cvs_selinux.8 b/man/man8/cvs_selinux.8 new file mode 100644 -index 0000000..c477853 +index 0000000..bf6b85d --- /dev/null +++ b/man/man8/cvs_selinux.8 -@@ -0,0 +1,236 @@ -+.TH "cvs_selinux" "8" "12-11-01" "cvs" "SELinux Policy documentation for cvs" +@@ -0,0 +1,309 @@ ++.TH "cvs_selinux" "8" "13-01-16" "cvs" "SELinux Policy documentation for cvs" +.SH "NAME" +cvs_selinux \- Security Enhanced Linux Policy for the cvs processes +.SH "DESCRIPTION" @@ -18152,7 +33647,9 @@ index 0000000..c477853 + +.SH "ENTRYPOINTS" + -+The cvs_t SELinux type can be entered via the "cvs_exec_t" file type. The default entrypoint paths for the cvs_t domain are the following:" ++The cvs_t SELinux type can be entered via the \fBcvs_exec_t\fP file type. ++ ++The default entrypoint paths for the cvs_t domain are the following: + +/usr/bin/cvs +.SH PROCESS TYPES 
@@ -18170,92 +33667,108 @@ index 0000000..c477853 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cvs_t ++can be used to make the process type cvs_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. cvs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cvs with the tightest access possible. + + +.PP -+If you want to allow cvs daemon to read shadow, you must turn on the cvs_read_shadow boolean. ++If you want to determine whether cvs can read shadow password files, you must turn on the cvs_read_shadow boolean. Disabled by default. + +.EX +.B setsebool -P cvs_read_shadow 1 ++ +.EE + +.PP -+If you want to allow cvs daemon to read shadow, you must turn on the cvs_read_shadow boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P cvs_read_shadow 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux cvs policy is very flexible allowing users to setup their cvs processes in as secure a method as possible. -+.PP -+The following file types are defined for cvs: -+ ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
+ +.EX -+.PP -+.B cvs_data_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the cvs_data_t type, if you want to treat the files as cvs content. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B cvs_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the cvs_exec_t type, if you want to transition an executable to the cvs_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B cvs_initrc_exec_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the cvs_initrc_exec_t type, if you want to transition an executable to the cvs_initrc_t domain. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B cvs_keytab_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the cvs_keytab_t type, if you want to treat the files as kerberos keytab files. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B cvs_tmp_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the cvs_tmp_t type, if you want to store cvs temporary files in the /tmp directories. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B cvs_var_run_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the cvs_var_run_t type, if you want to store the cvs files under the /run directory. ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
+ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the cvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cvs_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -18301,48 +33814,103 @@ index 0000000..c477853 +.br +.B cvs_var_run_t + ++ /var/run/cvs\.pid ++.br + +.br +.B faillog_t + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux cvs policy is very flexible allowing users to setup their cvs processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cvs, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cvs_data_t '/srv/cvs/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycvs_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cvs: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B cvs_data_t +.EE + ++- Set files with the cvs_data_t type, if you want to treat the files as cvs content. ++ ++.br ++.TP 5 ++Paths: ++/opt/cvs(/.*)?, /var/cvs(/.*)? ++ ++.EX ++.PP ++.B cvs_exec_t ++.EE ++ ++- Set files with the cvs_exec_t type, if you want to transition an executable to the cvs_t domain. 
++ ++ ++.EX ++.PP ++.B cvs_initrc_exec_t ++.EE ++ ++- Set files with the cvs_initrc_exec_t type, if you want to transition an executable to the cvs_initrc_t domain. ++ ++ ++.EX ++.PP ++.B cvs_keytab_t ++.EE ++ ++- Set files with the cvs_keytab_t type, if you want to treat the files as kerberos keytab files. ++ ++ ++.EX ++.PP ++.B cvs_tmp_t ++.EE ++ ++- Set files with the cvs_tmp_t type, if you want to store cvs temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B cvs_var_run_t ++.EE ++ ++- Set files with the cvs_var_run_t type, if you want to store the cvs files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the cvs_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -18375,11 +33943,11 @@ index 0000000..c477853 \ No newline at end of file diff --git a/man/man8/cyphesis_selinux.8 b/man/man8/cyphesis_selinux.8 new file mode 100644 -index 0000000..247c016 +index 0000000..4631526 --- /dev/null +++ b/man/man8/cyphesis_selinux.8 -@@ -0,0 +1,154 @@ -+.TH "cyphesis_selinux" "8" "12-11-01" "cyphesis" "SELinux Policy documentation for cyphesis" +@@ -0,0 +1,265 @@ ++.TH "cyphesis_selinux" "8" "13-01-16" "cyphesis" "SELinux Policy documentation for cyphesis" +.SH "NAME" +cyphesis_selinux \- Security Enhanced Linux Policy for the cyphesis processes +.SH "DESCRIPTION" 
@@ -18395,7 +33963,9 @@ index 0000000..247c016 + +.SH "ENTRYPOINTS" + -+The cyphesis_t SELinux type can be entered via the "cyphesis_exec_t" file type. The default entrypoint paths for the cyphesis_t domain are the following:" ++The cyphesis_t SELinux type can be entered via the \fBcyphesis_exec_t\fP file type. ++ ++The default entrypoint paths for the cyphesis_t domain are the following: + +/usr/bin/cyphesis +.SH PROCESS TYPES 
@@ -18413,58 +33983,92 @@ index 0000000..247c016 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cyphesis_t ++can be used to make the process type cyphesis_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux cyphesis policy is very flexible allowing users to setup their cyphesis processes in as secure a method as possible. -+.PP -+The following file types are defined for cyphesis: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cyphesis policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cyphesis with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B cyphesis_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the cyphesis_exec_t type, if you want to transition an executable to the cyphesis_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B cyphesis_log_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the cyphesis_log_t type, if you want to treat the data as cyphesis log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B cyphesis_tmp_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the cyphesis_tmp_t type, if you want to store cyphesis temporary files in the /tmp directories. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B cyphesis_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the cyphesis_var_run_t type, if you want to store the cyphesis files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -18496,18 +34100,89 @@ index 0000000..247c016 +The SELinux process type cyphesis_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B cyphesis_log_t -+ -+ /var/log/cyphesis(/.*)? -+.br -+ -+.br +.B cyphesis_var_run_t + + /var/run/cyphesis(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux cyphesis policy is very flexible allowing users to setup their cyphesis processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cyphesis, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cyphesis_exec_t '/srv/cyphesis/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycyphesis_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cyphesis: ++ ++ ++.EX ++.PP ++.B cyphesis_exec_t ++.EE ++ ++- Set files with the cyphesis_exec_t type, if you want to transition an executable to the cyphesis_t domain. ++ ++ ++.EX ++.PP ++.B cyphesis_initrc_exec_t ++.EE ++ ++- Set files with the cyphesis_initrc_exec_t type, if you want to transition an executable to the cyphesis_initrc_t domain. ++ ++ ++.EX ++.PP ++.B cyphesis_log_t ++.EE ++ ++- Set files with the cyphesis_log_t type, if you want to treat the data as cyphesis log data, usually stored under the /var/log directory. 
++ ++ ++.EX ++.PP ++.B cyphesis_tmp_t ++.EE ++ ++- Set files with the cyphesis_tmp_t type, if you want to store cyphesis temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B cyphesis_var_run_t ++.EE ++ ++- Set files with the cyphesis_var_run_t type, if you want to store the cyphesis files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -18522,6 +34197,9 @@ index 0000000..247c016 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -18533,13 +34211,15 @@ index 0000000..247c016 + +.SH "SEE ALSO" +selinux(8), cyphesis(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/cyrus_selinux.8 b/man/man8/cyrus_selinux.8 new file mode 100644 -index 0000000..96f6359 +index 0000000..e8e411b --- /dev/null +++ b/man/man8/cyrus_selinux.8 -@@ -0,0 +1,170 @@ -+.TH "cyrus_selinux" "8" "12-11-01" "cyrus" "SELinux Policy documentation for cyrus" +@@ -0,0 +1,307 @@ ++.TH "cyrus_selinux" "8" "13-01-16" "cyrus" "SELinux Policy documentation for cyrus" +.SH "NAME" +cyrus_selinux \- Security Enhanced Linux Policy for the cyrus processes +.SH "DESCRIPTION" 
@@ -18555,7 +34235,9 @@ index 0000000..96f6359 + +.SH "ENTRYPOINTS" + -+The cyrus_t SELinux type can be entered via the "cyrus_exec_t" file type. The default entrypoint paths for the cyrus_t domain are the following:" ++The cyrus_t SELinux type can be entered via the \fBcyrus_exec_t\fP file type. ++ ++The default entrypoint paths for the cyrus_t domain are the following: + +/usr/lib/cyrus/master, /usr/lib/cyrus-imapd/cyrus-master +.SH PROCESS TYPES 
@@ -18573,8 +34255,164 @@ index 0000000..96f6359 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a cyrus_t ++can be used to make the process type cyrus_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. cyrus policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cyrus with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the cyrus_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cyrus_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type cyrus_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cyrus_tmp_t ++ ++ ++.br ++.B cyrus_var_lib_t ++ ++ /var/imap(/.*)? 
++.br ++ /var/lib/imap(/.*)? ++.br ++ ++.br ++.B cyrus_var_run_t ++ ++ /var/run/cyrus.* ++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -18584,7 +34422,20 @@ index 0000000..96f6359 +Policy governs the access confined processes have to these files. +SELinux cyrus policy is very flexible allowing users to setup their cyrus processes in as secure a method as possible. +.PP -+The following file types are defined for cyrus: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the cyrus, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t cyrus_exec_t '/srv/cyrus/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mycyrus_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for cyrus: + + +.EX @@ -18594,6 +34445,10 @@ index 0000000..96f6359 + +- Set files with the cyrus_exec_t type, if you want to transition an executable to the cyrus_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/cyrus/master, /usr/lib/cyrus-imapd/cyrus-master + +.EX +.PP @@ -18626,13 +34481,17 @@ index 0000000..96f6359 + +- Set files with the cyrus_var_lib_t type, if you want to store the cyrus files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/var/imap(/.*)?, /var/lib/imap(/.*)? + +.EX +.PP +.B cyrus_var_run_t +.EE + -+- Set files with the cyrus_var_run_t type, if you want to store the cyrus files under the /run directory. ++- Set files with the cyrus_var_run_t type, if you want to store the cyrus files under the /run or /var/run directory. + + +.PP 
@@ -18642,52 +34501,6 @@ index 0000000..96f6359 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type cyrus_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cyrus_tmp_t -+ -+ -+.br -+.B cyrus_var_lib_t -+ -+ /var/imap(/.*)? -+.br -+ /var/lib/imap(/.*)? -+.br -+ -+.br -+.B cyrus_var_run_t -+ -+ -+.br -+.B mail_spool_t -+ -+ /var/mail(/.*)? -+.br -+ /var/spool/imap(/.*)? -+.br -+ /var/spool/mail(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cyrus_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the cyrus_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -18698,6 +34511,9 @@ index 0000000..96f6359 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -18709,15 +34525,17 @@ index 0000000..96f6359 + +.SH "SEE ALSO" +selinux(8), cyrus(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/dbadm_selinux.8 b/man/man8/dbadm_selinux.8 new file mode 100644 -index 0000000..db93ad7 +index 0000000..4be248d --- /dev/null 
+++ b/man/man8/dbadm_selinux.8 -@@ -0,0 +1,225 @@ +@@ -0,0 +1,357 @@ +.TH "dbadm_selinux" "8" "dbadm" "mgrepl@redhat.com" "dbadm SELinux Policy documentation" +.SH "NAME" -+dbadm_r \- \fBDatabase administrator role\fP - Security Enhanced Linux Policy ++dbadm_r \- \fBDatabase administrator role.\fP - Security Enhanced Linux Policy + +.SH DESCRIPTION + 
@@ -18762,45 +34580,147 @@ index 0000000..db93ad7 + + +.PP -+If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean. -+ -+.EX -+.B setsebool -P postgresql_selinux_unconfined_dbadm 1 -+.EE -+ -+.PP -+If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean. ++If you want to determine whether dbadm can manage generic user files, you must turn on the dbadm_manage_user_files boolean. Disabled by default. + +.EX +.B setsebool -P dbadm_manage_user_files 1 ++ +.EE + +.PP -+If you want to allow dbadm to read files in users home directories, you must turn on the dbadm_read_user_files boolean. ++If you want to determine whether dbadm can read generic user files, you must turn on the dbadm_read_user_files boolean. Disabled by default. + +.EX +.B setsebool -P dbadm_read_user_files 1 ++ +.EE + +.PP -+If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean. Enabled by default. + +.EX +.B setsebool -P postgresql_selinux_unconfined_dbadm 1 ++ +.EE + +.PP -+If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean. ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Enabled by default. 
+ +.EX -+.B setsebool -P dbadm_manage_user_files 1 ++.B setsebool -P secure_mode 1 ++ +.EE + +.PP -+If you want to allow dbadm to read files in users home directories, you must turn on the dbadm_read_user_files boolean. ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. + +.EX -+.B setsebool -P dbadm_read_user_files 1 ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ +.EE + +.SH "MANAGED FILES" @@ -18828,6 +34748,8 @@ index 0000000..db93ad7 +.br + /home/[^/]*/\.my\.cnf +.br ++ /home/pwalsh/\.my\.cnf ++.br + /home/dwalsh/\.my\.cnf +.br + /var/lib/xguest/home/xguest/\.my\.cnf @@ -18894,6 +34816,8 @@ index 0000000..db93ad7 +.br + /var/log/sepostgresql\.log.* +.br ++ /var/lib/pgsql/data/pg_log(/.*)? ++.br + /var/lib/sepgsql/pgstartup\.log +.br + @@ -18915,6 +34839,32 @@ index 0000000..db93ad7 + /var/run/systemd/ask-password-block(/.*)? +.br + ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
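Review bot: several of the boolean paragraphs added to dbadm_selinux.8 describe the wrong behaviour or read as broken sentences, and because they are generated from the boolean descriptions in the policy, the fix belongs in those descriptions rather than in this patch. The deny_ptrace entry is inverted: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" tells an admin to enable a boolean named deny_ptrace in order to allow ptrace. The selinuxuser_execstack entry is a run-on of two descriptions ("If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. ... you must turn on the selinuxuser_execstack boolean"). The dbadm_manage_user_files and dbadm_read_user_files entries graft a "Determine whether ..." description onto the "If you want to ..." template and come out as "If you want to determine whether dbadm can manage generic user files", which does not say what the boolean does. "rather then using a sssd server" should be "rather than". Separately, the MANAGED FILES additions include "/home/pwalsh/\.my\.cnf", "/home/pwalsh/.+" and "/tmp/gconfd-pwalsh" alongside the existing dwalsh entries; these are per-user homedir contexts from the build host's policy store, not part of the shipped policy, so the pages should be regenerated from a clean store with no local users before being committed.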
@@ -18939,15 +34889,348 @@ index 0000000..db93ad7 + +.SH "SEE ALSO" +selinux(8), dbadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8) ++, setsebool(8), dbadm_sudo_selinux(8) +\ No newline at end of file +diff --git a/man/man8/dbadm_sudo_selinux.8 b/man/man8/dbadm_sudo_selinux.8 +new file mode 100644 +index 0000000..d0dda07 +--- /dev/null ++++ b/man/man8/dbadm_sudo_selinux.8 +@@ -0,0 +1,326 @@ ++.TH "dbadm_sudo_selinux" "8" "13-01-16" "dbadm_sudo" "SELinux Policy documentation for dbadm_sudo" ++.SH "NAME" ++dbadm_sudo_selinux \- Security Enhanced Linux Policy for the dbadm_sudo processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the dbadm_sudo processes via flexible mandatory access control. ++ ++The dbadm_sudo processes execute with the dbadm_sudo_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep dbadm_sudo_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The dbadm_sudo_t SELinux type can be entered via the \fBsudo_exec_t\fP file type. ++ ++The default entrypoint paths for the dbadm_sudo_t domain are the following: ++ ++/usr/bin/sudo(edit)? ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux dbadm_sudo policy is very flexible allowing users to setup their dbadm_sudo processes in as secure a method as possible. ++.PP ++The following process types are defined for dbadm_sudo: ++ ++.EX ++.B dbadm_sudo_t ++.EE ++.PP ++Note: ++.B semanage permissive -a dbadm_sudo_t ++can be used to make the process type dbadm_sudo_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. 
++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dbadm_sudo policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dbadm_sudo with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dbadm_sudo_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dbadm_sudo_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type dbadm_sudo_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B dbadm_sudo_tmp_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? 
++.br ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B pam_var_run_t ++ ++ /var/(db|lib|adm)/sudo(/.*)? ++.br ++ /var/run/sudo(/.*)? ++.br ++ /var/run/sepermit(/.*)? ++.br ++ /var/run/pam_mount(/.*)? ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B sudo_db_t ++ ++ /var/db/sudo(/.*)? ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), dbadm_sudo(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), dbadm_selinux(8), dbadm_selinux(8) \ No newline at end of file 
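Review bot: the SEE ALSO line of the new dbadm_sudo_selinux.8 lists the same page twice ("... setsebool(8), dbadm_selinux(8), dbadm_selinux(8)"); the generator should de-duplicate the cross-reference list before emitting it. Two more problems in the same file: the PROCESS TYPES text contains "\fBps\bP", which is not a valid troff escape (the closing font change is "\fP"), so groff will render the stray "bP" literally, and the MANAGED FILES section emits "cifs_t", "dbadm_sudo_tmp_t", "fusefs_t" and "nfs_t" as bold headings followed by nothing, which looks like a rendering fault to a reader; printing a short "(no default paths)" line for types with no file context entries would make the output self-explanatory. Minor grammar in the section lead: "Note the processes UID still need to have DAC permissions" should read "the process's UID still needs".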
diff --git a/man/man8/dbskkd_selinux.8 b/man/man8/dbskkd_selinux.8 new file mode 100644 -index 0000000..be5dff8 +index 0000000..87cb419 --- /dev/null +++ b/man/man8/dbskkd_selinux.8 -@@ -0,0 +1,154 @@ -+.TH "dbskkd_selinux" "8" "12-11-01" "dbskkd" "SELinux Policy documentation for dbskkd" +@@ -0,0 +1,249 @@ ++.TH "dbskkd_selinux" "8" "13-01-16" "dbskkd" "SELinux Policy documentation for dbskkd" +.SH "NAME" +dbskkd_selinux \- Security Enhanced Linux Policy for the dbskkd processes +.SH "DESCRIPTION" @@ -18963,7 +35246,9 @@ index 0000000..be5dff8 + +.SH "ENTRYPOINTS" + -+The dbskkd_t SELinux type can be entered via the "dbskkd_exec_t" file type. The default entrypoint paths for the dbskkd_t domain are the following:" ++The dbskkd_t SELinux type can be entered via the \fBdbskkd_exec_t\fP file type. ++ ++The default entrypoint paths for the dbskkd_t domain are the following: + +/usr/sbin/dbskkd-cdb +.SH PROCESS TYPES 
@@ -18981,50 +35266,100 @@ index 0000000..be5dff8 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dbskkd_t ++can be used to make the process type dbskkd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dbskkd policy is very flexible allowing users to setup their dbskkd processes in as secure a method as possible. -+.PP -+The following file types are defined for dbskkd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dbskkd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dbskkd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B dbskkd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the dbskkd_exec_t type, if you want to transition an executable to the dbskkd_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B dbskkd_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the dbskkd_tmp_t type, if you want to store dbskkd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. 
Enabled by default. + +.EX -+.PP -+.B dbskkd_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the dbskkd_var_run_t type, if you want to store the dbskkd files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dbskkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dbskkd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
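Review bot: the new BOOLEANS section of dbskkd_selinux.8 opens with "dbskkd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dbskkd with the tightest access possible", but every boolean it then lists (authlogin_nsswitch_use_ldap, deny_ptrace, domain_fd_use, domain_kernel_load_modules, fips_mode, global_ssp, kerberos_enabled, nis_enabled, nscd_use_shm) is a global tunable that applies to every domain; none of them is dbskkd-specific. An admin reading this page will conclude that, say, flipping domain_kernel_load_modules is a dbskkd tuning knob. The generator should either say plainly that these are system-wide booleans that also affect dbskkd_t, or list only booleans whose rules mention the domain, and the same wording appears in each generated page in this patch.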
@@ -19061,21 +35396,60 @@ index 0000000..be5dff8 +.B dbskkd_var_run_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dbskkd policy is very flexible allowing users to setup their dbskkd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dbskkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dbskkd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dbskkd_exec_t '/srv/dbskkd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydbskkd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dbskkd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B dbskkd_exec_t +.EE + ++- Set files with the dbskkd_exec_t type, if you want to transition an executable to the dbskkd_t domain. ++ ++ ++.EX ++.PP ++.B dbskkd_tmp_t ++.EE ++ ++- Set files with the dbskkd_tmp_t type, if you want to store dbskkd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B dbskkd_var_run_t ++.EE ++ ++- Set files with the dbskkd_var_run_t type, if you want to store the dbskkd files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the dbskkd_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -19090,6 +35464,9 @@ index 0000000..be5dff8 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -19101,13 +35478,15 @@ index 0000000..be5dff8 + +.SH "SEE ALSO" +selinux(8), dbskkd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/dcc_client_selinux.8 b/man/man8/dcc_client_selinux.8 new file mode 100644 -index 0000000..bba5677 +index 0000000..cc05fd5 --- /dev/null +++ b/man/man8/dcc_client_selinux.8 -@@ -0,0 +1,147 @@ -+.TH "dcc_client_selinux" "8" "12-11-01" "dcc_client" "SELinux Policy documentation for dcc_client" +@@ -0,0 +1,245 @@ ++.TH "dcc_client_selinux" "8" "13-01-16" "dcc_client" "SELinux Policy documentation for dcc_client" +.SH "NAME" +dcc_client_selinux \- Security Enhanced Linux Policy for the dcc_client processes +.SH "DESCRIPTION" @@ -19123,7 +35502,9 @@ index 0000000..bba5677 + +.SH "ENTRYPOINTS" + -+The dcc_client_t SELinux type can be entered via the "dcc_client_exec_t" file type. The default entrypoint paths for the dcc_client_t domain are the following:" ++The dcc_client_t SELinux type can be entered via the \fBdcc_client_exec_t\fP file type. ++ ++The default entrypoint paths for the dcc_client_t domain are the following: + +/usr/bin/dccproc +.SH PROCESS TYPES 
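Review bot: the worked example in the new STANDARD FILE CONTEXT subsection of dbskkd_selinux.8 does not work as written: the labeling rule is added for one path and restorecon is run on another ("semanage fcontext -a -t dbskkd_exec_t '/srv/dbskkd/content(/.*)?'" followed by "restorecon -R -v /srv/mydbskkd_content"), so copying the two commands leaves the new rule unapplied. The example also picks the domain's entrypoint type for a "content" tree; labeling a whole directory as dbskkd_exec_t makes every file in it a valid entrypoint into dbskkd_t, which is the opposite of what a content directory needs. Please have the generator use a data type such as dbskkd_var_run_t or dbskkd_tmp_t in the example, keep the two paths identical, and fix the typos in the lead-in ("diffent paths", "sepecify alternate labeling"). The "\fBls\bP" escape carried over from the old FILE CONTEXTS text should become "\fBls\fP". The same template text lands in every generated page of this patch, so one fix in sepolicy covers all of them.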
@@ -19141,50 +35522,100 @@ index 0000000..bba5677 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dcc_client_t ++can be used to make the process type dcc_client_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dcc_client policy is very flexible allowing users to setup their dcc_client processes in as secure a method as possible. -+.PP -+The following file types are defined for dcc_client: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dcc_client policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dcc_client with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B dcc_client_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the dcc_client_exec_t type, if you want to transition an executable to the dcc_client_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B dcc_client_map_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the dcc_client_map_t type, if you want to treat the files as dcc client map data. 
-+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B dcc_client_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the dcc_client_tmp_t type, if you want to store dcc client temporary files in the /tmp directories. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dcc_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dcc_client_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
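Review bot: the "Enabled by default" and "Disabled by default" annotations added to the dcc_client_selinux.8 boolean entries need to be checked against the tunable defaults in the policy sources (and against getsebool on a freshly installed policy) before this ships. The page states that deny_ptrace is "Enabled by default", which combined with its inverted description ("If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean") would tell an admin to turn on a setting that is already on to get ptrace working. A wrong default in a man page is worse than no default, because admins act on it; if the generator cannot read the real default reliably, it should omit the sentence.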
@@ -19216,21 +35647,64 @@ index 0000000..bba5677 + /var/lib/dcc(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dcc_client policy is very flexible allowing users to setup their dcc_client processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dcc_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dcc_client, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dcc_client_exec_t '/srv/dcc_client/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydcc_client_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dcc_client: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B dcc_client_exec_t +.EE + ++- Set files with the dcc_client_exec_t type, if you want to transition an executable to the dcc_client_t domain. ++ ++ ++.EX ++.PP ++.B dcc_client_map_t ++.EE ++ ++- Set files with the dcc_client_map_t type, if you want to treat the files as dcc client map data. ++ ++.br ++.TP 5 ++Paths: ++/etc/dcc/map, /var/dcc/map, /var/lib/dcc/map, /var/run/dcc/map ++ ++.EX ++.PP ++.B dcc_client_tmp_t ++.EE ++ ++- Set files with the dcc_client_tmp_t type, if you want to store dcc client temporary files in the /tmp directories. 
++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the dcc_client_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -19242,6 +35716,9 @@ index 0000000..bba5677 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -19253,15 +35730,15 @@ index 0000000..bba5677 + +.SH "SEE ALSO" +selinux(8), dcc_client(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, dcc_dbclean_selinux(8), dccd_selinux(8), dccifd_selinux(8), dccm_selinux(8) ++, setsebool(8), dcc_dbclean_selinux(8), dccd_selinux(8), dccifd_selinux(8), dccm_selinux(8) \ No newline at end of file diff --git a/man/man8/dcc_dbclean_selinux.8 b/man/man8/dcc_dbclean_selinux.8 new file mode 100644 -index 0000000..e4168aa +index 0000000..c9fe28f --- /dev/null +++ b/man/man8/dcc_dbclean_selinux.8 -@@ -0,0 +1,139 @@ -+.TH "dcc_dbclean_selinux" "8" "12-11-01" "dcc_dbclean" "SELinux Policy documentation for dcc_dbclean" +@@ -0,0 +1,237 @@ ++.TH "dcc_dbclean_selinux" "8" "13-01-16" "dcc_dbclean" "SELinux Policy documentation for dcc_dbclean" +.SH "NAME" +dcc_dbclean_selinux \- Security Enhanced Linux Policy for the dcc_dbclean processes +.SH "DESCRIPTION" 
@@ -19277,9 +35754,11 @@ index 0000000..e4168aa + +.SH "ENTRYPOINTS" + -+The dcc_dbclean_t SELinux type can be entered via the "dcc_dbclean_exec_t" file type. The default entrypoint paths for the dcc_dbclean_t domain are the following:" ++The dcc_dbclean_t SELinux type can be entered via the \fBdcc_dbclean_exec_t\fP file type. + -+/usr/libexec/dcc/dbclean ++The default entrypoint paths for the dcc_dbclean_t domain are the following: ++ ++/usr/sbin/dbclean, /usr/libexec/dcc/dbclean +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
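Review bot: the ENTRYPOINTS line of dcc_dbclean_selinux.8 now reads "/usr/sbin/dbclean, /usr/libexec/dcc/dbclean", which means a file context entry labeling /usr/sbin/dbclean as dcc_dbclean_exec_t has been (or must be) added to the policy; this man page is generated, so please make sure the corresponding .fc change is in the policy part of this update rather than only in the regenerated documentation. A path as generic as /usr/sbin/dbclean is also worth a second look: if any package other than dcc installs a binary by that name, it will be labeled as a dcc_dbclean_t entrypoint and confined by a policy written for a different program.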
@@ -19295,42 +35774,100 @@ index 0000000..e4168aa +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dcc_dbclean_t ++can be used to make the process type dcc_dbclean_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dcc_dbclean policy is very flexible allowing users to setup their dcc_dbclean processes in as secure a method as possible. -+.PP -+The following file types are defined for dcc_dbclean: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dcc_dbclean policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dcc_dbclean with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B dcc_dbclean_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the dcc_dbclean_exec_t type, if you want to transition an executable to the dcc_dbclean_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B dcc_dbclean_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the dcc_dbclean_tmp_t type, if you want to store dcc dbclean temporary files in the /tmp directories. 
++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dcc_dbclean_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dcc_dbclean_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -19362,21 +35899,56 @@ index 0000000..e4168aa + /var/lib/dcc(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dcc_dbclean policy is very flexible allowing users to setup their dcc_dbclean processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dcc_dbclean_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dcc_dbclean, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dcc_dbclean_exec_t '/srv/dcc_dbclean/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydcc_dbclean_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dcc_dbclean: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B dcc_dbclean_exec_t +.EE + ++- Set files with the dcc_dbclean_exec_t type, if you want to transition an executable to the dcc_dbclean_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/dbclean, /usr/libexec/dcc/dbclean ++ ++.EX ++.PP ++.B dcc_dbclean_tmp_t ++.EE ++ ++- Set files with the dcc_dbclean_tmp_t type, if you want to store dcc dbclean temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the dcc_dbclean_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -19388,6 +35960,9 @@ index 0000000..e4168aa +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -19399,15 +35974,15 @@ index 0000000..e4168aa + +.SH "SEE ALSO" +selinux(8), dcc_dbclean(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, dcc_client_selinux(8), dccd_selinux(8), dccifd_selinux(8), dccm_selinux(8) ++, setsebool(8), dcc_client_selinux(8), dccd_selinux(8), dccifd_selinux(8), dccm_selinux(8) \ No newline at end of file diff --git a/man/man8/dccd_selinux.8 b/man/man8/dccd_selinux.8 new file mode 100644 -index 0000000..ea14c8d +index 0000000..76cec1a --- /dev/null +++ b/man/man8/dccd_selinux.8 -@@ -0,0 +1,190 @@ -+.TH "dccd_selinux" "8" "12-11-01" "dccd" "SELinux Policy documentation for dccd" +@@ -0,0 +1,320 @@ ++.TH "dccd_selinux" "8" "13-01-16" "dccd" "SELinux Policy documentation for dccd" +.SH "NAME" +dccd_selinux \- Security Enhanced Linux Policy for the dccd processes +.SH "DESCRIPTION" @@ -19423,9 +35998,11 @@ index 0000000..ea14c8d + +.SH "ENTRYPOINTS" + -+The dccd_t SELinux type can be entered via the "dccd_exec_t" file type. The default entrypoint paths for the dccd_t domain are the following:" ++The dccd_t SELinux type can be entered via the \fBdccd_exec_t\fP file type. + -+/usr/libexec/dcc/dccd ++The default entrypoint paths for the dccd_t domain are the following: ++ ++/usr/sbin/dccd, /usr/libexec/dcc/dccd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -19441,50 +36018,124 @@ index 0000000..ea14c8d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dccd_t ++can be used to make the process type dccd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible. -+.PP -+The following file types are defined for dccd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dccd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dccd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B dccd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the dccd_exec_t type, if you want to transition an executable to the dccd_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B dccd_tmp_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the dccd_tmp_t type, if you want to store dccd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ +.EX -+.PP -+.B dccd_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the dccd_var_run_t type, if you want to store the dccd files under the /run directory. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -19556,21 +36207,72 @@ index 0000000..ea14c8d +.B dccd_var_run_t + + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dccd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dccd_exec_t '/srv/dccd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydccd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dccd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B dccd_exec_t +.EE + ++- Set files with the dccd_exec_t type, if you want to transition an executable to the dccd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/dccd, /usr/libexec/dcc/dccd ++ ++.EX ++.PP ++.B dccd_tmp_t ++.EE ++ ++- Set files with the dccd_tmp_t type, if you want to store dccd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B dccd_var_run_t ++.EE ++ ++- Set files with the dccd_var_run_t type, if you want to store the dccd files under the /run or /var/run directory. 
++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -19585,6 +36287,9 @@ index 0000000..ea14c8d +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -19596,15 +36301,15 @@ index 0000000..ea14c8d + +.SH "SEE ALSO" +selinux(8), dccd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, dcc_client_selinux(8), dcc_dbclean_selinux(8), dccifd_selinux(8), dccm_selinux(8) ++, setsebool(8), dcc_client_selinux(8), dcc_dbclean_selinux(8), dccifd_selinux(8), dccm_selinux(8) \ No newline at end of file diff --git a/man/man8/dccifd_selinux.8 b/man/man8/dccifd_selinux.8 new file mode 100644 -index 0000000..3c8baf4 +index 0000000..7bcfa41 --- /dev/null +++ b/man/man8/dccifd_selinux.8 -@@ -0,0 +1,154 @@ -+.TH "dccifd_selinux" "8" "12-11-01" "dccifd" "SELinux Policy documentation for dccifd" +@@ -0,0 +1,289 @@ ++.TH "dccifd_selinux" "8" "13-01-16" "dccifd" "SELinux Policy documentation for dccifd" +.SH "NAME" +dccifd_selinux \- Security Enhanced Linux Policy for the dccifd processes +.SH "DESCRIPTION" 
@@ -19620,9 +36325,11 @@ index 0000000..3c8baf4 + +.SH "ENTRYPOINTS" + -+The dccifd_t SELinux type can be entered via the "dccifd_exec_t" file type. The default entrypoint paths for the dccifd_t domain are the following:" ++The dccifd_t SELinux type can be entered via the \fBdccifd_exec_t\fP file type. + -+/usr/libexec/dcc/dccifd ++The default entrypoint paths for the dccifd_t domain are the following: ++ ++/usr/sbin/dccifd, /usr/libexec/dcc/dccifd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -19638,50 +36345,124 @@ index 0000000..3c8baf4 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dccifd_t ++can be used to make the process type dccifd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dccifd policy is very flexible allowing users to setup their dccifd processes in as secure a method as possible. -+.PP -+The following file types are defined for dccifd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dccifd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dccifd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B dccifd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the dccifd_exec_t type, if you want to transition an executable to the dccifd_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B dccifd_tmp_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the dccifd_tmp_t type, if you want to store dccifd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. 
Disabled by default. + +.EX -+.PP -+.B dccifd_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the dccifd_var_run_t type, if you want to store the dccifd files under the /run directory. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dccifd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dccifd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -19721,21 +36502,76 @@ index 0000000..3c8baf4 + /var/run/dcc/dccifd +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dccifd policy is very flexible allowing users to setup their dccifd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccifd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dccifd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dccifd_exec_t '/srv/dccifd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydccifd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dccifd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B dccifd_exec_t +.EE + ++- Set files with the dccifd_exec_t type, if you want to transition an executable to the dccifd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/dccifd, /usr/libexec/dcc/dccifd ++ ++.EX ++.PP ++.B dccifd_tmp_t ++.EE ++ ++- Set files with the dccifd_tmp_t type, if you want to store dccifd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B dccifd_var_run_t ++.EE ++ ++- Set files with the dccifd_var_run_t type, if you want to store the dccifd files under the /run or /var/run directory. 
++ ++.br ++.TP 5 ++Paths: ++/etc/dcc/dccifd, /var/run/dcc/dccifd ++ +.PP -+If you want to allow confined applications to run with kerberos for the dccifd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -19747,6 +36583,9 @@ index 0000000..3c8baf4 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -19758,13 +36597,15 @@ index 0000000..3c8baf4 + +.SH "SEE ALSO" +selinux(8), dccifd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/dccm_selinux.8 b/man/man8/dccm_selinux.8 new file mode 100644 -index 0000000..58a004a +index 0000000..d452ca3 --- /dev/null +++ b/man/man8/dccm_selinux.8 -@@ -0,0 +1,178 @@ -+.TH "dccm_selinux" "8" "12-11-01" "dccm" "SELinux Policy documentation for dccm" +@@ -0,0 +1,309 @@ ++.TH "dccm_selinux" "8" "13-01-16" "dccm" "SELinux Policy documentation for dccm" +.SH "NAME" +dccm_selinux \- Security Enhanced Linux Policy for the dccm processes +.SH "DESCRIPTION" 
@@ -19780,9 +36621,11 @@ index 0000000..58a004a + +.SH "ENTRYPOINTS" + -+The dccm_t SELinux type can be entered via the "dccm_exec_t" file type. The default entrypoint paths for the dccm_t domain are the following:" ++The dccm_t SELinux type can be entered via the \fBdccm_exec_t\fP file type. + -+/usr/libexec/dcc/dccm ++The default entrypoint paths for the dccm_t domain are the following: ++ ++/usr/sbin/dccm, /usr/libexec/dcc/dccm +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -19798,50 +36641,124 @@ index 0000000..58a004a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dccm_t ++can be used to make the process type dccm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dccm policy is very flexible allowing users to setup their dccm processes in as secure a method as possible. -+.PP -+The following file types are defined for dccm: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dccm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dccm with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B dccm_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the dccm_exec_t type, if you want to transition an executable to the dccm_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B dccm_tmp_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the dccm_tmp_t type, if you want to store dccm temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ +.EX -+.PP -+.B dccm_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the dccm_var_run_t type, if you want to store the dccm files under the /run directory. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dccm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dccm_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -19902,21 +36819,72 @@ index 0000000..58a004a +.B dccm_var_run_t + + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dccm policy is very flexible allowing users to setup their dccm processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dccm, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dccm_exec_t '/srv/dccm/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydccm_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dccm: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B dccm_exec_t +.EE + ++- Set files with the dccm_exec_t type, if you want to transition an executable to the dccm_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/dccm, /usr/libexec/dcc/dccm ++ ++.EX ++.PP ++.B dccm_tmp_t ++.EE ++ ++- Set files with the dccm_tmp_t type, if you want to store dccm temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B dccm_var_run_t ++.EE ++ ++- Set files with the dccm_var_run_t type, if you want to store the dccm files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the dccm_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -19931,6 +36899,9 @@ index 0000000..58a004a +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -19942,13 +36913,15 @@ index 0000000..58a004a + +.SH "SEE ALSO" +selinux(8), dccm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/dcerpcd_selinux.8 b/man/man8/dcerpcd_selinux.8 new file mode 100644 -index 0000000..857f141 +index 0000000..c6d567b --- /dev/null +++ b/man/man8/dcerpcd_selinux.8 -@@ -0,0 +1,124 @@ -+.TH "dcerpcd_selinux" "8" "12-11-01" "dcerpcd" "SELinux Policy documentation for dcerpcd" +@@ -0,0 +1,231 @@ ++.TH "dcerpcd_selinux" "8" "13-01-16" "dcerpcd" "SELinux Policy documentation for dcerpcd" +.SH "NAME" +dcerpcd_selinux \- Security Enhanced Linux Policy for the dcerpcd processes +.SH "DESCRIPTION" @@ -19964,9 +36937,11 @@ index 0000000..857f141 + +.SH "ENTRYPOINTS" + -+The dcerpcd_t SELinux type can be entered via the "dcerpcd_exec_t" file type. The default entrypoint paths for the dcerpcd_t domain are the following:" ++The dcerpcd_t SELinux type can be entered via the \fBdcerpcd_exec_t\fP file type. + -+/usr/sbin/dcerpcd ++The default entrypoint paths for the dcerpcd_t domain are the following: ++ ++/usr/sbin/dcerpcd, /opt/likewise/sbin/dcerpcd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -19982,8 +36957,100 @@ index 0000000..857f141 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dcerpcd_t ++can be used to make the process type dcerpcd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dcerpcd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dcerpcd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type dcerpcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B dcerpcd_var_lib_t ++ ++ /var/lib/likewise/run/rpcdep\.dat ++.br ++ /var/lib/likewise-open/run/rpcdep\.dat ++.br ++ ++.br ++.B dcerpcd_var_run_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -19993,7 +37060,20 @@ index 0000000..857f141 +Policy governs the access confined processes have to these files. +SELinux dcerpcd policy is very flexible allowing users to setup their dcerpcd processes in as secure a method as possible. +.PP -+The following file types are defined for dcerpcd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dcerpcd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dcerpcd_exec_t '/srv/dcerpcd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydcerpcd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dcerpcd: + + +.EX 
@@ -20003,6 +37083,10 @@ index 0000000..857f141 + +- Set files with the dcerpcd_exec_t type, if you want to transition an executable to the dcerpcd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/dcerpcd, /opt/likewise/sbin/dcerpcd + +.EX +.PP @@ -20011,13 +37095,17 @@ index 0000000..857f141 + +- Set files with the dcerpcd_var_lib_t type, if you want to store the dcerpcd files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/likewise/run/rpcdep\.dat, /var/lib/likewise-open/run/rpcdep\.dat + +.EX +.PP +.B dcerpcd_var_run_t +.EE + -+- Set files with the dcerpcd_var_run_t type, if you want to store the dcerpcd files under the /run directory. ++- Set files with the dcerpcd_var_run_t type, if you want to store the dcerpcd files under the /run or /var/run directory. + + +.EX @@ -20027,6 +37115,10 @@ index 0000000..857f141 + +- Set files with the dcerpcd_var_socket_t type, if you want to treat the files as dcerpcd var socket data. + ++.br ++.TP 5 ++Paths: ++/var/lib/likewise/rpc/epmapper, /var/lib/likewise-open/rpc/epmapper + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -20035,22 +37127,6 @@ index 0000000..857f141 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type dcerpcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B dcerpcd_var_lib_t -+ -+ /var/lib/likewise-open/run/rpcdep.dat -+.br -+ -+.br -+.B dcerpcd_var_run_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -20061,6 +37137,9 @@ index 0000000..857f141 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -20072,13 +37151,15 @@ index 0000000..857f141 + +.SH "SEE ALSO" +selinux(8), dcerpcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ddclient_selinux.8 b/man/man8/ddclient_selinux.8 new file mode 100644 -index 0000000..43a6aa0 +index 0000000..e7b7538 --- /dev/null +++ b/man/man8/ddclient_selinux.8 -@@ -0,0 +1,176 @@ -+.TH "ddclient_selinux" "8" "12-11-01" "ddclient" "SELinux Policy documentation for ddclient" +@@ -0,0 +1,283 @@ ++.TH "ddclient_selinux" "8" "13-01-16" "ddclient" "SELinux Policy documentation for ddclient" +.SH "NAME" +ddclient_selinux \- Security Enhanced Linux Policy for the ddclient processes +.SH "DESCRIPTION" @@ -20094,7 +37175,9 @@ index 0000000..43a6aa0 + +.SH "ENTRYPOINTS" + -+The ddclient_t SELinux type can be entered via the "ddclient_exec_t" file type. The default entrypoint paths for the ddclient_t domain are the following:" ++The ddclient_t SELinux type can be entered via the \fBddclient_exec_t\fP file type. ++ ++The default entrypoint paths for the ddclient_t domain are the following: + +/usr/sbin/ddtcd, /usr/sbin/ddclient +.SH PROCESS TYPES 
@@ -20112,8 +37195,120 @@ index 0000000..43a6aa0 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ddclient_t ++can be used to make the process type ddclient_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ddclient policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ddclient with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type ddclient_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B ddclient_tmp_t ++ ++ ++.br ++.B ddclient_var_lib_t ++ ++ /var/lib/ddt-client(/.*)? ++.br ++ ++.br ++.B ddclient_var_run_t ++ ++ /var/run/ddtcd\.pid ++.br ++ /var/run/ddclient\.pid ++.br ++ ++.br ++.B ddclient_var_t ++ ++ /var/cache/ddclient(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -20123,7 +37318,20 @@ index 0000000..43a6aa0 +Policy governs the access confined processes have to these files. +SELinux ddclient policy is very flexible allowing users to setup their ddclient processes in as secure a method as possible. +.PP -+The following file types are defined for ddclient: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ddclient, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ddclient_etc_t '/srv/ddclient/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myddclient_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ddclient: + + +.EX @@ -20133,6 +37341,10 @@ index 0000000..43a6aa0 + +- Set files with the ddclient_etc_t type, if you want to store ddclient files in the /etc directories. + ++.br ++.TP 5 ++Paths: ++/etc/ddtcd\.conf, /etc/ddclient\.conf + +.EX +.PP @@ -20141,6 +37353,10 @@ index 0000000..43a6aa0 + +- Set files with the ddclient_exec_t type, if you want to transition an executable to the ddclient_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/ddtcd, /usr/sbin/ddclient + +.EX +.PP @@ -20179,8 +37395,12 @@ index 0000000..43a6aa0 +.B ddclient_var_run_t +.EE + -+- Set files with the ddclient_var_run_t type, if you want to store the ddclient files under the /run directory. ++- Set files with the ddclient_var_run_t type, if you want to store the ddclient files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/ddtcd\.pid, /var/run/ddclient\.pid + +.EX +.PP 
@@ -20197,42 +37417,6 @@ index 0000000..43a6aa0 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type ddclient_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B ddclient_log_t -+ -+ /var/log/ddtcd\.log.* -+.br -+ -+.br -+.B ddclient_tmp_t -+ -+ -+.br -+.B ddclient_var_lib_t -+ -+ /var/lib/ddt-client(/.*)? -+.br -+ -+.br -+.B ddclient_var_run_t -+ -+ /var/run/ddtcd\.pid -+.br -+ /var/run/ddclient\.pid -+.br -+ -+.br -+.B ddclient_var_t -+ -+ /var/cache/ddclient(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -20243,6 +37427,9 @@ index 0000000..43a6aa0 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -20254,13 +37441,15 @@ index 0000000..43a6aa0 + +.SH "SEE ALSO" +selinux(8), ddclient(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/deltacloudd_selinux.8 b/man/man8/deltacloudd_selinux.8 new file mode 100644 -index 0000000..c0b2b2f +index 0000000..2ac7358 --- /dev/null +++ b/man/man8/deltacloudd_selinux.8 -@@ -0,0 +1,142 @@ -+.TH "deltacloudd_selinux" "8" "12-11-01" "deltacloudd" "SELinux Policy documentation for deltacloudd" +@@ -0,0 +1,269 @@ ++.TH "deltacloudd_selinux" "8" "13-01-16" "deltacloudd" "SELinux Policy documentation for deltacloudd" +.SH "NAME" +deltacloudd_selinux \- Security Enhanced Linux Policy for the deltacloudd processes +.SH "DESCRIPTION" 
@@ -20276,7 +37465,9 @@ index 0000000..c0b2b2f + +.SH "ENTRYPOINTS" + -+The deltacloudd_t SELinux type can be entered via the "deltacloudd_exec_t" file type. The default entrypoint paths for the deltacloudd_t domain are the following:" ++The deltacloudd_t SELinux type can be entered via the \fBdeltacloudd_exec_t\fP file type. ++ ++The default entrypoint paths for the deltacloudd_t domain are the following: + +/usr/bin/deltacloudd +.SH PROCESS TYPES 
@@ -20294,8 +37485,150 @@ index 0000000..c0b2b2f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a deltacloudd_t ++can be used to make the process type deltacloudd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. deltacloudd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run deltacloudd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the deltacloudd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the deltacloudd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type deltacloudd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B deltacloudd_log_t ++ ++ /var/log/deltacloud-core(/.*)? 
++.br ++ ++.br ++.B deltacloudd_tmp_t ++ ++ ++.br ++.B deltacloudd_var_run_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -20305,7 +37638,20 @@ index 0000000..c0b2b2f +Policy governs the access confined processes have to these files. +SELinux deltacloudd policy is very flexible allowing users to setup their deltacloudd processes in as secure a method as possible. +.PP -+The following file types are defined for deltacloudd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the deltacloudd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t deltacloudd_exec_t '/srv/deltacloudd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydeltacloudd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for deltacloudd: + + +.EX @@ -20337,7 +37683,7 @@ index 0000000..c0b2b2f +.B deltacloudd_var_run_t +.EE + -+- Set files with the deltacloudd_var_run_t type, if you want to store the deltacloudd files under the /run directory. ++- Set files with the deltacloudd_var_run_t type, if you want to store the deltacloudd files under the /run or /var/run directory. + + +.PP 
@@ -20347,40 +37693,6 @@ index 0000000..c0b2b2f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type deltacloudd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B deltacloudd_log_t -+ -+ /var/log/deltacloud-core(/.*)? -+.br -+ -+.br -+.B deltacloudd_tmp_t -+ -+ -+.br -+.B deltacloudd_var_run_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the deltacloudd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the deltacloudd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -20391,6 +37703,9 @@ index 0000000..c0b2b2f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -20402,13 +37717,15 @@ index 0000000..c0b2b2f + +.SH "SEE ALSO" +selinux(8), deltacloudd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/denyhosts_selinux.8 b/man/man8/denyhosts_selinux.8 new file mode 100644 -index 0000000..ec75026 +index 0000000..5eb9c7a --- /dev/null 
+++ b/man/man8/denyhosts_selinux.8 -@@ -0,0 +1,174 @@ -+.TH "denyhosts_selinux" "8" "12-11-01" "denyhosts" "SELinux Policy documentation for denyhosts" +@@ -0,0 +1,297 @@ ++.TH "denyhosts_selinux" "8" "13-01-16" "denyhosts" "SELinux Policy documentation for denyhosts" +.SH "NAME" +denyhosts_selinux \- Security Enhanced Linux Policy for the denyhosts processes +.SH "DESCRIPTION" @@ -20424,7 +37741,9 @@ index 0000000..ec75026 + +.SH "ENTRYPOINTS" + -+The denyhosts_t SELinux type can be entered via the "denyhosts_exec_t" file type. The default entrypoint paths for the denyhosts_t domain are the following:" ++The denyhosts_t SELinux type can be entered via the \fBdenyhosts_exec_t\fP file type. ++ ++The default entrypoint paths for the denyhosts_t domain are the following: + +/usr/bin/denyhosts\.py +.SH PROCESS TYPES 
@@ -20442,8 +37761,170 @@ index 0000000..ec75026 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a denyhosts_t ++can be used to make the process type denyhosts_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. denyhosts policy is extremely flexible and has several booleans that allow you to manipulate the policy and run denyhosts with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the denyhosts_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the denyhosts_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type denyhosts_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B denyhosts_var_lib_t ++ ++ /var/lib/denyhosts(/.*)? 
++.br ++ ++.br ++.B denyhosts_var_lock_t ++ ++ /var/lock/subsys/denyhosts ++.br ++ ++.br ++.B net_conf_t ++ ++ /etc/hosts[^/]* ++.br ++ /etc/yp\.conf.* ++.br ++ /etc/denyhosts.* ++.br ++ /etc/hosts\.deny.* ++.br ++ /etc/resolv\.conf.* ++.br ++ /etc/sysconfig/networking(/.*)? ++.br ++ /etc/sysconfig/network-scripts(/.*)? ++.br ++ /etc/sysconfig/network-scripts/.*resolv\.conf ++.br ++ /etc/ethers ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -20453,7 +37934,20 @@ index 0000000..ec75026 +Policy governs the access confined processes have to these files. +SELinux denyhosts policy is very flexible allowing users to setup their denyhosts processes in as secure a method as possible. +.PP -+The following file types are defined for denyhosts: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the denyhosts, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t denyhosts_exec_t '/srv/denyhosts/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydenyhosts_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for denyhosts: + + +.EX 
@@ -20503,64 +37997,6 @@ index 0000000..ec75026 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type denyhosts_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B denyhosts_var_lib_t -+ -+ /var/lib/denyhosts(/.*)? -+.br -+ -+.br -+.B denyhosts_var_lock_t -+ -+ /var/lock/subsys/denyhosts -+.br -+ -+.br -+.B net_conf_t -+ -+ /etc/ntpd?\.conf.* -+.br -+ /etc/hosts[^/]* -+.br -+ /etc/yp\.conf.* -+.br -+ /etc/denyhosts.* -+.br -+ /etc/hosts\.deny.* -+.br -+ /etc/resolv\.conf.* -+.br -+ /etc/ntp/step-tickers.* -+.br -+ /etc/sysconfig/networking(/.*)? -+.br -+ /etc/sysconfig/network-scripts(/.*)? -+.br -+ /etc/sysconfig/network-scripts/.*resolv\.conf -+.br -+ /etc/ethers -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the denyhosts_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the denyhosts_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -20571,6 +38007,9 @@ index 0000000..ec75026 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -20582,13 +38021,15 @@ index 0000000..ec75026 + +.SH "SEE ALSO" +selinux(8), denyhosts(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
diff --git a/man/man8/depmod_selinux.8 b/man/man8/depmod_selinux.8 new file mode 100644 -index 0000000..86e670e +index 0000000..c7fa9fa --- /dev/null +++ b/man/man8/depmod_selinux.8 -@@ -0,0 +1,112 @@ -+.TH "depmod_selinux" "8" "12-11-01" "depmod" "SELinux Policy documentation for depmod" +@@ -0,0 +1,219 @@ ++.TH "depmod_selinux" "8" "13-01-16" "depmod" "SELinux Policy documentation for depmod" +.SH "NAME" +depmod_selinux \- Security Enhanced Linux Policy for the depmod processes +.SH "DESCRIPTION" @@ -20604,7 +38045,9 @@ index 0000000..86e670e + +.SH "ENTRYPOINTS" + -+The depmod_t SELinux type can be entered via the "depmod_exec_t" file type. The default entrypoint paths for the depmod_t domain are the following:" ++The depmod_t SELinux type can be entered via the \fBdepmod_exec_t\fP file type. ++ ++The default entrypoint paths for the depmod_t domain are the following: + +/sbin/depmod.*, /usr/sbin/depmod.* +.SH PROCESS TYPES 
@@ -20622,34 +38065,92 @@ index 0000000..86e670e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a depmod_t ++can be used to make the process type depmod_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux depmod policy is very flexible allowing users to setup their depmod processes in as secure a method as possible. -+.PP -+The following file types are defined for depmod: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. depmod policy is extremely flexible and has several booleans that allow you to manipulate the policy and run depmod with the tightest access possible. + + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ +.EX -+.PP -+.B depmod_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the depmod_exec_t type, if you want to transition an executable to the depmod_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -20672,12 +38173,55 @@ index 0000000..86e670e +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux depmod policy is very flexible allowing users to setup their depmod processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the depmod, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t depmod_exec_t '/srv/depmod/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydepmod_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for depmod: ++ ++ ++.EX ++.PP ++.B depmod_exec_t ++.EE ++ ++- Set files with the depmod_exec_t type, if you want to transition an executable to the depmod_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/depmod.*, /usr/sbin/depmod.* ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -20689,6 +38233,9 @@ index 0000000..86e670e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -20700,13 +38247,15 @@ index 0000000..86e670e + +.SH "SEE ALSO" +selinux(8), depmod(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/devicekit_disk_selinux.8 b/man/man8/devicekit_disk_selinux.8 new file mode 100644 -index 0000000..cbce236 +index 0000000..1a6f42a --- /dev/null +++ b/man/man8/devicekit_disk_selinux.8 -@@ -0,0 +1,163 @@ -+.TH "devicekit_disk_selinux" "8" "12-11-01" "devicekit_disk" "SELinux Policy documentation for devicekit_disk" +@@ -0,0 +1,293 @@ ++.TH "devicekit_disk_selinux" "8" "13-01-16" "devicekit_disk" "SELinux Policy documentation for devicekit_disk" +.SH "NAME" +devicekit_disk_selinux \- Security Enhanced Linux Policy for the devicekit_disk processes +.SH "DESCRIPTION" @@ -20722,7 +38271,9 @@ index 0000000..cbce236 + +.SH "ENTRYPOINTS" + -+The devicekit_disk_t SELinux type can be entered via the "devicekit_disk_exec_t" file type. The default entrypoint paths for the devicekit_disk_t domain are the following:" ++The devicekit_disk_t SELinux type can be entered via the \fBdevicekit_disk_exec_t\fP file type. ++ ++The default entrypoint paths for the devicekit_disk_t domain are the following: + +/lib/udisks2/udisksd, /lib/udev/udisks-part-id, /usr/lib/udisks2/udisksd, /usr/libexec/udisks-daemon, /usr/lib/udev/udisks-part-id, /usr/lib/udisks/udisks-daemon, /usr/libexec/devkit-disks-daemon +.SH PROCESS TYPES 
@@ -20740,34 +38291,124 @@ index 0000000..cbce236 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a devicekit_disk_t ++can be used to make the process type devicekit_disk_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux devicekit_disk policy is very flexible allowing users to setup their devicekit_disk processes in as secure a method as possible. -+.PP -+The following file types are defined for devicekit_disk: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. devicekit_disk policy is extremely flexible and has several booleans that allow you to manipulate the policy and run devicekit_disk with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B devicekit_disk_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the devicekit_disk_exec_t type, if you want to transition an executable to the devicekit_disk_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the devicekit_disk_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the devicekit_disk_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -20820,6 +38461,14 @@ index 0000000..cbce236 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B sysfs_t + + /sys(/.*)? 
@@ -20831,21 +38480,48 @@ index 0000000..cbce236 + all virtual image files +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux devicekit_disk policy is very flexible allowing users to setup their devicekit_disk processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_disk_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the devicekit_disk, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t devicekit_disk_exec_t '/srv/devicekit_disk/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydevicekit_disk_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for devicekit_disk: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B devicekit_disk_exec_t +.EE + ++- Set files with the devicekit_disk_exec_t type, if you want to transition an executable to the devicekit_disk_t domain. ++ ++.br ++.TP 5 ++Paths: ++/lib/udisks2/udisksd, /lib/udev/udisks-part-id, /usr/lib/udisks2/udisksd, /usr/libexec/udisks-daemon, /usr/lib/udev/udisks-part-id, /usr/lib/udisks/udisks-daemon, /usr/libexec/devkit-disks-daemon ++ +.PP -+If you want to allow confined applications to run with kerberos for the devicekit_disk_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -20857,6 +38533,9 @@ index 0000000..cbce236 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -20868,15 +38547,15 @@ index 0000000..cbce236 + +.SH "SEE ALSO" +selinux(8), devicekit_disk(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, devicekit_selinux(8), devicekit_selinux(8), devicekit_power_selinux(8) ++, setsebool(8), devicekit_selinux(8), devicekit_selinux(8), devicekit_power_selinux(8) \ No newline at end of file diff --git a/man/man8/devicekit_power_selinux.8 b/man/man8/devicekit_power_selinux.8 new file mode 100644 -index 0000000..ef9c4c3 +index 0000000..06e3857 --- /dev/null +++ b/man/man8/devicekit_power_selinux.8 -@@ -0,0 +1,193 @@ -+.TH "devicekit_power_selinux" "8" "12-11-01" "devicekit_power" "SELinux Policy documentation for devicekit_power" +@@ -0,0 +1,331 @@ ++.TH "devicekit_power_selinux" "8" "13-01-16" "devicekit_power" "SELinux Policy documentation for devicekit_power" +.SH "NAME" +devicekit_power_selinux \- Security Enhanced Linux Policy for the devicekit_power processes +.SH "DESCRIPTION" 
@@ -20892,9 +38571,11 @@ index 0000000..ef9c4c3 + +.SH "ENTRYPOINTS" + -+The devicekit_power_t SELinux type can be entered via the "devicekit_power_exec_t" file type. The default entrypoint paths for the devicekit_power_t domain are the following:" ++The devicekit_power_t SELinux type can be entered via the \fBdevicekit_power_exec_t\fP file type. + -+/usr/libexec/upowerd, /usr/libexec/devkit-power-daemon ++The default entrypoint paths for the devicekit_power_t domain are the following: ++ ++/usr/libexec/upowerd, /usr/lib/upower/upowerd, /usr/libexec/devkit-power-daemon +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -20910,34 +38591,124 @@ index 0000000..ef9c4c3 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a devicekit_power_t ++can be used to make the process type devicekit_power_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux devicekit_power policy is very flexible allowing users to setup their devicekit_power processes in as secure a method as possible. -+.PP -+The following file types are defined for devicekit_power: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. devicekit_power policy is extremely flexible and has several booleans that allow you to manipulate the policy and run devicekit_power with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B devicekit_power_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the devicekit_power_exec_t type, if you want to transition an executable to the devicekit_power_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the devicekit_power_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -20964,6 +38735,14 @@ index 0000000..ef9c4c3 +.br + /home/[^/]*/\.Xdefaults +.br ++ /home/pwalsh/\.kde(/.*)? ++.br ++ /home/pwalsh/\.xine(/.*)? ++.br ++ /home/pwalsh/\.config(/.*)? ++.br ++ /home/pwalsh/\.Xdefaults ++.br + /home/dwalsh/\.kde(/.*)? +.br + /home/dwalsh/\.xine(/.*)? @@ -21018,6 +38797,14 @@ index 0000000..ef9c4c3 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B sysfs_t + + /sys(/.*)? 
@@ -21031,21 +38818,48 @@ index 0000000..ef9c4c3 + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux devicekit_power policy is very flexible allowing users to setup their devicekit_power processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the devicekit_power, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t devicekit_power_exec_t '/srv/devicekit_power/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydevicekit_power_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for devicekit_power: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B devicekit_power_exec_t +.EE + ++- Set files with the devicekit_power_exec_t type, if you want to transition an executable to the devicekit_power_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/upowerd, /usr/lib/upower/upowerd, /usr/libexec/devkit-power-daemon ++ +.PP -+If you want to allow confined applications to run with kerberos for the devicekit_power_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -21057,6 +38871,9 @@ index 0000000..ef9c4c3 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -21068,15 +38885,15 @@ index 0000000..ef9c4c3 + +.SH "SEE ALSO" +selinux(8), devicekit_power(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, devicekit_selinux(8), devicekit_selinux(8), devicekit_disk_selinux(8) ++, setsebool(8), devicekit_selinux(8), devicekit_selinux(8), devicekit_disk_selinux(8) \ No newline at end of file diff --git a/man/man8/devicekit_selinux.8 b/man/man8/devicekit_selinux.8 new file mode 100644 -index 0000000..94f8331 +index 0000000..71e7e82 --- /dev/null +++ b/man/man8/devicekit_selinux.8 -@@ -0,0 +1,167 @@ -+.TH "devicekit_selinux" "8" "12-11-01" "devicekit" "SELinux Policy documentation for devicekit" +@@ -0,0 +1,281 @@ ++.TH "devicekit_selinux" "8" "13-01-16" "devicekit" "SELinux Policy documentation for devicekit" +.SH "NAME" +devicekit_selinux \- Security Enhanced Linux Policy for the devicekit processes +.SH "DESCRIPTION" @@ -21092,7 +38909,9 @@ index 0000000..94f8331 + +.SH "ENTRYPOINTS" + -+The devicekit_t SELinux type can be entered via the "devicekit_exec_t" file type. The default entrypoint paths for the devicekit_t domain are the following:" ++The devicekit_t SELinux type can be entered via the \fBdevicekit_exec_t\fP file type. ++ ++The default entrypoint paths for the devicekit_t domain are the following: + +/usr/libexec/devkit-daemon +.SH PROCESS TYPES 
@@ -21110,82 +38929,92 @@ index 0000000..94f8331 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a devicekit_t ++can be used to make the process type devicekit_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux devicekit policy is very flexible allowing users to setup their devicekit processes in as secure a method as possible. -+.PP -+The following file types are defined for devicekit: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. devicekit policy is extremely flexible and has several booleans that allow you to manipulate the policy and run devicekit with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B devicekit_disk_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the devicekit_disk_exec_t type, if you want to transition an executable to the devicekit_disk_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B devicekit_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the devicekit_exec_t type, if you want to transition an executable to the devicekit_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B devicekit_power_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the devicekit_power_exec_t type, if you want to transition an executable to the devicekit_power_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B devicekit_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the devicekit_tmp_t type, if you want to store devicekit temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B devicekit_var_lib_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the devicekit_var_lib_t type, if you want to store the devicekit files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B devicekit_var_log_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the devicekit_var_log_t type, if you want to treat the data as devicekit var log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B devicekit_var_run_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the devicekit_var_run_t type, if you want to store the devicekit files under the /run directory. ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the devicekit_disk_t, devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the devicekit_disk_t, devicekit_power_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -21205,21 +39034,120 @@ index 0000000..94f8331 + /var/run/DeviceKit-disks(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux devicekit policy is very flexible allowing users to setup their devicekit processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_disk_t, devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the devicekit, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t devicekit_disk_exec_t '/srv/devicekit/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydevicekit_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for devicekit: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B devicekit_disk_exec_t +.EE + ++- Set files with the devicekit_disk_exec_t type, if you want to transition an executable to the devicekit_disk_t domain. ++ ++.br ++.TP 5 ++Paths: ++/lib/udisks2/udisksd, /lib/udev/udisks-part-id, /usr/lib/udisks2/udisksd, /usr/libexec/udisks-daemon, /usr/lib/udev/udisks-part-id, /usr/lib/udisks/udisks-daemon, /usr/libexec/devkit-disks-daemon ++ ++.EX ++.PP ++.B devicekit_exec_t ++.EE ++ ++- Set files with the devicekit_exec_t type, if you want to transition an executable to the devicekit_t domain. 
++ ++ ++.EX ++.PP ++.B devicekit_power_exec_t ++.EE ++ ++- Set files with the devicekit_power_exec_t type, if you want to transition an executable to the devicekit_power_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/upowerd, /usr/lib/upower/upowerd, /usr/libexec/devkit-power-daemon ++ ++.EX ++.PP ++.B devicekit_tmp_t ++.EE ++ ++- Set files with the devicekit_tmp_t type, if you want to store devicekit temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B devicekit_var_lib_t ++.EE ++ ++- Set files with the devicekit_var_lib_t type, if you want to store the devicekit files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/udisks.*, /var/lib/upower(/.*)?, /var/lib/DeviceKit-.* ++ ++.EX ++.PP ++.B devicekit_var_log_t ++.EE ++ ++- Set files with the devicekit_var_log_t type, if you want to treat the data as devicekit var log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/pm-suspend\.log.*, /var/log/pm-powersave\.log.* ++ ++.EX ++.PP ++.B devicekit_var_run_t ++.EE ++ ++- Set files with the devicekit_var_run_t type, if you want to store the devicekit files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/udisks.*, /var/run/devkit(/.*)?, /var/run/upower(/.*)?, /var/run/pm-utils(/.*)?, /var/run/DeviceKit-disks(/.*)? ++ +.PP -+If you want to allow confined applications to run with kerberos for the devicekit_disk_t, devicekit_power_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -21231,6 +39159,9 @@ index 0000000..94f8331 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -21242,15 +39173,15 @@ index 0000000..94f8331 + +.SH "SEE ALSO" +selinux(8), devicekit(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, devicekit_disk_selinux(8), devicekit_power_selinux(8) ++, setsebool(8), devicekit_disk_selinux(8), devicekit_power_selinux(8) \ No newline at end of file diff --git a/man/man8/dhcpc_selinux.8 b/man/man8/dhcpc_selinux.8 new file mode 100644 -index 0000000..b0c446f +index 0000000..6a40501 --- /dev/null +++ b/man/man8/dhcpc_selinux.8 -@@ -0,0 +1,256 @@ -+.TH "dhcpc_selinux" "8" "12-11-01" "dhcpc" "SELinux Policy documentation for dhcpc" +@@ -0,0 +1,397 @@ ++.TH "dhcpc_selinux" "8" "13-01-16" "dhcpc" "SELinux Policy documentation for dhcpc" +.SH "NAME" +dhcpc_selinux \- Security Enhanced Linux Policy for the dhcpc processes +.SH "DESCRIPTION" @@ -21266,7 +39197,9 @@ index 0000000..b0c446f + +.SH "ENTRYPOINTS" + -+The dhcpc_t SELinux type can be entered via the "dhcpc_exec_t" file type. The default entrypoint paths for the dhcpc_t domain are the following:" ++The dhcpc_t SELinux type can be entered via the \fBdhcpc_exec_t\fP file type. ++ ++The default entrypoint paths for the dhcpc_t domain are the following: + +/sbin/dhclient.*, /usr/sbin/dhclient.*, /sbin/pump, /sbin/dhcdbd, /sbin/dhcpcd, /usr/sbin/pump, /usr/sbin/dhcdbd, /usr/sbin/dhcpcd +.SH PROCESS TYPES 
@@ -21284,84 +39217,132 @@ index 0000000..b0c446f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dhcpc_t ++can be used to make the process type dhcpc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. dhcpc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpc with the tightest access possible. + + +.PP -+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean. ++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean. Disabled by default. + +.EX +.B setsebool -P dhcpc_exec_iptables 1 ++ +.EE + +.PP -+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P dhcpc_exec_iptables 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dhcpc policy is very flexible allowing users to setup their dhcpc processes in as secure a method as possible. 
-+.PP -+The following file types are defined for dhcpc: -+ ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B dhcpc_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the dhcpc_exec_t type, if you want to transition an executable to the dhcpc_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B dhcpc_helper_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the dhcpc_helper_exec_t type, if you want to transition an executable to the dhcpc_helper_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B dhcpc_state_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the dhcpc_state_t type, if you want to treat the files as dhcpc state data. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B dhcpc_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the dhcpc_tmp_t type, if you want to store dhcpc temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B dhcpc_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the dhcpc_var_run_t type, if you want to store the dhcpc files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dhcpc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -21384,15 +39365,35 @@ index 0000000..b0c446f + + +Default Defined Ports: -+tcp 68,546 ++tcp 68,546,5546 +.EE -+udp 68,546 ++udp 68,546,5546 +.EE +.SH "MANAGED FILES" + +The SELinux process type dhcpc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B NetworkManager_var_lib_t ++ ++ /var/lib/wicd(/.*)? ++.br ++ /var/lib/NetworkManager(/.*)? ++.br ++ /etc/dhcp/wired-settings.conf ++.br ++ /etc/wicd/wired-settings.conf ++.br ++ /etc/dhcp/manager-settings.conf ++.br ++ /etc/wicd/manager-settings.conf ++.br ++ /etc/dhcp/wireless-settings.conf ++.br ++ /etc/wicd/wireless-settings.conf ++.br ++ ++.br +.B dhcpc_state_t + + /var/lib/dhcp3?/dhclient.* @@ -21431,8 +39432,6 @@ index 0000000..b0c446f +.br +.B net_conf_t + -+ /etc/ntpd?\.conf.* -+.br + /etc/hosts[^/]* +.br + /etc/yp\.conf.* @@ -21443,8 +39442,6 @@ index 0000000..b0c446f +.br + /etc/resolv\.conf.* +.br -+ /etc/ntp/step-tickers.* -+.br + /etc/sysconfig/networking(/.*)? +.br + /etc/sysconfig/network-scripts(/.*)? @@ -21455,6 +39452,14 @@ index 0000000..b0c446f +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B systemd_passwd_var_run_t + + /var/run/systemd/ask-password(/.*)? 
@@ -21462,21 +39467,88 @@ index 0000000..b0c446f + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dhcpc policy is very flexible allowing users to setup their dhcpc processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dhcpc, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dhcpc_exec_t '/srv/dhcpc/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydhcpc_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dhcpc: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B dhcpc_exec_t +.EE + ++- Set files with the dhcpc_exec_t type, if you want to transition an executable to the dhcpc_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/dhclient.*, /usr/sbin/dhclient.*, /sbin/pump, /sbin/dhcdbd, /sbin/dhcpcd, /usr/sbin/pump, /usr/sbin/dhcdbd, /usr/sbin/dhcpcd ++ ++.EX ++.PP ++.B dhcpc_helper_exec_t ++.EE ++ ++- Set files with the dhcpc_helper_exec_t type, if you want to transition an executable to the dhcpc_helper_t domain. ++ ++ ++.EX ++.PP ++.B dhcpc_state_t ++.EE ++ ++- Set files with the dhcpc_state_t type, if you want to treat the files as dhcpc state data. 
++ ++.br ++.TP 5 ++Paths: ++/var/lib/dhcp3?/dhclient.*, /var/lib/dhcpcd(/.*)?, /var/lib/dhclient(/.*)?, /var/lib/wifiroamd(/.*)? ++ ++.EX ++.PP ++.B dhcpc_tmp_t ++.EE ++ ++- Set files with the dhcpc_tmp_t type, if you want to store dhcpc temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B dhcpc_var_run_t ++.EE ++ ++- Set files with the dhcpc_var_run_t type, if you want to store the dhcpc files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/dhcpcd(/.*)?, /var/run/dhclient.* ++ +.PP -+If you want to allow confined applications to run with kerberos for the dhcpc_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -21509,11 +39581,11 @@ index 0000000..b0c446f \ No newline at end of file diff --git a/man/man8/dhcpd_selinux.8 b/man/man8/dhcpd_selinux.8 new file mode 100644 -index 0000000..73cc04d +index 0000000..75c2434 --- /dev/null +++ b/man/man8/dhcpd_selinux.8 -@@ -0,0 +1,239 @@ -+.TH "dhcpd_selinux" "8" "12-11-01" "dhcpd" "SELinux Policy documentation for dhcpd" +@@ -0,0 +1,342 @@ ++.TH "dhcpd_selinux" "8" "13-01-16" "dhcpd" "SELinux Policy documentation for dhcpd" +.SH "NAME" +dhcpd_selinux \- Security Enhanced Linux Policy for the dhcpd processes +.SH "DESCRIPTION" 
@@ -21529,7 +39601,9 @@ index 0000000..73cc04d + +.SH "ENTRYPOINTS" + -+The dhcpd_t SELinux type can be entered via the "dhcpd_exec_t" file type. The default entrypoint paths for the dhcpd_t domain are the following:" ++The dhcpd_t SELinux type can be entered via the \fBdhcpd_exec_t\fP file type. ++ ++The default entrypoint paths for the dhcpd_t domain are the following: + +/usr/sbin/dhcpd.* +.SH PROCESS TYPES 
@@ -21547,106 +39621,132 @@ index 0000000..73cc04d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dhcpd_t ++can be used to make the process type dhcpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. dhcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpd with the tightest access possible. + + +.PP -+If you want to allow DHCP daemon to use LDAP backends, you must turn on the dhcpd_use_ldap boolean. ++If you want to determine whether DHCP daemon can use LDAP backends, you must turn on the dhcpd_use_ldap boolean. Disabled by default. + +.EX +.B setsebool -P dhcpd_use_ldap 1 ++ +.EE + +.PP -+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P dhcpc_exec_iptables 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow DHCP daemon to use LDAP backends, you must turn on the dhcpd_use_ldap boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P dhcpd_use_ldap 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. 
Disabled by default. + +.EX -+.B setsebool -P dhcpc_exec_iptables 1 ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible. -+.PP -+The following file types are defined for dhcpd: -+ ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B dhcpd_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the dhcpd_exec_t type, if you want to transition an executable to the dhcpd_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B dhcpd_initrc_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the dhcpd_initrc_exec_t type, if you want to transition an executable to the dhcpd_initrc_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B dhcpd_state_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the dhcpd_state_t type, if you want to treat the files as dhcpd state data. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B dhcpd_tmp_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the dhcpd_tmp_t type, if you want to store dhcpd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. 
Enabled by default. + +.EX -+.PP -+.B dhcpd_unit_file_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the dhcpd_unit_file_t type, if you want to treat the files as dhcpd unit content. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B dhcpd_var_run_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the dhcpd_var_run_t type, if you want to store the dhcpd files under the /run directory. ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dhcpd_t, dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dhcpd_t, dhcpc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -21669,9 +39769,9 @@ index 0000000..73cc04d + + +Default Defined Ports: -+tcp 68,546 ++tcp 68,546,5546 +.EE -+udp 68,546 ++udp 68,546,5546 +.EE + +.EX 
@@ -21708,21 +39808,96 @@ index 0000000..73cc04d + /var/run/dhcpd(6)?\.pid +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dhcpd_t, dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dhcpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dhcpd_exec_t '/srv/dhcpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydhcpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dhcpd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B dhcpd_exec_t +.EE + ++- Set files with the dhcpd_exec_t type, if you want to transition an executable to the dhcpd_t domain. ++ ++ ++.EX ++.PP ++.B dhcpd_initrc_exec_t ++.EE ++ ++- Set files with the dhcpd_initrc_exec_t type, if you want to transition an executable to the dhcpd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B dhcpd_state_t ++.EE ++ ++- Set files with the dhcpd_state_t type, if you want to treat the files as dhcpd state data. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/dhcp(3)?/dhcpd\.leases.*, /var/lib/dhcpd(/.*)? 
++ ++.EX ++.PP ++.B dhcpd_tmp_t ++.EE ++ ++- Set files with the dhcpd_tmp_t type, if you want to store dhcpd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B dhcpd_unit_file_t ++.EE ++ ++- Set files with the dhcpd_unit_file_t type, if you want to treat the files as dhcpd unit content. ++ ++ ++.EX ++.PP ++.B dhcpd_var_run_t ++.EE ++ ++- Set files with the dhcpd_var_run_t type, if you want to store the dhcpd files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the dhcpd_t, dhcpc_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -21755,11 +39930,11 @@ index 0000000..73cc04d \ No newline at end of file diff --git a/man/man8/dictd_selinux.8 b/man/man8/dictd_selinux.8 new file mode 100644 -index 0000000..cb1309a +index 0000000..a7a10b3 --- /dev/null +++ b/man/man8/dictd_selinux.8 -@@ -0,0 +1,168 @@ -+.TH "dictd_selinux" "8" "12-11-01" "dictd" "SELinux Policy documentation for dictd" +@@ -0,0 +1,295 @@ ++.TH "dictd_selinux" "8" "13-01-16" "dictd" "SELinux Policy documentation for dictd" +.SH "NAME" +dictd_selinux \- Security Enhanced Linux Policy for the dictd processes +.SH "DESCRIPTION" @@ -21775,7 +39950,9 @@ index 0000000..cb1309a + +.SH "ENTRYPOINTS" + -+The dictd_t SELinux type can be entered via the "dictd_exec_t" file type. The default entrypoint paths for the dictd_t domain are the following:" ++The dictd_t SELinux type can be entered via the \fBdictd_exec_t\fP file type. ++ ++The default entrypoint paths for the dictd_t domain are the following: + +/usr/sbin/dictd +.SH PROCESS TYPES 
@@ -21793,8 +39970,165 @@ index 0000000..cb1309a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dictd_t ++can be used to make the process type dictd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dictd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dictd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dictd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dictd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. 
++SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible. ++.PP ++The following port types are defined for dictd: ++ ++.EX ++.TP 5 ++.B dict_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 2628 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type dictd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B dictd_var_run_t ++ ++ /var/run/dictd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -21804,7 +40138,20 @@ index 0000000..cb1309a +Policy governs the access confined processes have to these files. +SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible. +.PP -+The following file types are defined for dictd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dictd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dictd_etc_t '/srv/dictd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydictd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dictd: + + +.EX @@ -21844,7 +40191,7 @@ index 0000000..cb1309a +.B dictd_var_run_t +.EE + -+- Set files with the dictd_var_run_t type, if you want to store the dictd files under the /run directory. ++- Set files with the dictd_var_run_t type, if you want to store the dictd files under the /run or /var/run directory. + + +.PP 
@@ -21854,55 +40201,6 @@ index 0000000..cb1309a +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux dictd policy is very flexible allowing users to setup their dictd processes in as secure a method as possible. -+.PP -+The following port types are defined for dictd: -+ -+.EX -+.TP 5 -+.B dict_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 2628 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type dictd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B dictd_var_run_t -+ -+ /var/run/dictd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dictd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the dictd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -21916,6 +40214,9 @@ index 0000000..cb1309a +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -21927,13 +40228,15 @@ index 0000000..cb1309a + +.SH "SEE ALSO" +selinux(8), dictd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
diff --git a/man/man8/dirsrv_selinux.8 b/man/man8/dirsrv_selinux.8 new file mode 100644 -index 0000000..301dd74 +index 0000000..c159e40 --- /dev/null +++ b/man/man8/dirsrv_selinux.8 -@@ -0,0 +1,333 @@ -+.TH "dirsrv_selinux" "8" "12-11-01" "dirsrv" "SELinux Policy documentation for dirsrv" +@@ -0,0 +1,468 @@ ++.TH "dirsrv_selinux" "8" "13-01-16" "dirsrv" "SELinux Policy documentation for dirsrv" +.SH "NAME" +dirsrv_selinux \- Security Enhanced Linux Policy for the dirsrv processes +.SH "DESCRIPTION" @@ -21949,7 +40252,9 @@ index 0000000..301dd74 + +.SH "ENTRYPOINTS" + -+The dirsrv_t SELinux type can be entered via the "dirsrv_exec_t" file type. The default entrypoint paths for the dirsrv_t domain are the following:" ++The dirsrv_t SELinux type can be entered via the \fBdirsrv_exec_t\fP file type. ++ ++The default entrypoint paths for the dirsrv_t domain are the following: + +/usr/sbin/ns-slapd +.SH PROCESS TYPES 
@@ -21967,163 +40272,125 @@ index 0000000..301dd74 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dirsrv_t ++can be used to make the process type dirsrv_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dirsrv policy is very flexible allowing users to setup their dirsrv processes in as secure a method as possible. -+.PP -+The following file types are defined for dirsrv: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dirsrv policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dirsrv with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B dirsrv_config_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the dirsrv_config_t type, if you want to treat the files as dirsrv configuration data, usually stored under the /etc directory. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B dirsrv_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the dirsrv_exec_t type, if you want to transition an executable to the dirsrv_t domain. 
-+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B dirsrv_share_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the dirsrv_share_t type, if you want to treat the files as dirsrv share data. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B dirsrv_snmp_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the dirsrv_snmp_exec_t type, if you want to transition an executable to the dirsrv_snmp_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B dirsrv_snmp_var_log_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the dirsrv_snmp_var_log_t type, if you want to treat the data as dirsrv snmp var log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B dirsrv_snmp_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the dirsrv_snmp_var_run_t type, if you want to store the dirsrv snmp files under the /run directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B dirsrv_tmp_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the dirsrv_tmp_t type, if you want to store dirsrv temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
+ +.EX -+.PP -+.B dirsrv_tmpfs_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the dirsrv_tmpfs_t type, if you want to store dirsrv files on a tmpfs file system. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B dirsrv_var_lib_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the dirsrv_var_lib_t type, if you want to store the dirsrv files under the /var/lib directory. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B dirsrv_var_lock_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the dirsrv_var_lock_t type, if you want to treat the files as dirsrv var lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.PP -+.B dirsrv_var_log_t ++.B setsebool -P nis_enabled 1 ++ +.EE + -+- Set files with the dirsrv_var_log_t type, if you want to treat the data as dirsrv var log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. + +.EX -+.PP -+.B dirsrv_var_run_t ++.B setsebool -P nscd_use_shm 1 ++ +.EE + -+- Set files with the dirsrv_var_run_t type, if you want to store the dirsrv files under the /run directory. ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dirsrv_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
+ +.EX -+.PP -+.B dirsrvadmin_config_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the dirsrvadmin_config_t type, if you want to treat the files as dirsrvadmin configuration data, usually stored under the /etc directory. -+ ++.PP ++If you want to allow confined applications to run with kerberos for the dirsrv_t, you must turn on the kerberos_enabled boolean. + +.EX -+.PP -+.B dirsrvadmin_exec_t ++.B setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the dirsrvadmin_exec_t type, if you want to transition an executable to the dirsrvadmin_t domain. -+ -+ -+.EX -+.PP -+.B dirsrvadmin_lock_t -+.EE -+ -+- Set files with the dirsrvadmin_lock_t type, if you want to treat the files as dirsrvadmin lock data, stored under the /var/lock directory -+ -+ -+.EX -+.PP -+.B dirsrvadmin_tmp_t -+.EE -+ -+- Set files with the dirsrvadmin_tmp_t type, if you want to store dirsrvadmin temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B dirsrvadmin_unconfined_script_exec_t -+.EE -+ -+- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you want to transition an executable to the dirsrvadmin_unconfined_script_t domain. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH "MANAGED FILES" + +The SELinux process type dirsrv_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. @@ -22171,12 +40438,12 @@ index 0000000..301dd74 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B krb5_host_rcache_t 
@@ -22205,21 +40472,15 @@ index 0000000..301dd74 +.br +.B lastlog_t + -+ /var/log/lastlog ++ /var/log/lastlog.* +.br + +.br -+.B pcscd_var_run_t ++.B root_t + -+ /var/run/pcscd(/.*)? ++ / +.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm ++ /initrd +.br + +.br 
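Review bot: the MANAGED FILES list for dirsrv_t now shows `root_t` with paths `/` and `/initrd`, which reads as an unconditional permission to create and write files in the filesystem root. If this comes from the daemons_dump_core rule (that boolean's own description elsewhere in this patch is "allow all daemons to write corefiles to /", disabled by default), the generated page should mark the entry as boolean-gated; if it is not boolean-gated, the policy change itself needs a justification, since nothing in the changelog asks for dirsrv to write under /. The same hunk silently drops `pcscd_var_run_t` (`/var/run/pcscd(/.*)?` and the pcscd `.events`, `.pid`, `.pub` and `.comm` entries) from what dirsrv_t may manage; if dirsrv no longer needs pcscd access that is a tightening worth a changelog line, and if it still talks to pcscd this is a regression.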
@@ -22228,97 +40489,63 @@ index 0000000..301dd74 + /selinux +.br + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dirsrv_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the dirsrv_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. -+ -+.SH "SEE ALSO" -+selinux(8), dirsrv(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, dirsrv_snmp_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_unconfined_script_selinux(8) -\ No newline at end of file -diff --git a/man/man8/dirsrv_snmp_selinux.8 b/man/man8/dirsrv_snmp_selinux.8 -new file mode 100644 -index 0000000..658d718 ---- /dev/null -+++ b/man/man8/dirsrv_snmp_selinux.8 -@@ -0,0 +1,137 @@ -+.TH "dirsrv_snmp_selinux" "8" "12-11-01" "dirsrv_snmp" "SELinux Policy documentation for dirsrv_snmp" -+.SH "NAME" -+dirsrv_snmp_selinux \- Security Enhanced Linux Policy for the dirsrv_snmp processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the dirsrv_snmp processes via flexible mandatory access control. -+ -+The dirsrv_snmp processes execute with the dirsrv_snmp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
-+ -+For example: -+ -+.B ps -eZ | grep dirsrv_snmp_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The dirsrv_snmp_t SELinux type can be entered via the "dirsrv_snmp_exec_t" file type. The default entrypoint paths for the dirsrv_snmp_t domain are the following:" -+ -+/usr/sbin/ldap-agent-bin -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux dirsrv_snmp policy is very flexible allowing users to setup their dirsrv_snmp processes in as secure a method as possible. -+.PP -+The following process types are defined for dirsrv_snmp: -+ -+.EX -+.B dirsrv_snmp_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP +Policy governs the access confined processes have to these files. -+SELinux dirsrv_snmp policy is very flexible allowing users to setup their dirsrv_snmp processes in as secure a method as possible. ++SELinux dirsrv policy is very flexible allowing users to setup their dirsrv processes in as secure a method as possible. +.PP -+The following file types are defined for dirsrv_snmp: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++dirsrv policy stores data with multiple different file context types under the /var/log/dirsrv directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. 
If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/dirsrv /srv/dirsrv ++.br ++.B restorecon -R -v /srv/dirsrv ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dirsrv, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dirsrv_config_t '/srv/dirsrv/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydirsrv_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dirsrv: ++ ++ ++.EX ++.PP ++.B dirsrv_config_t ++.EE ++ ++- Set files with the dirsrv_config_t type, if you want to treat the files as dirsrv configuration data, usually stored under the /etc directory. ++ ++ ++.EX ++.PP ++.B dirsrv_exec_t ++.EE ++ ++- Set files with the dirsrv_exec_t type, if you want to transition an executable to the dirsrv_t domain. ++ ++ ++.EX ++.PP ++.B dirsrv_share_t ++.EE ++ ++- Set files with the dirsrv_share_t type, if you want to treat the files as dirsrv share data. + + +.EX 
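Review bot: in the new STANDARD FILE CONTEXT text for dirsrv, the worked example registers a label for `/srv/dirsrv/content(/.*)?` but then runs `restorecon -R -v /srv/mydirsrv_content`, a different path, so a reader who copies both commands never relabels the directory they just registered; the second line should be `restorecon -R -v /srv/dirsrv/content`. The same passage has three typos: "dirctory", "in a diffent paths" (should be "in different paths") and "sepecify". The EQUIVALENCE DIRECTORIES example is correct as written, but it maps only the /var/log/dirsrv tree while the sentence before it talks about relocating dirsrv data in general; say explicitly that this moves the logs only, or the reader will expect the dirsrv_var_lib_t data to follow.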
@@ -22342,127 +40569,55 @@ index 0000000..658d718 +.B dirsrv_snmp_var_run_t +.EE + -+- Set files with the dirsrv_snmp_var_run_t type, if you want to store the dirsrv snmp files under the /run directory. ++- Set files with the dirsrv_snmp_var_run_t type, if you want to store the dirsrv snmp files under the /run or /var/run directory. + + -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ -+.SH "MANAGED FILES" -+ -+The SELinux process type dirsrv_snmp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B dirsrv_snmp_var_log_t -+ -+ /var/log/dirsrv/ldap-agent.log.* -+.br -+ -+.br -+.B dirsrv_snmp_var_run_t -+ -+ /var/run/ldap-agent\.pid -+.br -+ -+.br -+.B dirsrv_tmpfs_t -+ -+ -+.br -+.B snmpd_var_lib_t -+ -+ /var/agentx(/.*)? -+.br -+ /var/lib/snmp(/.*)? -+.br -+ /var/net-snmp(/.*)? -+.br -+ /var/lib/net-snmp(/.*)? -+.br -+ /usr/share/snmp/mibs/\.index -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. 
-+ -+.SH "SEE ALSO" -+selinux(8), dirsrv_snmp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, dirsrv_selinux(8), dirsrv_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_unconfined_script_selinux(8) -\ No newline at end of file -diff --git a/man/man8/dirsrvadmin_selinux.8 b/man/man8/dirsrvadmin_selinux.8 -new file mode 100644 -index 0000000..02df63f ---- /dev/null -+++ b/man/man8/dirsrvadmin_selinux.8 -@@ -0,0 +1,127 @@ -+.TH "dirsrvadmin_selinux" "8" "12-11-01" "dirsrvadmin" "SELinux Policy documentation for dirsrvadmin" -+.SH "NAME" -+dirsrvadmin_selinux \- Security Enhanced Linux Policy for the dirsrvadmin processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the dirsrvadmin processes via flexible mandatory access control. -+ -+The dirsrvadmin processes execute with the dirsrvadmin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. -+ -+For example: -+ -+.B ps -eZ | grep dirsrvadmin_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The dirsrvadmin_t SELinux type can be entered via the "shell_exec_t,dirsrvadmin_exec_t" file types. 
The default entrypoint paths for the dirsrvadmin_t domain are the following:" -+ -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/stop-ds-admin, /usr/sbin/start-ds-admin, /usr/sbin/restart-ds-admin -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux dirsrvadmin policy is very flexible allowing users to setup their dirsrvadmin processes in as secure a method as possible. -+.PP -+The following process types are defined for dirsrvadmin: -+ +.EX -+.B dirsrvadmin_unconfined_script_t, dirsrvadmin_t ++.PP ++.B dirsrv_tmp_t +.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. ++- Set files with the dirsrv_tmp_t type, if you want to store dirsrv temporary files in the /tmp directories. ++ ++ ++.EX +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.B dirsrv_tmpfs_t ++.EE ++ ++- Set files with the dirsrv_tmpfs_t type, if you want to store dirsrv files on a tmpfs file system. ++ ++ ++.EX +.PP -+Policy governs the access confined processes have to these files. 
-+SELinux dirsrvadmin policy is very flexible allowing users to setup their dirsrvadmin processes in as secure a method as possible. ++.B dirsrv_var_lib_t ++.EE ++ ++- Set files with the dirsrv_var_lib_t type, if you want to store the dirsrv files under the /var/lib directory. ++ ++ ++.EX +.PP -+The following file types are defined for dirsrvadmin: ++.B dirsrv_var_lock_t ++.EE ++ ++- Set files with the dirsrv_var_lock_t type, if you want to treat the files as dirsrv var lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B dirsrv_var_log_t ++.EE ++ ++- Set files with the dirsrv_var_log_t type, if you want to treat the data as dirsrv var log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B dirsrv_var_run_t ++.EE ++ ++- Set files with the dirsrv_var_run_t type, if you want to store the dirsrv files under the /run or /var/run directory. + + +.EX @@ -22472,6 +40627,10 @@ index 0000000..02df63f + +- Set files with the dirsrvadmin_config_t type, if you want to treat the files as dirsrvadmin configuration data, usually stored under the /etc directory. + ++.br ++.TP 5 ++Paths: ++/etc/dirsrv/dsgw(/.*)?, /etc/dirsrv/admin-serv(/.*)? + +.EX +.PP @@ -22480,6 +40639,10 @@ index 0000000..02df63f + +- Set files with the dirsrvadmin_exec_t type, if you want to transition an executable to the dirsrvadmin_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/stop-ds-admin, /usr/sbin/start-ds-admin, /usr/sbin/restart-ds-admin + +.EX +.PP @@ -22504,6 +40667,10 @@ index 0000000..02df63f + +- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you want to transition an executable to the dirsrvadmin_unconfined_script_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/dirsrv/cgi-bin/ds_create, /usr/lib/dirsrv/cgi-bin/ds_remove + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -22512,16 +40679,6 @@ index 0000000..02df63f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type dirsrvadmin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B dirsrvadmin_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -22532,6 +40689,493 @@ index 0000000..02df63f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), dirsrv(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), dirsrv_snmp_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_unconfined_script_selinux(8) +\ No newline at end of file +diff --git a/man/man8/dirsrv_snmp_selinux.8 b/man/man8/dirsrv_snmp_selinux.8 +new file mode 100644 +index 0000000..a0051a0 +--- /dev/null ++++ b/man/man8/dirsrv_snmp_selinux.8 +@@ -0,0 +1,239 @@ ++.TH "dirsrv_snmp_selinux" "8" "13-01-16" "dirsrv_snmp" "SELinux Policy documentation for dirsrv_snmp" ++.SH "NAME" ++dirsrv_snmp_selinux \- Security Enhanced Linux Policy for the dirsrv_snmp processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the dirsrv_snmp processes via flexible mandatory access control. ++ ++The dirsrv_snmp processes execute with the dirsrv_snmp_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep dirsrv_snmp_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The dirsrv_snmp_t SELinux type can be entered via the \fBdirsrv_snmp_exec_t\fP file type. ++ ++The default entrypoint paths for the dirsrv_snmp_t domain are the following: ++ ++/usr/sbin/ldap-agent-bin ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. 
++SELinux dirsrv_snmp policy is very flexible allowing users to setup their dirsrv_snmp processes in as secure a method as possible. ++.PP ++The following process types are defined for dirsrv_snmp: ++ ++.EX ++.B dirsrv_snmp_t ++.EE ++.PP ++Note: ++.B semanage permissive -a dirsrv_snmp_t ++can be used to make the process type dirsrv_snmp_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dirsrv_snmp policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dirsrv_snmp with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type dirsrv_snmp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B dirsrv_snmp_var_log_t ++ ++ /var/log/dirsrv/ldap-agent.log.* ++.br ++ ++.br ++.B dirsrv_snmp_var_run_t ++ ++ /var/run/ldap-agent\.pid ++.br ++ ++.br ++.B dirsrv_tmpfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B snmpd_var_lib_t ++ ++ /var/agentx(/.*)? ++.br ++ /var/net-snmp(/.*) ++.br ++ /var/lib/snmp(/.*)? ++.br ++ /var/net-snmp(/.*)? ++.br ++ /var/lib/net-snmp(/.*)? ++.br ++ /usr/share/snmp/mibs/\.index ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dirsrv_snmp policy is very flexible allowing users to setup their dirsrv_snmp processes in as secure a method as possible. 
++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dirsrv_snmp, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dirsrv_snmp_exec_t '/srv/dirsrv_snmp/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydirsrv_snmp_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dirsrv_snmp: ++ ++ ++.EX ++.PP ++.B dirsrv_snmp_exec_t ++.EE ++ ++- Set files with the dirsrv_snmp_exec_t type, if you want to transition an executable to the dirsrv_snmp_t domain. ++ ++ ++.EX ++.PP ++.B dirsrv_snmp_var_log_t ++.EE ++ ++- Set files with the dirsrv_snmp_var_log_t type, if you want to treat the data as dirsrv snmp var log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B dirsrv_snmp_var_run_t ++.EE ++ ++- Set files with the dirsrv_snmp_var_run_t type, if you want to store the dirsrv snmp files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. 
++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), dirsrv_snmp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), dirsrv_selinux(8), dirsrv_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_unconfined_script_selinux(8) +\ No newline at end of file +diff --git a/man/man8/dirsrvadmin_selinux.8 b/man/man8/dirsrvadmin_selinux.8 +new file mode 100644 +index 0000000..3fabbcd +--- /dev/null ++++ b/man/man8/dirsrvadmin_selinux.8 +@@ -0,0 +1,231 @@ ++.TH "dirsrvadmin_selinux" "8" "13-01-16" "dirsrvadmin" "SELinux Policy documentation for dirsrvadmin" ++.SH "NAME" ++dirsrvadmin_selinux \- Security Enhanced Linux Policy for the dirsrvadmin processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the dirsrvadmin processes via flexible mandatory access control. ++ ++The dirsrvadmin processes execute with the dirsrvadmin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep dirsrvadmin_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The dirsrvadmin_t SELinux type can be entered via the \fBshell_exec_t, dirsrvadmin_exec_t\fP file types. 
++ ++The default entrypoint paths for the dirsrvadmin_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/stop-ds-admin, /usr/sbin/start-ds-admin, /usr/sbin/restart-ds-admin ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux dirsrvadmin policy is very flexible allowing users to setup their dirsrvadmin processes in as secure a method as possible. ++.PP ++The following process types are defined for dirsrvadmin: ++ ++.EX ++.B dirsrvadmin_unconfined_script_t, dirsrvadmin_t ++.EE ++.PP ++Note: ++.B semanage permissive -a dirsrvadmin_t ++can be used to make the process type dirsrvadmin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dirsrvadmin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dirsrvadmin with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type dirsrvadmin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B dirsrvadmin_tmp_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dirsrvadmin policy is very flexible allowing users to setup their dirsrvadmin processes in as secure a method as possible. 
++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dirsrvadmin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dirsrvadmin_config_t '/srv/dirsrvadmin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydirsrvadmin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dirsrvadmin: ++ ++ ++.EX ++.PP ++.B dirsrvadmin_config_t ++.EE ++ ++- Set files with the dirsrvadmin_config_t type, if you want to treat the files as dirsrvadmin configuration data, usually stored under the /etc directory. ++ ++.br ++.TP 5 ++Paths: ++/etc/dirsrv/dsgw(/.*)?, /etc/dirsrv/admin-serv(/.*)? ++ ++.EX ++.PP ++.B dirsrvadmin_exec_t ++.EE ++ ++- Set files with the dirsrvadmin_exec_t type, if you want to transition an executable to the dirsrvadmin_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/stop-ds-admin, /usr/sbin/start-ds-admin, /usr/sbin/restart-ds-admin ++ ++.EX ++.PP ++.B dirsrvadmin_lock_t ++.EE ++ ++- Set files with the dirsrvadmin_lock_t type, if you want to treat the files as dirsrvadmin lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B dirsrvadmin_tmp_t ++.EE ++ ++- Set files with the dirsrvadmin_tmp_t type, if you want to store dirsrvadmin temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B dirsrvadmin_unconfined_script_exec_t ++.EE ++ ++- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you want to transition an executable to the dirsrvadmin_unconfined_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/dirsrv/cgi-bin/ds_create, /usr/lib/dirsrv/cgi-bin/ds_remove ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -22543,15 +41187,15 @@ index 0000000..02df63f + +.SH "SEE ALSO" +selinux(8), dirsrvadmin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, dirsrv_selinux(8), dirsrvadmin_unconfined_script_selinux(8) ++, setsebool(8), dirsrv_selinux(8), dirsrvadmin_unconfined_script_selinux(8) \ No newline at end of file diff --git a/man/man8/dirsrvadmin_unconfined_script_selinux.8 b/man/man8/dirsrvadmin_unconfined_script_selinux.8 new file mode 100644 -index 0000000..bd60dd5 +index 0000000..fd28a5d --- /dev/null +++ b/man/man8/dirsrvadmin_unconfined_script_selinux.8 -@@ -0,0 +1,127 @@ -+.TH "dirsrvadmin_unconfined_script_selinux" "8" "12-11-01" "dirsrvadmin_unconfined_script" "SELinux Policy documentation for dirsrvadmin_unconfined_script" +@@ -0,0 +1,191 @@ ++.TH "dirsrvadmin_unconfined_script_selinux" "8" "13-01-16" "dirsrvadmin_unconfined_script" "SELinux Policy documentation for dirsrvadmin_unconfined_script" +.SH "NAME" +dirsrvadmin_unconfined_script_selinux \- Security Enhanced Linux Policy for the dirsrvadmin_unconfined_script processes +.SH "DESCRIPTION" 
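Review bot: the deny_ptrace paragraph in the new dirsrv_snmp_selinux.8 and dirsrvadmin_selinux.8 pages is inverted: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" followed by `setsebool -P deny_ptrace 1` tells the reader to do the opposite of what they want, because turning deny_ptrace on removes ptrace from every domain; either describe the boolean as denying ptrace and debugging when enabled, or show `setsebool -P deny_ptrace 0` for the "allow" case, and verify the "Enabled by default" claim against the policy's actual default before this text ships. Second, the STANDARD FILE CONTEXT example for dirsrv_snmp labels a content tree with the domain's entrypoint type (`semanage fcontext -a -t dirsrv_snmp_exec_t '/srv/dirsrv_snmp/content(/.*)?'`); anything written into that directory then becomes an executable entrypoint into dirsrv_snmp_t, which is not what "store files with these types in different paths" is meant to illustrate. It looks like the generator falls back to the exec type when a domain defines no content type; it should prefer a data type such as dirsrv_snmp_var_log_t and omit the example otherwise, and the `restorecon -R -v /srv/mydirsrv_snmp_content` line should use the path that was just registered. Smaller points in the same hunk: the snmpd_var_lib_t list carries both `/var/net-snmp(/.*)` and `/var/net-snmp(/.*)?`, and the first never matches the directory itself and is redundant with the second, so it looks like a stray file_contexts entry; `\fBps\bP` and `\fBls\bP` use `\bP`, which is not a troff escape, and should end with `\fP` so the bold font is actually turned off; the new `semanage boolean` paragraph under COMMANDS has no `.PP` before it and runs into the `semanage module` sentence; and SEE ALSO in dirsrv_snmp_selinux.8 lists dirsrv_selinux(8) twice.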
@@ -22567,9 +41211,11 @@ index 0000000..bd60dd5 + +.SH "ENTRYPOINTS" + -+The dirsrvadmin_unconfined_script_t SELinux type can be entered via the "dirsrvadmin_unconfined_script_exec_t,shell_exec_t" file types. The default entrypoint paths for the dirsrvadmin_unconfined_script_t domain are the following:" ++The dirsrvadmin_unconfined_script_t SELinux type can be entered via the \fBshell_exec_t, dirsrvadmin_unconfined_script_exec_t\fP file types. + -+/usr/lib/dirsrv/cgi-bin/ds_create, /usr/lib/dirsrv/cgi-bin/ds_remove, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell ++The default entrypoint paths for the dirsrvadmin_unconfined_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/dirsrv/cgi-bin/ds_create, /usr/lib/dirsrv/cgi-bin/ds_remove +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -22585,34 +41231,52 @@ index 0000000..bd60dd5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dirsrvadmin_unconfined_script_t ++can be used to make the process type dirsrvadmin_unconfined_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dirsrvadmin_unconfined_script policy is very flexible allowing users to setup their dirsrvadmin_unconfined_script processes in as secure a method as possible. -+.PP -+The following file types are defined for dirsrvadmin_unconfined_script: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dirsrvadmin_unconfined_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dirsrvadmin_unconfined_script with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B dirsrvadmin_unconfined_script_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you want to transition an executable to the dirsrvadmin_unconfined_script_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -22654,7 +41318,48 @@ index 0000000..bd60dd5 +.B dirsrvadmin_tmp_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dirsrvadmin_unconfined_script policy is very flexible allowing users to setup their dirsrvadmin_unconfined_script processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dirsrvadmin_unconfined_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dirsrvadmin_unconfined_script_exec_t '/srv/dirsrvadmin_unconfined_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydirsrvadmin_unconfined_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dirsrvadmin_unconfined_script: ++ ++ ++.EX ++.PP ++.B dirsrvadmin_unconfined_script_exec_t ++.EE ++ ++- Set files with the dirsrvadmin_unconfined_script_exec_t type, if you want to transition an executable to the dirsrvadmin_unconfined_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/dirsrv/cgi-bin/ds_create, /usr/lib/dirsrv/cgi-bin/ds_remove ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -22666,6 +41371,9 @@ index 0000000..bd60dd5 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -22677,15 +41385,15 @@ index 0000000..bd60dd5 + +.SH "SEE ALSO" +selinux(8), dirsrvadmin_unconfined_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, dirsrv_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_selinux(8) ++, setsebool(8), dirsrv_selinux(8), dirsrvadmin_selinux(8), dirsrvadmin_selinux(8) \ No newline at end of file diff --git a/man/man8/disk_munin_plugin_selinux.8 b/man/man8/disk_munin_plugin_selinux.8 new file mode 100644 -index 0000000..1679709 +index 0000000..4b1cebc --- /dev/null +++ b/man/man8/disk_munin_plugin_selinux.8 -@@ -0,0 +1,114 @@ -+.TH "disk_munin_plugin_selinux" "8" "12-11-01" "disk_munin_plugin" "SELinux Policy documentation for disk_munin_plugin" +@@ -0,0 +1,187 @@ ++.TH "disk_munin_plugin_selinux" "8" "13-01-16" "disk_munin_plugin" "SELinux Policy documentation for disk_munin_plugin" +.SH "NAME" +disk_munin_plugin_selinux \- Security Enhanced Linux Policy for the disk_munin_plugin processes +.SH "DESCRIPTION" @@ -22701,7 +41409,9 @@ index 0000000..1679709 + +.SH "ENTRYPOINTS" + -+The disk_munin_plugin_t SELinux type can be entered via the "disk_munin_plugin_exec_t" file type. The default entrypoint paths for the disk_munin_plugin_t domain are the following:" ++The disk_munin_plugin_t SELinux type can be entered via the \fBdisk_munin_plugin_exec_t\fP file type. ++ ++The default entrypoint paths for the disk_munin_plugin_t domain are the following: + +/usr/share/munin/plugins/df.*, /usr/share/munin/plugins/smart_.*, /usr/share/munin/plugins/hddtemp.*, /usr/share/munin/plugins/diskstat.* +.SH PROCESS TYPES 
@@ -22719,42 +41429,60 @@ index 0000000..1679709 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a disk_munin_plugin_t ++can be used to make the process type disk_munin_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux disk_munin_plugin policy is very flexible allowing users to setup their disk_munin_plugin processes in as secure a method as possible. -+.PP -+The following file types are defined for disk_munin_plugin: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. disk_munin_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run disk_munin_plugin with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B disk_munin_plugin_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the disk_munin_plugin_exec_t type, if you want to transition an executable to the disk_munin_plugin_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B disk_munin_plugin_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the disk_munin_plugin_tmp_t type, if you want to store disk munin plugin temporary files in the /tmp directories. 
++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -22776,7 +41504,56 @@ index 0000000..1679709 + /var/lib/munin(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux disk_munin_plugin policy is very flexible allowing users to setup their disk_munin_plugin processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the disk_munin_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t disk_munin_plugin_exec_t '/srv/disk_munin_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydisk_munin_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for disk_munin_plugin: ++ ++ ++.EX ++.PP ++.B disk_munin_plugin_exec_t ++.EE ++ ++- Set files with the disk_munin_plugin_exec_t type, if you want to transition an executable to the disk_munin_plugin_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/share/munin/plugins/df.*, /usr/share/munin/plugins/smart_.*, /usr/share/munin/plugins/hddtemp.*, /usr/share/munin/plugins/diskstat.* ++ ++.EX ++.PP ++.B disk_munin_plugin_tmp_t ++.EE ++ ++- Set files with the disk_munin_plugin_tmp_t type, if you want to store disk munin plugin temporary files in the /tmp directories. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -22788,6 +41565,9 @@ index 0000000..1679709 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -22799,13 +41579,15 @@ index 0000000..1679709 + +.SH "SEE ALSO" +selinux(8), disk_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/dkim_milter_selinux.8 b/man/man8/dkim_milter_selinux.8 new file mode 100644 -index 0000000..813e538 +index 0000000..bb3da0f --- /dev/null +++ b/man/man8/dkim_milter_selinux.8 -@@ -0,0 +1,132 @@ -+.TH "dkim_milter_selinux" "8" "12-11-01" "dkim_milter" "SELinux Policy documentation for dkim_milter" +@@ -0,0 +1,267 @@ ++.TH "dkim_milter_selinux" "8" "13-01-16" "dkim_milter" "SELinux Policy documentation for dkim_milter" +.SH "NAME" +dkim_milter_selinux \- Security Enhanced Linux Policy for the dkim_milter processes +.SH "DESCRIPTION" @@ -22821,7 +41603,9 @@ index 0000000..813e538 + +.SH "ENTRYPOINTS" + -+The dkim_milter_t SELinux type can be entered via the "dkim_milter_exec_t" file type. The default entrypoint paths for the dkim_milter_t domain are the following:" ++The dkim_milter_t SELinux type can be entered via the \fBdkim_milter_exec_t\fP file type. ++ ++The default entrypoint paths for the dkim_milter_t domain are the following: + +/usr/sbin/opendkim, /usr/sbin/dkim-filter +.SH PROCESS TYPES 
@@ -22839,50 +41623,124 @@ index 0000000..813e538 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dkim_milter_t ++can be used to make the process type dkim_milter_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dkim_milter policy is very flexible allowing users to setup their dkim_milter processes in as secure a method as possible. -+.PP -+The following file types are defined for dkim_milter: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dkim_milter policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dkim_milter with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B dkim_milter_data_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the dkim_milter_data_t type, if you want to treat the files as dkim milter content. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B dkim_milter_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the dkim_milter_exec_t type, if you want to transition an executable to the dkim_milter_t domain. 
-+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B dkim_milter_private_key_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the dkim_milter_private_key_t type, if you want to treat the files as dkim milter private key data. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dkim_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dkim_milter_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -22900,21 +41758,76 @@ index 0000000..813e538 + /var/run/dkim-milter(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dkim_milter policy is very flexible allowing users to setup their dkim_milter processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dkim_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dkim_milter, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dkim_milter_data_t '/srv/dkim_milter/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydkim_milter_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dkim_milter: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B dkim_milter_data_t +.EE + ++- Set files with the dkim_milter_data_t type, if you want to treat the files as dkim milter content. ++ ++.br ++.TP 5 ++Paths: ++/var/run/opendkim(/.*)?, /var/spool/opendkim(/.*)?, /var/lib/dkim-milter(/.*)?, /var/run/dkim-milter(/.*)? ++ ++.EX ++.PP ++.B dkim_milter_exec_t ++.EE ++ ++- Set files with the dkim_milter_exec_t type, if you want to transition an executable to the dkim_milter_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/opendkim, /usr/sbin/dkim-filter ++ ++.EX ++.PP ++.B dkim_milter_private_key_t ++.EE ++ ++- Set files with the dkim_milter_private_key_t type, if you want to treat the files as dkim milter private key data. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the dkim_milter_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -22926,6 +41839,9 @@ index 0000000..813e538 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -22937,13 +41853,15 @@ index 0000000..813e538 + +.SH "SEE ALSO" +selinux(8), dkim_milter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/dlm_controld_selinux.8 b/man/man8/dlm_controld_selinux.8 new file mode 100644 -index 0000000..25e4869 +index 0000000..d35544c --- /dev/null +++ b/man/man8/dlm_controld_selinux.8 -@@ -0,0 +1,168 @@ -+.TH "dlm_controld_selinux" "8" "12-11-01" "dlm_controld" "SELinux Policy documentation for dlm_controld" +@@ -0,0 +1,320 @@ ++.TH "dlm_controld_selinux" "8" "13-01-16" "dlm_controld" "SELinux Policy documentation for dlm_controld" +.SH "NAME" +dlm_controld_selinux \- Security Enhanced Linux Policy for the dlm_controld processes +.SH "DESCRIPTION" 
@@ -22959,7 +41877,9 @@ index 0000000..25e4869 + +.SH "ENTRYPOINTS" + -+The dlm_controld_t SELinux type can be entered via the "dlm_controld_exec_t" file type. The default entrypoint paths for the dlm_controld_t domain are the following:" ++The dlm_controld_t SELinux type can be entered via the \fBdlm_controld_exec_t\fP file type. ++ ++The default entrypoint paths for the dlm_controld_t domain are the following: + +/usr/sbin/dlm_controld +.SH PROCESS TYPES 
@@ -22977,8 +41897,174 @@ index 0000000..25e4869 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dlm_controld_t ++can be used to make the process type dlm_controld_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dlm_controld policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dlm_controld with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dlm_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dlm_controld_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type dlm_controld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B configfs_t ++ ++ ++.br ++.B corosync_tmpfs_t ++ ++ ++.br ++.B dlm_controld_tmpfs_t ++ ++ ++.br ++.B dlm_controld_var_log_t ++ ++ /var/log/dlm_controld(/.*)? ++.br ++ /var/log/cluster/dlm_controld\.log.* ++.br ++ ++.br ++.B dlm_controld_var_run_t ++ ++ /var/run/dlm_controld(/.*)? ++.br ++ /var/run/dlm_controld\.pid ++.br ++ ++.br ++.B initrc_tmp_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sysfs_t ++ ++ /sys(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -22988,7 +42074,31 @@ index 0000000..25e4869 +Policy governs the access confined processes have to these files. +SELinux dlm_controld policy is very flexible allowing users to setup their dlm_controld processes in as secure a method as possible. +.PP -+The following file types are defined for dlm_controld: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++dlm_controld policy stores data with multiple different file context types under the /var/run/dlm_controld directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/dlm_controld /srv/dlm_controld ++.br ++.B restorecon -R -v /srv/dlm_controld ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dlm_controld, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dlm_controld_exec_t '/srv/dlm_controld/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydlm_controld_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dlm_controld: + + +.EX 
@@ -23001,6 +42111,14 @@ index 0000000..25e4869 + +.EX +.PP ++.B dlm_controld_initrc_exec_t ++.EE ++ ++- Set files with the dlm_controld_initrc_exec_t type, if you want to transition an executable to the dlm_controld_initrc_t domain. ++ ++ ++.EX ++.PP +.B dlm_controld_tmpfs_t +.EE + @@ -23014,14 +42132,22 @@ index 0000000..25e4869 + +- Set files with the dlm_controld_var_log_t type, if you want to treat the data as dlm controld var log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/dlm_controld(/.*)?, /var/log/cluster/dlm_controld\.log.* + +.EX +.PP +.B dlm_controld_var_run_t +.EE + -+- Set files with the dlm_controld_var_run_t type, if you want to store the dlm controld files under the /run directory. ++- Set files with the dlm_controld_var_run_t type, if you want to store the dlm controld files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/dlm_controld(/.*)?, /var/run/dlm_controld\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -23030,66 +42156,6 @@ index 0000000..25e4869 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type dlm_controld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cluster_var_lib_t -+ -+ /var/lib/cluster(/.*)? -+.br -+ -+.br -+.B configfs_t -+ -+ -+.br -+.B corosync_tmpfs_t -+ -+ -+.br -+.B dlm_controld_tmpfs_t -+ -+ -+.br -+.B dlm_controld_var_log_t -+ -+ /var/log/cluster/dlm_controld\.log.* -+.br -+ -+.br -+.B dlm_controld_var_run_t -+ -+ /var/run/dlm_controld\.pid -+.br -+ -+.br -+.B initrc_tmp_t -+ -+ -+.br -+.B sysfs_t -+ -+ /sys(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dlm_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the dlm_controld_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -23100,6 +42166,9 @@ index 0000000..25e4869 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -23111,13 +42180,15 @@ index 0000000..25e4869 + +.SH "SEE ALSO" +selinux(8), dlm_controld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/dmesg_selinux.8 b/man/man8/dmesg_selinux.8 new file mode 100644 -index 0000000..c7d7b6d +index 0000000..f8d4b6d --- /dev/null 
+++ b/man/man8/dmesg_selinux.8 -@@ -0,0 +1,136 @@ -+.TH "dmesg_selinux" "8" "12-11-01" "dmesg" "SELinux Policy documentation for dmesg" +@@ -0,0 +1,207 @@ ++.TH "dmesg_selinux" "8" "13-01-16" "dmesg" "SELinux Policy documentation for dmesg" +.SH "NAME" +dmesg_selinux \- Security Enhanced Linux Policy for the dmesg processes +.SH "DESCRIPTION" @@ -23133,7 +42204,9 @@ index 0000000..c7d7b6d + +.SH "ENTRYPOINTS" + -+The dmesg_t SELinux type can be entered via the "dmesg_exec_t" file type. The default entrypoint paths for the dmesg_t domain are the following:" ++The dmesg_t SELinux type can be entered via the \fBdmesg_exec_t\fP file type. ++ ++The default entrypoint paths for the dmesg_t domain are the following: + +/bin/dmesg, /usr/bin/dmesg +.SH PROCESS TYPES 
@@ -23151,34 +42224,60 @@ index 0000000..c7d7b6d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dmesg_t ++can be used to make the process type dmesg_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dmesg policy is very flexible allowing users to setup their dmesg processes in as secure a method as possible. -+.PP -+The following file types are defined for dmesg: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dmesg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dmesg with the tightest access possible. + + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ +.EX -+.PP -+.B dmesg_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the dmesg_exec_t type, if you want to transition an executable to the dmesg_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -23193,8 +42292,6 @@ index 0000000..c7d7b6d +.br + /var/webmin(/.*)? +.br -+ /var/log/cron[^/]* -+.br + /var/log/secure[^/]* +.br + /opt/zimbra/log(/.*)? 
@@ -23230,7 +42327,48 @@ index 0000000..c7d7b6d + /var/named/chroot/var/log +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dmesg policy is very flexible allowing users to setup their dmesg processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dmesg, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dmesg_exec_t '/srv/dmesg/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydmesg_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dmesg: ++ ++ ++.EX ++.PP ++.B dmesg_exec_t ++.EE ++ ++- Set files with the dmesg_exec_t type, if you want to transition an executable to the dmesg_t domain. ++ ++.br ++.TP 5 ++Paths: ++/bin/dmesg, /usr/bin/dmesg ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -23242,6 +42380,9 @@ index 0000000..c7d7b6d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -23253,13 +42394,15 @@ index 0000000..c7d7b6d + +.SH "SEE ALSO" +selinux(8), dmesg(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/dmidecode_selinux.8 b/man/man8/dmidecode_selinux.8 new file mode 100644 -index 0000000..e29cd1c +index 0000000..ea164a0 --- /dev/null +++ b/man/man8/dmidecode_selinux.8 -@@ -0,0 +1,86 @@ -+.TH "dmidecode_selinux" "8" "12-11-01" "dmidecode" "SELinux Policy documentation for dmidecode" +@@ -0,0 +1,151 @@ ++.TH "dmidecode_selinux" "8" "13-01-16" "dmidecode" "SELinux Policy documentation for dmidecode" +.SH "NAME" +dmidecode_selinux \- Security Enhanced Linux Policy for the dmidecode processes +.SH "DESCRIPTION" @@ -23275,9 +42418,11 @@ index 0000000..e29cd1c + +.SH "ENTRYPOINTS" + -+The dmidecode_t SELinux type can be entered via the "dmidecode_exec_t" file type. The default entrypoint paths for the dmidecode_t domain are the following:" ++The dmidecode_t SELinux type can be entered via the \fBdmidecode_exec_t\fP file type. + -+/usr/sbin/dmidecode, /usr/sbin/ownership, /usr/sbin/vpddecode ++The default entrypoint paths for the dmidecode_t domain are the following: ++ ++/usr/sbin/dmidecode, /usr/sbin/ownership, /usr/sbin/vpddecode, /usr/sbin/biosdecode +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -23293,8 +42438,52 @@ index 0000000..e29cd1c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dmidecode_t ++can be used to make the process type dmidecode_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dmidecode policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dmidecode with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -23304,7 +42493,20 @@ index 0000000..e29cd1c +Policy governs the access confined processes have to these files. +SELinux dmidecode policy is very flexible allowing users to setup their dmidecode processes in as secure a method as possible. +.PP -+The following file types are defined for dmidecode: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dmidecode, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dmidecode_exec_t '/srv/dmidecode/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydmidecode_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dmidecode: + + +.EX @@ -23314,6 +42516,10 @@ index 0000000..e29cd1c + +- Set files with the dmidecode_exec_t type, if you want to transition an executable to the dmidecode_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/dmidecode, /usr/sbin/ownership, /usr/sbin/vpddecode, /usr/sbin/biosdecode + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -23322,8 +42528,6 @@ index 0000000..e29cd1c +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -23334,6 +42538,9 @@ index 0000000..e29cd1c +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -23345,13 +42552,15 @@ index 0000000..e29cd1c + +.SH "SEE ALSO" +selinux(8), dmidecode(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/dnsmasq_selinux.8 b/man/man8/dnsmasq_selinux.8 new file mode 100644 -index 0000000..5a65f36 +index 0000000..6364ad3 --- /dev/null +++ b/man/man8/dnsmasq_selinux.8 -@@ -0,0 +1,200 @@ -+.TH "dnsmasq_selinux" "8" "12-11-01" "dnsmasq" "SELinux Policy documentation for dnsmasq" +@@ -0,0 +1,329 @@ ++.TH "dnsmasq_selinux" "8" "13-01-16" "dnsmasq" "SELinux Policy documentation for dnsmasq" +.SH "NAME" +dnsmasq_selinux \- Security Enhanced Linux Policy for the dnsmasq processes +.SH "DESCRIPTION" @@ -23367,7 +42576,9 @@ index 0000000..5a65f36 + +.SH "ENTRYPOINTS" + -+The dnsmasq_t SELinux type can be entered via the "dnsmasq_exec_t" file type. The default entrypoint paths for the dnsmasq_t domain are the following:" ++The dnsmasq_t SELinux type can be entered via the \fBdnsmasq_exec_t\fP file type. ++ ++The default entrypoint paths for the dnsmasq_t domain are the following: + +/usr/sbin/dnsmasq +.SH PROCESS TYPES 
@@ -23385,8 +42596,178 @@ index 0000000..5a65f36 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dnsmasq_t ++can be used to make the process type dnsmasq_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dnsmasq policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dnsmasq with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dnsmasq_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dnsmasq_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type dnsmasq_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B crond_var_run_t ++ ++ /var/run/.*cron.* ++.br ++ /var/run/crond?\.pid ++.br ++ /var/run/crond?\.reboot ++.br ++ /var/run/atd\.pid ++.br ++ /var/run/fcron\.pid ++.br ++ /var/run/fcron\.fifo ++.br ++ /var/run/anacron\.pid ++.br ++ ++.br ++.B dnsmasq_lease_t ++ ++ /var/lib/dnsmasq(/.*)? ++.br ++ /var/lib/misc/dnsmasq\.leases ++.br ++ ++.br ++.B dnsmasq_var_run_t ++ ++ /var/run/dnsmasq.* ++.br ++ /var/run/libvirt/network(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B virt_var_lib_t ++ ++ /var/lib/oz(/.*)? ++.br ++ /var/lib/libvirt(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -23396,7 +42777,20 @@ index 0000000..5a65f36 +Policy governs the access confined processes have to these files. +SELinux dnsmasq policy is very flexible allowing users to setup their dnsmasq processes in as secure a method as possible. +.PP -+The following file types are defined for dnsmasq: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dnsmasq, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dnsmasq_etc_t '/srv/dnsmasq/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydnsmasq_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dnsmasq: + + +.EX @@ -23430,6 +42824,10 @@ index 0000000..5a65f36 + +- Set files with the dnsmasq_lease_t type, if you want to treat the files as dnsmasq lease data. + ++.br ++.TP 5 ++Paths: ++/var/lib/dnsmasq(/.*)?, /var/lib/misc/dnsmasq\.leases + +.EX +.PP 
@@ -23452,8 +42850,12 @@ index 0000000..5a65f36 +.B dnsmasq_var_run_t +.EE + -+- Set files with the dnsmasq_var_run_t type, if you want to store the dnsmasq files under the /run directory. ++- Set files with the dnsmasq_var_run_t type, if you want to store the dnsmasq files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/dnsmasq.*, /var/run/libvirt/network(/.*)? + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -23462,74 +42864,6 @@ index 0000000..5a65f36 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type dnsmasq_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B crond_var_run_t -+ -+ /var/run/.*cron.* -+.br -+ /var/run/crond?\.pid -+.br -+ /var/run/crond?\.reboot -+.br -+ /var/run/atd\.pid -+.br -+ /var/run/fcron\.pid -+.br -+ /var/run/fcron\.fifo -+.br -+ /var/run/anacron\.pid -+.br -+ -+.br -+.B dnsmasq_lease_t -+ -+ /var/lib/dnsmasq(/.*)? -+.br -+ /var/lib/misc/dnsmasq\.leases -+.br -+ -+.br -+.B dnsmasq_var_log_t -+ -+ /var/log/dnsmasq.* -+.br -+ -+.br -+.B dnsmasq_var_run_t -+ -+ /var/run/libvirt/network(/.*)? -+.br -+ /var/run/dnsmasq\.pid -+.br -+ -+.br -+.B virt_var_lib_t -+ -+ /var/lib/oz(/.*)? -+.br -+ /var/lib/libvirt(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dnsmasq_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the dnsmasq_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -23540,6 +42874,9 @@ index 0000000..5a65f36 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -23551,13 +42888,15 @@ index 0000000..5a65f36 + +.SH "SEE ALSO" +selinux(8), dnsmasq(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
diff --git a/man/man8/dnssec_trigger_selinux.8 b/man/man8/dnssec_trigger_selinux.8 new file mode 100644 -index 0000000..d5478bf +index 0000000..8d165a1 --- /dev/null +++ b/man/man8/dnssec_trigger_selinux.8 -@@ -0,0 +1,130 @@ -+.TH "dnssec_trigger_selinux" "8" "12-11-01" "dnssec_trigger" "SELinux Policy documentation for dnssec_trigger" +@@ -0,0 +1,227 @@ ++.TH "dnssec_trigger_selinux" "8" "13-01-16" "dnssec_trigger" "SELinux Policy documentation for dnssec_trigger" +.SH "NAME" +dnssec_trigger_selinux \- Security Enhanced Linux Policy for the dnssec_trigger processes +.SH "DESCRIPTION" @@ -23573,7 +42912,9 @@ index 0000000..d5478bf + +.SH "ENTRYPOINTS" + -+The dnssec_trigger_t SELinux type can be entered via the "dnssec_trigger_exec_t" file type. The default entrypoint paths for the dnssec_trigger_t domain are the following:" ++The dnssec_trigger_t SELinux type can be entered via the \fBdnssec_trigger_exec_t\fP file type. ++ ++The default entrypoint paths for the dnssec_trigger_t domain are the following: + +/usr/sbin/dnssec-triggerd +.SH PROCESS TYPES 
@@ -23591,8 +42932,124 @@ index 0000000..d5478bf +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dnssec_trigger_t ++can be used to make the process type dnssec_trigger_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dnssec_trigger policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dnssec_trigger with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type dnssec_trigger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B dnssec_trigger_var_run_t ++ ++ /var/run/dnssec.* ++.br ++ ++.br ++.B net_conf_t ++ ++ /etc/hosts[^/]* ++.br ++ /etc/yp\.conf.* ++.br ++ /etc/denyhosts.* ++.br ++ /etc/hosts\.deny.* ++.br ++ /etc/resolv\.conf.* ++.br ++ /etc/sysconfig/networking(/.*)? ++.br ++ /etc/sysconfig/network-scripts(/.*)? ++.br ++ /etc/sysconfig/network-scripts/.*resolv\.conf ++.br ++ /etc/ethers ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -23602,7 +43059,20 @@ index 0000000..d5478bf +Policy governs the access confined processes have to these files. +SELinux dnssec_trigger policy is very flexible allowing users to setup their dnssec_trigger processes in as secure a method as possible. +.PP -+The following file types are defined for dnssec_trigger: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dnssec_trigger, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dnssec_trigger_exec_t '/srv/dnssec_trigger/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydnssec_trigger_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dnssec_trigger: + + +.EX @@ -23618,7 +43088,7 @@ index 0000000..d5478bf +.B dnssec_trigger_var_run_t +.EE + -+- Set files with the dnssec_trigger_var_run_t type, if you want to store the dnssec trigger files under the /run directory. ++- Set files with the dnssec_trigger_var_run_t type, if you want to store the dnssec trigger files under the /run or /var/run directory. + + +.PP 
@@ -23628,44 +43098,6 @@ index 0000000..d5478bf +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type dnssec_trigger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B dnssec_trigger_var_run_t -+ -+ /var/run/dnssec.* -+.br -+ -+.br -+.B net_conf_t -+ -+ /etc/ntpd?\.conf.* -+.br -+ /etc/hosts[^/]* -+.br -+ /etc/yp\.conf.* -+.br -+ /etc/denyhosts.* -+.br -+ /etc/hosts\.deny.* -+.br -+ /etc/resolv\.conf.* -+.br -+ /etc/ntp/step-tickers.* -+.br -+ /etc/sysconfig/networking(/.*)? -+.br -+ /etc/sysconfig/network-scripts(/.*)? -+.br -+ /etc/sysconfig/network-scripts/.*resolv\.conf -+.br -+ /etc/ethers -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -23676,6 +43108,9 @@ index 0000000..d5478bf +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -23687,13 +43122,15 @@ index 0000000..d5478bf + +.SH "SEE ALSO" +selinux(8), dnssec_trigger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/dovecot_auth_selinux.8 b/man/man8/dovecot_auth_selinux.8 new file mode 100644 -index 0000000..6411b0a +index 0000000..81a2b09 --- /dev/null +++ b/man/man8/dovecot_auth_selinux.8 -@@ -0,0 +1,155 @@ -+.TH "dovecot_auth_selinux" "8" "12-11-01" "dovecot_auth" "SELinux Policy documentation for dovecot_auth" +@@ -0,0 +1,239 @@ ++.TH "dovecot_auth_selinux" "8" "13-01-16" "dovecot_auth" "SELinux Policy documentation for dovecot_auth" +.SH "NAME" +dovecot_auth_selinux \- Security Enhanced Linux Policy for the dovecot_auth processes +.SH "DESCRIPTION" 
@@ -23709,7 +43146,9 @@ index 0000000..6411b0a + +.SH "ENTRYPOINTS" + -+The dovecot_auth_t SELinux type can be entered via the "dovecot_auth_exec_t" file type. The default entrypoint paths for the dovecot_auth_t domain are the following:" ++The dovecot_auth_t SELinux type can be entered via the \fBdovecot_auth_exec_t\fP file type. ++ ++The default entrypoint paths for the dovecot_auth_t domain are the following: + +/usr/libexec/dovecot/auth, /usr/libexec/dovecot/dovecot-auth +.SH PROCESS TYPES 
@@ -23727,8 +43166,132 @@ index 0000000..6411b0a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dovecot_auth_t ++can be used to make the process type dovecot_auth_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dovecot_auth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dovecot_auth with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dovecot_auth_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dovecot_auth_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type dovecot_auth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B dovecot_auth_tmp_t ++ ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -23738,7 +43301,20 @@ index 0000000..6411b0a +Policy governs the access confined processes have to these files. +SELinux dovecot_auth policy is very flexible allowing users to setup their dovecot_auth processes in as secure a method as possible. +.PP -+The following file types are defined for dovecot_auth: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dovecot_auth, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dovecot_auth_exec_t '/srv/dovecot_auth/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydovecot_auth_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dovecot_auth: + + +.EX @@ -23748,6 +43324,10 @@ index 0000000..6411b0a + +- Set files with the dovecot_auth_exec_t type, if you want to transition an executable to the dovecot_auth_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/libexec/dovecot/auth, /usr/libexec/dovecot/dovecot-auth + +.EX +.PP 
@@ -23764,68 +43344,6 @@ index 0000000..6411b0a +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type dovecot_auth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B dovecot_auth_tmp_t -+ -+ -+.br -+.B faillog_t -+ -+ /var/log/btmp.* -+.br -+ /var/run/faillock(/.*)? -+.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B initrc_var_run_t -+ -+ /var/run/utmp -+.br -+ /var/run/random-seed -+.br -+ /var/run/runlevel\.dir -+.br -+ /var/run/setmixer_flag -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_auth_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the dovecot_auth_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -23836,6 +43354,9 @@ index 0000000..6411b0a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -23847,15 +43368,15 @@ index 0000000..6411b0a + +.SH "SEE ALSO" +selinux(8), dovecot_auth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, dovecot_selinux(8), dovecot_selinux(8), dovecot_deliver_selinux(8) ++, setsebool(8), dovecot_selinux(8), dovecot_selinux(8), dovecot_deliver_selinux(8) \ No newline at end of file diff --git a/man/man8/dovecot_deliver_selinux.8 b/man/man8/dovecot_deliver_selinux.8 new file mode 100644 -index 0000000..fa12a80 +index 0000000..c78c133 --- /dev/null +++ b/man/man8/dovecot_deliver_selinux.8 -@@ -0,0 +1,157 @@ -+.TH "dovecot_deliver_selinux" "8" "12-11-01" "dovecot_deliver" "SELinux Policy documentation for dovecot_deliver" +@@ -0,0 +1,333 @@ ++.TH "dovecot_deliver_selinux" "8" "13-01-16" "dovecot_deliver" "SELinux Policy documentation for dovecot_deliver" +.SH "NAME" +dovecot_deliver_selinux \- Security Enhanced Linux Policy for the dovecot_deliver processes +.SH "DESCRIPTION" @@ -23871,7 +43392,9 @@ index 0000000..fa12a80 + +.SH "ENTRYPOINTS" + -+The dovecot_deliver_t SELinux type can be entered via the "dovecot_deliver_exec_t" file type. The default entrypoint paths for the dovecot_deliver_t domain are the following:" ++The dovecot_deliver_t SELinux type can be entered via the \fBdovecot_deliver_exec_t\fP file type. ++ ++The default entrypoint paths for the dovecot_deliver_t domain are the following: + +/usr/libexec/dovecot/deliver, /usr/libexec/dovecot/dovecot-lda +.SH PROCESS TYPES 
@@ -23889,54 +43412,150 @@ index 0000000..fa12a80 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dovecot_deliver_t ++can be used to make the process type dovecot_deliver_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dovecot_deliver policy is very flexible allowing users to setup their dovecot_deliver processes in as secure a method as possible. -+.PP -+The following file types are defined for dovecot_deliver: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dovecot_deliver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dovecot_deliver with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B dovecot_deliver_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the dovecot_deliver_exec_t type, if you want to transition an executable to the dovecot_deliver_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B dovecot_deliver_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the dovecot_deliver_tmp_t type, if you want to store dovecot deliver temporary files in the /tmp directories. 
++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dovecot_deliver_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type dovecot_deliver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br +.B data_home_t + + /root/\.local/share(/.*)? +.br + /home/[^/]*/\.local/share(/.*)? +.br ++ /home/pwalsh/\.local/share(/.*)? ++.br + /home/dwalsh/\.local/share(/.*)? +.br + /var/lib/xguest/home/xguest/\.local/share(/.*)? 
@@ -23953,42 +43572,117 @@ index 0000000..fa12a80 +.br + +.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br +.B mail_home_rw_t + + /root/Maildir(/.*)? +.br ++ /home/[^/]*/.maildir(/.*)? ++.br + /home/[^/]*/Maildir(/.*)? +.br ++ /home/pwalsh/.maildir(/.*)? ++.br ++ /home/pwalsh/Maildir(/.*)? ++.br ++ /home/dwalsh/.maildir(/.*)? ++.br + /home/dwalsh/Maildir(/.*)? +.br ++ /var/lib/xguest/home/xguest/.maildir(/.*)? ++.br + /var/lib/xguest/home/xguest/Maildir(/.*)? +.br + +.br ++.B nfs_t ++ ++ ++.br +.B user_home_t + + /home/[^/]*/.+ +.br ++ /home/pwalsh/.+ ++.br + /home/dwalsh/.+ +.br + /var/lib/xguest/home/xguest/.+ +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dovecot_deliver policy is very flexible allowing users to setup their dovecot_deliver processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dovecot_deliver, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dovecot_deliver_exec_t '/srv/dovecot_deliver/content(/.*)?' 
++.br ++.B restorecon -R -v /srv/mydovecot_deliver_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dovecot_deliver: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B dovecot_deliver_exec_t +.EE + ++- Set files with the dovecot_deliver_exec_t type, if you want to transition an executable to the dovecot_deliver_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/dovecot/deliver, /usr/libexec/dovecot/dovecot-lda ++ ++.EX ++.PP ++.B dovecot_deliver_tmp_t ++.EE ++ ++- Set files with the dovecot_deliver_tmp_t type, if you want to store dovecot deliver temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the dovecot_deliver_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -24000,6 +43694,9 @@ index 0000000..fa12a80 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -24011,15 +43708,15 @@ index 0000000..fa12a80 + +.SH "SEE ALSO" +selinux(8), dovecot_deliver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, dovecot_selinux(8), dovecot_selinux(8), dovecot_auth_selinux(8) ++, setsebool(8), dovecot_selinux(8), dovecot_selinux(8), dovecot_auth_selinux(8) \ No newline at end of file 
diff --git a/man/man8/dovecot_selinux.8 b/man/man8/dovecot_selinux.8 new file mode 100644 -index 0000000..d61a836 +index 0000000..aeac1be --- /dev/null +++ b/man/man8/dovecot_selinux.8 -@@ -0,0 +1,317 @@ -+.TH "dovecot_selinux" "8" "12-11-01" "dovecot" "SELinux Policy documentation for dovecot" +@@ -0,0 +1,556 @@ ++.TH "dovecot_selinux" "8" "13-01-16" "dovecot" "SELinux Policy documentation for dovecot" +.SH "NAME" +dovecot_selinux \- Security Enhanced Linux Policy for the dovecot processes +.SH "DESCRIPTION" @@ -24035,7 +43732,9 @@ index 0000000..d61a836 + +.SH "ENTRYPOINTS" + -+The dovecot_t SELinux type can be entered via the "dovecot_exec_t" file type. The default entrypoint paths for the dovecot_t domain are the following:" ++The dovecot_t SELinux type can be entered via the \fBdovecot_exec_t\fP file type. ++ ++The default entrypoint paths for the dovecot_t domain are the following: + +/usr/sbin/dovecot +.SH PROCESS TYPES 
@@ -24053,8 +43752,314 @@ index 0000000..d61a836 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dovecot_t ++can be used to make the process type dovecot_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dovecot policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dovecot with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type dovecot_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B data_home_t ++ ++ /root/\.local/share(/.*)? ++.br ++ /home/[^/]*/\.local/share(/.*)? ++.br ++ /home/pwalsh/\.local/share(/.*)? ++.br ++ /home/dwalsh/\.local/share(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.local/share(/.*)? ++.br ++ ++.br ++.B dovecot_spool_t ++ ++ /var/spool/dovecot(/.*)? ++.br ++ ++.br ++.B dovecot_tmp_t ++ ++ ++.br ++.B dovecot_var_lib_t ++ ++ /var/lib/dovecot(/.*)? ++.br ++ /var/run/dovecot/login/ssl-parameters.dat ++.br ++ ++.br ++.B dovecot_var_log_t ++ ++ /var/log/dovecot(/.*)? ++.br ++ /var/log/dovecot\.log.* ++.br ++ ++.br ++.B dovecot_var_run_t ++ ++ /var/run/dovecot(-login)?(/.*)? ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? 
++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B mail_home_rw_t ++ ++ /root/Maildir(/.*)? ++.br ++ /home/[^/]*/.maildir(/.*)? ++.br ++ /home/[^/]*/Maildir(/.*)? ++.br ++ /home/pwalsh/.maildir(/.*)? ++.br ++ /home/pwalsh/Maildir(/.*)? ++.br ++ /home/dwalsh/.maildir(/.*)? ++.br ++ /home/dwalsh/Maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/.maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/Maildir(/.*)? ++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -24064,7 +44069,31 @@ index 0000000..d61a836 +Policy governs the access confined processes have to these files. +SELinux dovecot policy is very flexible allowing users to setup their dovecot processes in as secure a method as possible. +.PP -+The following file types are defined for dovecot: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++dovecot policy stores data with multiple different file context types under the /var/log/dovecot directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/dovecot /srv/dovecot ++.br ++.B restorecon -R -v /srv/dovecot ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dovecot, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dovecot_auth_exec_t '/srv/dovecot/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydovecot_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dovecot: + + +.EX @@ -24074,6 +44103,10 @@ index 0000000..d61a836 + +- Set files with the dovecot_auth_exec_t type, if you want to transition an executable to the dovecot_auth_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/libexec/dovecot/auth, /usr/libexec/dovecot/dovecot-auth + +.EX +.PP @@ -24090,6 +44123,10 @@ index 0000000..d61a836 + +- Set files with the dovecot_cert_t type, if you want to treat the files as dovecot certificate data. + ++.br ++.TP 5 ++Paths: ++/etc/pki/dovecot(/.*)?, /usr/share/ssl/certs/dovecot\.pem, /usr/share/ssl/private/dovecot\.pem + +.EX +.PP 
@@ -24098,6 +44135,10 @@ index 0000000..d61a836 + +- Set files with the dovecot_deliver_exec_t type, if you want to transition an executable to the dovecot_deliver_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/libexec/dovecot/deliver, /usr/libexec/dovecot/dovecot-lda + +.EX +.PP @@ -24114,6 +44155,10 @@ index 0000000..d61a836 + +- Set files with the dovecot_etc_t type, if you want to store dovecot files in the /etc directories. + ++.br ++.TP 5 ++Paths: ++/etc/dovecot(/.*)?, /etc/dovecot\.conf.* + +.EX +.PP @@ -24170,6 +44215,10 @@ index 0000000..d61a836 + +- Set files with the dovecot_var_lib_t type, if you want to store the dovecot files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/dovecot(/.*)?, /var/run/dovecot/login/ssl-parameters.dat + +.EX +.PP @@ -24178,13 +44227,17 @@ index 0000000..d61a836 + +- Set files with the dovecot_var_log_t type, if you want to treat the data as dovecot var log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/dovecot(/.*)?, /var/log/dovecot\.log.* + +.EX +.PP +.B dovecot_var_run_t +.EE + -+- Set files with the dovecot_var_run_t type, if you want to store the dovecot files under the /run directory. ++- Set files with the dovecot_var_run_t type, if you want to store the dovecot files under the /run or /var/run directory. + + +.PP 
@@ -24194,126 +44247,6 @@ index 0000000..d61a836 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type dovecot_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B data_home_t -+ -+ /root/\.local/share(/.*)? -+.br -+ /home/[^/]*/\.local/share(/.*)? -+.br -+ /home/dwalsh/\.local/share(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.local/share(/.*)? -+.br -+ -+.br -+.B dovecot_spool_t -+ -+ /var/spool/dovecot(/.*)? -+.br -+ -+.br -+.B dovecot_tmp_t -+ -+ -+.br -+.B dovecot_var_lib_t -+ -+ /var/lib/dovecot(/.*)? -+.br -+ /var/run/dovecot/login/ssl-parameters.dat -+.br -+ -+.br -+.B dovecot_var_log_t -+ -+ /var/log/dovecot(/.*)? -+.br -+ /var/log/dovecot\.log.* -+.br -+ -+.br -+.B dovecot_var_run_t -+ -+ /var/run/dovecot(-login)?(/.*)? -+.br -+ -+.br -+.B krb5_host_rcache_t -+ -+ /var/cache/krb5rcache(/.*)? -+.br -+ /var/tmp/nfs_0 -+.br -+ /var/tmp/DNS_25 -+.br -+ /var/tmp/host_0 -+.br -+ /var/tmp/imap_0 -+.br -+ /var/tmp/HTTP_23 -+.br -+ /var/tmp/HTTP_48 -+.br -+ /var/tmp/ldap_55 -+.br -+ /var/tmp/ldap_487 -+.br -+ /var/tmp/ldapmap1_0 -+.br -+ -+.br -+.B mail_home_rw_t -+ -+ /root/Maildir(/.*)? -+.br -+ /home/[^/]*/Maildir(/.*)? -+.br -+ /home/dwalsh/Maildir(/.*)? -+.br -+ /var/lib/xguest/home/xguest/Maildir(/.*)? -+.br -+ -+.br -+.B mail_spool_t -+ -+ /var/mail(/.*)? -+.br -+ /var/spool/imap(/.*)? -+.br -+ /var/spool/mail(/.*)? -+.br -+ -+.br -+.B user_home_t -+ -+ /home/[^/]*/.+ -+.br -+ /home/dwalsh/.+ -+.br -+ /var/lib/xguest/home/xguest/.+ -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
-+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -24324,6 +44257,9 @@ index 0000000..d61a836 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -24335,15 +44271,15 @@ index 0000000..d61a836 + +.SH "SEE ALSO" +selinux(8), dovecot(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, dovecot_auth_selinux(8), dovecot_deliver_selinux(8) ++, setsebool(8), dovecot_auth_selinux(8), dovecot_deliver_selinux(8) \ No newline at end of file diff --git a/man/man8/drbd_selinux.8 b/man/man8/drbd_selinux.8 new file mode 100644 -index 0000000..0306d2e +index 0000000..9ba7041 --- /dev/null +++ b/man/man8/drbd_selinux.8 -@@ -0,0 +1,116 @@ -+.TH "drbd_selinux" "8" "12-11-01" "drbd" "SELinux Policy documentation for drbd" +@@ -0,0 +1,231 @@ ++.TH "drbd_selinux" "8" "13-01-16" "drbd" "SELinux Policy documentation for drbd" +.SH "NAME" +drbd_selinux \- Security Enhanced Linux Policy for the drbd processes +.SH "DESCRIPTION" @@ -24359,7 +44295,9 @@ index 0000000..0306d2e + +.SH "ENTRYPOINTS" + -+The drbd_t SELinux type can be entered via the "drbd_exec_t" file type. The default entrypoint paths for the drbd_t domain are the following:" ++The drbd_t SELinux type can be entered via the \fBdrbd_exec_t\fP file type. ++ ++The default entrypoint paths for the drbd_t domain are the following: + +/usr/lib/ocf/resource.\d/linbit/drbd, /sbin/drbdadm, /sbin/drbdsetup, /usr/sbin/drbdadm, /usr/sbin/drbdsetup +.SH PROCESS TYPES 
@@ -24377,8 +44315,108 @@ index 0000000..0306d2e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a drbd_t ++can be used to make the process type drbd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. drbd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run drbd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type drbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B drbd_lock_t ++ ++ /var/lock/subsys/drbd ++.br ++ ++.br ++.B drbd_var_lib_t ++ ++ /var/lib/drbd(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -24388,7 +44426,20 @@ index 0000000..0306d2e +Policy governs the access confined processes have to these files. +SELinux drbd policy is very flexible allowing users to setup their drbd processes in as secure a method as possible. +.PP -+The following file types are defined for drbd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the drbd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t drbd_exec_t '/srv/drbd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydrbd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for drbd: + + +.EX 
@@ -24398,6 +44449,18 @@ index 0000000..0306d2e + +- Set files with the drbd_exec_t type, if you want to transition an executable to the drbd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/ocf/resource.\d/linbit/drbd, /sbin/drbdadm, /sbin/drbdsetup, /usr/sbin/drbdadm, /usr/sbin/drbdsetup ++ ++.EX ++.PP ++.B drbd_initrc_exec_t ++.EE ++ ++- Set files with the drbd_initrc_exec_t type, if you want to transition an executable to the drbd_initrc_t domain. ++ + +.EX +.PP @@ -24422,22 +44485,6 @@ index 0000000..0306d2e +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type drbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B drbd_lock_t -+ -+ -+.br -+.B drbd_var_lib_t -+ -+ /var/lib/drbd(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -24448,6 +44495,9 @@ index 0000000..0306d2e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -24459,13 +44509,15 @@ index 0000000..0306d2e + +.SH "SEE ALSO" +selinux(8), drbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/dspam_selinux.8 b/man/man8/dspam_selinux.8 new file mode 100644 -index 0000000..64cf453 +index 0000000..d767a1d --- /dev/null +++ b/man/man8/dspam_selinux.8 -@@ -0,0 +1,166 @@ -+.TH "dspam_selinux" "8" "12-11-01" "dspam" "SELinux Policy documentation for dspam" +@@ -0,0 +1,279 @@ ++.TH "dspam_selinux" "8" "13-01-16" "dspam" "SELinux Policy documentation for dspam" +.SH "NAME" +dspam_selinux \- Security Enhanced Linux Policy for the dspam processes +.SH "DESCRIPTION" 
@@ -24481,7 +44533,9 @@ index 0000000..64cf453 + +.SH "ENTRYPOINTS" + -+The dspam_t SELinux type can be entered via the "dspam_exec_t" file type. The default entrypoint paths for the dspam_t domain are the following:" ++The dspam_t SELinux type can be entered via the \fBdspam_exec_t\fP file type. ++ ++The default entrypoint paths for the dspam_t domain are the following: + +/usr/bin/dspam +.SH PROCESS TYPES 
@@ -24499,8 +44553,152 @@ index 0000000..64cf453 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a dspam_t ++can be used to make the process type dspam_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. dspam policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dspam with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the dspam_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dspam_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type dspam_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B dspam_var_lib_t ++ ++ /var/lib/dspam(/.*)? 
++.br ++ ++.br ++.B dspam_var_run_t ++ ++ /var/run/dspam(/.*)? ++.br ++ ++.br ++.B httpd_dspam_rw_content_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -24510,7 +44708,20 @@ index 0000000..64cf453 +Policy governs the access confined processes have to these files. +SELinux dspam policy is very flexible allowing users to setup their dspam processes in as secure a method as possible. +.PP -+The following file types are defined for dspam: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the dspam, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t dspam_exec_t '/srv/dspam/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mydspam_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for dspam: + + +.EX @@ -24539,14 +44750,6 @@ index 0000000..64cf453 + +.EX +.PP -+.B dspam_tmp_t -+.EE -+ -+- Set files with the dspam_tmp_t type, if you want to store dspam temporary files in the /tmp directories. -+ -+ -+.EX -+.PP +.B dspam_var_lib_t +.EE + @@ -24558,7 +44761,7 @@ index 0000000..64cf453 +.B dspam_var_run_t +.EE + -+- Set files with the dspam_var_run_t type, if you want to store the dspam files under the /run directory. ++- Set files with the dspam_var_run_t type, if you want to store the dspam files under the /run or /var/run directory. + + +.PP 
@@ -24568,48 +44771,6 @@ index 0000000..64cf453 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type dspam_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B dspam_log_t -+ -+ /var/log/dspam(/.*)? -+.br -+ -+.br -+.B dspam_var_lib_t -+ -+ /var/lib/dspam(/.*)? -+.br -+ -+.br -+.B dspam_var_run_t -+ -+ /var/run/dspam(/.*)? -+.br -+ -+.br -+.B httpd_dspam_rw_content_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dspam_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the dspam_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -24620,6 +44781,9 @@ index 0000000..64cf453 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -24631,13 +44795,15 @@ index 0000000..64cf453 + +.SH "SEE ALSO" +selinux(8), dspam(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/entropyd_selinux.8 b/man/man8/entropyd_selinux.8 new file mode 100644 -index 0000000..0035e75 +index 0000000..22f8d1e --- /dev/null 
+++ b/man/man8/entropyd_selinux.8 -@@ -0,0 +1,142 @@ -+.TH "entropyd_selinux" "8" "12-11-01" "entropyd" "SELinux Policy documentation for entropyd" +@@ -0,0 +1,271 @@ ++.TH "entropyd_selinux" "8" "13-01-16" "entropyd" "SELinux Policy documentation for entropyd" +.SH "NAME" +entropyd_selinux \- Security Enhanced Linux Policy for the entropyd processes +.SH "DESCRIPTION" @@ -24653,7 +44819,9 @@ index 0000000..0035e75 + +.SH "ENTRYPOINTS" + -+The entropyd_t SELinux type can be entered via the "entropyd_exec_t" file type. The default entrypoint paths for the entropyd_t domain are the following:" ++The entropyd_t SELinux type can be entered via the \fBentropyd_exec_t\fP file type. ++ ++The default entrypoint paths for the entropyd_t domain are the following: + +/usr/sbin/haveged, /usr/sbin/audio-entropyd +.SH PROCESS TYPES 
@@ -24671,60 +44839,132 @@ index 0000000..0035e75 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a entropyd_t ++can be used to make the process type entropyd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. entropyd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run entropyd with the tightest access possible. + + +.PP -+If you want to allow the use of the audio devices as the source for the entropy feeds, you must turn on the entropyd_use_audio boolean. ++If you want to determine whether entropyd can use audio devices as the source for the entropy feeds, you must turn on the entropyd_use_audio boolean. Disabled by default. + +.EX +.B setsebool -P entropyd_use_audio 1 ++ +.EE + +.PP -+If you want to allow the use of the audio devices as the source for the entropy feeds, you must turn on the entropyd_use_audio boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P entropyd_use_audio 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux entropyd policy is very flexible allowing users to setup their entropyd processes in as secure a method as possible. 
-+.PP -+The following file types are defined for entropyd: -+ ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B entropyd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the entropyd_exec_t type, if you want to transition an executable to the entropyd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B entropyd_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the entropyd_var_run_t type, if you want to store the entropyd files under the /run directory. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the entropyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the entropyd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -24738,21 +44978,76 @@ index 0000000..0035e75 + /var/run/audio-entropyd\.pid +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux entropyd policy is very flexible allowing users to setup their entropyd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the entropyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the entropyd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t entropyd_exec_t '/srv/entropyd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myentropyd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for entropyd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B entropyd_exec_t +.EE + ++- Set files with the entropyd_exec_t type, if you want to transition an executable to the entropyd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/haveged, /usr/sbin/audio-entropyd ++ ++.EX ++.PP ++.B entropyd_initrc_exec_t ++.EE ++ ++- Set files with the entropyd_initrc_exec_t type, if you want to transition an executable to the entropyd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B entropyd_var_run_t ++.EE ++ ++- Set files with the entropyd_var_run_t type, if you want to store the entropyd files under the /run or /var/run directory. 
++ ++.br ++.TP 5 ++Paths: ++/var/run/haveged\.pid, /var/run/audio-entropyd\.pid ++ +.PP -+If you want to allow confined applications to run with kerberos for the entropyd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -24782,11 +45077,11 @@ index 0000000..0035e75 \ No newline at end of file diff --git a/man/man8/eventlogd_selinux.8 b/man/man8/eventlogd_selinux.8 new file mode 100644 -index 0000000..755e81c +index 0000000..669eac4 --- /dev/null +++ b/man/man8/eventlogd_selinux.8 -@@ -0,0 +1,126 @@ -+.TH "eventlogd_selinux" "8" "12-11-01" "eventlogd" "SELinux Policy documentation for eventlogd" +@@ -0,0 +1,233 @@ ++.TH "eventlogd_selinux" "8" "13-01-16" "eventlogd" "SELinux Policy documentation for eventlogd" +.SH "NAME" +eventlogd_selinux \- Security Enhanced Linux Policy for the eventlogd processes +.SH "DESCRIPTION" @@ -24802,9 +45097,11 @@ index 0000000..755e81c + +.SH "ENTRYPOINTS" + -+The eventlogd_t SELinux type can be entered via the "eventlogd_exec_t" file type. The default entrypoint paths for the eventlogd_t domain are the following:" ++The eventlogd_t SELinux type can be entered via the \fBeventlogd_exec_t\fP file type. + -+/usr/sbin/eventlogd ++The default entrypoint paths for the eventlogd_t domain are the following: ++ ++/usr/sbin/eventlogd, /opt/likewise/sbin/eventlogd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -24820,8 +45117,102 @@ index 0000000..755e81c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a eventlogd_t ++can be used to make the process type eventlogd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. eventlogd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run eventlogd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type eventlogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B eventlogd_var_lib_t ++ ++ /var/lib/likewise/db/lwi_events\.db ++.br ++ /var/lib/likewise-open/db/lwi_events\.db ++.br ++ ++.br ++.B eventlogd_var_run_t ++ ++ /var/run/eventlogd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -24831,7 +45222,20 @@ index 0000000..755e81c +Policy governs the access confined processes have to these files. +SELinux eventlogd policy is very flexible allowing users to setup their eventlogd processes in as secure a method as possible. +.PP -+The following file types are defined for eventlogd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the eventlogd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t eventlogd_exec_t '/srv/eventlogd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myeventlogd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for eventlogd: + + +.EX 
@@ -24841,6 +45245,10 @@ index 0000000..755e81c + +- Set files with the eventlogd_exec_t type, if you want to transition an executable to the eventlogd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/eventlogd, /opt/likewise/sbin/eventlogd + +.EX +.PP @@ -24849,13 +45257,17 @@ index 0000000..755e81c + +- Set files with the eventlogd_var_lib_t type, if you want to store the eventlogd files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/likewise/db/lwi_events\.db, /var/lib/likewise-open/db/lwi_events\.db + +.EX +.PP +.B eventlogd_var_run_t +.EE + -+- Set files with the eventlogd_var_run_t type, if you want to store the eventlogd files under the /run directory. ++- Set files with the eventlogd_var_run_t type, if you want to store the eventlogd files under the /run or /var/run directory. + + +.EX @@ -24865,6 +45277,10 @@ index 0000000..755e81c + +- Set files with the eventlogd_var_socket_t type, if you want to treat the files as eventlogd var socket data. + ++.br ++.TP 5 ++Paths: ++/var/lib/likewise/\.eventlog, /var/lib/likewise/rpc/socket, /var/lib/likewise-open/\.eventlog, /var/lib/likewise-open/rpc/socket + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -24873,24 +45289,6 @@ index 0000000..755e81c +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type eventlogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B eventlogd_var_lib_t -+ -+ /var/lib/likewise-open/db/lwi_events.db -+.br -+ -+.br -+.B eventlogd_var_run_t -+ -+ /var/run/eventlogd.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -24901,6 +45299,9 @@ index 0000000..755e81c +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -24912,13 +45313,15 @@ index 0000000..755e81c + +.SH "SEE ALSO" +selinux(8), eventlogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/evtchnd_selinux.8 b/man/man8/evtchnd_selinux.8 new file mode 100644 -index 0000000..85b3690 +index 0000000..efb207c --- /dev/null +++ b/man/man8/evtchnd_selinux.8 -@@ -0,0 +1,120 @@ -+.TH "evtchnd_selinux" "8" "12-11-01" "evtchnd" "SELinux Policy documentation for evtchnd" +@@ -0,0 +1,217 @@ ++.TH "evtchnd_selinux" "8" "13-01-16" "evtchnd" "SELinux Policy documentation for evtchnd" +.SH "NAME" +evtchnd_selinux \- Security Enhanced Linux Policy for the evtchnd processes +.SH "DESCRIPTION" @@ -24934,7 +45337,9 @@ index 0000000..85b3690 + +.SH "ENTRYPOINTS" + -+The evtchnd_t SELinux type can be entered via the "evtchnd_exec_t" file type. The default entrypoint paths for the evtchnd_t domain are the following:" ++The evtchnd_t SELinux type can be entered via the \fBevtchnd_exec_t\fP file type. ++ ++The default entrypoint paths for the evtchnd_t domain are the following: + +/usr/sbin/evtchnd +.SH PROCESS TYPES 
@@ -24952,8 +45357,102 @@ index 0000000..85b3690 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a evtchnd_t ++can be used to make the process type evtchnd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. evtchnd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run evtchnd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type evtchnd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B evtchnd_var_log_t ++ ++ /var/log/evtchnd\.log.* ++.br ++ ++.br ++.B evtchnd_var_run_t ++ ++ /var/run/evtchnd ++.br ++ /var/run/evtchnd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -24963,7 +45462,20 @@ index 0000000..85b3690 +Policy governs the access confined processes have to these files. +SELinux evtchnd policy is very flexible allowing users to setup their evtchnd processes in as secure a method as possible. +.PP -+The following file types are defined for evtchnd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the evtchnd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t evtchnd_exec_t '/srv/evtchnd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myevtchnd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for evtchnd: + + +.EX 
@@ -24987,8 +45499,12 @@ index 0000000..85b3690 +.B evtchnd_var_run_t +.EE + -+- Set files with the evtchnd_var_run_t type, if you want to store the evtchnd files under the /run directory. ++- Set files with the evtchnd_var_run_t type, if you want to store the evtchnd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/evtchnd, /var/run/evtchnd\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -24997,26 +45513,6 @@ index 0000000..85b3690 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type evtchnd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B evtchnd_var_log_t -+ -+ /var/log/evtchnd\.log.* -+.br -+ -+.br -+.B evtchnd_var_run_t -+ -+ /var/run/evtchnd -+.br -+ /var/run/evtchnd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -25027,6 +45523,9 @@ index 0000000..85b3690 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -25038,13 +45537,15 @@ index 0000000..85b3690 + +.SH "SEE ALSO" +selinux(8), evtchnd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/exim_selinux.8 b/man/man8/exim_selinux.8 new file mode 100644 -index 0000000..f156767 +index 0000000..6b70ed5 --- /dev/null 
+++ b/man/man8/exim_selinux.8 -@@ -0,0 +1,270 @@ -+.TH "exim_selinux" "8" "12-11-01" "exim" "SELinux Policy documentation for exim" +@@ -0,0 +1,492 @@ ++.TH "exim_selinux" "8" "13-01-16" "exim" "SELinux Policy documentation for exim" +.SH "NAME" +exim_selinux \- Security Enhanced Linux Policy for the exim processes +.SH "DESCRIPTION" @@ -25060,7 +45561,9 @@ index 0000000..f156767 + +.SH "ENTRYPOINTS" + -+The exim_t SELinux type can be entered via the "exim_exec_t" file type. The default entrypoint paths for the exim_t domain are the following:" ++The exim_t SELinux type can be entered via the \fBexim_exec_t\fP file type. ++ ++The default entrypoint paths for the exim_t domain are the following: + +/usr/sbin/exim[0-9]?, /usr/sbin/exim_tidydb +.SH PROCESS TYPES 
@@ -25078,55 +45581,331 @@ index 0000000..f156767 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a exim_t ++can be used to make the process type exim_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. exim policy is extremely flexible and has several booleans that allow you to manipulate the policy and run exim with the tightest access possible. + + +.PP -+If you want to allow exim to connect to databases (postgres, mysql), you must turn on the exim_can_connect_db boolean. ++If you want to determine whether exim can connect to databases, you must turn on the exim_can_connect_db boolean. Disabled by default. + +.EX +.B setsebool -P exim_can_connect_db 1 ++ +.EE + +.PP -+If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean. ++If you want to determine whether exim can create, read, write, and delete generic user content files, you must turn on the exim_manage_user_files boolean. Disabled by default. + +.EX +.B setsebool -P exim_manage_user_files 1 ++ +.EE + +.PP -+If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean. ++If you want to determine whether exim can read generic user content files, you must turn on the exim_read_user_files boolean. Disabled by default. + +.EX +.B setsebool -P exim_read_user_files 1 ++ +.EE + +.PP -+If you want to allow exim to connect to databases (postgres, mysql), you must turn on the exim_can_connect_db boolean. 
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P exim_can_connect_db 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P exim_manage_user_files 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.B setsebool -P exim_read_user_files 1 ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Gitosis can send mail, you must turn on the gitosis_can_sendmail boolean. Disabled by default. ++ ++.EX ++.B setsebool -P gitosis_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the exim_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the exim_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type exim_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B arpwatch_tmp_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B dovecot_spool_t ++ ++ /var/spool/dovecot(/.*)? ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B exim_spool_t ++ ++ /var/spool/exim[0-9]?(/.*)? ++.br ++ ++.br ++.B exim_tmp_t ++ ++ ++.br ++.B exim_var_run_t ++ ++ /var/run/exim[0-9]?\.pid ++.br ++ /var/run/exim[0-9]?(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B mail_home_rw_t ++ ++ /root/Maildir(/.*)? ++.br ++ /home/[^/]*/.maildir(/.*)? ++.br ++ /home/[^/]*/Maildir(/.*)? ++.br ++ /home/pwalsh/.maildir(/.*)? ++.br ++ /home/pwalsh/Maildir(/.*)? ++.br ++ /home/dwalsh/.maildir(/.*)? ++.br ++ /home/dwalsh/Maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/.maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/Maildir(/.*)? ++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? 
++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sendmail_tmp_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -25135,7 +45914,31 @@ index 0000000..f156767 +Policy governs the access confined processes have to these files. +SELinux exim policy is very flexible allowing users to setup their exim processes in as secure a method as possible. +.PP -+The following file types are defined for exim: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++exim policy stores data with multiple different file context types under the /var/run/exim[0-9]? directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/exim[0-9]? /srv/exim[0-9]? ++.br ++.B restorecon -R -v /srv/exim[0-9]? ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the exim, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t exim_exec_t '/srv/exim/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myexim_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for exim: + + +.EX 
@@ -25145,6 +45948,10 @@ index 0000000..f156767 + +- Set files with the exim_exec_t type, if you want to transition an executable to the exim_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/exim[0-9]?, /usr/sbin/exim_tidydb + +.EX +.PP @@ -25191,8 +45998,12 @@ index 0000000..f156767 +.B exim_var_run_t +.EE + -+- Set files with the exim_var_run_t type, if you want to store the exim files under the /run directory. ++- Set files with the exim_var_run_t type, if you want to store the exim files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/exim[0-9]?\.pid, /var/run/exim[0-9]?(/.*)? + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -25201,94 +46012,6 @@ index 0000000..f156767 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type exim_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B arpwatch_tmp_t -+ -+ -+.br -+.B dovecot_spool_t -+ -+ /var/spool/dovecot(/.*)? -+.br -+ -+.br -+.B exim_log_t -+ -+ /var/log/exim[0-9]?(/.*)? -+.br -+ -+.br -+.B exim_spool_t -+ -+ /var/spool/exim[0-9]?(/.*)? -+.br -+ -+.br -+.B exim_tmp_t -+ -+ -+.br -+.B exim_var_run_t -+ -+ /var/run/exim[0-9]?\.pid -+.br -+ -+.br -+.B mail_home_rw_t -+ -+ /root/Maildir(/.*)? -+.br -+ /home/[^/]*/Maildir(/.*)? -+.br -+ /home/dwalsh/Maildir(/.*)? -+.br -+ /var/lib/xguest/home/xguest/Maildir(/.*)? -+.br -+ -+.br -+.B mail_spool_t -+ -+ /var/mail(/.*)? -+.br -+ /var/spool/imap(/.*)? -+.br -+ /var/spool/mail(/.*)? -+.br -+ -+.br -+.B sendmail_tmp_t -+ -+ -+.br -+.B user_home_t -+ -+ /home/[^/]*/.+ -+.br -+ /home/dwalsh/.+ -+.br -+ /var/lib/xguest/home/xguest/.+ -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the exim_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the exim_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -25317,11 +46040,11 @@ index 0000000..f156767 \ No newline at end of file diff --git a/man/man8/fail2ban_client_selinux.8 b/man/man8/fail2ban_client_selinux.8 new file mode 100644 -index 0000000..965514d +index 0000000..5a3e9c2 --- /dev/null 
+++ b/man/man8/fail2ban_client_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "fail2ban_client_selinux" "8" "12-11-01" "fail2ban_client" "SELinux Policy documentation for fail2ban_client" +@@ -0,0 +1,155 @@ ++.TH "fail2ban_client_selinux" "8" "13-01-16" "fail2ban_client" "SELinux Policy documentation for fail2ban_client" +.SH "NAME" +fail2ban_client_selinux \- Security Enhanced Linux Policy for the fail2ban_client processes +.SH "DESCRIPTION" @@ -25337,9 +46060,11 @@ index 0000000..965514d + +.SH "ENTRYPOINTS" + -+The fail2ban_client_t SELinux type can be entered via the "fail2ban_client_exec_t" file type. The default entrypoint paths for the fail2ban_client_t domain are the following:" ++The fail2ban_client_t SELinux type can be entered via the \fBfail2ban_client_exec_t\fP file type. + ++The default entrypoint paths for the fail2ban_client_t domain are the following: + ++/usr/bin/fail2ban-client +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -25355,8 +46080,60 @@ index 0000000..965514d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a fail2ban_client_t ++can be used to make the process type fail2ban_client_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. fail2ban_client policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fail2ban_client with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -25366,7 +46143,20 @@ index 0000000..965514d +Policy governs the access confined processes have to these files. +SELinux fail2ban_client policy is very flexible allowing users to setup their fail2ban_client processes in as secure a method as possible. +.PP -+The following file types are defined for fail2ban_client: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the fail2ban_client, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t fail2ban_client_exec_t '/srv/fail2ban_client/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfail2ban_client_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for fail2ban_client: + + +.EX @@ -25384,8 +46174,6 @@ index 0000000..965514d +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -25396,6 +46184,9 @@ index 0000000..965514d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -25407,15 +46198,15 @@ index 0000000..965514d + +.SH "SEE ALSO" +selinux(8), fail2ban_client(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, fail2ban_selinux(8), fail2ban_selinux(8) ++, setsebool(8), fail2ban_selinux(8), fail2ban_selinux(8) \ No newline at end of file 
diff --git a/man/man8/fail2ban_selinux.8 b/man/man8/fail2ban_selinux.8 new file mode 100644 -index 0000000..d71d700 +index 0000000..dbe3ff8 --- /dev/null +++ b/man/man8/fail2ban_selinux.8 -@@ -0,0 +1,201 @@ -+.TH "fail2ban_selinux" "8" "12-11-01" "fail2ban" "SELinux Policy documentation for fail2ban" +@@ -0,0 +1,321 @@ ++.TH "fail2ban_selinux" "8" "13-01-16" "fail2ban" "SELinux Policy documentation for fail2ban" +.SH "NAME" +fail2ban_selinux \- Security Enhanced Linux Policy for the fail2ban processes +.SH "DESCRIPTION" @@ -25431,7 +46222,9 @@ index 0000000..d71d700 + +.SH "ENTRYPOINTS" + -+The fail2ban_t SELinux type can be entered via the "fail2ban_exec_t" file type. The default entrypoint paths for the fail2ban_t domain are the following:" ++The fail2ban_t SELinux type can be entered via the \fBfail2ban_exec_t\fP file type. ++ ++The default entrypoint paths for the fail2ban_t domain are the following: + +/usr/bin/fail2ban, /usr/bin/fail2ban-server +.SH PROCESS TYPES 
@@ -25449,8 +46242,174 @@ index 0000000..d71d700 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a fail2ban_t ++can be used to make the process type fail2ban_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. fail2ban policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fail2ban with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the fail2ban_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the fail2ban_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type fail2ban_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B fail2ban_tmp_t ++ ++ ++.br ++.B fail2ban_var_lib_t ++ ++ /var/lib/fail2ban(/.*)? ++.br ++ ++.br ++.B fail2ban_var_run_t ++ ++ /var/run/fail2ban.* ++.br ++ ++.br ++.B net_conf_t ++ ++ /etc/hosts[^/]* ++.br ++ /etc/yp\.conf.* ++.br ++ /etc/denyhosts.* ++.br ++ /etc/hosts\.deny.* ++.br ++ /etc/resolv\.conf.* ++.br ++ /etc/sysconfig/networking(/.*)? ++.br ++ /etc/sysconfig/network-scripts(/.*)? ++.br ++ /etc/sysconfig/network-scripts/.*resolv\.conf ++.br ++ /etc/ethers ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -25460,7 +46419,20 @@ index 0000000..d71d700 +Policy governs the access confined processes have to these files. +SELinux fail2ban policy is very flexible allowing users to setup their fail2ban processes in as secure a method as possible. +.PP -+The following file types are defined for fail2ban: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the fail2ban, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t fail2ban_client_exec_t '/srv/fail2ban/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfail2ban_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for fail2ban: + + +.EX @@ -25478,6 +46450,10 @@ index 0000000..d71d700 + +- Set files with the fail2ban_exec_t type, if you want to transition an executable to the fail2ban_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/fail2ban, /usr/bin/fail2ban-server + +.EX +.PP 
@@ -25516,7 +46492,7 @@ index 0000000..d71d700 +.B fail2ban_var_run_t +.EE + -+- Set files with the fail2ban_var_run_t type, if you want to store the fail2ban files under the /run directory. ++- Set files with the fail2ban_var_run_t type, if you want to store the fail2ban files under the /run or /var/run directory. + + +.PP @@ -25526,74 +46502,6 @@ index 0000000..d71d700 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type fail2ban_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B fail2ban_log_t -+ -+ /var/log/fail2ban\.log.* -+.br -+ -+.br -+.B fail2ban_tmp_t -+ -+ -+.br -+.B fail2ban_var_lib_t -+ -+ /var/lib/fail2ban(/.*)? -+.br -+ -+.br -+.B fail2ban_var_run_t -+ -+ /var/run/fail2ban.* -+.br -+ -+.br -+.B net_conf_t -+ -+ /etc/ntpd?\.conf.* -+.br -+ /etc/hosts[^/]* -+.br -+ /etc/yp\.conf.* -+.br -+ /etc/denyhosts.* -+.br -+ /etc/hosts\.deny.* -+.br -+ /etc/resolv\.conf.* -+.br -+ /etc/ntp/step-tickers.* -+.br -+ /etc/sysconfig/networking(/.*)? -+.br -+ /etc/sysconfig/network-scripts(/.*)? -+.br -+ /etc/sysconfig/network-scripts/.*resolv\.conf -+.br -+ /etc/ethers -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fail2ban_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the fail2ban_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -25604,6 +46512,9 @@ index 0000000..d71d700 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -25615,15 +46526,15 @@ index 0000000..d71d700 + +.SH "SEE ALSO" +selinux(8), fail2ban(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, fail2ban_client_selinux(8) ++, setsebool(8), fail2ban_client_selinux(8) \ No newline at end of file diff --git a/man/man8/fcoemon_selinux.8 b/man/man8/fcoemon_selinux.8 new file mode 100644 -index 0000000..f5a355c +index 0000000..df94cd1 --- /dev/null +++ b/man/man8/fcoemon_selinux.8 -@@ -0,0 +1,106 @@ -+.TH "fcoemon_selinux" "8" "12-11-01" "fcoemon" "SELinux Policy documentation for fcoemon" +@@ -0,0 +1,211 @@ ++.TH "fcoemon_selinux" "8" "13-01-16" "fcoemon" "SELinux Policy documentation for fcoemon" +.SH "NAME" +fcoemon_selinux \- Security Enhanced Linux Policy for the fcoemon processes +.SH "DESCRIPTION" @@ -25639,7 +46550,9 @@ index 0000000..f5a355c + +.SH "ENTRYPOINTS" + -+The fcoemon_t SELinux type can be entered via the "fcoemon_exec_t" file type. The default entrypoint paths for the fcoemon_t domain are the following:" ++The fcoemon_t SELinux type can be entered via the \fBfcoemon_exec_t\fP file type. ++ ++The default entrypoint paths for the fcoemon_t domain are the following: + +/usr/sbin/fcoemon +.SH PROCESS TYPES 
@@ -25657,42 +46570,76 @@ index 0000000..f5a355c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a fcoemon_t ++can be used to make the process type fcoemon_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux fcoemon policy is very flexible allowing users to setup their fcoemon processes in as secure a method as possible. -+.PP -+The following file types are defined for fcoemon: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. fcoemon policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fcoemon with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B fcoemon_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the fcoemon_exec_t type, if you want to transition an executable to the fcoemon_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B fcoemon_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the fcoemon_var_run_t type, if you want to store the fcoemon files under the /run directory. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -25706,7 +46653,72 @@ index 0000000..f5a355c + /var/run/fcoemon\.pid +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux fcoemon policy is very flexible allowing users to setup their fcoemon processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the fcoemon, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t fcoemon_exec_t '/srv/fcoemon/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfcoemon_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for fcoemon: ++ ++ ++.EX ++.PP ++.B fcoemon_exec_t ++.EE ++ ++- Set files with the fcoemon_exec_t type, if you want to transition an executable to the fcoemon_t domain. ++ ++ ++.EX ++.PP ++.B fcoemon_initrc_exec_t ++.EE ++ ++- Set files with the fcoemon_initrc_exec_t type, if you want to transition an executable to the fcoemon_initrc_t domain. ++ ++ ++.EX ++.PP ++.B fcoemon_var_run_t ++.EE ++ ++- Set files with the fcoemon_var_run_t type, if you want to store the fcoemon files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/fcm(/.*)?, /var/run/fcoemon\.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
+ +.SH "COMMANDS" +.B semanage fcontext @@ -25718,6 +46730,9 @@ index 0000000..f5a355c +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -25729,13 +46744,15 @@ index 0000000..f5a355c + +.SH "SEE ALSO" +selinux(8), fcoemon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/fenced_selinux.8 b/man/man8/fenced_selinux.8 new file mode 100644 -index 0000000..fa89bb1 +index 0000000..61c77a9 --- /dev/null +++ b/man/man8/fenced_selinux.8 -@@ -0,0 +1,230 @@ -+.TH "fenced_selinux" "8" "12-11-01" "fenced" "SELinux Policy documentation for fenced" +@@ -0,0 +1,341 @@ ++.TH "fenced_selinux" "8" "13-01-16" "fenced" "SELinux Policy documentation for fenced" +.SH "NAME" +fenced_selinux \- Security Enhanced Linux Policy for the fenced processes +.SH "DESCRIPTION" @@ -25751,7 +46768,9 @@ index 0000000..fa89bb1 + +.SH "ENTRYPOINTS" + -+The fenced_t SELinux type can be entered via the "fenced_exec_t" file type. The default entrypoint paths for the fenced_t domain are the following:" ++The fenced_t SELinux type can be entered via the \fBfenced_exec_t\fP file type. ++ ++The default entrypoint paths for the fenced_t domain are the following: + +/usr/sbin/fenced, /usr/sbin/fence_node, /usr/sbin/fence_tool, /usr/sbin/fence_virtd +.SH PROCESS TYPES 
@@ -25769,41 +46788,199 @@ index 0000000..fa89bb1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a fenced_t ++can be used to make the process type fenced_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. fenced policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fenced with the tightest access possible. + + +.PP -+If you want to allow fenced domain to connect to the network using TCP, you must turn on the fenced_can_network_connect boolean. ++If you want to determine whether fenced can connect to the TCP network, you must turn on the fenced_can_network_connect boolean. Disabled by default. + +.EX +.B setsebool -P fenced_can_network_connect 1 ++ +.EE + +.PP -+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean. ++If you want to determine whether fenced can use ssh, you must turn on the fenced_can_ssh boolean. Disabled by default. + +.EX +.B setsebool -P fenced_can_ssh 1 ++ +.EE + +.PP -+If you want to allow fenced domain to connect to the network using TCP, you must turn on the fenced_can_network_connect boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P fenced_can_network_connect 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. 
Disabled by default. + +.EX -+.B setsebool -P fenced_can_ssh 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the fenced_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the fenced_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type fenced_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B fenced_lock_t ++ ++ /var/lock/fence_manual\.lock ++.br ++ ++.br ++.B fenced_tmp_t ++ ++ ++.br ++.B fenced_tmpfs_t ++ ++ ++.br ++.B fenced_var_log_t ++ ++ /var/log/cluster/fenced\.log.* ++.br ++ ++.br ++.B fenced_var_run_t ++ ++ /var/run/fence.* ++.br ++ /var/run/cluster/fence_scsi.* ++.br ++ /var/run/cluster/fenced_override ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B snmpd_var_lib_t ++ ++ /var/agentx(/.*)? ++.br ++ /var/net-snmp(/.*) ++.br ++ /var/lib/snmp(/.*)? ++.br ++ /var/net-snmp(/.*)? ++.br ++ /var/lib/net-snmp(/.*)? ++.br ++ /usr/share/snmp/mibs/\.index ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -25812,7 +46989,20 @@ index 0000000..fa89bb1 +Policy governs the access confined processes have to these files. +SELinux fenced policy is very flexible allowing users to setup their fenced processes in as secure a method as possible. +.PP -+The following file types are defined for fenced: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the fenced, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t fenced_exec_t '/srv/fenced/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfenced_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for fenced: + + +.EX @@ -25822,6 +47012,10 @@ index 0000000..fa89bb1 + +- Set files with the fenced_exec_t type, if you want to transition an executable to the fenced_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/fenced, /usr/sbin/fence_node, /usr/sbin/fence_tool, /usr/sbin/fence_virtd + +.EX +.PP @@ -25860,8 +47054,12 @@ index 0000000..fa89bb1 +.B fenced_var_run_t +.EE + -+- Set files with the fenced_var_run_t type, if you want to store the fenced files under the /run directory. ++- Set files with the fenced_var_run_t type, if you want to store the fenced files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/fence.*, /var/run/cluster/fence_scsi.*, /var/run/cluster/fenced_override + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -25870,76 +47068,6 @@ index 0000000..fa89bb1 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type fenced_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cluster_var_lib_t -+ -+ /var/lib/cluster(/.*)? -+.br -+ -+.br -+.B fenced_lock_t -+ -+ /var/lock/fence_manual\.lock -+.br -+ -+.br -+.B fenced_tmp_t -+ -+ -+.br -+.B fenced_tmpfs_t -+ -+ -+.br -+.B fenced_var_log_t -+ -+ /var/log/cluster/fenced\.log.* -+.br -+ -+.br -+.B fenced_var_run_t -+ -+ /var/run/fence.* -+.br -+ /var/run/cluster/fence_scsi.* -+.br -+ /var/run/cluster/fenced_override -+.br -+ -+.br -+.B snmpd_var_lib_t -+ -+ /var/agentx(/.*)? -+.br -+ /var/lib/snmp(/.*)? -+.br -+ /var/net-snmp(/.*)? -+.br -+ /var/lib/net-snmp(/.*)? -+.br -+ /usr/share/snmp/mibs/\.index -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fenced_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the fenced_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -25968,11 +47096,11 @@ index 0000000..fa89bb1 \ No newline at end of file diff --git a/man/man8/fetchmail_selinux.8 b/man/man8/fetchmail_selinux.8 new file mode 100644 -index 0000000..ae8394b +index 0000000..ba0d5a1 --- /dev/null 
+++ b/man/man8/fetchmail_selinux.8 -@@ -0,0 +1,144 @@ -+.TH "fetchmail_selinux" "8" "12-11-01" "fetchmail" "SELinux Policy documentation for fetchmail" +@@ -0,0 +1,269 @@ ++.TH "fetchmail_selinux" "8" "13-01-16" "fetchmail" "SELinux Policy documentation for fetchmail" +.SH "NAME" +fetchmail_selinux \- Security Enhanced Linux Policy for the fetchmail processes +.SH "DESCRIPTION" @@ -25988,7 +47116,9 @@ index 0000000..ae8394b + +.SH "ENTRYPOINTS" + -+The fetchmail_t SELinux type can be entered via the "fetchmail_exec_t" file type. The default entrypoint paths for the fetchmail_t domain are the following:" ++The fetchmail_t SELinux type can be entered via the \fBfetchmail_exec_t\fP file type. ++ ++The default entrypoint paths for the fetchmail_t domain are the following: + +/usr/bin/fetchmail +.SH PROCESS TYPES 
@@ -26006,8 +47136,118 @@ index 0000000..ae8394b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a fetchmail_t ++can be used to make the process type fetchmail_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. fetchmail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fetchmail with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type fetchmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B fetchmail_uidl_cache_t ++ ++ /var/lib/fetchmail(/.*)? ++.br ++ /var/mail/\.fetchmail-UIDL-cache ++.br ++ ++.br ++.B fetchmail_var_run_t ++ ++ /var/run/fetchmail/.* ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sendmail_log_t ++ ++ /var/log/mail(/.*)? ++.br ++ /var/log/sendmail\.st.* ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -26017,7 +47257,20 @@ index 0000000..ae8394b +Policy governs the access confined processes have to these files. +SELinux fetchmail policy is very flexible allowing users to setup their fetchmail processes in as secure a method as possible. +.PP -+The following file types are defined for fetchmail: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the fetchmail, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t fetchmail_etc_t '/srv/fetchmail/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfetchmail_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for fetchmail: + + +.EX @@ -26043,6 +47296,26 @@ index 0000000..ae8394b + +- Set files with the fetchmail_home_t type, if you want to store fetchmail files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/root/\.fetchmailrc, /home/[^/]*/\.fetchmailrc, /home/pwalsh/\.fetchmailrc, /home/dwalsh/\.fetchmailrc, /var/lib/xguest/home/xguest/\.fetchmailrc ++ ++.EX ++.PP ++.B fetchmail_initrc_exec_t ++.EE ++ ++- Set files with the fetchmail_initrc_exec_t type, if you want to transition an executable to the fetchmail_initrc_t domain. ++ ++ ++.EX ++.PP ++.B fetchmail_log_t ++.EE ++ ++- Set files with the fetchmail_log_t type, if you want to treat the data as fetchmail log data, usually stored under the /var/log directory. ++ + +.EX +.PP 
@@ -26051,13 +47324,17 @@ index 0000000..ae8394b + +- Set files with the fetchmail_uidl_cache_t type, if you want to store the files under the /var/cache directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/fetchmail(/.*)?, /var/mail/\.fetchmail-UIDL-cache + +.EX +.PP +.B fetchmail_var_run_t +.EE + -+- Set files with the fetchmail_var_run_t type, if you want to store the fetchmail files under the /run directory. ++- Set files with the fetchmail_var_run_t type, if you want to store the fetchmail files under the /run or /var/run directory. + + +.PP @@ -26067,34 +47344,6 @@ index 0000000..ae8394b +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type fetchmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B fetchmail_uidl_cache_t -+ -+ /var/lib/fetchmail(/.*)? -+.br -+ /var/mail/\.fetchmail-UIDL-cache -+.br -+ -+.br -+.B fetchmail_var_run_t -+ -+ /var/run/fetchmail/.* -+.br -+ -+.br -+.B sendmail_log_t -+ -+ /var/log/mail(/.*)? -+.br -+ /var/log/sendmail\.st -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -26105,6 +47354,9 @@ index 0000000..ae8394b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -26116,13 +47368,15 @@ index 0000000..ae8394b + +.SH "SEE ALSO" +selinux(8), fetchmail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/fingerd_selinux.8 b/man/man8/fingerd_selinux.8 new file mode 100644 -index 0000000..5dedb48 +index 0000000..a22c2b5 --- /dev/null 
+++ b/man/man8/fingerd_selinux.8 -@@ -0,0 +1,164 @@ -+.TH "fingerd_selinux" "8" "12-11-01" "fingerd" "SELinux Policy documentation for fingerd" +@@ -0,0 +1,291 @@ ++.TH "fingerd_selinux" "8" "13-01-16" "fingerd" "SELinux Policy documentation for fingerd" +.SH "NAME" +fingerd_selinux \- Security Enhanced Linux Policy for the fingerd processes +.SH "DESCRIPTION" @@ -26138,9 +47392,11 @@ index 0000000..5dedb48 + +.SH "ENTRYPOINTS" + -+The fingerd_t SELinux type can be entered via the "fingerd_exec_t" file type. The default entrypoint paths for the fingerd_t domain are the following:" ++The fingerd_t SELinux type can be entered via the \fBfingerd_exec_t\fP file type. + -+/usr/sbin/[cef]fingerd, /etc/cron\.weekly/(c)?fingerd, /usr/sbin/in\.fingerd ++The default entrypoint paths for the fingerd_t domain are the following: ++ ++/usr/sbin/[cef]fingerd, /usr/sbin/in\.(x)?fingerd, /etc/cron\.weekly/(c)?fingerd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -26156,58 +47412,124 @@ index 0000000..5dedb48 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a fingerd_t ++can be used to make the process type fingerd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux fingerd policy is very flexible allowing users to setup their fingerd processes in as secure a method as possible. -+.PP -+The following file types are defined for fingerd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. fingerd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fingerd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B fingerd_etc_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the fingerd_etc_t type, if you want to store fingerd files in the /etc directories. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B fingerd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the fingerd_exec_t type, if you want to transition an executable to the fingerd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. 
Disabled by default. + +.EX -+.PP -+.B fingerd_log_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the fingerd_log_t type, if you want to treat the data as fingerd log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B fingerd_var_run_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the fingerd_var_run_t type, if you want to store the fingerd files under the /run directory. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the fingerd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the fingerd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -26237,30 +47559,85 @@ index 0000000..5dedb48 +The SELinux process type fingerd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B fingerd_log_t -+ -+ /var/log/cfingerd\.log.* -+.br -+ -+.br +.B fingerd_var_run_t + ++ /var/run/*.fingerd\.pid ++.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux fingerd policy is very flexible allowing users to setup their fingerd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fingerd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the fingerd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t fingerd_etc_t '/srv/fingerd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfingerd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for fingerd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B fingerd_etc_t +.EE + ++- Set files with the fingerd_etc_t type, if you want to store fingerd files in the /etc directories. ++ ++ ++.EX ++.PP ++.B fingerd_exec_t ++.EE ++ ++- Set files with the fingerd_exec_t type, if you want to transition an executable to the fingerd_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/[cef]fingerd, /usr/sbin/in\.(x)?fingerd, /etc/cron\.weekly/(c)?fingerd ++ ++.EX ++.PP ++.B fingerd_log_t ++.EE ++ ++- Set files with the fingerd_log_t type, if you want to treat the data as fingerd log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B fingerd_var_run_t ++.EE ++ ++- Set files with the fingerd_var_run_t type, if you want to store the fingerd files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the fingerd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -26275,6 +47652,9 @@ index 0000000..5dedb48 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -26286,13 +47666,15 @@ index 0000000..5dedb48 + +.SH "SEE ALSO" +selinux(8), fingerd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/firewalld_selinux.8 b/man/man8/firewalld_selinux.8 new file mode 100644 -index 0000000..fc13038 +index 0000000..2ca5a67 --- /dev/null +++ b/man/man8/firewalld_selinux.8 -@@ -0,0 +1,159 @@ -+.TH "firewalld_selinux" "8" "12-11-01" "firewalld" "SELinux Policy documentation for firewalld" +@@ -0,0 +1,324 @@ ++.TH "firewalld_selinux" "8" "13-01-16" "firewalld" "SELinux Policy documentation for firewalld" +.SH "NAME" +firewalld_selinux \- Security Enhanced Linux Policy for the firewalld processes +.SH "DESCRIPTION" 
@@ -26308,7 +47690,9 @@ index 0000000..fc13038 + +.SH "ENTRYPOINTS" + -+The firewalld_t SELinux type can be entered via the "firewalld_exec_t" file type. The default entrypoint paths for the firewalld_t domain are the following:" ++The firewalld_t SELinux type can be entered via the \fBfirewalld_exec_t\fP file type. ++ ++The default entrypoint paths for the firewalld_t domain are the following: + +/usr/sbin/firewalld +.SH PROCESS TYPES 
@@ -26326,8 +47710,158 @@ index 0000000..fc13038 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a firewalld_t ++can be used to make the process type firewalld_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. firewalld policy is extremely flexible and has several booleans that allow you to manipulate the policy and run firewalld with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the firewallgui_t, firewalld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the firewallgui_t, firewalld_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type firewalld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B firewalld_etc_rw_t ++ ++ /etc/firewalld(/.*)? ++.br ++ ++.br ++.B firewalld_tmp_t ++ ++ ++.br ++.B firewalld_tmpfs_t ++ ++ ++.br ++.B firewalld_var_run_t ++ ++ /var/run/firewalld(/.*)? ++.br ++ /var/run/firewalld\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -26337,7 +47871,31 @@ index 0000000..fc13038 +Policy governs the access confined processes have to these files. +SELinux firewalld policy is very flexible allowing users to setup their firewalld processes in as secure a method as possible. +.PP -+The following file types are defined for firewalld: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++firewalld policy stores data with multiple different file context types under the /var/run/firewalld directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/firewalld /srv/firewalld ++.br ++.B restorecon -R -v /srv/firewalld ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the firewalld, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t firewalld_etc_rw_t '/srv/firewalld/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfirewalld_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for firewalld: + + +.EX 
@@ -26366,6 +47924,22 @@ index 0000000..fc13038 + +.EX +.PP ++.B firewalld_tmp_t ++.EE ++ ++- Set files with the firewalld_tmp_t type, if you want to store firewalld temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B firewalld_tmpfs_t ++.EE ++ ++- Set files with the firewalld_tmpfs_t type, if you want to store firewalld files on a tmpfs file system. ++ ++ ++.EX ++.PP +.B firewalld_unit_file_t +.EE + @@ -26385,8 +47959,12 @@ index 0000000..fc13038 +.B firewalld_var_run_t +.EE + -+- Set files with the firewalld_var_run_t type, if you want to store the firewalld files under the /run directory. ++- Set files with the firewalld_var_run_t type, if you want to store the firewalld files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/firewalld(/.*)?, /var/run/firewalld\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -26395,40 +47973,6 @@ index 0000000..fc13038 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type firewalld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B firewalld_etc_rw_t -+ -+ /etc/firewalld(/.*)? -+.br -+ -+.br -+.B firewalld_var_run_t -+ -+ /var/run/firewalld(/.*)? -+.br -+ /var/run/firewalld\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -26439,6 +47983,9 @@ index 0000000..fc13038 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -26450,15 +47997,15 @@ index 0000000..fc13038 + +.SH "SEE ALSO" +selinux(8), firewalld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, firewallgui_selinux(8) ++, setsebool(8), firewallgui_selinux(8) \ No newline at end of file diff --git a/man/man8/firewallgui_selinux.8 b/man/man8/firewallgui_selinux.8 new file mode 100644 -index 0000000..ab4f40b +index 0000000..5377297 --- /dev/null 
+++ b/man/man8/firewallgui_selinux.8 -@@ -0,0 +1,138 @@ -+.TH "firewallgui_selinux" "8" "12-11-01" "firewallgui" "SELinux Policy documentation for firewallgui" +@@ -0,0 +1,241 @@ ++.TH "firewallgui_selinux" "8" "13-01-16" "firewallgui" "SELinux Policy documentation for firewallgui" +.SH "NAME" +firewallgui_selinux \- Security Enhanced Linux Policy for the firewallgui processes +.SH "DESCRIPTION" @@ -26474,7 +48021,9 @@ index 0000000..ab4f40b + +.SH "ENTRYPOINTS" + -+The firewallgui_t SELinux type can be entered via the "firewallgui_exec_t" file type. The default entrypoint paths for the firewallgui_t domain are the following:" ++The firewallgui_t SELinux type can be entered via the \fBfirewallgui_exec_t\fP file type. ++ ++The default entrypoint paths for the firewallgui_t domain are the following: + +/usr/share/system-config-firewall/system-config-firewall-mechanism.py +.SH PROCESS TYPES 
@@ -26492,42 +48041,108 @@ index 0000000..ab4f40b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a firewallgui_t ++can be used to make the process type firewallgui_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux firewallgui policy is very flexible allowing users to setup their firewallgui processes in as secure a method as possible. -+.PP -+The following file types are defined for firewallgui: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. firewallgui policy is extremely flexible and has several booleans that allow you to manipulate the policy and run firewallgui with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B firewallgui_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the firewallgui_exec_t type, if you want to transition an executable to the firewallgui_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B firewallgui_tmp_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the firewallgui_tmp_t type, if you want to store firewallgui temporary files in the /tmp directories. 
++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -26559,21 +48174,52 @@ index 0000000..ab4f40b + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux firewallgui policy is very flexible allowing users to setup their firewallgui processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the firewallgui, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t firewallgui_exec_t '/srv/firewallgui/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfirewallgui_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for firewallgui: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B firewallgui_exec_t +.EE + ++- Set files with the firewallgui_exec_t type, if you want to transition an executable to the firewallgui_t domain. ++ ++ ++.EX ++.PP ++.B firewallgui_tmp_t ++.EE ++ ++- Set files with the firewallgui_tmp_t type, if you want to store firewallgui temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -26585,6 +48231,9 @@ index 0000000..ab4f40b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -26596,13 +48245,15 @@ index 0000000..ab4f40b + +.SH "SEE ALSO" +selinux(8), firewallgui(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/firstboot_selinux.8 b/man/man8/firstboot_selinux.8 new file mode 100644 -index 0000000..53e6593 +index 0000000..40f9162 --- /dev/null +++ b/man/man8/firstboot_selinux.8 -@@ -0,0 +1,104 @@ -+.TH "firstboot_selinux" "8" "12-11-01" "firstboot" "SELinux Policy documentation for firstboot" +@@ -0,0 +1,249 @@ ++.TH "firstboot_selinux" "8" "13-01-16" "firstboot" "SELinux Policy documentation for firstboot" +.SH "NAME" +firstboot_selinux \- Security Enhanced Linux Policy for the firstboot processes +.SH "DESCRIPTION" @@ -26618,7 +48269,9 @@ index 0000000..53e6593 + +.SH "ENTRYPOINTS" + -+The firstboot_t SELinux type can be entered via the "firstboot_exec_t,filesystem_type,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type" file types. The default entrypoint paths for the firstboot_t domain are the following:" ++The firstboot_t SELinux type can be entered via the \fBsysctl_type, filesystem_type, firstboot_exec_t, mtrr_device_t, unlabeled_t, proc_type, file_type\fP file types. ++ ++The default entrypoint paths for the firstboot_t domain are the following: + +/usr/sbin/firstboot, /usr/share/firstboot/firstboot\.py, /dev/cpu/mtrr, all files on the system +.SH PROCESS TYPES 
@@ -26636,8 +48289,142 @@ index 0000000..53e6593 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a firstboot_t ++can be used to make the process type firstboot_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. firstboot policy is extremely flexible and has several booleans that allow you to manipulate the policy and run firstboot with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_insmod 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execheap 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. 
Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type firstboot_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B file_type ++ ++ all files on the system ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -26647,7 +48434,20 @@ index 0000000..53e6593 +Policy governs the access confined processes have to these files. +SELinux firstboot policy is very flexible allowing users to setup their firstboot processes in as secure a method as possible. +.PP -+The following file types are defined for firstboot: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the firstboot, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t firstboot_etc_t '/srv/firstboot/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfirstboot_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for firstboot: + + +.EX 
@@ -26665,6 +48465,10 @@ index 0000000..53e6593 + +- Set files with the firstboot_exec_t type, if you want to transition an executable to the firstboot_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/firstboot, /usr/share/firstboot/firstboot\.py + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -26673,18 +48477,6 @@ index 0000000..53e6593 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type firstboot_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B file_type -+ -+ all files on the system -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -26695,6 +48487,9 @@ index 0000000..53e6593 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -26706,13 +48501,15 @@ index 0000000..53e6593 + +.SH "SEE ALSO" +selinux(8), firstboot(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/foghorn_selinux.8 b/man/man8/foghorn_selinux.8 new file mode 100644 -index 0000000..f17a60b +index 0000000..8334b0a --- /dev/null +++ b/man/man8/foghorn_selinux.8 -@@ -0,0 +1,146 @@ -+.TH "foghorn_selinux" "8" "12-11-01" "foghorn" "SELinux Policy documentation for foghorn" +@@ -0,0 +1,275 @@ ++.TH "foghorn_selinux" "8" "13-01-16" "foghorn" "SELinux Policy documentation for foghorn" +.SH "NAME" +foghorn_selinux \- Security Enhanced Linux Policy for the foghorn processes +.SH "DESCRIPTION" 
@@ -26728,7 +48525,9 @@ index 0000000..f17a60b + +.SH "ENTRYPOINTS" + -+The foghorn_t SELinux type can be entered via the "foghorn_exec_t" file type. The default entrypoint paths for the foghorn_t domain are the following:" ++The foghorn_t SELinux type can be entered via the \fBfoghorn_exec_t\fP file type. ++ ++The default entrypoint paths for the foghorn_t domain are the following: + +/usr/sbin/foghorn +.SH PROCESS TYPES 
@@ -26746,8 +48545,148 @@ index 0000000..f17a60b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a foghorn_t ++can be used to make the process type foghorn_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. foghorn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run foghorn with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the foghorn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the foghorn_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type foghorn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B foghorn_tmpfs_t ++ ++ ++.br ++.B foghorn_var_log_t ++ ++ ++.br ++.B foghorn_var_run_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -26757,7 +48696,20 @@ index 0000000..f17a60b +Policy governs the access confined processes have to these files. +SELinux foghorn policy is very flexible allowing users to setup their foghorn processes in as secure a method as possible. +.PP -+The following file types are defined for foghorn: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the foghorn, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t foghorn_exec_t '/srv/foghorn/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfoghorn_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for foghorn: + + +.EX @@ -26770,6 +48722,14 @@ index 0000000..f17a60b + +.EX +.PP ++.B foghorn_initrc_exec_t ++.EE ++ ++- Set files with the foghorn_initrc_exec_t type, if you want to transition an executable to the foghorn_initrc_t domain. ++ ++ ++.EX ++.PP +.B foghorn_tmpfs_t +.EE + @@ -26789,7 +48749,7 @@ index 0000000..f17a60b +.B foghorn_var_run_t +.EE + -+- Set files with the foghorn_var_run_t type, if you want to store the foghorn files under the /run directory. ++- Set files with the foghorn_var_run_t type, if you want to store the foghorn files under the /run or /var/run directory. + + +.PP 
@@ -26799,44 +48759,6 @@ index 0000000..f17a60b +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type foghorn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cluster_var_lib_t -+ -+ /var/lib/cluster(/.*)? -+.br -+ -+.br -+.B foghorn_tmpfs_t -+ -+ -+.br -+.B foghorn_var_log_t -+ -+ -+.br -+.B foghorn_var_run_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the foghorn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the foghorn_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -26847,6 +48769,9 @@ index 0000000..f17a60b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -26858,13 +48783,15 @@ index 0000000..f17a60b + +.SH "SEE ALSO" +selinux(8), foghorn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/fprintd_selinux.8 b/man/man8/fprintd_selinux.8 new file mode 100644 -index 0000000..68cee10 +index 0000000..b957788 --- /dev/null 
+++ b/man/man8/fprintd_selinux.8 -@@ -0,0 +1,118 @@ -+.TH "fprintd_selinux" "8" "12-11-01" "fprintd" "SELinux Policy documentation for fprintd" +@@ -0,0 +1,245 @@ ++.TH "fprintd_selinux" "8" "13-01-16" "fprintd" "SELinux Policy documentation for fprintd" +.SH "NAME" +fprintd_selinux \- Security Enhanced Linux Policy for the fprintd processes +.SH "DESCRIPTION" @@ -26880,7 +48807,9 @@ index 0000000..68cee10 + +.SH "ENTRYPOINTS" + -+The fprintd_t SELinux type can be entered via the "fprintd_exec_t" file type. The default entrypoint paths for the fprintd_t domain are the following:" ++The fprintd_t SELinux type can be entered via the \fBfprintd_exec_t\fP file type. ++ ++The default entrypoint paths for the fprintd_t domain are the following: + +/usr/libexec/fprintd +.SH PROCESS TYPES 
@@ -26898,8 +48827,142 @@ index 0000000..68cee10 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a fprintd_t ++can be used to make the process type fprintd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. fprintd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fprintd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the fprintd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the fprintd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type fprintd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B fprintd_var_lib_t ++ ++ /var/lib/fprint(/.*)? 
++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -26909,7 +48972,20 @@ index 0000000..68cee10 +Policy governs the access confined processes have to these files. +SELinux fprintd policy is very flexible allowing users to setup their fprintd processes in as secure a method as possible. +.PP -+The following file types are defined for fprintd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the fprintd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t fprintd_exec_t '/srv/fprintd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfprintd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for fprintd: + + +.EX 
@@ -26935,32 +49011,6 @@ index 0000000..68cee10 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type fprintd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B fprintd_var_lib_t -+ -+ /var/lib/fprint(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fprintd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the fprintd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -26971,6 +49021,9 @@ index 0000000..68cee10 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -26982,13 +49035,15 @@ index 0000000..68cee10 + +.SH "SEE ALSO" +selinux(8), fprintd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/freshclam_selinux.8 b/man/man8/freshclam_selinux.8 new file mode 100644 -index 0000000..9ccf034 +index 0000000..d4710d5 --- /dev/null +++ b/man/man8/freshclam_selinux.8 -@@ -0,0 +1,164 @@ -+.TH "freshclam_selinux" "8" "12-11-01" "freshclam" "SELinux Policy documentation for freshclam" +@@ -0,0 +1,301 @@ ++.TH "freshclam_selinux" "8" "13-01-16" "freshclam" "SELinux Policy documentation for freshclam" +.SH "NAME" +freshclam_selinux \- Security Enhanced Linux Policy for the freshclam processes +.SH "DESCRIPTION" 
@@ -27004,7 +49059,9 @@ index 0000000..9ccf034 + +.SH "ENTRYPOINTS" + -+The freshclam_t SELinux type can be entered via the "freshclam_exec_t" file type. The default entrypoint paths for the freshclam_t domain are the following:" ++The freshclam_t SELinux type can be entered via the \fBfreshclam_exec_t\fP file type. ++ ++The default entrypoint paths for the freshclam_t domain are the following: + +/usr/bin/freshclam +.SH PROCESS TYPES 
@@ -27022,42 +49079,140 @@ index 0000000..9ccf034 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a freshclam_t ++can be used to make the process type freshclam_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux freshclam policy is very flexible allowing users to setup their freshclam processes in as secure a method as possible. -+.PP -+The following file types are defined for freshclam: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. freshclam policy is extremely flexible and has several booleans that allow you to manipulate the policy and run freshclam with the tightest access possible. + + ++.PP ++If you want to allow antivirus programs to read non security files on a system, you must turn on the antivirus_can_scan_system boolean. Disabled by default. ++ +.EX -+.PP -+.B freshclam_exec_t ++.B setsebool -P antivirus_can_scan_system 1 ++ +.EE + -+- Set files with the freshclam_exec_t type, if you want to transition an executable to the freshclam_t domain. -+ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.PP -+.B freshclam_var_log_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the freshclam_var_log_t type, if you want to treat the data as freshclam var log data, usually stored under the /var/log directory. 
++.PP ++If you want to determine whether can clamd use JIT compiler, you must turn on the clamd_use_jit boolean. Disabled by default. + ++.EX ++.B setsebool -P clamd_use_jit 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the freshclam_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the freshclam_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -27094,17 +49249,15 @@ index 0000000..9ccf034 +.br + /var/run/amavis(d)?/clamd\.pid +.br -+ /var/spool/MailScanner(/.*)? -+.br + /var/spool/amavisd/clamd\.sock +.br + +.br -+.B freshclam_var_log_t ++.B root_t + -+ /var/log/freshclam.* ++ / +.br -+ /var/log/clamav/freshclam.* ++ /initrd +.br + +.br 
@@ -27115,21 +49268,56 @@ index 0000000..9ccf034 + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux freshclam policy is very flexible allowing users to setup their freshclam processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the freshclam_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the freshclam, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t freshclam_exec_t '/srv/freshclam/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfreshclam_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for freshclam: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B freshclam_exec_t +.EE + ++- Set files with the freshclam_exec_t type, if you want to transition an executable to the freshclam_t domain. ++ ++ ++.EX ++.PP ++.B freshclam_var_log_t ++.EE ++ ++- Set files with the freshclam_var_log_t type, if you want to treat the data as freshclam var log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/freshclam.*, /var/log/clamav/freshclam.* ++ +.PP -+If you want to allow confined applications to run with kerberos for the freshclam_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -27141,6 +49329,9 @@ index 0000000..9ccf034 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -27152,13 +49343,15 @@ index 0000000..9ccf034 + +.SH "SEE ALSO" +selinux(8), freshclam(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/fsadm_selinux.8 b/man/man8/fsadm_selinux.8 new file mode 100644 -index 0000000..7bcfdaf +index 0000000..776a6f4 --- /dev/null +++ b/man/man8/fsadm_selinux.8 -@@ -0,0 +1,258 @@ -+.TH "fsadm_selinux" "8" "12-11-01" "fsadm" "SELinux Policy documentation for fsadm" +@@ -0,0 +1,343 @@ ++.TH "fsadm_selinux" "8" "13-01-16" "fsadm" "SELinux Policy documentation for fsadm" +.SH "NAME" +fsadm_selinux \- Security Enhanced Linux Policy for the fsadm processes +.SH "DESCRIPTION" 
@@ -27174,7 +49367,9 @@ index 0000000..7bcfdaf + +.SH "ENTRYPOINTS" + -+The fsadm_t SELinux type can be entered via the "fsadm_exec_t" file type. The default entrypoint paths for the fsadm_t domain are the following:" ++The fsadm_t SELinux type can be entered via the \fBfsadm_exec_t\fP file type. ++ ++The default entrypoint paths for the fsadm_t domain are the following: + +/sbin/fsck.*, /sbin/jfs_.*, /sbin/mkfs.*, /sbin/swapon.*, /sbin/resize.*fs, /sbin/losetup.*, /usr/sbin/fsck.*, /usr/sbin/jfs_.*, /usr/sbin/mkfs.*, /sbin/reiserfs(ck|tune), /usr/sbin/swapon.*, /usr/sbin/resize.*fs, /usr/sbin/losetup.*, /usr/sbin/reiserfs(ck|tune), /sbin/dump, /sbin/blkid, /sbin/fdisk, /sbin/partx, /sbin/cfdisk, /sbin/e2fsck, /sbin/e4fsck, /sbin/findfs, /sbin/hdparm, /sbin/lsraid, /sbin/mke2fs, /sbin/mke4fs, /sbin/mkraid, /sbin/parted, /sbin/sfdisk, /usr/bin/raw, /sbin/dosfsck, /sbin/e2label, /sbin/mkdosfs, /sbin/tune2fs, /sbin/blockdev, /sbin/dumpe2fs, /usr/sbin/dump, /sbin/partprobe, /sbin/raidstart, /sbin/scsi_info, /usr/sbin/blkid, /usr/sbin/fdisk, /usr/sbin/partx, /sbin/mkreiserfs, /usr/sbin/cfdisk, /usr/sbin/e2fsck, /usr/sbin/e4fsck, /usr/sbin/findfs, /usr/sbin/hdparm, /usr/sbin/lsraid, /usr/sbin/mke2fs, /usr/sbin/mke4fs, /usr/sbin/mkraid, /usr/sbin/parted, /usr/sbin/sfdisk, /sbin/install-mbr, /sbin/raidautorun, /usr/bin/syslinux, /usr/sbin/dosfsck, /usr/sbin/e2label, /usr/sbin/mkdosfs, /usr/sbin/tune2fs, /sbin/make_reiser4, /usr/sbin/blockdev, /usr/sbin/dumpe2fs, /usr/sbin/smartctl, /usr/sbin/partprobe, /usr/sbin/raidstart, /usr/sbin/scsi_info, /usr/sbin/mkreiserfs, /usr/sbin/clubufflush, /usr/sbin/install-mbr, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/bin/partition_uuid, /usr/bin/scsi_unique_id, /usr/lib/systemd/systemd-fsck +.SH PROCESS TYPES 
@@ -27192,58 +49387,68 @@ index 0000000..7bcfdaf +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a fsadm_t ++can be used to make the process type fsadm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux fsadm policy is very flexible allowing users to setup their fsadm processes in as secure a method as possible. -+.PP -+The following file types are defined for fsadm: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. fsadm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fsadm with the tightest access possible. + + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ +.EX -+.PP -+.B fsadm_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the fsadm_exec_t type, if you want to transition an executable to the fsadm_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B fsadm_log_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the fsadm_log_t type, if you want to treat the data as fsadm log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.PP -+.B fsadm_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the fsadm_tmp_t type, if you want to store fsadm temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B fsadm_var_run_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the fsadm_var_run_t type, if you want to store the fsadm files under the /run directory. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -27280,10 +49485,10 @@ index 0000000..7bcfdaf +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -27292,10 +49497,10 @@ index 0000000..7bcfdaf +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE @@ -27356,8 +49561,12 @@ index 0000000..7bcfdaf +.br + /boot/lost\+found +.br ++ /var/log/lost\+found ++.br + /var/tmp/lost\+found +.br ++ /var/log/audit/lost\+found ++.br + /home/lost\+found +.br + 
@@ -27393,7 +49602,72 @@ index 0000000..7bcfdaf + /var/lib/xen/images(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux fsadm policy is very flexible allowing users to setup their fsadm processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the fsadm, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t fsadm_exec_t '/srv/fsadm/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfsadm_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for fsadm: ++ ++ ++.EX ++.PP ++.B fsadm_exec_t ++.EE ++ ++- Set files with the fsadm_exec_t type, if you want to transition an executable to the fsadm_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/sbin/fsck.*, /sbin/jfs_.*, /sbin/mkfs.*, /sbin/swapon.*, /sbin/resize.*fs, /sbin/losetup.*, /usr/sbin/fsck.*, /usr/sbin/jfs_.*, /usr/sbin/mkfs.*, /sbin/reiserfs(ck|tune), /usr/sbin/swapon.*, /usr/sbin/resize.*fs, /usr/sbin/losetup.*, /usr/sbin/reiserfs(ck|tune), /sbin/dump, /sbin/blkid, /sbin/fdisk, /sbin/partx, /sbin/cfdisk, /sbin/e2fsck, /sbin/e4fsck, /sbin/findfs, /sbin/hdparm, /sbin/lsraid, /sbin/mke2fs, /sbin/mke4fs, /sbin/mkraid, /sbin/parted, /sbin/sfdisk, /usr/bin/raw, /sbin/dosfsck, /sbin/e2label, /sbin/mkdosfs, /sbin/tune2fs, /sbin/blockdev, /sbin/dumpe2fs, /usr/sbin/dump, /sbin/partprobe, /sbin/raidstart, /sbin/scsi_info, /usr/sbin/blkid, /usr/sbin/fdisk, /usr/sbin/partx, /sbin/mkreiserfs, /usr/sbin/cfdisk, /usr/sbin/e2fsck, /usr/sbin/e4fsck, /usr/sbin/findfs, /usr/sbin/hdparm, /usr/sbin/lsraid, /usr/sbin/mke2fs, /usr/sbin/mke4fs, /usr/sbin/mkraid, /usr/sbin/parted, /usr/sbin/sfdisk, /sbin/install-mbr, /sbin/raidautorun, /usr/bin/syslinux, /usr/sbin/dosfsck, /usr/sbin/e2label, /usr/sbin/mkdosfs, /usr/sbin/tune2fs, /sbin/make_reiser4, /usr/sbin/blockdev, /usr/sbin/dumpe2fs, /usr/sbin/smartctl, /usr/sbin/partprobe, /usr/sbin/raidstart, /usr/sbin/scsi_info, /usr/sbin/mkreiserfs, /usr/sbin/clubufflush, /usr/sbin/install-mbr, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/bin/partition_uuid, /usr/bin/scsi_unique_id, /usr/lib/systemd/systemd-fsck ++ ++.EX ++.PP ++.B fsadm_log_t ++.EE ++ ++- Set files with the fsadm_log_t type, if you want to treat the data as fsadm log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B fsadm_tmp_t ++.EE ++ ++- Set files with the fsadm_tmp_t type, if you want to store fsadm temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B fsadm_var_run_t ++.EE ++ ++- Set files with the fsadm_var_run_t type, if you want to store the fsadm files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -27405,6 +49679,9 @@ index 0000000..7bcfdaf +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -27416,13 +49693,15 @@ index 0000000..7bcfdaf + +.SH "SEE ALSO" +selinux(8), fsadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/fsdaemon_selinux.8 b/man/man8/fsdaemon_selinux.8 new file mode 100644 -index 0000000..d181d7d +index 0000000..dd521fa --- /dev/null +++ b/man/man8/fsdaemon_selinux.8 -@@ -0,0 +1,124 @@ -+.TH "fsdaemon_selinux" "8" "12-11-01" "fsdaemon" "SELinux Policy documentation for fsdaemon" +@@ -0,0 +1,269 @@ ++.TH "fsdaemon_selinux" "8" "13-01-16" "fsdaemon" "SELinux Policy documentation for fsdaemon" +.SH "NAME" +fsdaemon_selinux \- Security Enhanced Linux Policy for the fsdaemon processes +.SH "DESCRIPTION" @@ -27438,7 +49717,9 @@ index 0000000..d181d7d + +.SH "ENTRYPOINTS" + -+The fsdaemon_t SELinux type can be entered via the "fsdaemon_exec_t" file type. The default entrypoint paths for the fsdaemon_t domain are the following:" ++The fsdaemon_t SELinux type can be entered via the \fBfsdaemon_exec_t\fP file type. ++ ++The default entrypoint paths for the fsdaemon_t domain are the following: + +/usr/sbin/smartd +.SH PROCESS TYPES 
@@ -27456,8 +49737,142 @@ index 0000000..d181d7d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a fsdaemon_t ++can be used to make the process type fsdaemon_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. fsdaemon policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fsdaemon with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to determine whether smartmon can support devices on 3ware controllers, you must turn on the smartmon_3ware boolean. Disabled by default. ++ ++.EX ++.B setsebool -P smartmon_3ware 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_nfs 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_samba 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type fsdaemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B fsdaemon_tmp_t ++ ++ ++.br ++.B fsdaemon_var_lib_t ++ ++ /var/lib/smartmontools(/.*)? ++.br ++ ++.br ++.B fsdaemon_var_run_t ++ ++ /var/run/smartd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -27467,7 +49882,20 @@ index 0000000..d181d7d +Policy governs the access confined processes have to these files. +SELinux fsdaemon policy is very flexible allowing users to setup their fsdaemon processes in as secure a method as possible. +.PP -+The following file types are defined for fsdaemon: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the fsdaemon, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t fsdaemon_exec_t '/srv/fsdaemon/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myfsdaemon_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for fsdaemon: + + +.EX @@ -27496,10 +49924,18 @@ index 0000000..d181d7d + +.EX +.PP ++.B fsdaemon_var_lib_t ++.EE ++ ++- Set files with the fsdaemon_var_lib_t type, if you want to store the fsdaemon files under the /var/lib directory. ++ ++ ++.EX ++.PP +.B fsdaemon_var_run_t +.EE + -+- Set files with the fsdaemon_var_run_t type, if you want to store the fsdaemon files under the /run directory. ++- Set files with the fsdaemon_var_run_t type, if you want to store the fsdaemon files under the /run or /var/run directory. + + +.PP @@ -27509,22 +49945,6 @@ index 0000000..d181d7d +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type fsdaemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B fsdaemon_tmp_t -+ -+ -+.br -+.B fsdaemon_var_run_t -+ -+ /var/run/smartd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -27535,6 +49955,9 @@ index 0000000..d181d7d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -27546,13 +49969,15 @@ index 0000000..d181d7d + +.SH "SEE ALSO" +selinux(8), fsdaemon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8 -index 5bebd82..8460714 100644 +index 5bebd82..9aac8c0 100644 --- a/man/man8/ftpd_selinux.8 +++ b/man/man8/ftpd_selinux.8 -@@ -1,65 +1,608 @@ +@@ -1,65 +1,506 @@ -.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation" -+.TH "ftpd_selinux" "8" "12-11-01" "ftpd" "SELinux Policy documentation for ftpd" ++.TH "ftpd_selinux" "8" "13-01-16" "ftpd" "SELinux Policy documentation for ftpd" .SH "NAME" -.PP -ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons. @@ -27570,7 +49995,9 @@ index 5bebd82..8460714 100644 + +.SH "ENTRYPOINTS" + -+The ftpd_t SELinux type can be entered via the "ftpd_exec_t" file type. The default entrypoint paths for the ftpd_t domain are the following:" ++The ftpd_t SELinux type can be entered via the \fBftpd_exec_t\fP file type. ++ ++The default entrypoint paths for the ftpd_t domain are the following: + +/usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in\.ftpd, /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd, /etc/cron\.monthly/proftpd +.SH PROCESS TYPES 
@@ -27605,8 +50032,8 @@ index 5bebd82..8460714 100644 -.B -restorecon -F -R -v /var/ftp/incoming +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ftpd_t ++can be used to make the process type ftpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. .SH BOOLEANS +SELinux policy is customizable based on least access required. ftpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ftpd with the tightest access possible. @@ -27616,10 +50043,11 @@ index 5bebd82..8460714 100644 -SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool. -.TP -Allow ftp servers to read and write files with the public_content_rw_t file type. -+If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean. ++If you want to determine whether ftpd can connect to all unreserved ports, you must turn on the ftpd_connect_all_unreserved boolean. Disabled by default. + +.EX -+.B setsebool -P ftpd_use_nfs 1 ++.B setsebool -P ftpd_connect_all_unreserved 1 ++ +.EE + .PP @@ -27627,10 +50055,11 @@ index 5bebd82..8460714 100644 -setsebool -P allow_ftpd_anon_write on -.TP -Allow ftp servers to read or write files in the user home directories. -+If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean. ++If you want to determine whether ftpd can connect to databases over the TCP network, you must turn on the ftpd_connect_db boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_enable_ftp_server 1 ++.B setsebool -P ftpd_connect_db 1 ++ +.EE + .PP 
@@ -27638,244 +50067,272 @@ index 5bebd82..8460714 100644 -setsebool -P ftp_home_dir on -.TP -Allow ftp servers to read or write all files on the system. -+If you want to allow ftp servers to use bind to all unreserved ports for passive mode, you must turn on the ftpd_use_passive_mode boolean. ++If you want to determine whether ftpd can login to local users and can read and write all files on the system, governed by DAC, you must turn on the ftpd_full_access boolean. Disabled by default. + +.EX -+.B setsebool -P ftpd_use_passive_mode 1 ++.B setsebool -P ftpd_full_access 1 ++ +.EE + .PP -.B -setsebool -P allow_ftpd_full_access on -+If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean. -+ -+.EX -+.B setsebool -P httpd_can_connect_ftp 1 -+.EE -+ -+.PP -+If you want to allow ftp to read and write files in the user home directories, you must turn on the ftp_home_dir boolean. -+ -+.EX -+.B setsebool -P ftp_home_dir 1 -+.EE -+ -+.PP -+If you want to allow ftp servers to connect to mysql database ports, you must turn on the ftpd_connect_db boolean. -+ -+.EX -+.B setsebool -P ftpd_connect_db 1 -+.EE -+ -+.PP -+If you want to allow ftp servers to use cifs used for public file transfer services, you must turn on the ftpd_use_cifs boolean. ++If you want to determine whether ftpd can use CIFS used for public file transfer services, you must turn on the ftpd_use_cifs boolean. Disabled by default. + +.EX +.B setsebool -P ftpd_use_cifs 1 ++ +.EE + +.PP -+If you want to allow sftp-internal to read and write files in the user home directories, you must turn on the sftpd_enable_homedirs boolean. -+ -+.EX -+.B setsebool -P sftpd_enable_homedirs 1 -+.EE -+ -+.PP -+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. 
-+ -+.EX -+.B setsebool -P sftpd_write_ssh_home 1 -+.EE -+ -+.PP -+If you want to allow tftp to read and write files in the user home directories, you must turn on the tftp_home_dir boolean. -+ -+.EX -+.B setsebool -P tftp_home_dir 1 -+.EE -+ -+.PP -+If you want to allow sftp-internal to login to local users and read/write all files on the system, governed by DAC, you must turn on the sftpd_full_access boolean. -+ -+.EX -+.B setsebool -P sftpd_full_access 1 -+.EE -+ -+.PP -+If you want to allow ftp servers to connect to all ports > 1023, you must turn on the ftpd_connect_all_unreserved boolean. -+ -+.EX -+.B setsebool -P ftpd_connect_all_unreserved 1 -+.EE -+ -+.PP -+If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC, you must turn on the ftpd_full_access boolean. -+ -+.EX -+.B setsebool -P ftpd_full_access 1 -+.EE -+ -+.PP -+If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean. ++If you want to determine whether ftpd can use NFS used for public file transfer services, you must turn on the ftpd_use_nfs boolean. Disabled by default. + +.EX +.B setsebool -P ftpd_use_nfs 1 ++ +.EE + +.PP -+If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean. -+ -+.EX -+.B setsebool -P httpd_enable_ftp_server 1 -+.EE -+ -+.PP -+If you want to allow ftp servers to use bind to all unreserved ports for passive mode, you must turn on the ftpd_use_passive_mode boolean. ++If you want to determine whether ftpd can bind to all unreserved ports for passive mode, you must turn on the ftpd_use_passive_mode boolean. Disabled by default. + +.EX +.B setsebool -P ftpd_use_passive_mode 1 ++ +.EE + +.PP -+If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean. 
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_can_connect_ftp 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow ftp to read and write files in the user home directories, you must turn on the ftp_home_dir boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether ftpd can read and write files in user home directories, you must turn on the ftp_home_dir boolean. Disabled by default. 
+ +.EX +.B setsebool -P ftp_home_dir 1 ++ +.EE + +.PP -+If you want to allow ftp servers to connect to mysql database ports, you must turn on the ftpd_connect_db boolean. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.B setsebool -P ftpd_connect_db 1 ++.B setsebool -P global_ssp 1 ++ +.EE + +.PP -+If you want to allow ftp servers to use cifs used for public file transfer services, you must turn on the ftpd_use_cifs boolean. ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.B setsebool -P ftpd_use_cifs 1 ++.B setsebool -P kerberos_enabled 1 ++ +.EE + +.PP -+If you want to allow sftp-internal to read and write files in the user home directories, you must turn on the sftpd_enable_homedirs boolean. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.B setsebool -P sftpd_enable_homedirs 1 ++.B setsebool -P nis_enabled 1 ++ +.EE + +.PP -+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + +.EX -+.B setsebool -P sftpd_write_ssh_home 1 ++.B setsebool -P nscd_use_shm 1 ++ +.EE + +.PP -+If you want to allow tftp to read and write files in the user home directories, you must turn on the tftp_home_dir boolean. ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Disabled by default. + +.EX -+.B setsebool -P tftp_home_dir 1 ++.B setsebool -P use_nfs_home_dirs 1 ++ +.EE + +.PP -+If you want to allow sftp-internal to login to local users and read/write all files on the system, governed by DAC, you must turn on the sftpd_full_access boolean. 
++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. + +.EX -+.B setsebool -P sftpd_full_access 1 ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + +.PP -+If you want to allow ftp servers to connect to all ports > 1023, you must turn on the ftpd_connect_all_unreserved boolean. ++If you want to allow confined applications to run with kerberos for the ftpd_t, you must turn on the kerberos_enabled boolean. + +.EX -+.B setsebool -P ftpd_connect_all_unreserved 1 ++.B setsebool -P kerberos_enabled 1 +.EE + ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ +.PP -+If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC, you must turn on the ftpd_full_access boolean. ++Policy governs the access confined processes have to these ports. ++SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible. ++.PP ++The following port types are defined for ftpd: + +.EX -+.B setsebool -P ftpd_full_access 1 ++.TP 5 ++.B ftp_data_port_t ++.TP 10 +.EE + -+.SH SHARING FILES -+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. - .TP --Allow ftp servers to use cifs for public file transfer services. 
-+Allow ftpd servers to read the /var/ftpd directory by adding the public_content_t file type to the directory and by restoring the file type. - .PP - .B --setsebool -P allow_ftpd_use_cifs on -+semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?" ++ ++Default Defined Ports: ++tcp 20 ++.EE ++ ++.EX ++.TP 5 ++.B ftp_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 21,990 ++.EE ++udp 990 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type ftpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ +.br -+.B restorecon -F -R -v /var/ftpd -+.pp - .TP --Allow ftp servers to use nfs for public file transfer services. -+Allow ftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpdd_anon_write boolean to be set. - .PP - .B --setsebool -P allow_ftpd_use_nfs on --.TP --system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR -+semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?" ++.B cifs_t ++ ++ +.br -+.B restorecon -F -R -v /var/ftpd/incoming ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B non_security_file_type + + - .PP --This manual page was written by Dan Walsh . -+If you want to allow anon internal-sftp to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the sftpd_anon_write boolean. 
- --.SH "SEE ALSO" -+.EX -+.B setsebool -P sftpd_anon_write 1 -+.EE ++.br ++.B user_home_t + -+.PP -+If you want to allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the ftpd_anon_write boolean. ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br + -+.EX -+.B setsebool -P ftpd_anon_write 1 -+.EE ++.br ++.B user_tmp_t + -+.PP -+If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean. -+ -+.EX -+.B setsebool -P tftp_anon_write 1 -+.EE -+ -+.PP -+If you want to allow anon internal-sftp to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the sftpd_anon_write boolean. -+ -+.EX -+.B setsebool -P sftpd_anon_write 1 -+.EE -+ -+.PP -+If you want to allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the ftpd_anon_write boolean. -+ -+.EX -+.B setsebool -P ftpd_anon_write 1 -+.EE -+ -+.PP -+If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean. -+ -+.EX -+.B setsebool -P tftp_anon_write 1 -+.EE ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
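Review bot: the deny_ptrace paragraph in this hunk states the inverse of what the boolean does; `If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default.` should read along the lines of `If you want to deny all processes, including sysadm, the ability to ptrace or debug other processes, turn on the deny_ptrace boolean (enabled by default)`, and since the same template sentence recurs in the ftpdctl and games pages later in this patch the fix belongs in the generator. Three smaller items in the same hunk: `rather then using a sssd server` should be `rather than`; the PORT TYPES block puts `.TP` inside `.EX`/`.EE` and emits a second `.EE` after `tcp 20` (and again after `udp 990`) with no matching `.EX`, which groff will warn about and render oddly; and the MANAGED FILES list under user_home_t and user_tmp_t carries `/home/pwalsh/.+`, `/home/dwalsh/.+` and `/tmp/gconfd-pwalsh`, which look like local semanage file-context customizations from the build host rather than policy defaults, so the pages should be regenerated from a clean policy store before per-user paths ship to every system.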
@@ -27885,7 +50342,20 @@ index 5bebd82..8460714 100644 +Policy governs the access confined processes have to these files. +SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible. +.PP -+The following file types are defined for ftpd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ftpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ftpd_etc_t '/srv/ftpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myftpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ftpd: + + +.EX @@ -27903,6 +50373,10 @@ index 5bebd82..8460714 100644 + +- Set files with the ftpd_exec_t type, if you want to transition an executable to the ftpd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/ftpwho, /usr/sbin/vsftpd, /usr/sbin/in\.ftpd, /usr/sbin/proftpd, /usr/sbin/muddleftpd, /usr/kerberos/sbin/ftpd, /etc/cron\.monthly/proftpd + +.EX +.PP @@ -27911,6 +50385,10 @@ index 5bebd82..8460714 100644 + +- Set files with the ftpd_initrc_exec_t type, if you want to transition an executable to the ftpd_initrc_t domain. + ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/vsftpd, /etc/rc\.d/init\.d/proftpd + +.EX +.PP @@ -27957,7 +50435,7 @@ index 5bebd82..8460714 100644 +.B ftpd_var_run_t +.EE + -+- Set files with the ftpd_var_run_t type, if you want to store the ftpd files under the /run directory. ++- Set files with the ftpd_var_run_t type, if you want to store the ftpd files under the /run or /var/run directory. + + +.EX 
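Review bot: in the `@@ -27885` hunk the STANDARD FILE CONTEXT example adds a rule for `/srv/ftpd/content(/.*)?` but then runs `restorecon -R -v /srv/myftpd_content`, so the relabel is never applied to the path the fcontext rule covers; the two paths should be the same (for example `restorecon -R -v /srv/ftpd/content`). The same paragraph has the typos `diffent` and `sepecify`, and because this text is emitted for every domain the fix should go into the template rather than into the ftpd page alone.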
@@ -27983,210 +50461,55 @@ index 5bebd82..8460714 100644 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: ++.SH SHARING FILES ++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. + .TP +-Allow ftp servers to use cifs for public file transfer services. ++Allow ftpd servers to read the /var/ftpd directory by adding the public_content_t file type to the directory and by restoring the file type. + .PP + .B +-setsebool -P allow_ftpd_use_cifs on ++semanage fcontext -a -t public_content_t "/var/ftpd(/.*)?" ++.br ++.B restorecon -F -R -v /var/ftpd ++.pp + .TP +-Allow ftp servers to use nfs for public file transfer services. ++Allow ftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpdd_anon_write boolean to be set. + .PP + .B +-setsebool -P allow_ftpd_use_nfs on +-.TP +-system-config-selinux is a GUI tool available to customize SELinux policy settings. +-.SH AUTHOR ++semanage fcontext -a -t public_content_rw_t "/var/ftpd/incoming(/.*)?" ++.br ++.B restorecon -F -R -v /var/ftpd/incoming + -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux ftpd policy is very flexible allowing users to setup their ftpd processes in as secure a method as possible. -+.PP -+The following port types are defined for ftpd: + + .PP +-This manual page was written by Dan Walsh . ++If you want to determine whether ftpd can modify public files used for public file transfer services. 
Directories/Files must be labeled public_content_rw_t., you must turn on the ftpd_anon_write boolean. + +-.SH "SEE ALSO" +.EX -+.TP 5 -+.B ftp_data_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 20 -+.EE -+ -+.EX -+.TP 5 -+.B ftp_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 21,990 -+.EE -+udp 990 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type ftpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B faillog_t -+ -+ /var/log/btmp.* -+.br -+ /var/run/faillock(/.*)? -+.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B ftpd_lock_t -+ -+ -+.br -+.B ftpd_tmp_t -+ -+ -+.br -+.B ftpd_tmpfs_t -+ -+ -+.br -+.B ftpd_var_run_t -+ -+ /var/run/proftpd.* -+.br -+ -+.br -+.B initrc_var_run_t -+ -+ /var/run/utmp -+.br -+ /var/run/random-seed -+.br -+ /var/run/runlevel\.dir -+.br -+ /var/run/setmixer_flag -+.br -+ -+.br -+.B krb5_host_rcache_t -+ -+ /var/cache/krb5rcache(/.*)? -+.br -+ /var/tmp/nfs_0 -+.br -+ /var/tmp/DNS_25 -+.br -+ /var/tmp/host_0 -+.br -+ /var/tmp/imap_0 -+.br -+ /var/tmp/HTTP_23 -+.br -+ /var/tmp/HTTP_48 -+.br -+ /var/tmp/ldap_55 -+.br -+ /var/tmp/ldap_487 -+.br -+ /var/tmp/ldapmap1_0 -+.br -+ -+.br -+.B lastlog_t -+ -+ /var/log/lastlog -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br -+.B security_t -+ -+ /selinux -+.br -+ -+.br -+.B var_auth_t -+ -+ /var/ace(/.*)? -+.br -+ /var/rsa(/.*)? -+.br -+ /var/lib/abl(/.*)? -+.br -+ /var/lib/rsa(/.*)? -+.br -+ /var/lib/pam_ssh(/.*)? -+.br -+ /var/run/pam_ssh(/.*)? -+.br -+ /var/lib/pam_shield(/.*)? -+.br -+ /var/lib/google-authenticator(/.*)? 
-+.br -+ -+.br -+.B wtmp_t -+ -+ /var/log/wtmp.* -+.br -+ -+.br -+.B xferlog_t -+ -+ /var/log/vsftpd.* -+.br -+ /var/log/xferlog.* -+.br -+ /var/log/proftpd(/.*)? -+.br -+ /var/log/xferreport.* -+.br -+ /var/log/muddleftpd\.log.* -+.br -+ /usr/libexec/webmin/vsftpd/webalizer/xfer_log -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the ftpd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 ++.B setsebool -P ftpd_anon_write 1 +.EE + +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. - .PP ++.PP +.B semanage permissive +can also be used to manipulate whether or not a process type is permissive. -+.PP + .PP +.B semanage module +can also be used to enable/disable/install/remove policy modules. -+ -+.B semanage port -+can also be used to manipulate the port definitions -selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) ++.B semanage port ++can also be used to manipulate the port definitions ++ +.B semanage boolean +can also be used to manipulate the booleans + @@ -28205,11 +50528,11 @@ index 5bebd82..8460714 100644 \ No newline at end of file diff --git a/man/man8/ftpdctl_selinux.8 b/man/man8/ftpdctl_selinux.8 new file mode 100644 -index 0000000..c926027 +index 0000000..696388b --- /dev/null +++ b/man/man8/ftpdctl_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "ftpdctl_selinux" "8" "12-11-01" "ftpdctl" "SELinux Policy documentation for ftpdctl" +@@ -0,0 +1,163 @@ ++.TH "ftpdctl_selinux" "8" "13-01-16" "ftpdctl" "SELinux Policy documentation for ftpdctl" +.SH "NAME" +ftpdctl_selinux \- Security Enhanced Linux Policy for the ftpdctl processes +.SH "DESCRIPTION" 
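Review bot: the SHARING FILES text re-added in the `@@ -27983` hunk still says `This also requires the allow_ftpdd_anon_write boolean to be set`, but the boolean is named ftpd_anon_write everywhere else in this page (`setsebool -P ftpd_anon_write 1` appears a few lines later in the same hunk), so the stale `allow_ftpdd_` name with the doubled d points readers at a boolean that does not exist under that name. The same hunk uses a lowercase `.pp` macro after the first restorecon, which groff treats as an unknown request and silently drops, and `Directories/Files must be labeled public_content_rw_t., you must turn on the ftpd_anon_write boolean` has a stray period before the comma.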
@@ -28225,7 +50548,9 @@ index 0000000..c926027 + +.SH "ENTRYPOINTS" + -+The ftpdctl_t SELinux type can be entered via the "ftpdctl_exec_t" file type. The default entrypoint paths for the ftpdctl_t domain are the following:" ++The ftpdctl_t SELinux type can be entered via the \fBftpdctl_exec_t\fP file type. ++ ++The default entrypoint paths for the ftpdctl_t domain are the following: + +/usr/bin/ftpdctl +.SH PROCESS TYPES 
@@ -28243,8 +50568,60 @@ index 0000000..c926027 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ftpdctl_t ++can be used to make the process type ftpdctl_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ftpdctl policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ftpdctl with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -28254,7 +50631,20 @@ index 0000000..c926027 +Policy governs the access confined processes have to these files. +SELinux ftpdctl policy is very flexible allowing users to setup their ftpdctl processes in as secure a method as possible. +.PP -+The following file types are defined for ftpdctl: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ftpdctl, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ftpdctl_exec_t '/srv/ftpdctl/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myftpdctl_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ftpdctl: + + +.EX @@ -28280,8 +50670,6 @@ index 0000000..c926027 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -28292,6 +50680,9 @@ index 0000000..c926027 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -28303,15 +50694,15 @@ index 0000000..c926027 + +.SH "SEE ALSO" +selinux(8), ftpdctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, ftpd_selinux(8) ++, setsebool(8), ftpd_selinux(8) \ No newline at end of file diff --git a/man/man8/games_selinux.8 b/man/man8/games_selinux.8 new file mode 100644 -index 0000000..3e88bfa +index 0000000..91a3fec --- /dev/null 
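Review bot: the STANDARD FILE CONTEXT example in the `@@ -28254` hunk tells the reader to run `semanage fcontext -a -t ftpdctl_exec_t '/srv/ftpdctl/content(/.*)?'`; ftpdctl_exec_t is the entrypoint type for ftpdctl_t (ENTRYPOINTS section in the `@@ -28225` hunk), so labelling a whole content tree with it would turn every file there into an entrypoint into the domain, which is the wrong thing to show on a page about where to store content. The generator appears to take the first file type defined for the domain; for domains whose only file type is an _exec_t type it should skip the example or pick a data type. As on the ftpd page, the paired `restorecon -R -v /srv/myftpdctl_content` also does not match the path in the fcontext rule.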
+++ b/man/man8/games_selinux.8 -@@ -0,0 +1,178 @@ -+.TH "games_selinux" "8" "12-11-01" "games" "SELinux Policy documentation for games" +@@ -0,0 +1,307 @@ ++.TH "games_selinux" "8" "13-01-16" "games" "SELinux Policy documentation for games" +.SH "NAME" +games_selinux \- Security Enhanced Linux Policy for the games processes +.SH "DESCRIPTION" 
@@ -28327,9 +50718,11 @@ index 0000000..3e88bfa + +.SH "ENTRYPOINTS" + -+The games_t SELinux type can be entered via the "games_exec_t" file type. The default entrypoint paths for the games_t domain are the following:" ++The games_t SELinux type can be entered via the \fBgames_exec_t\fP file type. + -+/usr/games/.*, /usr/lib/games(/.*)?, /usr/bin/civclient.*, /usr/bin/civserver.*, /usr/bin/sol, /usr/bin/micq, /usr/bin/kolf, /usr/bin/kpat, /usr/bin/gnect, /usr/bin/gtali, /usr/bin/iagno, /usr/bin/ksame, /usr/bin/ktron, /usr/bin/kwin4, /usr/bin/lskat, /usr/bin/gataxx, /usr/bin/glines, /usr/bin/klines, /usr/bin/kmines, /usr/bin/kpoker, /usr/bin/ksnake, /usr/bin/gnomine, /usr/bin/gnotski, /usr/bin/katomic, /usr/bin/kbounce, /usr/bin/kshisen, /usr/bin/ksirtet, /usr/bin/gnibbles, /usr/bin/gnobots2, /usr/bin/mahjongg, /usr/bin/atlantik, /usr/bin/kenolaba, /usr/bin/klickety, /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/ksokoban, /usr/bin/blackjack, /usr/bin/gnotravex, /usr/bin/kblackbox, /usr/bin/kfouleggs, /usr/bin/kmahjongg, /usr/bin/kwin4proc, /usr/bin/lskatproc, /usr/bin/Maelstrom, /usr/bin/same-gnome, /usr/bin/kasteroids, /usr/bin/ksmiletris, /usr/bin/kspaceduel, /usr/bin/ktuberling, /usr/bin/kbackgammon, /usr/bin/kbattleship, /usr/bin/kgoldrunner, /usr/bin/gnome-stones, /usr/bin/kjumpingcube ++The default entrypoint paths for the games_t domain are the following: ++ ++/usr/games/.*, /usr/lib/games(/.*)?, /usr/bin/civclient.*, /usr/bin/civserver.*, /usr/bin/sol, /usr/bin/kolf, /usr/bin/kpat, /usr/bin/micq, /usr/bin/gnect, /usr/bin/gtali, /usr/bin/iagno, /usr/bin/ksame, /usr/bin/ktron, /usr/bin/kwin4, /usr/bin/lskat, /usr/bin/gataxx, /usr/bin/glines, /usr/bin/klines, /usr/bin/kmines, /usr/bin/kpoker, /usr/bin/ksnake, /usr/bin/gnomine, /usr/bin/gnotski, /usr/bin/katomic, /usr/bin/kbounce, /usr/bin/kshisen, /usr/bin/ksirtet, /usr/bin/atlantik, /usr/bin/gnibbles, /usr/bin/gnobots2, /usr/bin/kenolaba, /usr/bin/klickety, /usr/bin/konquest, /usr/bin/kreversi, 
/usr/bin/ksokoban, /usr/bin/mahjongg, /usr/bin/blackjack, /usr/bin/gnotravex, /usr/bin/kblackbox, /usr/bin/kfouleggs, /usr/bin/kmahjongg, /usr/bin/kwin4proc, /usr/bin/lskatproc, /usr/bin/Maelstrom, /usr/bin/kasteroids, /usr/bin/ksmiletris, /usr/bin/kspaceduel, /usr/bin/ktuberling, /usr/bin/same-gnome, /usr/bin/kbackgammon, /usr/bin/kbattleship, /usr/bin/kgoldrunner, /usr/bin/gnome-stones, /usr/bin/kjumpingcube +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -28345,66 +50738,100 @@ index 0000000..3e88bfa +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a games_t ++can be used to make the process type games_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux games policy is very flexible allowing users to setup their games processes in as secure a method as possible. -+.PP -+The following file types are defined for games: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. games policy is extremely flexible and has several booleans that allow you to manipulate the policy and run games with the tightest access possible. + + ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ +.EX -+.PP -+.B games_data_t ++.B setsebool -P deny_execmem 1 ++ +.EE + -+- Set files with the games_data_t type, if you want to treat the files as games content. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B games_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the games_exec_t type, if you want to transition an executable to the games_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. 
Enabled by default. + +.EX -+.PP -+.B games_srv_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the games_srv_var_run_t type, if you want to store the games srv files under the /run directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B games_tmp_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the games_tmp_t type, if you want to store games temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B games_tmpfs_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the games_tmpfs_t type, if you want to store games files on a tmpfs file system. ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -28441,6 +50868,12 @@ index 0000000..3e88bfa +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? 
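Review bot: the deny_execmem paragraph in the `@@ -28345` hunk runs three clauses into one sentence (`If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean`); something like `If you want to deny user domain applications the ability to map a memory region as both executable and writable, turn on the deny_execmem boolean (enabled by default); an application that needs this is dangerous and should be reported in bugzilla` keeps the meaning and reads correctly. The same hunk says use_nfs_home_dirs is `Enabled by default`, while the ftpd page earlier in this patch says the same boolean is `Disabled by default`; both pages are generated from one policy, so one of them is wrong and the default should be checked against the policy source. The `@@ -28441` hunk adds `/home/pwalsh/\.fontconfig(/.*)?` and related paths, which is the same build-host file-context leakage as in the ftpd MANAGED FILES list.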
@@ -28461,12 +50894,95 @@ index 0000000..3e88bfa +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B xserver_tmpfs_t ++ ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux games policy is very flexible allowing users to setup their games processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the games, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t games_data_t '/srv/games/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygames_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for games: ++ ++ ++.EX ++.PP ++.B games_data_t ++.EE ++ ++- Set files with the games_data_t type, if you want to treat the files as games content. ++ ++.br ++.TP 5 ++Paths: ++/var/games(/.*)?, /var/lib/games(/.*)? ++ ++.EX ++.PP ++.B games_exec_t ++.EE ++ ++- Set files with the games_exec_t type, if you want to transition an executable to the games_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/games/.*, /usr/lib/games(/.*)?, /usr/bin/civclient.*, /usr/bin/civserver.*, /usr/bin/sol, /usr/bin/kolf, /usr/bin/kpat, /usr/bin/micq, /usr/bin/gnect, /usr/bin/gtali, /usr/bin/iagno, /usr/bin/ksame, /usr/bin/ktron, /usr/bin/kwin4, /usr/bin/lskat, /usr/bin/gataxx, /usr/bin/glines, /usr/bin/klines, /usr/bin/kmines, /usr/bin/kpoker, /usr/bin/ksnake, /usr/bin/gnomine, /usr/bin/gnotski, /usr/bin/katomic, /usr/bin/kbounce, /usr/bin/kshisen, /usr/bin/ksirtet, /usr/bin/atlantik, /usr/bin/gnibbles, /usr/bin/gnobots2, /usr/bin/kenolaba, /usr/bin/klickety, /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/ksokoban, /usr/bin/mahjongg, /usr/bin/blackjack, /usr/bin/gnotravex, /usr/bin/kblackbox, /usr/bin/kfouleggs, /usr/bin/kmahjongg, /usr/bin/kwin4proc, /usr/bin/lskatproc, /usr/bin/Maelstrom, /usr/bin/kasteroids, /usr/bin/ksmiletris, /usr/bin/kspaceduel, /usr/bin/ktuberling, /usr/bin/same-gnome, /usr/bin/kbackgammon, /usr/bin/kbattleship, /usr/bin/kgoldrunner, /usr/bin/gnome-stones, /usr/bin/kjumpingcube ++ ++.EX ++.PP ++.B games_srv_var_run_t ++.EE ++ ++- Set files with the games_srv_var_run_t type, if you want to store the games srv files under the /run or /var/run directory. ++ ++ ++.EX ++.PP ++.B games_tmp_t ++.EE ++ ++- Set files with the games_tmp_t type, if you want to store games temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B games_tmpfs_t ++.EE ++ ++- Set files with the games_tmpfs_t type, if you want to store games files on a tmpfs file system. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
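Review bot: the FILE CONTEXTS text in the `@@ -28461` hunk contains `\fBls\bP`, where `\b` is groff's bracket-building escape and `\fP` (restore previous font) was intended, so the bold is never switched off and the rest of the line is mangled; the same typo appears in the text this hunk removes, so it is in the template. The STANDARD FILE CONTEXT example again labels `/srv/games/content(/.*)?` but restores `/srv/mygames_content`, and `/tmp/gconfd-pwalsh` under user_tmp_t is another build-host path that should not ship.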
@@ -28478,6 +50994,9 @@ index 0000000..3e88bfa +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -28489,13 +51008,154 @@ index 0000000..3e88bfa + +.SH "SEE ALSO" +selinux(8), games(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), games_srv_selinux(8) +\ No newline at end of file +diff --git a/man/man8/games_srv_selinux.8 b/man/man8/games_srv_selinux.8 +new file mode 100644 +index 0000000..ca237fc +--- /dev/null ++++ b/man/man8/games_srv_selinux.8 +@@ -0,0 +1,132 @@ ++.TH "games_srv_selinux" "8" "13-01-16" "games_srv" "SELinux Policy documentation for games_srv" ++.SH "NAME" ++games_srv_selinux \- Security Enhanced Linux Policy for the games_srv processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the games_srv processes via flexible mandatory access control. ++ ++The games_srv processes execute with the games_srv_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep games_srv_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The games_srv_t SELinux type can be entered via the \fBgames_exec_t\fP file type. 
++ ++The default entrypoint paths for the games_srv_t domain are the following: ++ ++/usr/games/.*, /usr/lib/games(/.*)?, /usr/bin/civclient.*, /usr/bin/civserver.*, /usr/bin/sol, /usr/bin/kolf, /usr/bin/kpat, /usr/bin/micq, /usr/bin/gnect, /usr/bin/gtali, /usr/bin/iagno, /usr/bin/ksame, /usr/bin/ktron, /usr/bin/kwin4, /usr/bin/lskat, /usr/bin/gataxx, /usr/bin/glines, /usr/bin/klines, /usr/bin/kmines, /usr/bin/kpoker, /usr/bin/ksnake, /usr/bin/gnomine, /usr/bin/gnotski, /usr/bin/katomic, /usr/bin/kbounce, /usr/bin/kshisen, /usr/bin/ksirtet, /usr/bin/atlantik, /usr/bin/gnibbles, /usr/bin/gnobots2, /usr/bin/kenolaba, /usr/bin/klickety, /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/ksokoban, /usr/bin/mahjongg, /usr/bin/blackjack, /usr/bin/gnotravex, /usr/bin/kblackbox, /usr/bin/kfouleggs, /usr/bin/kmahjongg, /usr/bin/kwin4proc, /usr/bin/lskatproc, /usr/bin/Maelstrom, /usr/bin/kasteroids, /usr/bin/ksmiletris, /usr/bin/kspaceduel, /usr/bin/ktuberling, /usr/bin/same-gnome, /usr/bin/kbackgammon, /usr/bin/kbattleship, /usr/bin/kgoldrunner, /usr/bin/gnome-stones, /usr/bin/kjumpingcube ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux games_srv policy is very flexible allowing users to setup their games_srv processes in as secure a method as possible. ++.PP ++The following process types are defined for games_srv: ++ ++.EX ++.B games_srv_t ++.EE ++.PP ++Note: ++.B semanage permissive -a games_srv_t ++can be used to make the process type games_srv_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
games_srv policy is extremely flexible and has several booleans that allow you to manipulate the policy and run games_srv with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type games_srv_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B games_data_t ++ ++ /var/games(/.*)? ++.br ++ /var/lib/games(/.*)? ++.br ++ ++.br ++.B games_srv_var_run_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. 
++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), games_srv(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), games_selinux(8), games_selinux(8) +\ No newline at end of file diff --git a/man/man8/gconfd_selinux.8 b/man/man8/gconfd_selinux.8 new file mode 100644 -index 0000000..18de510 +index 0000000..40536b1 --- /dev/null +++ b/man/man8/gconfd_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "gconfd_selinux" "8" "12-11-01" "gconfd" "SELinux Policy documentation for gconfd" +@@ -0,0 +1,195 @@ ++.TH "gconfd_selinux" "8" "13-01-16" "gconfd" "SELinux Policy documentation for gconfd" +.SH "NAME" +gconfd_selinux \- Security Enhanced Linux Policy for the gconfd processes +.SH "DESCRIPTION" @@ -28511,7 +51171,9 @@ index 0000000..18de510 + +.SH "ENTRYPOINTS" + -+The gconfd_t SELinux type can be entered via the "gconfd_exec_t" file type. The default entrypoint paths for the gconfd_t domain are the following:" ++The gconfd_t SELinux type can be entered via the \fBgconfd_exec_t\fP file type. ++ ++The default entrypoint paths for the gconfd_t domain are the following: + + +.SH PROCESS TYPES 
@@ -28529,8 +51191,92 @@ index 0000000..18de510 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a gconfd_t ++can be used to make the process type gconfd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. gconfd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gconfd with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type gconfd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B gconf_home_t ++ ++ /root/\.local.* ++.br ++ /root/\.gconf(d)?(/.*)? 
++.br ++ /home/[^/]*/\.local.* ++.br ++ /home/[^/]*/\.gconf(d)?(/.*)? ++.br ++ /home/pwalsh/\.local.* ++.br ++ /home/pwalsh/\.gconf(d)?(/.*)? ++.br ++ /home/dwalsh/\.local.* ++.br ++ /home/dwalsh/\.gconf(d)?(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.local.* ++.br ++ /var/lib/xguest/home/xguest/\.gconf(d)?(/.*)? ++.br ++ ++.br ++.B gconf_tmp_t ++ ++ /tmp/gconfd-.*/.* ++.br ++ /tmp/gconfd-pwalsh/.* ++.br ++ /tmp/gconfd-dwalsh/.* ++.br ++ /tmp/gconfd-xguest/.* ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -28540,7 +51286,20 @@ index 0000000..18de510 +Policy governs the access confined processes have to these files. +SELinux gconfd policy is very flexible allowing users to setup their gconfd processes in as secure a method as possible. +.PP -+The following file types are defined for gconfd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the gconfd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t gconfd_exec_t '/srv/gconfd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygconfd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for gconfd: + + +.EX 
@@ -28566,42 +51325,6 @@ index 0000000..18de510 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type gconfd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B gconf_home_t -+ -+ /root/\.local.* -+.br -+ /root/\.gconf(d)?(/.*)? -+.br -+ /home/[^/]*/\.local.* -+.br -+ /home/[^/]*/\.gconf(d)?(/.*)? -+.br -+ /home/dwalsh/\.local.* -+.br -+ /home/dwalsh/\.gconf(d)?(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.local.* -+.br -+ /var/lib/xguest/home/xguest/\.gconf(d)?(/.*)? -+.br -+ -+.br -+.B gconf_tmp_t -+ -+ /tmp/gconfd-.*/.* -+.br -+ /tmp/gconfd-dwalsh/.* -+.br -+ /tmp/gconfd-xguest/.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -28612,6 +51335,9 @@ index 0000000..18de510 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -28623,15 +51349,15 @@ index 0000000..18de510 + +.SH "SEE ALSO" +selinux(8), gconfd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, gconfdefaultsm_selinux(8) ++, setsebool(8), gconfdefaultsm_selinux(8) \ No newline at end of file diff --git a/man/man8/gconfdefaultsm_selinux.8 b/man/man8/gconfdefaultsm_selinux.8 new file mode 100644 -index 0000000..a13ef31 +index 0000000..c91cb02 --- /dev/null 
+++ b/man/man8/gconfdefaultsm_selinux.8 -@@ -0,0 +1,117 @@ -+.TH "gconfdefaultsm_selinux" "8" "12-11-01" "gconfdefaultsm" "SELinux Policy documentation for gconfdefaultsm" +@@ -0,0 +1,277 @@ ++.TH "gconfdefaultsm_selinux" "8" "13-01-16" "gconfdefaultsm" "SELinux Policy documentation for gconfdefaultsm" +.SH "NAME" +gconfdefaultsm_selinux \- Security Enhanced Linux Policy for the gconfdefaultsm processes +.SH "DESCRIPTION" @@ -28647,7 +51373,9 @@ index 0000000..a13ef31 + +.SH "ENTRYPOINTS" + -+The gconfdefaultsm_t SELinux type can be entered via the "gconfdefaultsm_exec_t" file type. The default entrypoint paths for the gconfdefaultsm_t domain are the following:" ++The gconfdefaultsm_t SELinux type can be entered via the \fBgconfdefaultsm_exec_t\fP file type. ++ ++The default entrypoint paths for the gconfdefaultsm_t domain are the following: + +/usr/libexec/gconf-defaults-mechanism +.SH PROCESS TYPES 
@@ -28665,40 +51393,142 @@ index 0000000..a13ef31 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a gconfdefaultsm_t ++can be used to make the process type gconfdefaultsm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux gconfdefaultsm policy is very flexible allowing users to setup their gconfdefaultsm processes in as secure a method as possible. -+.PP -+The following file types are defined for gconfdefaultsm: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. gconfdefaultsm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gconfdefaultsm with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B gconfdefaultsm_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the gconfdefaultsm_exec_t type, if you want to transition an executable to the gconfdefaultsm_t domain. ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE + +.SH "MANAGED FILES" + +The SELinux process type gconfdefaultsm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br +.B gconf_etc_t + + /etc/gconf(/.*)? @@ -28715,6 +51545,10 @@ index 0000000..a13ef31 +.br + /home/[^/]*/\.gconf(d)?(/.*)? +.br ++ /home/pwalsh/\.local.* ++.br ++ /home/pwalsh/\.gconf(d)?(/.*)? ++.br + /home/dwalsh/\.local.* +.br + /home/dwalsh/\.gconf(d)?(/.*)? 
@@ -28724,7 +51558,56 @@ index 0000000..a13ef31 + /var/lib/xguest/home/xguest/\.gconf(d)?(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B nfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux gconfdefaultsm policy is very flexible allowing users to setup their gconfdefaultsm processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the gconfdefaultsm, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t gconfdefaultsm_exec_t '/srv/gconfdefaultsm/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygconfdefaultsm_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for gconfdefaultsm: ++ ++ ++.EX ++.PP ++.B gconfdefaultsm_exec_t ++.EE ++ ++- Set files with the gconfdefaultsm_exec_t type, if you want to transition an executable to the gconfdefaultsm_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -28736,6 +51619,9 @@ index 0000000..a13ef31 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -28747,15 +51633,15 @@ index 0000000..a13ef31 + +.SH "SEE ALSO" +selinux(8), gconfdefaultsm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, gconfd_selinux(8) ++, setsebool(8), gconfd_selinux(8) \ No newline at end of file diff --git a/man/man8/getty_selinux.8 b/man/man8/getty_selinux.8 new file mode 100644 -index 0000000..d3c311a +index 0000000..ae855e3 --- /dev/null +++ b/man/man8/getty_selinux.8 -@@ -0,0 +1,212 @@ -+.TH "getty_selinux" "8" "12-11-01" "getty" "SELinux Policy documentation for getty" +@@ -0,0 +1,335 @@ ++.TH "getty_selinux" "8" "13-01-16" "getty" "SELinux Policy documentation for getty" +.SH "NAME" +getty_selinux \- Security Enhanced Linux Policy for the getty processes +.SH "DESCRIPTION" @@ -28771,7 +51657,9 @@ index 0000000..d3c311a + +.SH "ENTRYPOINTS" + -+The getty_t SELinux type can be entered via the "getty_exec_t" file type. The default entrypoint paths for the getty_t domain are the following:" ++The getty_t SELinux type can be entered via the \fBgetty_exec_t\fP file type. ++ ++The default entrypoint paths for the getty_t domain are the following: + +/sbin/.*getty, /usr/sbin/.*getty +.SH PROCESS TYPES 
@@ -28789,82 +51677,116 @@ index 0000000..d3c311a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a getty_t ++can be used to make the process type getty_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux getty policy is very flexible allowing users to setup their getty processes in as secure a method as possible. -+.PP -+The following file types are defined for getty: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. getty policy is extremely flexible and has several booleans that allow you to manipulate the policy and run getty with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B getty_etc_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the getty_etc_t type, if you want to store getty files in the /etc directories. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B getty_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the getty_exec_t type, if you want to transition an executable to the getty_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
+ +.EX -+.PP -+.B getty_lock_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the getty_lock_t type, if you want to treat the files as getty lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B getty_log_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the getty_log_t type, if you want to treat the data as getty log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B getty_tmp_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the getty_tmp_t type, if you want to store getty temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B getty_unit_file_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the getty_unit_file_t type, if you want to treat the files as getty unit content. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B getty_var_run_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the getty_var_run_t type, if you want to store the getty files under the /run directory. ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the getty_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the getty_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -28930,21 +51852,104 @@ index 0000000..d3c311a + /var/log/wtmp.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux getty policy is very flexible allowing users to setup their getty processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the getty_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the getty, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t getty_etc_t '/srv/getty/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygetty_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for getty: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B getty_etc_t +.EE + ++- Set files with the getty_etc_t type, if you want to store getty files in the /etc directories. ++ ++ ++.EX ++.PP ++.B getty_exec_t ++.EE ++ ++- Set files with the getty_exec_t type, if you want to transition an executable to the getty_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/.*getty, /usr/sbin/.*getty ++ ++.EX ++.PP ++.B getty_lock_t ++.EE ++ ++- Set files with the getty_lock_t type, if you want to treat the files as getty lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B getty_log_t ++.EE ++ ++- Set files with the getty_log_t type, if you want to treat the data as getty log data, usually stored under the /var/log directory. 
++ ++.br ++.TP 5 ++Paths: ++/var/log/mgetty\.log.*, /var/log/vgetty\.log\..* ++ ++.EX ++.PP ++.B getty_tmp_t ++.EE ++ ++- Set files with the getty_tmp_t type, if you want to store getty temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B getty_unit_file_t ++.EE ++ ++- Set files with the getty_unit_file_t type, if you want to treat the files as getty unit content. ++ ++ ++.EX ++.PP ++.B getty_var_run_t ++.EE ++ ++- Set files with the getty_var_run_t type, if you want to store the getty files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/spool/fax(/.*)?, /var/spool/voice(/.*)?, /var/run/mgetty\.pid.* ++ +.PP -+If you want to allow confined applications to run with kerberos for the getty_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -28956,6 +51961,9 @@ index 0000000..d3c311a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -28967,13 +51975,15 @@ index 0000000..d3c311a + +.SH "SEE ALSO" +selinux(8), getty(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/gfs_controld_selinux.8 b/man/man8/gfs_controld_selinux.8 new file mode 100644 -index 0000000..d464731 +index 0000000..dce7362 --- /dev/null 
+++ b/man/man8/gfs_controld_selinux.8 -@@ -0,0 +1,160 @@ -+.TH "gfs_controld_selinux" "8" "12-11-01" "gfs_controld" "SELinux Policy documentation for gfs_controld" +@@ -0,0 +1,281 @@ ++.TH "gfs_controld_selinux" "8" "13-01-16" "gfs_controld" "SELinux Policy documentation for gfs_controld" +.SH "NAME" +gfs_controld_selinux \- Security Enhanced Linux Policy for the gfs_controld processes +.SH "DESCRIPTION" @@ -28989,7 +51999,9 @@ index 0000000..d464731 + +.SH "ENTRYPOINTS" + -+The gfs_controld_t SELinux type can be entered via the "gfs_controld_exec_t" file type. The default entrypoint paths for the gfs_controld_t domain are the following:" ++The gfs_controld_t SELinux type can be entered via the \fBgfs_controld_exec_t\fP file type. ++ ++The default entrypoint paths for the gfs_controld_t domain are the following: + +/usr/sbin/gfs_controld +.SH PROCESS TYPES 
@@ -29007,8 +52019,162 @@ index 0000000..d464731 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a gfs_controld_t ++can be used to make the process type gfs_controld_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. gfs_controld policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gfs_controld with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the gfs_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gfs_controld_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type gfs_controld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B gfs_controld_tmpfs_t ++ ++ ++.br ++.B gfs_controld_var_log_t ++ ++ /var/log/cluster/gfs_controld\.log.* ++.br ++ ++.br ++.B gfs_controld_var_run_t ++ ++ /var/run/gfs_controld\.pid ++.br ++ ++.br ++.B initrc_tmp_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sysfs_t ++ ++ /sys(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -29018,7 +52184,20 @@ index 0000000..d464731 +Policy governs the access confined processes have to these files. +SELinux gfs_controld policy is very flexible allowing users to setup their gfs_controld processes in as secure a method as possible. +.PP -+The following file types are defined for gfs_controld: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the gfs_controld, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t gfs_controld_exec_t '/srv/gfs_controld/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygfs_controld_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for gfs_controld: + + +.EX @@ -29050,7 +52229,7 @@ index 0000000..d464731 +.B gfs_controld_var_run_t +.EE + -+- Set files with the gfs_controld_var_run_t type, if you want to store the gfs controld files under the /run directory. ++- Set files with the gfs_controld_var_run_t type, if you want to store the gfs controld files under the /run or /var/run directory. + + +.PP 
@@ -29060,58 +52239,6 @@ index 0000000..d464731 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type gfs_controld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cluster_var_lib_t -+ -+ /var/lib/cluster(/.*)? -+.br -+ -+.br -+.B gfs_controld_tmpfs_t -+ -+ -+.br -+.B gfs_controld_var_log_t -+ -+ /var/log/cluster/gfs_controld\.log.* -+.br -+ -+.br -+.B gfs_controld_var_run_t -+ -+ /var/run/gfs_controld\.pid -+.br -+ -+.br -+.B initrc_tmp_t -+ -+ -+.br -+.B sysfs_t -+ -+ /sys(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gfs_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the gfs_controld_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -29122,6 +52249,9 @@ index 0000000..d464731 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -29133,6 +52263,8 @@ index 0000000..d464731 + +.SH "SEE ALSO" +selinux(8), gfs_controld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8 deleted file mode 100644 index e9c43b1..0000000 
@@ -29248,122 +52380,174 @@ index e9c43b1..0000000 -This manual page was written by Dominick Grift . -.SH "SEE ALSO" -selinux(8), git(8), chcon(1), semodule(8), setsebool(8) -diff --git a/man/man8/git_shell_selinux.8 b/man/man8/git_shell_selinux.8 +diff --git a/man/man8/git_session_selinux.8 b/man/man8/git_session_selinux.8 new file mode 100644 -index 0000000..f991f0f +index 0000000..344e746 
--- /dev/null -+++ b/man/man8/git_shell_selinux.8 -@@ -0,0 +1,133 @@ -+.TH "git_shell_selinux" "8" "git_shell" "mgrepl@redhat.com" "git_shell SELinux Policy documentation" ++++ b/man/man8/git_session_selinux.8 +@@ -0,0 +1,188 @@ ++.TH "git_session_selinux" "8" "13-01-16" "git_session" "SELinux Policy documentation for git_session" +.SH "NAME" -+git_shell_u \- \fBgit_shell user role\fP - Security Enhanced Linux Policy ++git_session_selinux \- Security Enhanced Linux Policy for the git_session processes ++.SH "DESCRIPTION" + -+.SH DESCRIPTION ++Security-Enhanced Linux secures the git_session processes via flexible mandatory access control. + -+\fBgit_shell_u\fP is an SELinux User defined in the SELinux -+policy. SELinux users have default roles, \fBgit_shell_r\fP. The -+default role has a default type, \fBgit_shell_t\fP, associated with it. ++The git_session processes execute with the git_session_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. + -+The SELinux user will usually login to a system with a context that looks like: ++For example: + -+.B git_shell_u:git_shell_r:git_shell_t:s0-s0:c0.c1023 -+ -+Linux users are automatically assigned an SELinux users at login. -+Login programs use the SELinux User to assign initial context to the user's shell. -+ -+SELinux policy uses the context to control the user's access. -+ -+By default all users are assigned to the SELinux user via the \fB__default__\fP flag -+ -+On Targeted policy systems the \fB__default__\fP user is assigned to the \fBunconfined_u\fP SELinux user. 
-+ -+You can list all Linux User to SELinux user mapping using: -+ -+.B semanage login -l -+ -+If you wanted to change the default user mapping to use the git_shell_u user, you would execute: -+ -+.B semanage login -m -s git_shell_u __default__ ++.B ps -eZ | grep git_session_t + + -+.SH USER DESCRIPTION ++.SH "ENTRYPOINTS" + -+The SELinux user git_shell_u is defined in policy as a unprivileged user. SELinux prevents unprivileged users from doing administration tasks without transitioning to a different role. ++The git_session_t SELinux type can be entered via the \fBgitd_exec_t\fP file type. + -+.SH SUDO ++The default entrypoint paths for the git_session_t domain are the following: + -+.SH X WINDOWS LOGIN ++/usr/libexec/git-core/git-daemon ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux git_session policy is very flexible allowing users to setup their git_session processes in as secure a method as possible. ++.PP ++The following process types are defined for git_session: + -+The SELinux user git_shell_u is not able to X Windows login. ++.EX ++.B git_session_t ++.EE ++.PP ++Note: ++.B semanage permissive -a git_session_t ++can be used to make the process type git_session_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH NETWORK -+ -+.TP -+The SELinux user git_shell_u is able to connect to the following tcp ports. -+ -+.B dns_port_t: 53 -+ -+.B ocsp_port_t: 9080 -+ -+.B kerberos_port_t: 88,750,4444 -+ -+.TP -+The SELinux user git_shell_u is able to connect to the following tcp ports. -+ -+.B dns_port_t: 53 -+ -+.B ocsp_port_t: 9080 -+ -+.B kerberos_port_t: 88,750,4444 -+ -+.SH HOME_EXEC -+ -+The SELinux user git_shell_u is able execute home content files. 
-+ -+.SH TRANSITIONS -+ -+Three things can happen when git_shell_t attempts to execute a program. -+ -+\fB1.\fP SELinux Policy can deny git_shell_t from executing the program. -+ -+.TP -+ -+\fB2.\fP SELinux Policy can allow git_shell_t to execute the program in the current user type. -+ -+Execute the following to see the types that the SELinux user git_shell_t can execute without transitioning: -+ -+.B search -A -s git_shell_t -c file -p execute_no_trans -+ -+.TP -+ -+\fB3.\fP SELinux can allow git_shell_t to execute the program and transition to a new type. -+ -+Execute the following to see the types that the SELinux user git_shell_t can execute and transition: -+ -+.B $ search -A -s git_shell_t -c process -p transition ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. git_session policy is extremely flexible and has several booleans that allow you to manipulate the policy and run git_session with the tightest access possible. + + -+.SH "MANAGED FILES" ++.PP ++If you want to determine whether Git session daemon can bind TCP sockets to all unreserved ports, you must turn on the git_session_bind_all_unreserved_ports boolean. Disabled by default. + -+The SELinux process type git_shell_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++.EX ++.B setsebool -P git_session_bind_all_unreserved_ports 1 + -+.br -+.B alsa_home_t ++.EE + -+ /home/[^/]*/\.asoundrc -+.br -+ /home/dwalsh/\.asoundrc -+.br -+ /var/lib/xguest/home/xguest/\.asoundrc -+.br ++.PP ++If you want to determine whether calling user domains can execute Git daemon in the git_session_t domain, you must turn on the git_session_users boolean. Disabled by default. + -+.br -+.B git_sys_content_t ++.EX ++.B setsebool -P git_session_users 1 + -+ /srv/git(/.*)? -+.br -+ /var/lib/git(/.*)? 
-+.br ++.EE ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the git_session_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the git_session_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "COMMANDS" +.B semanage fcontext @@ -29375,6 +52559,9 @@ index 0000000..f991f0f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -29385,16 +52572,219 @@ index 0000000..f991f0f +by Dan Walsh. + +.SH "SEE ALSO" -+selinux(8), git_shell(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, gitosis_selinux(8) ++selinux(8), git_session(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), git_system_selinux(8), gitosis_selinux(8) +\ No newline at end of file +diff --git a/man/man8/git_system_selinux.8 b/man/man8/git_system_selinux.8 +new file mode 100644 +index 0000000..e0c9ecd +--- /dev/null ++++ b/man/man8/git_system_selinux.8 +@@ -0,0 +1,196 @@ ++.TH "git_system_selinux" "8" "13-01-16" "git_system" "SELinux Policy documentation for git_system" ++.SH "NAME" ++git_system_selinux \- Security Enhanced Linux Policy for the git_system processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the git_system processes via flexible mandatory access control. ++ ++The git_system processes execute with the git_system_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep git_system_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The git_system_t SELinux type can be entered via the \fBgitd_exec_t\fP file type. ++ ++The default entrypoint paths for the git_system_t domain are the following: ++ ++/usr/libexec/git-core/git-daemon ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux git_system policy is very flexible allowing users to setup their git_system processes in as secure a method as possible. ++.PP ++The following process types are defined for git_system: ++ ++.EX ++.B git_system_t ++.EE ++.PP ++Note: ++.B semanage permissive -a git_system_t ++can be used to make the process type git_system_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. git_system policy is extremely flexible and has several booleans that allow you to manipulate the policy and run git_system with the tightest access possible. ++ ++ ++.PP ++If you want to determine whether Git system daemon can search home directories, you must turn on the git_system_enable_homedirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P git_system_enable_homedirs 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Git system daemon can access cifs file systems, you must turn on the git_system_use_cifs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P git_system_use_cifs 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Git system daemon can access nfs file systems, you must turn on the git_system_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P git_system_use_nfs 1 ++ ++.EE ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the git_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the git_system_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. 
++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), git_system(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), git_session_selinux(8), gitosis_selinux(8) \ No newline at end of file diff --git a/man/man8/gitosis_selinux.8 b/man/man8/gitosis_selinux.8 new file mode 100644 -index 0000000..56b4bdf +index 0000000..5f4b3f8 --- /dev/null +++ b/man/man8/gitosis_selinux.8 -@@ -0,0 +1,128 @@ -+.TH "gitosis_selinux" "8" "12-11-01" "gitosis" "SELinux Policy documentation for gitosis" +@@ -0,0 +1,185 @@ ++.TH "gitosis_selinux" "8" "13-01-16" "gitosis" "SELinux Policy documentation for gitosis" +.SH "NAME" +gitosis_selinux \- Security Enhanced Linux Policy for the gitosis processes +.SH "DESCRIPTION" @@ -29410,7 +52800,9 @@ index 0000000..56b4bdf + +.SH "ENTRYPOINTS" + -+The gitosis_t SELinux type can be entered via the "gitosis_exec_t" file type. The default entrypoint paths for the gitosis_t domain are the following:" ++The gitosis_t SELinux type can be entered via the \fBgitosis_exec_t\fP file type. ++ ++The default entrypoint paths for the gitosis_t domain are the following: + +/usr/bin/gitosis-serve, /usr/bin/gl-auth-command +.SH PROCESS TYPES 
@@ -29428,27 +52820,75 @@ index 0000000..56b4bdf +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a gitosis_t ++can be used to make the process type gitosis_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. gitosis policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gitosis with the tightest access possible. + + +.PP -+If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean. ++If you want to determine whether Gitosis can send mail, you must turn on the gitosis_can_sendmail boolean. Disabled by default. + +.EX +.B setsebool -P gitosis_can_sendmail 1 ++ +.EE + +.PP -+If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P gitosis_can_sendmail 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type gitosis_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B gitosis_var_lib_t ++ ++ /srv/lib/gitosis(/.*)? ++.br ++ /var/lib/gitosis(/.*)? ++.br ++ /var/lib/gitolite(3)?(/.*)? ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -29457,7 +52897,20 @@ index 0000000..56b4bdf +Policy governs the access confined processes have to these files. +SELinux gitosis policy is very flexible allowing users to setup their gitosis processes in as secure a method as possible. +.PP -+The following file types are defined for gitosis: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the gitosis, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t gitosis_exec_t '/srv/gitosis/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygitosis_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for gitosis: + + +.EX @@ -29467,6 +52920,10 @@ index 0000000..56b4bdf + +- Set files with the gitosis_exec_t type, if you want to transition an executable to the gitosis_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/gitosis-serve, /usr/bin/gl-auth-command + +.EX +.PP 
@@ -29475,6 +52932,10 @@ index 0000000..56b4bdf + +- Set files with the gitosis_var_lib_t type, if you want to store the gitosis files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/srv/lib/gitosis(/.*)?, /var/lib/gitosis(/.*)?, /var/lib/gitolite(3)?(/.*)? + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -29483,20 +52944,6 @@ index 0000000..56b4bdf +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type gitosis_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B gitosis_var_lib_t -+ -+ /var/lib/gitosis(/.*)? -+.br -+ /var/lib/gitolite(3)?(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -29525,11 +52972,11 @@ index 0000000..56b4bdf \ No newline at end of file diff --git a/man/man8/glance_api_selinux.8 b/man/man8/glance_api_selinux.8 new file mode 100644 -index 0000000..f7a5295 +index 0000000..5ec91e0 --- /dev/null +++ b/man/man8/glance_api_selinux.8 -@@ -0,0 +1,121 @@ -+.TH "glance_api_selinux" "8" "12-11-01" "glance_api" "SELinux Policy documentation for glance_api" +@@ -0,0 +1,215 @@ ++.TH "glance_api_selinux" "8" "13-01-16" "glance_api" "SELinux Policy documentation for glance_api" +.SH "NAME" +glance_api_selinux \- Security Enhanced Linux Policy for the glance_api processes +.SH "DESCRIPTION" 
@@ -29545,7 +52992,9 @@ index 0000000..f7a5295 + +.SH "ENTRYPOINTS" + -+The glance_api_t SELinux type can be entered via the "glance_api_exec_t" file type. The default entrypoint paths for the glance_api_t domain are the following:" ++The glance_api_t SELinux type can be entered via the \fBglance_api_exec_t\fP file type. ++ ++The default entrypoint paths for the glance_api_t domain are the following: + +/usr/bin/glance-api +.SH PROCESS TYPES 
@@ -29563,8 +53012,112 @@ index 0000000..f7a5295 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a glance_api_t ++can be used to make the process type glance_api_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. glance_api policy is extremely flexible and has several booleans that allow you to manipulate the policy and run glance_api with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type glance_api_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B glance_tmp_t ++ ++ ++.br ++.B glance_var_lib_t ++ ++ /var/lib/glance(/.*)? ++.br ++ ++.br ++.B glance_var_run_t ++ ++ /var/run/glance(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -29574,7 +53127,20 @@ index 0000000..f7a5295 +Policy governs the access confined processes have to these files. +SELinux glance_api policy is very flexible allowing users to setup their glance_api processes in as secure a method as possible. +.PP -+The following file types are defined for glance_api: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the glance_api, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t glance_api_exec_t '/srv/glance_api/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myglance_api_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for glance_api: + + +.EX @@ -29600,34 +53166,6 @@ index 0000000..f7a5295 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type glance_api_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B glance_log_t -+ -+ /var/log/glance(/.*)? -+.br -+ -+.br -+.B glance_tmp_t -+ -+ -+.br -+.B glance_var_lib_t -+ -+ /var/lib/glance(/.*)? -+.br -+ -+.br -+.B glance_var_run_t -+ -+ /var/run/glance(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -29638,6 +53176,9 @@ index 0000000..f7a5295 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -29649,15 +53190,15 @@ index 0000000..f7a5295 + +.SH "SEE ALSO" +selinux(8), glance_api(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, glance_registry_selinux(8) ++, setsebool(8), glance_registry_selinux(8) \ No newline at end of file diff --git a/man/man8/glance_registry_selinux.8 b/man/man8/glance_registry_selinux.8 new file mode 100644 -index 0000000..1846d51 +index 0000000..6b48816 --- /dev/null +++ b/man/man8/glance_registry_selinux.8 -@@ -0,0 +1,157 @@ -+.TH "glance_registry_selinux" "8" "12-11-01" "glance_registry" "SELinux Policy documentation for glance_registry" +@@ -0,0 +1,263 @@ ++.TH "glance_registry_selinux" "8" "13-01-16" "glance_registry" "SELinux Policy documentation for glance_registry" +.SH "NAME" +glance_registry_selinux \- Security Enhanced Linux Policy for the glance_registry processes +.SH "DESCRIPTION" @@ -29673,7 +53214,9 @@ index 0000000..1846d51 + +.SH "ENTRYPOINTS" + -+The glance_registry_t SELinux type can be entered via the "glance_registry_exec_t" file type. The default entrypoint paths for the glance_registry_t domain are the following:" ++The glance_registry_t SELinux type can be entered via the \fBglance_registry_exec_t\fP file type. ++ ++The default entrypoint paths for the glance_registry_t domain are the following: + +/usr/bin/glance-registry +.SH PROCESS TYPES 
@@ -29691,50 +53234,84 @@ index 0000000..1846d51 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a glance_registry_t ++can be used to make the process type glance_registry_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux glance_registry policy is very flexible allowing users to setup their glance_registry processes in as secure a method as possible. -+.PP -+The following file types are defined for glance_registry: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. glance_registry policy is extremely flexible and has several booleans that allow you to manipulate the policy and run glance_registry with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B glance_registry_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the glance_registry_exec_t type, if you want to transition an executable to the glance_registry_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B glance_registry_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the glance_registry_initrc_exec_t type, if you want to transition an executable to the glance_registry_initrc_t domain. 
-+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B glance_registry_tmp_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the glance_registry_tmp_t type, if you want to store glance registry temporary files in the /tmp directories. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -29766,16 +53343,14 @@ index 0000000..1846d51 +The SELinux process type glance_registry_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B glance_log_t -+ -+ /var/log/glance(/.*)? -+.br -+ -+.br +.B glance_registry_tmp_t + + +.br ++.B glance_registry_tmpfs_t ++ ++ ++.br +.B glance_var_lib_t + + /var/lib/glance(/.*)? 
@@ -29787,7 +53362,76 @@ index 0000000..1846d51 + /var/run/glance(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux glance_registry policy is very flexible allowing users to setup their glance_registry processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the glance_registry, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t glance_registry_exec_t '/srv/glance_registry/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myglance_registry_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for glance_registry: ++ ++ ++.EX ++.PP ++.B glance_registry_exec_t ++.EE ++ ++- Set files with the glance_registry_exec_t type, if you want to transition an executable to the glance_registry_t domain. ++ ++ ++.EX ++.PP ++.B glance_registry_initrc_exec_t ++.EE ++ ++- Set files with the glance_registry_initrc_exec_t type, if you want to transition an executable to the glance_registry_initrc_t domain. ++ ++ ++.EX ++.PP ++.B glance_registry_tmp_t ++.EE ++ ++- Set files with the glance_registry_tmp_t type, if you want to store glance registry temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B glance_registry_tmpfs_t ++.EE ++ ++- Set files with the glance_registry_tmpfs_t type, if you want to store glance registry files on a tmpfs file system. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -29802,6 +53446,9 @@ index 0000000..1846d51 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -29813,15 +53460,15 @@ index 0000000..1846d51 + +.SH "SEE ALSO" +selinux(8), glance_registry(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, glance_api_selinux(8) ++, setsebool(8), glance_api_selinux(8) \ No newline at end of file diff --git a/man/man8/glusterd_selinux.8 b/man/man8/glusterd_selinux.8 new file mode 100644 -index 0000000..b54fc9a +index 0000000..c521415 --- /dev/null +++ b/man/man8/glusterd_selinux.8 -@@ -0,0 +1,182 @@ -+.TH "glusterd_selinux" "8" "12-11-01" "glusterd" "SELinux Policy documentation for glusterd" +@@ -0,0 +1,332 @@ ++.TH "glusterd_selinux" "8" "13-01-16" "glusterd" "SELinux Policy documentation for glusterd" +.SH "NAME" +glusterd_selinux \- Security Enhanced Linux Policy for the glusterd processes +.SH "DESCRIPTION" @@ -29837,7 +53484,9 @@ index 0000000..b54fc9a + +.SH "ENTRYPOINTS" + -+The glusterd_t SELinux type can be entered via the "glusterd_exec_t" file type. The default entrypoint paths for the glusterd_t domain are the following:" ++The glusterd_t SELinux type can be entered via the \fBglusterd_exec_t\fP file type. ++ ++The default entrypoint paths for the glusterd_t domain are the following: + +/opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/sbin/glusterfsd +.SH PROCESS TYPES 
@@ -29855,8 +53504,162 @@ index 0000000..b54fc9a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a glusterd_t ++can be used to make the process type glusterd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. glusterd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run glusterd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the glusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the glusterd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type glusterd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B glusterd_conf_t ++ ++ /etc/glusterd(/.*)? ++.br ++ /etc/glusterfs(/.*)? 
++.br ++ ++.br ++.B glusterd_tmp_t ++ ++ ++.br ++.B glusterd_var_lib_t ++ ++ /var/lib/gluster.* ++.br ++ ++.br ++.B glusterd_var_run_t ++ ++ /var/run/glusterd(/.*)? ++.br ++ /var/run/glusterd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -29866,16 +53669,44 @@ index 0000000..b54fc9a +Policy governs the access confined processes have to these files. +SELinux glusterd policy is very flexible allowing users to setup their glusterd processes in as secure a method as possible. +.PP -+The following file types are defined for glusterd: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++glusterd policy stores data with multiple different file context types under the /var/run/glusterd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/glusterd /srv/glusterd ++.br ++.B restorecon -R -v /srv/glusterd ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the glusterd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t glusterd_conf_t '/srv/glusterd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myglusterd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for glusterd: + + +.EX +.PP -+.B glusterd_etc_t ++.B glusterd_conf_t +.EE + -+- Set files with the glusterd_etc_t type, if you want to store glusterd files in the /etc directories. ++- Set files with the glusterd_conf_t type, if you want to treat the files as glusterd configuration data, usually stored under the /etc directory. + ++.br ++.TP 5 ++Paths: ++/etc/glusterd(/.*)?, /etc/glusterfs(/.*)? + +.EX +.PP 
@@ -29884,6 +53715,10 @@ index 0000000..b54fc9a + +- Set files with the glusterd_exec_t type, if you want to transition an executable to the glusterd_t domain. + ++.br ++.TP 5 ++Paths: ++/opt/glusterfs/[^/]+/sbin/glusterfsd, /usr/sbin/glusterfsd + +.EX +.PP @@ -29892,6 +53727,10 @@ index 0000000..b54fc9a + +- Set files with the glusterd_initrc_exec_t type, if you want to transition an executable to the glusterd_initrc_t domain. + ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/gluster.*, /usr/sbin/glusterd + +.EX +.PP @@ -29922,8 +53761,12 @@ index 0000000..b54fc9a +.B glusterd_var_run_t +.EE + -+- Set files with the glusterd_var_run_t type, if you want to store the glusterd files under the /run directory. ++- Set files with the glusterd_var_run_t type, if you want to store the glusterd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/glusterd(/.*)?, /var/run/glusterd\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -29932,56 +53775,6 @@ index 0000000..b54fc9a +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type glusterd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B glusterd_etc_t -+ -+ /etc/glusterd(/.*)? -+.br -+ /etc/glusterfs(/.*)? -+.br -+ -+.br -+.B glusterd_log_t -+ -+ /var/log/glusterfs(/.*)? -+.br -+ -+.br -+.B glusterd_tmp_t -+ -+ -+.br -+.B glusterd_var_lib_t -+ -+ -+.br -+.B glusterd_var_run_t -+ -+ /var/run/glusterd(/.*)? -+.br -+ /var/run/glusterd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the glusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the glusterd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -29992,6 +53785,9 @@ index 0000000..b54fc9a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -30003,163 +53799,15 @@ index 0000000..b54fc9a + +.SH "SEE ALSO" +selinux(8), glusterd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -diff --git a/man/man8/gnomeclock_selinux.8 b/man/man8/gnomeclock_selinux.8 -new file mode 100644 -index 0000000..3f491fb ---- /dev/null -+++ b/man/man8/gnomeclock_selinux.8 -@@ -0,0 +1,144 @@ -+.TH "gnomeclock_selinux" "8" "12-11-01" "gnomeclock" "SELinux Policy documentation for gnomeclock" -+.SH "NAME" -+gnomeclock_selinux \- Security Enhanced Linux Policy for the gnomeclock processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the gnomeclock processes via flexible mandatory access control. -+ -+The gnomeclock processes execute with the gnomeclock_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. -+ -+For example: -+ -+.B ps -eZ | grep gnomeclock_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The gnomeclock_t SELinux type can be entered via the "gnomeclock_exec_t" file type. The default entrypoint paths for the gnomeclock_t domain are the following:" -+ -+/usr/libexec/kde(3|4)/kcmdatetimehelper, /usr/lib/systemd/systemd-timedated, /usr/libexec/gsd-datetime-mechanism, /usr/libexec/gnome-clock-applet-mechanism -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible. -+.PP -+The following process types are defined for gnomeclock: -+ -+.EX -+.B gnomeclock_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. 
-+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux gnomeclock policy is very flexible allowing users to setup their gnomeclock processes in as secure a method as possible. -+.PP -+The following file types are defined for gnomeclock: -+ -+ -+.EX -+.PP -+.B gnomeclock_exec_t -+.EE -+ -+- Set files with the gnomeclock_exec_t type, if you want to transition an executable to the gnomeclock_t domain. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ -+.SH "MANAGED FILES" -+ -+The SELinux process type gnomeclock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B config_usr_t -+ -+ /usr/share/config(/.*)? -+.br -+ -+.br -+.B locale_t -+ -+ /etc/locale.conf -+.br -+ /usr/lib/locale(/.*)? -+.br -+ /usr/share/locale(/.*)? -+.br -+ /usr/share/zoneinfo(/.*)? -+.br -+ /usr/share/X11/locale(/.*)? -+.br -+ /etc/timezone -+.br -+ /etc/localtime -+.br -+ /etc/sysconfig/clock -+.br -+ /etc/avahi/etc/localtime -+.br -+ /var/empty/sshd/etc/localtime -+.br -+ /var/spool/postfix/etc/localtime -+.br -+ -+.br -+.B systemd_passwd_var_run_t -+ -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gnomeclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
-+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the gnomeclock_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. -+ -+.SH "SEE ALSO" -+selinux(8), gnomeclock(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/gnomesystemmm_selinux.8 b/man/man8/gnomesystemmm_selinux.8 new file mode 100644 -index 0000000..a1956e7 +index 0000000..f218b96 --- /dev/null +++ b/man/man8/gnomesystemmm_selinux.8 -@@ -0,0 +1,96 @@ -+.TH "gnomesystemmm_selinux" "8" "12-11-01" "gnomesystemmm" "SELinux Policy documentation for gnomesystemmm" +@@ -0,0 +1,193 @@ ++.TH "gnomesystemmm_selinux" "8" "13-01-16" "gnomesystemmm" "SELinux Policy documentation for gnomesystemmm" +.SH "NAME" +gnomesystemmm_selinux \- Security Enhanced Linux Policy for the gnomesystemmm processes +.SH "DESCRIPTION" 
@@ -30175,7 +53823,9 @@ index 0000000..a1956e7 + +.SH "ENTRYPOINTS" + -+The gnomesystemmm_t SELinux type can be entered via the "gnomesystemmm_exec_t" file type. The default entrypoint paths for the gnomesystemmm_t domain are the following:" ++The gnomesystemmm_t SELinux type can be entered via the \fBgnomesystemmm_exec_t\fP file type. ++ ++The default entrypoint paths for the gnomesystemmm_t domain are the following: + +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper, /usr/libexec/gnome-system-monitor-mechanism +.SH PROCESS TYPES 
@@ -30193,34 +53843,76 @@ index 0000000..a1956e7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a gnomesystemmm_t ++can be used to make the process type gnomesystemmm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux gnomesystemmm policy is very flexible allowing users to setup their gnomesystemmm processes in as secure a method as possible. -+.PP -+The following file types are defined for gnomesystemmm: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. gnomesystemmm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gnomesystemmm with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B gnomesystemmm_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the gnomesystemmm_exec_t type, if you want to transition an executable to the gnomesystemmm_t domain. ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -30232,7 +53924,56 @@ index 0000000..a1956e7 + /usr/share/config(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux gnomesystemmm policy is very flexible allowing users to setup their gnomesystemmm processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the gnomesystemmm, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t gnomesystemmm_exec_t '/srv/gnomesystemmm/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygnomesystemmm_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for gnomesystemmm: ++ ++ ++.EX ++.PP ++.B gnomesystemmm_exec_t ++.EE ++ ++- Set files with the gnomesystemmm_exec_t type, if you want to transition an executable to the gnomesystemmm_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/kde(3|4)/ksysguardprocesslist_helper, /usr/libexec/gnome-system-monitor-mechanism ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -30244,6 +53985,9 @@ index 0000000..a1956e7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -30255,13 +53999,15 @@ index 0000000..a1956e7 + +.SH "SEE ALSO" +selinux(8), gnomesystemmm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/gpg_agent_selinux.8 b/man/man8/gpg_agent_selinux.8 new file mode 100644 -index 0000000..c5861f9 +index 0000000..43382c2 --- /dev/null +++ b/man/man8/gpg_agent_selinux.8 -@@ -0,0 +1,144 @@ -+.TH "gpg_agent_selinux" "8" "12-11-01" "gpg_agent" "SELinux Policy documentation for gpg_agent" +@@ -0,0 +1,275 @@ ++.TH "gpg_agent_selinux" "8" "13-01-16" "gpg_agent" "SELinux Policy documentation for gpg_agent" +.SH "NAME" +gpg_agent_selinux \- Security Enhanced Linux Policy for the gpg_agent processes +.SH "DESCRIPTION" @@ -30277,7 +54023,9 @@ index 0000000..c5861f9 + +.SH "ENTRYPOINTS" + -+The gpg_agent_t SELinux type can be entered via the "gpg_agent_exec_t" file type. The default entrypoint paths for the gpg_agent_t domain are the following:" ++The gpg_agent_t SELinux type can be entered via the \fBgpg_agent_exec_t\fP file type. ++ ++The default entrypoint paths for the gpg_agent_t domain are the following: + +/usr/bin/gpg-agent +.SH PROCESS TYPES 
@@ -30295,27 +54043,169 @@ index 0000000..c5861f9 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a gpg_agent_t ++can be used to make the process type gpg_agent_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. gpg_agent policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg_agent with the tightest access possible. + + +.PP -+If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean. ++If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean. Disabled by default. + +.EX +.B setsebool -P gpg_agent_env_file 1 ++ +.EE + +.PP -+If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P gpg_agent_env_file 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type gpg_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? 
++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B gpg_agent_tmp_t ++ ++ /home/[^/]*/\.gnupg/log-socket ++.br ++ /home/pwalsh/\.gnupg/log-socket ++.br ++ /home/dwalsh/\.gnupg/log-socket ++.br ++ /var/lib/xguest/home/xguest/\.gnupg/log-socket ++.br ++ ++.br ++.B gpg_secret_t ++ ++ /root/\.gnupg(/.+)? ++.br ++ /etc/mail/spamassassin/sa-update-keys(/.*)? ++.br ++ /home/[^/]*/\.gnupg(/.+)? ++.br ++ /home/pwalsh/\.gnupg(/.+)? ++.br ++ /home/dwalsh/\.gnupg(/.+)? ++.br ++ /var/lib/xguest/home/xguest/\.gnupg(/.+)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -30324,7 +54214,20 @@ index 0000000..c5861f9 +Policy governs the access confined processes have to these files. +SELinux gpg_agent policy is very flexible allowing users to setup their gpg_agent processes in as secure a method as possible. +.PP -+The following file types are defined for gpg_agent: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the gpg_agent, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t gpg_agent_exec_t '/srv/gpg_agent/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygpg_agent_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for gpg_agent: + + +.EX 
@@ -30342,6 +54245,10 @@ index 0000000..c5861f9 + +- Set files with the gpg_agent_tmp_t type, if you want to store gpg agent temporary files in the /tmp directories. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.gnupg/log-socket, /home/pwalsh/\.gnupg/log-socket, /home/dwalsh/\.gnupg/log-socket, /var/lib/xguest/home/xguest/\.gnupg/log-socket + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -30350,36 +54257,6 @@ index 0000000..c5861f9 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type gpg_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B gpg_agent_tmp_t -+ -+ /home/[^/]*/\.gnupg/log-socket -+.br -+ /home/dwalsh/\.gnupg/log-socket -+.br -+ /var/lib/xguest/home/xguest/\.gnupg/log-socket -+.br -+ -+.br -+.B gpg_secret_t -+ -+ /root/\.gnupg(/.+)? -+.br -+ /etc/mail/spamassassin/sa-update-keys(/.*)? -+.br -+ /home/[^/]*/\.gnupg(/.+)? -+.br -+ /home/dwalsh/\.gnupg(/.+)? -+.br -+ /var/lib/xguest/home/xguest/\.gnupg(/.+)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -30404,15 +54281,15 @@ index 0000000..c5861f9 + +.SH "SEE ALSO" +selinux(8), gpg_agent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8), gpg_selinux(8), gpg_selinux(8), gpg_helper_selinux(8) ++, setsebool(8), gpg_selinux(8), gpg_selinux(8), gpg_helper_selinux(8), gpg_pinentry_selinux(8), gpg_web_selinux(8) \ No newline at end of file diff --git a/man/man8/gpg_helper_selinux.8 b/man/man8/gpg_helper_selinux.8 new file mode 100644 -index 0000000..b331e87 +index 0000000..5193ed3 --- /dev/null 
+++ b/man/man8/gpg_helper_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "gpg_helper_selinux" "8" "12-11-01" "gpg_helper" "SELinux Policy documentation for gpg_helper" +@@ -0,0 +1,195 @@ ++.TH "gpg_helper_selinux" "8" "13-01-16" "gpg_helper" "SELinux Policy documentation for gpg_helper" +.SH "NAME" +gpg_helper_selinux \- Security Enhanced Linux Policy for the gpg_helper processes +.SH "DESCRIPTION" @@ -30428,7 +54305,9 @@ index 0000000..b331e87 + +.SH "ENTRYPOINTS" + -+The gpg_helper_t SELinux type can be entered via the "gpg_helper_exec_t" file type. The default entrypoint paths for the gpg_helper_t domain are the following:" ++The gpg_helper_t SELinux type can be entered via the \fBgpg_helper_exec_t\fP file type. ++ ++The default entrypoint paths for the gpg_helper_t domain are the following: + +/usr/lib/gnupg/gpgkeys.* +.SH PROCESS TYPES 
@@ -30446,8 +54325,100 @@ index 0000000..b331e87 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a gpg_helper_t ++can be used to make the process type gpg_helper_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. gpg_helper policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg_helper with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the gpg_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gpg_helper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
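Review bot: the deny_ptrace entry in the new BOOLEANS section of gpg_helper_selinux.8 contradicts itself: it says "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean", yet a boolean named deny_ptrace is the one that removes ptrace access when enabled, and the line also states it is "Enabled by default". Please verify the description and default this text was generated from before shipping it, since an admin following it literally would lock out debugging rather than enable it. Minor wording in the same hunk: "rather then using a sssd server" should read "rather than", and "other domains file descriptors" needs a possessive.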
@@ -30457,7 +54428,20 @@ index 0000000..b331e87 +Policy governs the access confined processes have to these files. +SELinux gpg_helper policy is very flexible allowing users to setup their gpg_helper processes in as secure a method as possible. +.PP -+The following file types are defined for gpg_helper: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the gpg_helper, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t gpg_helper_exec_t '/srv/gpg_helper/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygpg_helper_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for gpg_helper: + + +.EX @@ -30475,22 +54459,6 @@ index 0000000..b331e87 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpg_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the gpg_helper_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -30501,6 +54469,9 @@ index 0000000..b331e87 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -30512,15 +54483,346 @@ index 0000000..b331e87 + +.SH "SEE ALSO" +selinux(8), gpg_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, gpg_selinux(8), gpg_selinux(8), gpg_agent_selinux(8) ++, setsebool(8), gpg_selinux(8), gpg_selinux(8), gpg_agent_selinux(8), gpg_pinentry_selinux(8), gpg_web_selinux(8) +\ No newline at end of file +diff --git a/man/man8/gpg_pinentry_selinux.8 b/man/man8/gpg_pinentry_selinux.8 +new file mode 100644 +index 0000000..c8ae877 +--- /dev/null ++++ b/man/man8/gpg_pinentry_selinux.8 +@@ -0,0 +1,324 @@ ++.TH "gpg_pinentry_selinux" "8" "13-01-16" "gpg_pinentry" "SELinux Policy documentation for gpg_pinentry" ++.SH "NAME" ++gpg_pinentry_selinux \- Security Enhanced Linux Policy for the gpg_pinentry processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the gpg_pinentry processes via flexible mandatory access control. ++ ++The gpg_pinentry processes execute with the gpg_pinentry_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep gpg_pinentry_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The gpg_pinentry_t SELinux type can be entered via the \fBpinentry_exec_t\fP file type. ++ ++The default entrypoint paths for the gpg_pinentry_t domain are the following: ++ ++/usr/bin/pinentry.* ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux gpg_pinentry policy is very flexible allowing users to setup their gpg_pinentry processes in as secure a method as possible. ++.PP ++The following process types are defined for gpg_pinentry: ++ ++.EX ++.B gpg_pinentry_t ++.EE ++.PP ++Note: ++.B semanage permissive -a gpg_pinentry_t ++can be used to make the process type gpg_pinentry_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. gpg_pinentry policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg_pinentry with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the gpg_pinentry_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gpg_pinentry_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type gpg_pinentry_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? ++.br ++ /home/[^/]*/\.nv(/.*)? ++.br ++ /home/[^/]*/\.cache(/.*)? ++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br ++ ++.br ++.B gpg_pinentry_tmpfs_t ++ ++ ++.br ++.B pulseaudio_home_t ++ ++ /root/\.pulse(/.*)? ++.br ++ /root/\.config/pulse(/.*)? ++.br ++ /root/\.esd_auth ++.br ++ /root/\.pulse-cookie ++.br ++ /home/[^/]*/\.pulse(/.*)? ++.br ++ /home/[^/]*/\.config/pulse(/.*)? ++.br ++ /home/[^/]*/\.esd_auth ++.br ++ /home/[^/]*/\.pulse-cookie ++.br ++ /home/pwalsh/\.pulse(/.*)? ++.br ++ /home/pwalsh/\.config/pulse(/.*)? ++.br ++ /home/pwalsh/\.esd_auth ++.br ++ /home/pwalsh/\.pulse-cookie ++.br ++ /home/dwalsh/\.pulse(/.*)? ++.br ++ /home/dwalsh/\.config/pulse(/.*)? ++.br ++ /home/dwalsh/\.esd_auth ++.br ++ /home/dwalsh/\.pulse-cookie ++.br ++ /var/lib/xguest/home/xguest/\.pulse(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config/pulse(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.esd_auth ++.br ++ /var/lib/xguest/home/xguest/\.pulse-cookie ++.br ++ ++.br ++.B user_fonts_cache_t ++ ++ /root/\.fontconfig(/.*)? ++.br ++ /root/\.fonts/auto(/.*)? ++.br ++ /root/\.fonts\.cache-.* ++.br ++ /home/[^/]*/\.fontconfig(/.*)? ++.br ++ /home/[^/]*/\.fonts/auto(/.*)? 
++.br ++ /home/[^/]*/\.fonts\.cache-.* ++.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br ++ /home/dwalsh/\.fontconfig(/.*)? ++.br ++ /home/dwalsh/\.fonts/auto(/.*)? ++.br ++ /home/dwalsh/\.fonts\.cache-.* ++.br ++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts\.cache-.* ++.br ++ ++.br ++.B xserver_tmpfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), gpg_pinentry(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), gpg_selinux(8), gpg_selinux(8), gpg_agent_selinux(8), gpg_helper_selinux(8), gpg_web_selinux(8) \ No newline at end of file diff --git a/man/man8/gpg_selinux.8 b/man/man8/gpg_selinux.8 new file mode 100644 -index 0000000..4748f85 +index 0000000..f9ade3f --- /dev/null +++ b/man/man8/gpg_selinux.8 -@@ -0,0 +1,361 @@ -+.TH "gpg_selinux" "8" "12-11-01" "gpg" "SELinux Policy documentation for gpg" +@@ -0,0 +1,511 @@ ++.TH "gpg_selinux" "8" "13-01-16" "gpg" "SELinux Policy documentation for gpg" +.SH "NAME" +gpg_selinux \- Security Enhanced Linux Policy for the gpg processes +.SH "DESCRIPTION" 
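Review bot: the PROCESS TYPES paragraph of the new gpg_pinentry_selinux.8 contains a broken roff escape, `\fBps\bP`, where `\fP` (restore previous font) is intended; `\b` is the bracket-building escape, so groff will render a stacked "P" instead of closing the bold span, and the rest of the page inherits bold. The same `\fBps\bP` and `\fBls\bP` appear in every generated page in this patch, so the fix belongs in the sepolicy manpage template rather than in each file. Also in this hunk, SEE ALSO lists gpg_selinux(8) twice.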
@@ -30536,7 +54838,9 @@ index 0000000..4748f85 + +.SH "ENTRYPOINTS" + -+The gpg_t SELinux type can be entered via the "gpg_exec_t" file type. The default entrypoint paths for the gpg_t domain are the following:" ++The gpg_t SELinux type can be entered via the \fBgpg_exec_t\fP file type. ++ ++The default entrypoint paths for the gpg_t domain are the following: + +/usr/bin/gpg(2)?, /usr/lib/gnupg/.*, /usr/bin/gpgsm +.SH PROCESS TYPES 
@@ -30554,163 +54858,182 @@ index 0000000..4748f85 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a gpg_t ++can be used to make the process type gpg_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. gpg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg with the tightest access possible. + + +.PP -+If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_use_gpg 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P gpg_agent_env_file 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + +.PP -+If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.B setsebool -P httpd_use_gpg 1 ++.B setsebool -P domain_fd_use 1 ++ +.EE + +.PP -+If you want to allow usage of the gpg-agent --write-env-file option. This also allows gpg-agent to manage user files, you must turn on the gpg_agent_env_file boolean. 
++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.B setsebool -P gpg_agent_env_file 1 -+.EE ++.B setsebool -P domain_kernel_load_modules 1 + -+.SH SHARING FILES -+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. -+.TP -+Allow gpg servers to read the /var/gpg directory by adding the public_content_t file type to the directory and by restoring the file type. -+.PP -+.B -+semanage fcontext -a -t public_content_t "/var/gpg(/.*)?" -+.br -+.B restorecon -F -R -v /var/gpg -+.pp -+.TP -+Allow gpg servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_gpgd_anon_write boolean to be set. -+.PP -+.B -+semanage fcontext -a -t public_content_rw_t "/var/gpg/incoming(/.*)?" -+.br -+.B restorecon -F -R -v /var/gpg/incoming -+ -+ -+.PP -+If you want to allow gpg web domain to modify public files used for public file transfer services., you must turn on the gpg_web_anon_write boolean. -+ -+.EX -+.B setsebool -P gpg_web_anon_write 1 +.EE + +.PP -+If you want to allow gpg web domain to modify public files used for public file transfer services., you must turn on the gpg_web_anon_write boolean. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.B setsebool -P gpg_web_anon_write 1 ++.B setsebool -P fips_mode 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. 
+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux gpg policy is very flexible allowing users to setup their gpg processes in as secure a method as possible. -+.PP -+The following file types are defined for gpg: -+ ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B gpg_agent_exec_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the gpg_agent_exec_t type, if you want to transition an executable to the gpg_agent_t domain. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B gpg_agent_tmp_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the gpg_agent_tmp_t type, if you want to store gpg agent temporary files in the /tmp directories. -+ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.PP -+.B gpg_exec_t ++.B setsebool -P nis_enabled 1 ++ +.EE + -+- Set files with the gpg_exec_t type, if you want to transition an executable to the gpg_t domain. -+ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + +.EX -+.PP -+.B gpg_helper_exec_t ++.B setsebool -P nscd_use_shm 1 ++ +.EE + -+- Set files with the gpg_helper_exec_t type, if you want to transition an executable to the gpg_helper_t domain. -+ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. + +.EX -+.PP -+.B gpg_pinentry_tmp_t ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ +.EE + -+- Set files with the gpg_pinentry_tmp_t type, if you want to store gpg pinentry temporary files in the /tmp directories. 
-+ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. + +.EX -+.PP -+.B gpg_pinentry_tmpfs_t ++.B setsebool -P use_fusefs_home_dirs 1 ++ +.EE + -+- Set files with the gpg_pinentry_tmpfs_t type, if you want to store gpg pinentry files on a tmpfs file system. -+ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. + +.EX -+.PP -+.B gpg_secret_t ++.B setsebool -P use_nfs_home_dirs 1 ++ +.EE + -+- Set files with the gpg_secret_t type, if you want to treat the files as gpg se secret data. ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. + ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type gpg_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? 
++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br +.B etc_mail_t + + /etc/mail(/.*)? +.br + +.br ++.B fusefs_t ++ ++ ++.br ++.B gnome_home_type ++ ++ ++.br +.B gpg_agent_tmp_t + + /home/[^/]*/\.gnupg/log-socket +.br ++ /home/pwalsh/\.gnupg/log-socket ++.br + /home/dwalsh/\.gnupg/log-socket +.br + /var/lib/xguest/home/xguest/\.gnupg/log-socket @@ -30725,6 +55048,8 @@ index 0000000..4748f85 +.br + /home/[^/]*/\.gnupg(/.+)? +.br ++ /home/pwalsh/\.gnupg(/.+)? ++.br + /home/dwalsh/\.gnupg(/.+)? +.br + /var/lib/xguest/home/xguest/\.gnupg(/.+)? @@ -30733,6 +55058,8 @@ index 0000000..4748f85 +.br +.B mozilla_home_t + ++ /home/[^/]*/\.lyx(/.*)? ++.br + /home/[^/]*/\.java(/.*)? +.br + /home/[^/]*/\.adobe(/.*)? @@ -30763,6 +55090,40 @@ index 0000000..4748f85 +.br + /home/[^/]*/\.config/chromium(/.*)? +.br ++ /home/pwalsh/\.lyx(/.*)? ++.br ++ /home/pwalsh/\.java(/.*)? ++.br ++ /home/pwalsh/\.adobe(/.*)? ++.br ++ /home/pwalsh/\.gnash(/.*)? ++.br ++ /home/pwalsh/\.galeon(/.*)? ++.br ++ /home/pwalsh/\.spicec(/.*)? ++.br ++ /home/pwalsh/\.mozilla(/.*)? ++.br ++ /home/pwalsh/\.phoenix(/.*)? ++.br ++ /home/pwalsh/\.netscape(/.*)? ++.br ++ /home/pwalsh/\.ICAClient(/.*)? ++.br ++ /home/pwalsh/\.macromedia(/.*)? ++.br ++ /home/pwalsh/\.thunderbird(/.*)? ++.br ++ /home/pwalsh/\.gcjwebplugin(/.*)? ++.br ++ /home/pwalsh/\.icedteaplugin(/.*)? ++.br ++ /home/pwalsh/zimbrauserdata(/.*)? ++.br ++ /home/pwalsh/\.config/chromium(/.*)? ++.br ++ /home/dwalsh/\.lyx(/.*)? ++.br + /home/dwalsh/\.java(/.*)? +.br + /home/dwalsh/\.adobe(/.*)? @@ -30793,6 +55154,8 @@ index 0000000..4748f85 +.br + /home/dwalsh/\.config/chromium(/.*)? +.br ++ /var/lib/xguest/home/xguest/\.lyx(/.*)? ++.br + /var/lib/xguest/home/xguest/\.java(/.*)? +.br + /var/lib/xguest/home/xguest/\.adobe(/.*)? 
@@ -30825,10 +55188,16 @@ index 0000000..4748f85 +.br + +.br ++.B nfs_t ++ ++ ++.br +.B user_home_t + + /home/[^/]*/.+ +.br ++ /home/pwalsh/.+ ++.br + /home/dwalsh/.+ +.br + /var/lib/xguest/home/xguest/.+ 
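Review bot: several entries added to the gpg_t MANAGED FILES list in gpg_selinux.8 have no paths beneath them (cifs_t, fusefs_t, nfs_t, gnome_home_type), and gnome_home_type is an attribute rather than a file type, so the list reads as if it were truncated under a heading that promises "default paths for these file types". A one-line remark that these are filesystem types or attributes with no default path would avoid that, and "Note the processes UID still need to have DAC permissions" should read "the process's UID still needs".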
@@ -30840,21 +55209,104 @@ index 0000000..4748f85 + all user tmp files +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux gpg policy is very flexible allowing users to setup their gpg processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the gpg, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t gpg_agent_exec_t '/srv/gpg/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygpg_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for gpg: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B gpg_agent_exec_t +.EE + ++- Set files with the gpg_agent_exec_t type, if you want to transition an executable to the gpg_agent_t domain. ++ ++ ++.EX ++.PP ++.B gpg_agent_tmp_t ++.EE ++ ++- Set files with the gpg_agent_tmp_t type, if you want to store gpg agent temporary files in the /tmp directories. ++ ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.gnupg/log-socket, /home/pwalsh/\.gnupg/log-socket, /home/dwalsh/\.gnupg/log-socket, /var/lib/xguest/home/xguest/\.gnupg/log-socket ++ ++.EX ++.PP ++.B gpg_exec_t ++.EE ++ ++- Set files with the gpg_exec_t type, if you want to transition an executable to the gpg_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/bin/gpg(2)?, /usr/lib/gnupg/.*, /usr/bin/gpgsm ++ ++.EX ++.PP ++.B gpg_helper_exec_t ++.EE ++ ++- Set files with the gpg_helper_exec_t type, if you want to transition an executable to the gpg_helper_t domain. ++ ++ ++.EX ++.PP ++.B gpg_pinentry_tmp_t ++.EE ++ ++- Set files with the gpg_pinentry_tmp_t type, if you want to store gpg pinentry temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B gpg_pinentry_tmpfs_t ++.EE ++ ++- Set files with the gpg_pinentry_tmpfs_t type, if you want to store gpg pinentry files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B gpg_secret_t ++.EE ++ ++- Set files with the gpg_secret_t type, if you want to treat the files as gpg se secret data. ++ ++.br ++.TP 5 ++Paths: ++/root/\.gnupg(/.+)?, /etc/mail/spamassassin/sa-update-keys(/.*)?, /home/[^/]*/\.gnupg(/.+)?, /home/pwalsh/\.gnupg(/.+)?, /home/dwalsh/\.gnupg(/.+)?, /var/lib/xguest/home/xguest/\.gnupg(/.+)? ++ +.PP -+If you want to allow confined applications to run with kerberos for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
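Review bot: in the FILE CONTEXTS section relocated here in gpg_selinux.8, the gpg_secret_t description still reads "treat the files as gpg se secret data" (stray "se"), and the STANDARD FILE CONTEXT example has the same mismatched pair as the gpg_agent page, `'/srv/gpg/content(/.*)?'` registered but `/srv/mygpg_content` relabeled, with gpg_agent_exec_t used as the example type on a page about gpg; a non-entrypoint type would be a more sensible template value.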
@@ -30880,15 +55332,234 @@ index 0000000..4748f85 + +.SH "SEE ALSO" +selinux(8), gpg(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8), gpg_agent_selinux(8), gpg_helper_selinux(8) ++, setsebool(8), gpg_agent_selinux(8), gpg_helper_selinux(8), gpg_pinentry_selinux(8), gpg_web_selinux(8) +\ No newline at end of file +diff --git a/man/man8/gpg_web_selinux.8 b/man/man8/gpg_web_selinux.8 +new file mode 100644 +index 0000000..a3bc3d3 +--- /dev/null ++++ b/man/man8/gpg_web_selinux.8 +@@ -0,0 +1,212 @@ ++.TH "gpg_web_selinux" "8" "13-01-16" "gpg_web" "SELinux Policy documentation for gpg_web" ++.SH "NAME" ++gpg_web_selinux \- Security Enhanced Linux Policy for the gpg_web processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the gpg_web processes via flexible mandatory access control. ++ ++The gpg_web processes execute with the gpg_web_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep gpg_web_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The gpg_web_t SELinux type can be entered via the \fBgpg_exec_t\fP file type. ++ ++The default entrypoint paths for the gpg_web_t domain are the following: ++ ++/usr/bin/gpg(2)?, /usr/lib/gnupg/.*, /usr/bin/gpgsm ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux gpg_web policy is very flexible allowing users to setup their gpg_web processes in as secure a method as possible. ++.PP ++The following process types are defined for gpg_web: ++ ++.EX ++.B gpg_web_t ++.EE ++.PP ++Note: ++.B semanage permissive -a gpg_web_t ++can be used to make the process type gpg_web_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. 
++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. gpg_web policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg_web with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_use_gpg 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type gpg_web_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_sys_rw_content_t ++ ++ /etc/horde(/.*)? ++.br ++ /etc/drupal.* ++.br ++ /etc/z-push(/.*)? ++.br ++ /var/lib/svn(/.*)? ++.br ++ /var/www/svn(/.*)? ++.br ++ /etc/mock/koji(/.*)? 
++.br ++ /var/www/html/[^/]*/sites/default/files(/.*)? ++.br ++ /var/www/html/[^/]*/sites/default/settings\.php ++.br ++ /var/lib/drupal.* ++.br ++ /etc/zabbix/web(/.*)? ++.br ++ /var/log/z-push(/.*)? ++.br ++ /var/spool/gosa(/.*)? ++.br ++ /etc/WebCalendar(/.*)? ++.br ++ /var/lib/dokuwiki(/.*)? ++.br ++ /var/spool/viewvc(/.*)? ++.br ++ /var/lib/pootle/po(/.*)? ++.br ++ /var/www/moodledata(/.*)? ++.br ++ /var/www/gallery/albums(/.*)? ++.br ++ /var/www/html/wp-content(/.*)? ++.br ++ /usr/share/wordpress-mu/wp-content(/.*)? ++.br ++ /usr/share/wordpress/wp-content/uploads(/.*)? ++.br ++ /usr/share/wordpress/wp-content/upgrade(/.*)? ++.br ++ /etc/owncloud/config\.php ++.br ++ /var/www/html/configuration\.php ++.br ++ ++.br ++.B public_content_rw_t ++ ++ /var/spool/abrt-upload(/.*)? ++.br ++ ++.SH SHARING FILES ++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. ++.TP ++Allow gpg_web servers to read the /var/gpg_web directory by adding the public_content_t file type to the directory and by restoring the file type. ++.PP ++.B ++semanage fcontext -a -t public_content_t "/var/gpg_web(/.*)?" ++.br ++.B restorecon -F -R -v /var/gpg_web ++.pp ++.TP ++Allow gpg_web servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_gpg_webd_anon_write boolean to be set. ++.PP ++.B ++semanage fcontext -a -t public_content_rw_t "/var/gpg_web/incoming(/.*)?" ++.br ++.B restorecon -F -R -v /var/gpg_web/incoming ++ ++ ++.PP ++If you want to allow gpg web domain to modify public files used for public file transfer services., you must turn on the gpg_web_anon_write boolean. 
++ ++.EX ++.B setsebool -P gpg_web_anon_write 1 ++.EE ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), gpg_web(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), gpg_selinux(8), gpg_selinux(8), gpg_agent_selinux(8), gpg_helper_selinux(8), gpg_pinentry_selinux(8) \ No newline at end of file diff --git a/man/man8/gpm_selinux.8 b/man/man8/gpm_selinux.8 new file mode 100644 -index 0000000..6c04bf7 +index 0000000..64852c0 --- /dev/null +++ b/man/man8/gpm_selinux.8 -@@ -0,0 +1,130 @@ -+.TH "gpm_selinux" "8" "12-11-01" "gpm" "SELinux Policy documentation for gpm" +@@ -0,0 +1,241 @@ ++.TH "gpm_selinux" "8" "13-01-16" "gpm" "SELinux Policy documentation for gpm" +.SH "NAME" +gpm_selinux \- Security Enhanced Linux Policy for the gpm processes +.SH "DESCRIPTION" @@ -30904,7 +55575,9 @@ index 0000000..6c04bf7 + +.SH "ENTRYPOINTS" + -+The gpm_t SELinux type can be entered via the "gpm_exec_t" file type. The default entrypoint paths for the gpm_t domain are the following:" ++The gpm_t SELinux type can be entered via the \fBgpm_exec_t\fP file type. ++ ++The default entrypoint paths for the gpm_t domain are the following: + +/usr/sbin/gpm +.SH PROCESS TYPES 
@@ -30922,8 +55595,98 @@ index 0000000..6c04bf7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a gpm_t ++can be used to make the process type gpm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. gpm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpm with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type gpm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B gpm_tmp_t ++ ++ ++.br ++.B gpm_var_run_t ++ ++ /var/run/gpm\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -30933,7 +55696,20 @@ index 0000000..6c04bf7 +Policy governs the access confined processes have to these files. +SELinux gpm policy is very flexible allowing users to setup their gpm processes in as secure a method as possible. +.PP -+The following file types are defined for gpm: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the gpm, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t gpm_conf_t '/srv/gpm/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygpm_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for gpm: + + +.EX @@ -30943,6 +55719,10 @@ index 0000000..6c04bf7 + +- Set files with the gpm_conf_t type, if you want to treat the files as gpm configuration data, usually stored under the /etc directory. + ++.br ++.TP 5 ++Paths: ++/etc/gpm(/.*)?, /etc/gpm-.*\.conf + +.EX +.PP 
@@ -30954,6 +55734,14 @@ index 0000000..6c04bf7 + +.EX +.PP ++.B gpm_initrc_exec_t ++.EE ++ ++- Set files with the gpm_initrc_exec_t type, if you want to transition an executable to the gpm_initrc_t domain. ++ ++ ++.EX ++.PP +.B gpm_tmp_t +.EE + @@ -30965,7 +55753,7 @@ index 0000000..6c04bf7 +.B gpm_var_run_t +.EE + -+- Set files with the gpm_var_run_t type, if you want to store the gpm files under the /run directory. ++- Set files with the gpm_var_run_t type, if you want to store the gpm files under the /run or /var/run directory. + + +.EX @@ -30975,6 +55763,10 @@ index 0000000..6c04bf7 + +- Set files with the gpmctl_t type, if you want to treat the files as gpmctl data. + ++.br ++.TP 5 ++Paths: ++/dev/gpmctl, /dev/gpmdata + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -30983,20 +55775,6 @@ index 0000000..6c04bf7 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type gpm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B gpm_tmp_t -+ -+ -+.br -+.B gpm_var_run_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -31007,6 +55785,9 @@ index 0000000..6c04bf7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -31018,13 +55799,15 @@ index 0000000..6c04bf7 + +.SH "SEE ALSO" +selinux(8), gpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
diff --git a/man/man8/gpsd_selinux.8 b/man/man8/gpsd_selinux.8 new file mode 100644 -index 0000000..9c4572e +index 0000000..81d7583 --- /dev/null +++ b/man/man8/gpsd_selinux.8 -@@ -0,0 +1,174 @@ -+.TH "gpsd_selinux" "8" "12-11-01" "gpsd" "SELinux Policy documentation for gpsd" +@@ -0,0 +1,305 @@ ++.TH "gpsd_selinux" "8" "13-01-16" "gpsd" "SELinux Policy documentation for gpsd" +.SH "NAME" +gpsd_selinux \- Security Enhanced Linux Policy for the gpsd processes +.SH "DESCRIPTION" @@ -31040,7 +55823,9 @@ index 0000000..9c4572e + +.SH "ENTRYPOINTS" + -+The gpsd_t SELinux type can be entered via the "gpsd_exec_t" file type. The default entrypoint paths for the gpsd_t domain are the following:" ++The gpsd_t SELinux type can be entered via the \fBgpsd_exec_t\fP file type. ++ ++The default entrypoint paths for the gpsd_t domain are the following: + +/usr/sbin/gpsd +.SH PROCESS TYPES 
@@ -31058,58 +55843,124 @@ index 0000000..9c4572e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a gpsd_t ++can be used to make the process type gpsd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux gpsd policy is very flexible allowing users to setup their gpsd processes in as secure a method as possible. -+.PP -+The following file types are defined for gpsd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. gpsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpsd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B gpsd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the gpsd_exec_t type, if you want to transition an executable to the gpsd_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B gpsd_initrc_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the gpsd_initrc_exec_t type, if you want to transition an executable to the gpsd_initrc_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ +.EX -+.PP -+.B gpsd_tmpfs_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the gpsd_tmpfs_t type, if you want to store gpsd files on a tmpfs file system. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B gpsd_var_run_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the gpsd_var_run_t type, if you want to store the gpsd files under the /run directory. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the gpsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gpsd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -31158,21 +56009,80 @@ index 0000000..9c4572e +.B ntpd_tmpfs_t + + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux gpsd policy is very flexible allowing users to setup their gpsd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the gpsd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t gpsd_exec_t '/srv/gpsd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygpsd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for gpsd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B gpsd_exec_t +.EE + ++- Set files with the gpsd_exec_t type, if you want to transition an executable to the gpsd_t domain. ++ ++ ++.EX ++.PP ++.B gpsd_initrc_exec_t ++.EE ++ ++- Set files with the gpsd_initrc_exec_t type, if you want to transition an executable to the gpsd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B gpsd_tmpfs_t ++.EE ++ ++- Set files with the gpsd_tmpfs_t type, if you want to store gpsd files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B gpsd_var_run_t ++.EE ++ ++- Set files with the gpsd_var_run_t type, if you want to store the gpsd files under the /run or /var/run directory. 
++ ++.br ++.TP 5 ++Paths: ++/var/run/gpsd\.pid, /var/run/gpsd\.sock ++ +.PP -+If you want to allow confined applications to run with kerberos for the gpsd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -31187,6 +56097,9 @@ index 0000000..9c4572e +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -31198,13 +56111,15 @@ index 0000000..9c4572e + +.SH "SEE ALSO" +selinux(8), gpsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/greylist_milter_selinux.8 b/man/man8/greylist_milter_selinux.8 new file mode 100644 -index 0000000..848aace +index 0000000..49d9650 --- /dev/null +++ b/man/man8/greylist_milter_selinux.8 -@@ -0,0 +1,126 @@ -+.TH "greylist_milter_selinux" "8" "12-11-01" "greylist_milter" "SELinux Policy documentation for greylist_milter" +@@ -0,0 +1,272 @@ ++.TH "greylist_milter_selinux" "8" "13-01-16" "greylist_milter" "SELinux Policy documentation for greylist_milter" +.SH "NAME" +greylist_milter_selinux \- Security Enhanced Linux Policy for the greylist_milter processes +.SH "DESCRIPTION" 
@@ -31220,7 +56135,9 @@ index 0000000..848aace + +.SH "ENTRYPOINTS" + -+The greylist_milter_t SELinux type can be entered via the "greylist_milter_exec_t" file type. The default entrypoint paths for the greylist_milter_t domain are the following:" ++The greylist_milter_t SELinux type can be entered via the \fBgreylist_milter_exec_t\fP file type. ++ ++The default entrypoint paths for the greylist_milter_t domain are the following: + +/usr/sbin/sqlgrey, /usr/sbin/milter-greylist +.SH PROCESS TYPES 
@@ -31238,42 +56155,124 @@ index 0000000..848aace +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a greylist_milter_t ++can be used to make the process type greylist_milter_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux greylist_milter policy is very flexible allowing users to setup their greylist_milter processes in as secure a method as possible. -+.PP -+The following file types are defined for greylist_milter: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. greylist_milter policy is extremely flexible and has several booleans that allow you to manipulate the policy and run greylist_milter with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B greylist_milter_data_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the greylist_milter_data_t type, if you want to treat the files as greylist milter content. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B greylist_milter_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the greylist_milter_exec_t type, if you want to transition an executable to the greylist_milter_t domain. 
++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the greylist_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the greylist_milter_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -31293,22 +56292,80 @@ index 0000000..848aace + /var/run/milter-greylist\.pid +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux greylist_milter policy is very flexible allowing users to setup their greylist_milter processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the greylist_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the greylist_milter_t, you must turn on the kerberos_enabled boolean. ++greylist_milter policy stores data with multiple different file context types under the /var/run/milter-greylist directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/milter-greylist /srv/milter-greylist ++.br ++.B restorecon -R -v /srv/milter-greylist ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the greylist_milter, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t greylist_milter_data_t '/srv/greylist_milter/content(/.*)?' 
++.br ++.B restorecon -R -v /srv/mygreylist_milter_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for greylist_milter: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B greylist_milter_data_t +.EE + ++- Set files with the greylist_milter_data_t type, if you want to treat the files as greylist milter content. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/sqlgrey(/.*)?, /var/lib/milter-greylist(/.*)?, /var/run/milter-greylist(/.*)?, /var/run/sqlgrey\.pid, /var/run/milter-greylist\.pid ++ ++.EX ++.PP ++.B greylist_milter_exec_t ++.EE ++ ++- Set files with the greylist_milter_exec_t type, if you want to transition an executable to the greylist_milter_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/sqlgrey, /usr/sbin/milter-greylist ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -31319,6 +56376,9 @@ index 0000000..848aace +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -31330,13 +56390,15 @@ index 0000000..848aace + +.SH "SEE ALSO" +selinux(8), greylist_milter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/groupadd_selinux.8 b/man/man8/groupadd_selinux.8 new file mode 100644 -index 0000000..929fc9a +index 0000000..f59139d --- /dev/null 
+++ b/man/man8/groupadd_selinux.8 -@@ -0,0 +1,176 @@ -+.TH "groupadd_selinux" "8" "12-11-01" "groupadd" "SELinux Policy documentation for groupadd" +@@ -0,0 +1,279 @@ ++.TH "groupadd_selinux" "8" "13-01-16" "groupadd" "SELinux Policy documentation for groupadd" +.SH "NAME" +groupadd_selinux \- Security Enhanced Linux Policy for the groupadd processes +.SH "DESCRIPTION" @@ -31352,7 +56414,9 @@ index 0000000..929fc9a + +.SH "ENTRYPOINTS" + -+The groupadd_t SELinux type can be entered via the "groupadd_exec_t" file type. The default entrypoint paths for the groupadd_t domain are the following:" ++The groupadd_t SELinux type can be entered via the \fBgroupadd_exec_t\fP file type. ++ ++The default entrypoint paths for the groupadd_t domain are the following: + +/usr/bin/gpasswd, /usr/sbin/gpasswd, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/groupmod +.SH PROCESS TYPES 
@@ -31370,34 +56434,116 @@ index 0000000..929fc9a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a groupadd_t ++can be used to make the process type groupadd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux groupadd policy is very flexible allowing users to setup their groupadd processes in as secure a method as possible. -+.PP -+The following file types are defined for groupadd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. groupadd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run groupadd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B groupadd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the groupadd_exec_t type, if you want to transition an executable to the groupadd_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow samba to act as the domain controller, add users, groups and change passwords, you must turn on the samba_domain_controller boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P samba_domain_controller 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the groupadd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -31408,17 +56554,17 @@ index 0000000..929fc9a + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B lastlog_t + -+ /var/log/lastlog ++ /var/log/lastlog.* +.br + +.br @@ -31442,20 +56588,6 @@ index 0000000..929fc9a +.br + +.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br +.B security_t + + /selinux @@ -31468,6 +56600,8 @@ index 0000000..929fc9a +.br + /etc/gshadow.* +.br ++ /etc/nshadow.* ++.br + /var/db/shadow.* +.br + /etc/security/opasswd 
@@ -31475,21 +56609,48 @@ index 0000000..929fc9a + /etc/security/opasswd\.old +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux groupadd policy is very flexible allowing users to setup their groupadd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the groupadd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t groupadd_exec_t '/srv/groupadd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygroupadd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for groupadd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B groupadd_exec_t +.EE + ++- Set files with the groupadd_exec_t type, if you want to transition an executable to the groupadd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/gpasswd, /usr/sbin/gpasswd, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/groupmod ++ +.PP -+If you want to allow confined applications to run with kerberos for the groupadd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. 
You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -31501,6 +56662,9 @@ index 0000000..929fc9a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -31512,13 +56676,15 @@ index 0000000..929fc9a + +.SH "SEE ALSO" +selinux(8), groupadd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/groupd_selinux.8 b/man/man8/groupd_selinux.8 new file mode 100644 -index 0000000..88f7928 +index 0000000..12883fc --- /dev/null +++ b/man/man8/groupd_selinux.8 -@@ -0,0 +1,153 @@ -+.TH "groupd_selinux" "8" "12-11-01" "groupd" "SELinux Policy documentation for groupd" +@@ -0,0 +1,273 @@ ++.TH "groupd_selinux" "8" "13-01-16" "groupd" "SELinux Policy documentation for groupd" +.SH "NAME" +groupd_selinux \- Security Enhanced Linux Policy for the groupd processes +.SH "DESCRIPTION" @@ -31534,7 +56700,9 @@ index 0000000..88f7928 + +.SH "ENTRYPOINTS" + -+The groupd_t SELinux type can be entered via the "groupd_exec_t" file type. The default entrypoint paths for the groupd_t domain are the following:" ++The groupd_t SELinux type can be entered via the \fBgroupd_exec_t\fP file type. ++ ++The default entrypoint paths for the groupd_t domain are the following: + +/usr/sbin/groupd +.SH PROCESS TYPES 
@@ -31552,8 +56720,154 @@ index 0000000..88f7928 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a groupd_t ++can be used to make the process type groupd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. groupd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run groupd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the groupd_t, groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the groupd_t, groupadd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type groupd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B groupd_tmpfs_t ++ ++ ++.br ++.B groupd_var_log_t ++ ++ ++.br ++.B groupd_var_run_t ++ ++ /var/run/groupd\.pid ++.br ++ ++.br ++.B initrc_tmp_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -31563,7 +56877,20 @@ index 0000000..88f7928 +Policy governs the access confined processes have to these files. +SELinux groupd policy is very flexible allowing users to setup their groupd processes in as secure a method as possible. +.PP -+The following file types are defined for groupd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the groupd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t groupd_exec_t '/srv/groupd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygroupd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for groupd: + + +.EX @@ -31595,7 +56922,7 @@ index 0000000..88f7928 +.B groupd_var_run_t +.EE + -+- Set files with the groupd_var_run_t type, if you want to store the groupd files under the /run directory. ++- Set files with the groupd_var_run_t type, if you want to store the groupd files under the /run or /var/run directory. + + +.PP 
@@ -31605,50 +56932,6 @@ index 0000000..88f7928 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type groupd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cluster_var_lib_t -+ -+ /var/lib/cluster(/.*)? -+.br -+ -+.br -+.B groupd_tmpfs_t -+ -+ -+.br -+.B groupd_var_log_t -+ -+ -+.br -+.B groupd_var_run_t -+ -+ /var/run/groupd\.pid -+.br -+ -+.br -+.B initrc_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupd_t, groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the groupd_t, groupadd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -31659,6 +56942,9 @@ index 0000000..88f7928 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -31670,15 +56956,15 @@ index 0000000..88f7928 + +.SH "SEE ALSO" +selinux(8), groupd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, groupadd_selinux(8) ++, setsebool(8), groupadd_selinux(8) \ No newline at end of file diff --git a/man/man8/gssd_selinux.8 b/man/man8/gssd_selinux.8 new file mode 100644 -index 0000000..071e84c +index 0000000..52d4c7d --- /dev/null 
+++ b/man/man8/gssd_selinux.8 -@@ -0,0 +1,204 @@ -+.TH "gssd_selinux" "8" "12-11-01" "gssd" "SELinux Policy documentation for gssd" +@@ -0,0 +1,323 @@ ++.TH "gssd_selinux" "8" "13-01-16" "gssd" "SELinux Policy documentation for gssd" +.SH "NAME" +gssd_selinux \- Security Enhanced Linux Policy for the gssd processes +.SH "DESCRIPTION" @@ -31694,7 +56980,9 @@ index 0000000..071e84c + +.SH "ENTRYPOINTS" + -+The gssd_t SELinux type can be entered via the "gssd_exec_t" file type. The default entrypoint paths for the gssd_t domain are the following:" ++The gssd_t SELinux type can be entered via the \fBgssd_exec_t\fP file type. ++ ++The default entrypoint paths for the gssd_t domain are the following: + +/usr/sbin/rpc\.gssd, /usr/sbin/rpc\.svcgssd +.SH PROCESS TYPES 
@@ -31712,68 +57000,132 @@ index 0000000..071e84c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a gssd_t ++can be used to make the process type gssd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. gssd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gssd with the tightest access possible. + + +.PP -+If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean. ++If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean. Enabled by default. + +.EX +.B setsebool -P gssd_read_tmp 1 ++ +.EE + +.PP -+If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P gssd_read_tmp 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux gssd policy is very flexible allowing users to setup their gssd processes in as secure a method as possible. -+.PP -+The following file types are defined for gssd: -+ ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. 
+ +.EX -+.PP -+.B gssd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the gssd_exec_t type, if you want to transition an executable to the gssd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B gssd_keytab_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the gssd_keytab_t type, if you want to treat the files as kerberos keytab files. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B gssd_tmp_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the gssd_tmp_t type, if you want to store gssd temporary files in the /tmp directories. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the gssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gssd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -31814,12 +57166,22 @@ index 0000000..071e84c +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B user_tmp_t + + /var/run/user(/.*)? +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest 
@@ -31841,21 +57203,64 @@ index 0000000..071e84c + /tmp/\.X0-lock +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux gssd policy is very flexible allowing users to setup their gssd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the gssd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t gssd_exec_t '/srv/gssd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mygssd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for gssd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B gssd_exec_t +.EE + ++- Set files with the gssd_exec_t type, if you want to transition an executable to the gssd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/rpc\.gssd, /usr/sbin/rpc\.svcgssd ++ ++.EX ++.PP ++.B gssd_keytab_t ++.EE ++ ++- Set files with the gssd_keytab_t type, if you want to treat the files as kerberos keytab files. ++ ++ ++.EX ++.PP ++.B gssd_tmp_t ++.EE ++ ++- Set files with the gssd_tmp_t type, if you want to store gssd temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the gssd_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -31885,13 +57290,13 @@ index 0000000..071e84c \ No newline at end of file diff --git a/man/man8/guest_selinux.8 b/man/man8/guest_selinux.8 new file mode 100644 -index 0000000..dc5e824 +index 0000000..b3b667e --- /dev/null +++ b/man/man8/guest_selinux.8 -@@ -0,0 +1,241 @@ +@@ -0,0 +1,375 @@ +.TH "guest_selinux" "8" "guest" "mgrepl@redhat.com" "guest SELinux Policy documentation" +.SH "NAME" -+guest_u \- \fBLeast privledge terminal user role\fP - Security Enhanced Linux Policy ++guest_u \- \fBLeast privledge terminal user role.\fP - Security Enhanced Linux Policy + +.SH DESCRIPTION + @@ -31901,7 +57306,7 @@ index 0000000..dc5e824 + +The SELinux user will usually login to a system with a context that looks like: + -+.B guest_u:guest_r:guest_t:s0-s0:c0.c1023 ++.B guest_u:guest_r:guest_t:s0 + +Linux users are automatically assigned an SELinux users at login. +Login programs use the SELinux User to assign initial context to the user's shell. 
@@ -31961,45 +57366,163 @@ index 0000000..dc5e824 + + +.PP -+If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P xguest_mount_media 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean. ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. + +.EX -+.B setsebool -P xguest_connect_network 1 ++.B setsebool -P deny_execmem 1 ++ +.EE + +.PP -+If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P xguest_use_bluetooth 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + +.PP -+If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.B setsebool -P xguest_mount_media 1 ++.B setsebool -P domain_fd_use 1 ++ +.EE + +.PP -+If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
+ +.EX -+.B setsebool -P xguest_connect_network 1 ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + +.PP -+If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.B setsebool -P xguest_use_bluetooth 1 ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_unified 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_use_ssh_chroot 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ +.EE + +.SH HOME_EXEC @@ -32044,10 +57567,16 @@ index 0000000..dc5e824 +.br + +.br ++.B cifs_t ++ ++ ++.br +.B httpd_user_content_t + + /home/[^/]*/((www)|(web)|(public_html))(/.+)? +.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.+)? ++.br + /home/dwalsh/((www)|(web)|(public_html))(/.+)? +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)? 
@@ -32058,6 +57587,8 @@ index 0000000..dc5e824 + + /home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess +.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess ++.br + /home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess @@ -32068,6 +57599,8 @@ index 0000000..dc5e824 + + /home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)? +.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)? ++.br + /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)? +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)? @@ -32082,12 +57615,18 @@ index 0000000..dc5e824 + + /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)? +.br ++ /home/pwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)? ++.br + /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)? +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)? +.br + +.br ++.B nfs_t ++ ++ ++.br +.B user_home_type + + all user home files @@ -32133,11 +57672,11 @@ index 0000000..dc5e824 \ No newline at end of file diff --git a/man/man8/hddtemp_selinux.8 b/man/man8/hddtemp_selinux.8 new file mode 100644 -index 0000000..3f4d9a5 +index 0000000..5926678 --- /dev/null +++ b/man/man8/hddtemp_selinux.8 -@@ -0,0 +1,128 @@ -+.TH "hddtemp_selinux" "8" "12-11-01" "hddtemp" "SELinux Policy documentation for hddtemp" +@@ -0,0 +1,273 @@ ++.TH "hddtemp_selinux" "8" "13-01-16" "hddtemp" "SELinux Policy documentation for hddtemp" +.SH "NAME" +hddtemp_selinux \- Security Enhanced Linux Policy for the hddtemp processes +.SH "DESCRIPTION" 
@@ -32153,7 +57692,9 @@ index 0000000..3f4d9a5 + +.SH "ENTRYPOINTS" + -+The hddtemp_t SELinux type can be entered via the "hddtemp_exec_t" file type. The default entrypoint paths for the hddtemp_t domain are the following:" ++The hddtemp_t SELinux type can be entered via the \fBhddtemp_exec_t\fP file type. ++ ++The default entrypoint paths for the hddtemp_t domain are the following: + +/usr/sbin/hddtemp +.SH PROCESS TYPES 
@@ -32171,8 +57712,159 @@ index 0000000..3f4d9a5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a hddtemp_t ++can be used to make the process type hddtemp_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. hddtemp policy is extremely flexible and has several booleans that allow you to manipulate the policy and run hddtemp with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the hddtemp_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the hddtemp_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. 
++SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible. ++.PP ++The following port types are defined for hddtemp: ++ ++.EX ++.TP 5 ++.B hddtemp_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 7634 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type hddtemp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32182,7 +57874,20 @@ index 0000000..3f4d9a5 +Policy governs the access confined processes have to these files. +SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible. +.PP -+The following file types are defined for hddtemp: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the hddtemp, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t hddtemp_etc_t '/srv/hddtemp/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhddtemp_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for hddtemp: + + +.EX 
@@ -32216,31 +57921,6 @@ index 0000000..3f4d9a5 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux hddtemp policy is very flexible allowing users to setup their hddtemp processes in as secure a method as possible. -+.PP -+The following port types are defined for hddtemp: -+ -+.EX -+.TP 5 -+.B hddtemp_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 7634 -+.EE -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -32254,6 +57934,9 @@ index 0000000..3f4d9a5 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -32265,13 +57948,15 @@ index 0000000..3f4d9a5 + +.SH "SEE ALSO" +selinux(8), hddtemp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/hostname_selinux.8 b/man/man8/hostname_selinux.8 new file mode 100644 -index 0000000..5de0695 +index 0000000..6d67f09 --- /dev/null +++ b/man/man8/hostname_selinux.8 -@@ -0,0 +1,86 @@ -+.TH "hostname_selinux" "8" "12-11-01" "hostname" "SELinux Policy documentation for hostname" +@@ -0,0 +1,175 @@ ++.TH "hostname_selinux" "8" "13-01-16" "hostname" "SELinux Policy documentation for hostname" +.SH "NAME" +hostname_selinux \- Security Enhanced Linux Policy for the hostname processes +.SH "DESCRIPTION" 
@@ -32287,7 +57972,9 @@ index 0000000..5de0695 + +.SH "ENTRYPOINTS" + -+The hostname_t SELinux type can be entered via the "hostname_exec_t" file type. The default entrypoint paths for the hostname_t domain are the following:" ++The hostname_t SELinux type can be entered via the \fBhostname_exec_t\fP file type. ++ ++The default entrypoint paths for the hostname_t domain are the following: + +/bin/hostname, /usr/bin/hostname +.SH PROCESS TYPES 
@@ -32305,8 +57992,76 @@ index 0000000..5de0695 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a hostname_t ++can be used to make the process type hostname_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. hostname policy is extremely flexible and has several booleans that allow you to manipulate the policy and run hostname with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32316,7 +58071,20 @@ index 0000000..5de0695 +Policy governs the access confined processes have to these files. +SELinux hostname policy is very flexible allowing users to setup their hostname processes in as secure a method as possible. +.PP -+The following file types are defined for hostname: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the hostname, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t hostname_exec_t '/srv/hostname/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhostname_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for hostname: + + +.EX @@ -32326,6 +58094,10 @@ index 0000000..5de0695 + +- Set files with the hostname_exec_t type, if you want to transition an executable to the hostname_t domain. + ++.br ++.TP 5 ++Paths: ++/bin/hostname, /usr/bin/hostname + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -32334,8 +58106,6 @@ index 0000000..5de0695 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -32346,6 +58116,9 @@ index 0000000..5de0695 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -32357,13 +58130,15 @@ index 0000000..5de0695 + +.SH "SEE ALSO" +selinux(8), hostname(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/hplip_selinux.8 b/man/man8/hplip_selinux.8 new file mode 100644 -index 0000000..d23889a +index 0000000..b24fed0 --- /dev/null +++ b/man/man8/hplip_selinux.8 -@@ -0,0 +1,198 @@ -+.TH "hplip_selinux" "8" "12-11-01" "hplip" "SELinux Policy documentation for hplip" +@@ -0,0 +1,307 @@ ++.TH "hplip_selinux" "8" "13-01-16" "hplip" "SELinux Policy documentation for hplip" +.SH "NAME" +hplip_selinux \- Security Enhanced Linux Policy for the hplip processes +.SH "DESCRIPTION" @@ -32379,7 +58154,9 @@ index 0000000..d23889a + +.SH "ENTRYPOINTS" + -+The hplip_t SELinux type can be entered via the "hplip_exec_t" file type. The default entrypoint paths for the hplip_t domain are the following:" ++The hplip_t SELinux type can be entered via the \fBhplip_exec_t\fP file type. ++ ++The default entrypoint paths for the hplip_t domain are the following: + +/usr/sbin/hp-[^/]+, /usr/share/hplip/.*\.py, /usr/lib/cups/backend/hp.*, /usr/bin/hpijs, /usr/sbin/hpiod +.SH PROCESS TYPES 
@@ -32397,74 +58174,84 @@ index 0000000..d23889a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a hplip_t ++can be used to make the process type hplip_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux hplip policy is very flexible allowing users to setup their hplip processes in as secure a method as possible. -+.PP -+The following file types are defined for hplip: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. hplip policy is extremely flexible and has several booleans that allow you to manipulate the policy and run hplip with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B hplip_etc_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the hplip_etc_t type, if you want to store hplip files in the /etc directories. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B hplip_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the hplip_exec_t type, if you want to transition an executable to the hplip_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B hplip_tmp_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the hplip_tmp_t type, if you want to store hplip temporary files in the /tmp directories. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B hplip_var_lib_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the hplip_var_lib_t type, if you want to store the hplip files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B hplip_var_log_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the hplip_var_log_t type, if you want to treat the data as hplip var log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B hplip_var_run_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the hplip_var_run_t type, if you want to store the hplip files under the /run directory. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -32532,10 +58319,103 @@ index 0000000..d23889a +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B usbfs_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux hplip policy is very flexible allowing users to setup their hplip processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the hplip, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t hplip_etc_t '/srv/hplip/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhplip_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for hplip: ++ ++ ++.EX ++.PP ++.B hplip_etc_t ++.EE ++ ++- Set files with the hplip_etc_t type, if you want to store hplip files in the /etc directories. ++ ++ ++.EX ++.PP ++.B hplip_exec_t ++.EE ++ ++- Set files with the hplip_exec_t type, if you want to transition an executable to the hplip_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/hp-[^/]+, /usr/share/hplip/.*\.py, /usr/lib/cups/backend/hp.*, /usr/bin/hpijs, /usr/sbin/hpiod ++ ++.EX ++.PP ++.B hplip_tmp_t ++.EE ++ ++- Set files with the hplip_tmp_t type, if you want to store hplip temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B hplip_var_lib_t ++.EE ++ ++- Set files with the hplip_var_lib_t type, if you want to store the hplip files under the /var/lib directory. 
++ ++ ++.EX ++.PP ++.B hplip_var_log_t ++.EE ++ ++- Set files with the hplip_var_log_t type, if you want to treat the data as hplip var log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B hplip_var_run_t ++.EE ++ ++- Set files with the hplip_var_run_t type, if you want to store the hplip files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/hp.*\.pid, /var/run/hp.*\.port ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -32550,6 +58430,9 @@ index 0000000..d23889a +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -32561,13 +58444,15 @@ index 0000000..d23889a + +.SH "SEE ALSO" +selinux(8), hplip(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/httpd_apcupsd_cgi_script_selinux.8 b/man/man8/httpd_apcupsd_cgi_script_selinux.8 new file mode 100644 -index 0000000..b70ebe0 +index 0000000..8711d95 --- /dev/null +++ b/man/man8/httpd_apcupsd_cgi_script_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "httpd_apcupsd_cgi_script_selinux" "8" "12-11-01" "httpd_apcupsd_cgi_script" "SELinux Policy documentation for httpd_apcupsd_cgi_script" +@@ -0,0 +1,183 @@ ++.TH "httpd_apcupsd_cgi_script_selinux" "8" "13-01-16" "httpd_apcupsd_cgi_script" "SELinux Policy documentation for httpd_apcupsd_cgi_script" +.SH "NAME" +httpd_apcupsd_cgi_script_selinux \- Security Enhanced Linux Policy for the httpd_apcupsd_cgi_script processes +.SH "DESCRIPTION" 
@@ -32583,9 +58468,11 @@ index 0000000..b70ebe0 + +.SH "ENTRYPOINTS" + -+The httpd_apcupsd_cgi_script_t SELinux type can be entered via the "shell_exec_t,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_exec_t" file types. The default entrypoint paths for the httpd_apcupsd_cgi_script_t domain are the following:" ++The httpd_apcupsd_cgi_script_t SELinux type can be entered via the \fBhttpd_apcupsd_cgi_script_exec_t, shell_exec_t, httpd_apcupsd_cgi_script_exec_t\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/cgi-bin/apcgui(/.*)?, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsfstats\.cgi, /var/www/cgi-bin/apcgui(/.*)?, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsfstats\.cgi ++The default entrypoint paths for the httpd_apcupsd_cgi_script_t domain are the following: ++ ++/var/www/cgi-bin/apcgui(/.*)?, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsfstats\.cgi, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, 
/usr/libexec/git-core/git-shell, /var/www/cgi-bin/apcgui(/.*)?, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsfstats\.cgi +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -32601,34 +58488,76 @@ index 0000000..b70ebe0 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_apcupsd_cgi_script_t ++can be used to make the process type httpd_apcupsd_cgi_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_apcupsd_cgi_script policy is very flexible allowing users to setup their httpd_apcupsd_cgi_script processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_apcupsd_cgi_script: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_apcupsd_cgi_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_apcupsd_cgi_script with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B httpd_apcupsd_cgi_script_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the httpd_apcupsd_cgi_script_exec_t type, if you want to transition an executable to the httpd_apcupsd_cgi_script_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -32638,7 +58567,48 @@ index 0000000..b70ebe0 +.B httpd_apcupsd_cgi_rw_content_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux httpd_apcupsd_cgi_script policy is very flexible allowing users to setup their httpd_apcupsd_cgi_script processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_apcupsd_cgi_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_apcupsd_cgi_script_exec_t '/srv/httpd_apcupsd_cgi_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_apcupsd_cgi_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_apcupsd_cgi_script: ++ ++ ++.EX ++.PP ++.B httpd_apcupsd_cgi_script_exec_t ++.EE ++ ++- Set files with the httpd_apcupsd_cgi_script_exec_t type, if you want to transition an executable to the httpd_apcupsd_cgi_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/var/www/cgi-bin/apcgui(/.*)?, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsfstats\.cgi ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -32650,6 +58620,9 @@ index 0000000..b70ebe0 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -32661,15 +58634,15 @@ index 0000000..b70ebe0 + +.SH "SEE ALSO" +selinux(8), httpd_apcupsd_cgi_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_awstats_script_selinux.8 b/man/man8/httpd_awstats_script_selinux.8 new file mode 100644 -index 0000000..d03827d +index 0000000..56c4723 --- /dev/null +++ b/man/man8/httpd_awstats_script_selinux.8 -@@ -0,0 +1,99 @@ -+.TH "httpd_awstats_script_selinux" "8" "12-11-01" "httpd_awstats_script" "SELinux Policy documentation for httpd_awstats_script" +@@ -0,0 +1,175 @@ ++.TH "httpd_awstats_script_selinux" "8" "13-01-16" "httpd_awstats_script" "SELinux Policy documentation for httpd_awstats_script" +.SH "NAME" +httpd_awstats_script_selinux \- Security Enhanced Linux Policy for the httpd_awstats_script processes +.SH "DESCRIPTION" 
@@ -32685,9 +58658,11 @@ index 0000000..d03827d + +.SH "ENTRYPOINTS" + -+The httpd_awstats_script_t SELinux type can be entered via the "shell_exec_t,httpd_awstats_script_exec_t,httpd_awstats_script_exec_t" file types. The default entrypoint paths for the httpd_awstats_script_t domain are the following:" ++The httpd_awstats_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_awstats_script_exec_t, httpd_awstats_script_exec_t\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/awstats/wwwroot/cgi-bin(/.*)?, /usr/share/awstats/wwwroot/cgi-bin(/.*)? ++The default entrypoint paths for the httpd_awstats_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/awstats/wwwroot/cgi-bin(/.*)?, /usr/share/awstats/wwwroot/cgi-bin(/.*)? +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -32703,8 +58678,80 @@ index 0000000..d03827d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_awstats_script_t ++can be used to make the process type httpd_awstats_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_awstats_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_awstats_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_awstats_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B awstats_tmp_t ++ ++ ++.br ++.B httpd_awstats_rw_content_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32714,7 +58761,20 @@ index 0000000..d03827d +Policy governs the access confined processes have to these files. +SELinux httpd_awstats_script policy is very flexible allowing users to setup their httpd_awstats_script processes in as secure a method as possible. +.PP -+The following file types are defined for httpd_awstats_script: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_awstats_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_awstats_script_exec_t '/srv/httpd_awstats_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_awstats_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_awstats_script: + + +.EX 
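Review bot: the deny_ptrace paragraph in the BOOLEANS hunk, "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean", contradicts the boolean's own name: switching on something called deny_ptrace cannot be what grants ptrace. The generated description (and the "Enabled by default" claim next to it) should be checked against the boolean's definition in the policy before this page ships, because an admin following the sentence literally would flip the setting the wrong way. In the same hunk, "diffent" and "sepecify" in the STANDARD FILE CONTEXT paragraph are typos in the generator template and recur on every page in this patch.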
@@ -32732,20 +58792,6 @@ index 0000000..d03827d +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_awstats_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B awstats_tmp_t -+ -+ -+.br -+.B httpd_awstats_rw_content_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -32756,6 +58802,9 @@ index 0000000..d03827d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
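Review bot: the new "semanage boolean" entry in the COMMANDS hunk lacks the ".PP" that separates the sibling entries ("semanage permissive" and "semanage module" are each preceded by a .PP) and its sentence has no terminating period; suggest "+.PP" before "+.B semanage boolean" and "can also be used to manipulate the booleans." so it renders like the others. The identical fragment is added to the bugzilla, collectd and cvs pages below, so fix it once in the template.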
@@ -32767,15 +58816,15 @@ index 0000000..d03827d + +.SH "SEE ALSO" +selinux(8), httpd_awstats_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_bugzilla_script_selinux.8 b/man/man8/httpd_bugzilla_script_selinux.8 new file mode 100644 -index 0000000..84e7a1b +index 0000000..0bd542f --- /dev/null +++ b/man/man8/httpd_bugzilla_script_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "httpd_bugzilla_script_selinux" "8" "12-11-01" "httpd_bugzilla_script" "SELinux Policy documentation for httpd_bugzilla_script" +@@ -0,0 +1,177 @@ ++.TH "httpd_bugzilla_script_selinux" "8" "13-01-16" "httpd_bugzilla_script" "SELinux Policy documentation for httpd_bugzilla_script" +.SH "NAME" +httpd_bugzilla_script_selinux \- Security Enhanced Linux Policy for the httpd_bugzilla_script processes +.SH "DESCRIPTION" 
@@ -32791,9 +58840,11 @@ index 0000000..84e7a1b + +.SH "ENTRYPOINTS" + -+The httpd_bugzilla_script_t SELinux type can be entered via the "httpd_bugzilla_script_exec_t,shell_exec_t,httpd_bugzilla_script_exec_t" file types. The default entrypoint paths for the httpd_bugzilla_script_t domain are the following:" ++The httpd_bugzilla_script_t SELinux type can be entered via the \fBhttpd_bugzilla_script_exec_t, shell_exec_t, httpd_bugzilla_script_exec_t\fP file types. + -+/usr/share/bugzilla(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/bugzilla(/.*)? ++The default entrypoint paths for the httpd_bugzilla_script_t domain are the following: ++ ++/usr/share/bugzilla(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/bugzilla(/.*)? +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -32809,8 +58860,82 @@ index 0000000..84e7a1b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_bugzilla_script_t ++can be used to make the process type httpd_bugzilla_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_bugzilla_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_bugzilla_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_bugzilla_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_bugzilla_rw_content_t ++ ++ /var/lib/bugzilla(/.*)? ++.br ++ ++.br ++.B httpd_bugzilla_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32820,7 +58945,20 @@ index 0000000..84e7a1b +Policy governs the access confined processes have to these files. +SELinux httpd_bugzilla_script policy is very flexible allowing users to setup their httpd_bugzilla_script processes in as secure a method as possible. +.PP -+The following file types are defined for httpd_bugzilla_script: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_bugzilla_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_bugzilla_script_exec_t '/srv/httpd_bugzilla_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_bugzilla_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_bugzilla_script: + + +.EX 
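Review bot: the STANDARD FILE CONTEXT example in the file-contexts hunk does not work as written: the fcontext rule is added for '/srv/httpd_bugzilla_script/content(/.*)?' but restorecon is then run on /srv/myhttpd_bugzilla_script_content, a different path, so the new labeling is never applied to anything. Beyond the path mismatch, the example labels a whole content tree with httpd_bugzilla_script_exec_t, which this same page defines as the type you set "if you want to transition an executable to the httpd_bugzilla_script_t domain"; that is the wrong type to suggest for stored content, since every file written under such a directory becomes an entrypoint into the confined domain. The MANAGED FILES section just above names httpd_bugzilla_rw_content_t, which is what a site storing content elsewhere would normally want; suggest the template use the rw content type and the same path in both commands.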
@@ -32838,22 +58976,6 @@ index 0000000..84e7a1b +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_bugzilla_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B httpd_bugzilla_rw_content_t -+ -+ /var/lib/bugzilla(/.*)? -+.br -+ -+.br -+.B httpd_bugzilla_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -32864,6 +58986,9 @@ index 0000000..84e7a1b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -32875,117 +59000,15 @@ index 0000000..84e7a1b + +.SH "SEE ALSO" +selinux(8), httpd_bugzilla_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) -\ No newline at end of file -diff --git a/man/man8/httpd_cobbler_script_selinux.8 b/man/man8/httpd_cobbler_script_selinux.8 -new file mode 100644 -index 0000000..9a182d6 ---- /dev/null -+++ b/man/man8/httpd_cobbler_script_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "httpd_cobbler_script_selinux" "8" "12-11-01" "httpd_cobbler_script" "SELinux Policy documentation for httpd_cobbler_script" -+.SH "NAME" -+httpd_cobbler_script_selinux \- Security Enhanced Linux Policy for the httpd_cobbler_script processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the httpd_cobbler_script processes via flexible mandatory access control. -+ -+The httpd_cobbler_script processes execute with the httpd_cobbler_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
-+ -+For example: -+ -+.B ps -eZ | grep httpd_cobbler_script_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The httpd_cobbler_script_t SELinux type can be entered via the "httpd_cobbler_script_exec_t,shell_exec_t,httpd_cobbler_script_exec_t" file types. The default entrypoint paths for the httpd_cobbler_script_t domain are the following:" -+ -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux httpd_cobbler_script policy is very flexible allowing users to setup their httpd_cobbler_script processes in as secure a method as possible. -+.PP -+The following process types are defined for httpd_cobbler_script: -+ -+.EX -+.B httpd_cobbler_script_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_cobbler_script policy is very flexible allowing users to setup their httpd_cobbler_script processes in as secure a method as possible. 
-+.PP -+The following file types are defined for httpd_cobbler_script: -+ -+ -+.EX -+.PP -+.B httpd_cobbler_script_exec_t -+.EE -+ -+- Set files with the httpd_cobbler_script_exec_t type, if you want to transition an executable to the httpd_cobbler_script_t domain. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_cobbler_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B httpd_cobbler_rw_content_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. 
-+ -+.SH "SEE ALSO" -+selinux(8), httpd_cobbler_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), httpd_zoneminder_script_selinux(8) \ No newline at end of file 
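Review bot: this hunk deletes man/man8/httpd_cobbler_script_selinux.8 outright, and the SEE ALSO lists of the neighbouring pages drop httpd_cobbler_script_selinux(8) to match, but nothing in the patch says why the page went away. If httpd_cobbler_script_t still exists in the contrib policy, the regenerated manpage set should still include it; if the type was removed, that should be stated alongside the other changes so packagers know the page is gone on purpose rather than lost by the generator.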
diff --git a/man/man8/httpd_collectd_script_selinux.8 b/man/man8/httpd_collectd_script_selinux.8 new file mode 100644 -index 0000000..8b345d1 +index 0000000..8be484e --- /dev/null +++ b/man/man8/httpd_collectd_script_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "httpd_collectd_script_selinux" "8" "12-11-01" "httpd_collectd_script" "SELinux Policy documentation for httpd_collectd_script" +@@ -0,0 +1,171 @@ ++.TH "httpd_collectd_script_selinux" "8" "13-01-16" "httpd_collectd_script" "SELinux Policy documentation for httpd_collectd_script" +.SH "NAME" +httpd_collectd_script_selinux \- Security Enhanced Linux Policy for the httpd_collectd_script processes +.SH "DESCRIPTION" 
@@ -33001,9 +59024,11 @@ index 0000000..8b345d1 + +.SH "ENTRYPOINTS" + -+The httpd_collectd_script_t SELinux type can be entered via the "shell_exec_t,httpd_collectd_script_exec_t,httpd_collectd_script_exec_t" file types. The default entrypoint paths for the httpd_collectd_script_t domain are the following:" ++The httpd_collectd_script_t SELinux type can be entered via the \fBhttpd_collectd_script_exec_t, shell_exec_t, httpd_collectd_script_exec_t\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/collectd/collection3/bin/.*\.cgi, /usr/share/collectd/collection3/bin/.*\.cgi ++The default entrypoint paths for the httpd_collectd_script_t domain are the following: ++ ++/usr/share/collectd/collection3/bin/.*\.cgi, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/collectd/collection3/bin/.*\.cgi +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -33019,8 +59044,76 @@ index 0000000..8b345d1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_collectd_script_t ++can be used to make the process type httpd_collectd_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_collectd_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_collectd_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_collectd_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_collectd_rw_content_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33030,7 +59123,20 @@ index 0000000..8b345d1 +Policy governs the access confined processes have to these files. +SELinux httpd_collectd_script policy is very flexible allowing users to setup their httpd_collectd_script processes in as secure a method as possible. +.PP -+The following file types are defined for httpd_collectd_script: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_collectd_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_collectd_script_exec_t '/srv/httpd_collectd_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_collectd_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_collectd_script: + + +.EX @@ -33048,16 +59154,6 @@ index 0000000..8b345d1 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_collectd_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B httpd_collectd_rw_content_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
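Review bot: the httpd_enable_cgi paragraph in the BOOLEANS hunk above says "Disabled by default", while the identical paragraph in the httpd_awstats_script, httpd_bugzilla_script and httpd_cvs_script pages in this same patch says "Enabled by default". All of these pages are generated from the same policy, so at least one of them is wrong; the default should be taken from a single source when the pages are regenerated, and the four pages should agree before this is merged.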
@@ -33068,6 +59164,9 @@ index 0000000..8b345d1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -33079,15 +59178,15 @@ index 0000000..8b345d1 + +.SH "SEE ALSO" +selinux(8), httpd_collectd_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_cvs_script_selinux.8 b/man/man8/httpd_cvs_script_selinux.8 new file mode 100644 -index 0000000..4c09121 +index 0000000..0ad2d56 --- /dev/null +++ b/man/man8/httpd_cvs_script_selinux.8 -@@ -0,0 +1,99 @@ -+.TH "httpd_cvs_script_selinux" "8" "12-11-01" "httpd_cvs_script" "SELinux Policy documentation for httpd_cvs_script" +@@ -0,0 +1,179 @@ ++.TH "httpd_cvs_script_selinux" "8" "13-01-16" "httpd_cvs_script" "SELinux Policy documentation for httpd_cvs_script" +.SH "NAME" +httpd_cvs_script_selinux \- Security Enhanced Linux Policy for the httpd_cvs_script processes +.SH "DESCRIPTION" 
@@ -33103,9 +59202,11 @@ index 0000000..4c09121 + +.SH "ENTRYPOINTS" + -+The httpd_cvs_script_t SELinux type can be entered via the "shell_exec_t,httpd_cvs_script_exec_t,httpd_cvs_script_exec_t" file types. The default entrypoint paths for the httpd_cvs_script_t domain are the following:" ++The httpd_cvs_script_t SELinux type can be entered via the \fBhttpd_cvs_script_exec_t, shell_exec_t, httpd_cvs_script_exec_t\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/cgi-bin/cvsweb\.cgi, /usr/share/cvsweb/cvsweb\.cgi, /var/www/cgi-bin/cvsweb\.cgi, /usr/share/cvsweb/cvsweb\.cgi ++The default entrypoint paths for the httpd_cvs_script_t domain are the following: ++ ++/var/www/cgi-bin/cvsweb\.cgi, /usr/share/cvsweb/cvsweb\.cgi, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/cgi-bin/cvsweb\.cgi, /usr/share/cvsweb/cvsweb\.cgi +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -33121,34 +59222,68 @@ index 0000000..4c09121 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_cvs_script_t ++can be used to make the process type httpd_cvs_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_cvs_script policy is very flexible allowing users to setup their httpd_cvs_script processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_cvs_script: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_cvs_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_cvs_script with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B httpd_cvs_script_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the httpd_cvs_script_exec_t type, if you want to transition an executable to the httpd_cvs_script_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -33162,7 +59297,48 @@ index 0000000..4c09121 +.B httpd_cvs_rw_content_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux httpd_cvs_script policy is very flexible allowing users to setup their httpd_cvs_script processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_cvs_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_cvs_script_exec_t '/srv/httpd_cvs_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_cvs_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_cvs_script: ++ ++ ++.EX ++.PP ++.B httpd_cvs_script_exec_t ++.EE ++ ++- Set files with the httpd_cvs_script_exec_t type, if you want to transition an executable to the httpd_cvs_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/var/www/cgi-bin/cvsweb\.cgi, /usr/share/cvsweb/cvsweb\.cgi ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
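Review bot: the STANDARD FILE CONTEXT example in this hunk teaches the wrong labeling. `semanage fcontext -a -t httpd_cvs_script_exec_t '/srv/httpd_cvs_script/content(/.*)?'` marks every file under a content tree as an entrypoint executable for httpd_cvs_script_t, which is the opposite of least privilege for served content; the example should use a content type such as httpd_cvs_rw_content_t (listed under MANAGED FILES just above). The follow-up `restorecon -R -v /srv/myhttpd_cvs_script_content` also does not match the path the fcontext rule was added for, so the relabel would be a no-op. Two template typos while you are there: `\fBls\bP` should be `\fBls\fP` (the broken escape was already in the removed text), and "diffent paths ... sepecify" should read "different paths ... specify". The same template text is repeated verbatim in the httpd_dirsrvadmin_script, httpd_dspam_script and httpd_git_script pages below, so fix it in the generator rather than per page.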
@@ -33174,6 +59350,9 @@ index 0000000..4c09121 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
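Review bot: the added sentence "can also be used to manipulate the booleans" has no terminating period, unlike the neighbouring `semanage module` entry; "can also be used to set booleans." keeps the parallel form.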
@@ -33185,15 +59364,15 @@ index 0000000..4c09121 + +.SH "SEE ALSO" +selinux(8), httpd_cvs_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_dirsrvadmin_script_selinux.8 b/man/man8/httpd_dirsrvadmin_script_selinux.8 new file mode 100644 -index 0000000..8523dac +index 0000000..7215d53 --- /dev/null +++ b/man/man8/httpd_dirsrvadmin_script_selinux.8 -@@ -0,0 +1,137 @@ -+.TH "httpd_dirsrvadmin_script_selinux" "8" "12-11-01" "httpd_dirsrvadmin_script" "SELinux Policy documentation for httpd_dirsrvadmin_script" +@@ -0,0 +1,217 @@ ++.TH "httpd_dirsrvadmin_script_selinux" "8" "13-01-16" "httpd_dirsrvadmin_script" "SELinux Policy documentation for httpd_dirsrvadmin_script" +.SH "NAME" +httpd_dirsrvadmin_script_selinux \- Security Enhanced Linux Policy for the httpd_dirsrvadmin_script processes +.SH "DESCRIPTION" 
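Review bot: the regenerated SEE ALSO line still lists "httpd_selinux(8), httpd_selinux(8)" twice, so the generator is not de-duplicating the parent page. Separately, httpd_cobbler_script_selinux(8) disappears from the list while httpd_mythtv_script_selinux(8) and httpd_webalizer_script_selinux(8) are added; nothing in this hunk explains the removal, so please confirm it is intended and not a stale policy load on the build host.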
@@ -33209,9 +59388,11 @@ index 0000000..8523dac + +.SH "ENTRYPOINTS" + -+The httpd_dirsrvadmin_script_t SELinux type can be entered via the "httpd_dirsrvadmin_script_exec_t,shell_exec_t,httpd_dirsrvadmin_script_exec_t" file types. The default entrypoint paths for the httpd_dirsrvadmin_script_t domain are the following:" ++The httpd_dirsrvadmin_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_dirsrvadmin_script_exec_t, httpd_dirsrvadmin_script_exec_t\fP file types. + -+/usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)? ++The default entrypoint paths for the httpd_dirsrvadmin_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)?, /usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)? +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
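Review bot: the ENTRYPOINTS text lists `httpd_dirsrvadmin_script_exec_t` twice in the type list and repeats `/usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)?` at both ends of the path list (the removed text had the same duplication). The generator should uniq the entrypoint types and their paths before printing. Worth spelling out for readers, too, that shell_exec_t being an entrypoint means every listed shell can start this CGI domain, which is why the httpd_enable_cgi boolean matters for it.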
@@ -33227,34 +59408,68 @@ index 0000000..8523dac +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_dirsrvadmin_script_t ++can be used to make the process type httpd_dirsrvadmin_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_dirsrvadmin_script policy is very flexible allowing users to setup their httpd_dirsrvadmin_script processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_dirsrvadmin_script: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_dirsrvadmin_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_dirsrvadmin_script with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B httpd_dirsrvadmin_script_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the httpd_dirsrvadmin_script_exec_t type, if you want to transition an executable to the httpd_dirsrvadmin_script_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.SH "MANAGED FILES" + 
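Review bot: "If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default." contradicts the httpd_cvs_script page earlier in this same patch, which says the same boolean is "Enabled by default". The default of a boolean is a single policy fact; whichever page is wrong, the generator picked it up from a differing policy state and both pages should be regenerated from one build.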
@@ -33306,7 +59521,48 @@ index 0000000..8523dac +.B httpd_dirsrvadmin_rw_content_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux httpd_dirsrvadmin_script policy is very flexible allowing users to setup their httpd_dirsrvadmin_script processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_dirsrvadmin_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_dirsrvadmin_script_exec_t '/srv/httpd_dirsrvadmin_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_dirsrvadmin_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_dirsrvadmin_script: ++ ++ ++.EX ++.PP ++.B httpd_dirsrvadmin_script_exec_t ++.EE ++ ++- Set files with the httpd_dirsrvadmin_script_exec_t type, if you want to transition an executable to the httpd_dirsrvadmin_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)? ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -33318,6 +59574,9 @@ index 0000000..8523dac +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -33329,15 +59588,15 @@ index 0000000..8523dac + +.SH "SEE ALSO" +selinux(8), httpd_dirsrvadmin_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_dspam_script_selinux.8 b/man/man8/httpd_dspam_script_selinux.8 new file mode 100644 -index 0000000..09ee1ed +index 0000000..908963d --- /dev/null +++ b/man/man8/httpd_dspam_script_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "httpd_dspam_script_selinux" "8" "12-11-01" "httpd_dspam_script" "SELinux Policy documentation for httpd_dspam_script" +@@ -0,0 +1,175 @@ ++.TH "httpd_dspam_script_selinux" "8" "13-01-16" "httpd_dspam_script" "SELinux Policy documentation for httpd_dspam_script" +.SH "NAME" +httpd_dspam_script_selinux \- Security Enhanced Linux Policy for the httpd_dspam_script processes +.SH "DESCRIPTION" 
@@ -33353,9 +59612,11 @@ index 0000000..09ee1ed + +.SH "ENTRYPOINTS" + -+The httpd_dspam_script_t SELinux type can be entered via the "httpd_dspam_script_exec_t,shell_exec_t,httpd_dspam_script_exec_t" file types. The default entrypoint paths for the httpd_dspam_script_t domain are the following:" ++The httpd_dspam_script_t SELinux type can be entered via the \fBhttpd_dspam_script_exec_t, shell_exec_t, httpd_dspam_script_exec_t\fP file types. + -+/usr/share/dspam-web/dspam\.cgi, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/dspam-web/dspam\.cgi ++The default entrypoint paths for the httpd_dspam_script_t domain are the following: ++ ++/var/www/dspam/.*\.cgi, /usr/share/dspam-web/dspam\.cgi, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/dspam/.*\.cgi, /usr/share/dspam-web/dspam\.cgi +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -33371,34 +59632,68 @@ index 0000000..09ee1ed +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_dspam_script_t ++can be used to make the process type httpd_dspam_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_dspam_script policy is very flexible allowing users to setup their httpd_dspam_script processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_dspam_script: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_dspam_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_dspam_script with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B httpd_dspam_script_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the httpd_dspam_script_exec_t type, if you want to transition an executable to the httpd_dspam_script_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -33408,7 +59703,48 @@ index 0000000..09ee1ed +.B httpd_dspam_rw_content_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux httpd_dspam_script policy is very flexible allowing users to setup their httpd_dspam_script processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_dspam_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_dspam_script_exec_t '/srv/httpd_dspam_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_dspam_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_dspam_script: ++ ++ ++.EX ++.PP ++.B httpd_dspam_script_exec_t ++.EE ++ ++- Set files with the httpd_dspam_script_exec_t type, if you want to transition an executable to the httpd_dspam_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/var/www/dspam/.*\.cgi, /usr/share/dspam-web/dspam\.cgi ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -33420,6 +59756,9 @@ index 0000000..09ee1ed +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -33431,15 +59770,15 @@ index 0000000..09ee1ed + +.SH "SEE ALSO" +selinux(8), httpd_dspam_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_git_script_selinux.8 b/man/man8/httpd_git_script_selinux.8 new file mode 100644 -index 0000000..3518b85 +index 0000000..ea22579 --- /dev/null +++ b/man/man8/httpd_git_script_selinux.8 -@@ -0,0 +1,113 @@ -+.TH "httpd_git_script_selinux" "8" "12-11-01" "httpd_git_script" "SELinux Policy documentation for httpd_git_script" +@@ -0,0 +1,259 @@ ++.TH "httpd_git_script_selinux" "8" "13-01-16" "httpd_git_script" "SELinux Policy documentation for httpd_git_script" +.SH "NAME" +httpd_git_script_selinux \- Security Enhanced Linux Policy for the httpd_git_script processes +.SH "DESCRIPTION" 
@@ -33455,9 +59794,11 @@ index 0000000..3518b85 + +.SH "ENTRYPOINTS" + -+The httpd_git_script_t SELinux type can be entered via the "shell_exec_t,httpd_git_script_exec_t,httpd_git_script_exec_t" file types. The default entrypoint paths for the httpd_git_script_t domain are the following:" ++The httpd_git_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_git_script_exec_t, httpd_git_script_exec_t\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/cgi-bin/cgit, /var/www/git/gitweb\.cgi, /var/www/gitweb-caching/gitweb\.cgi, /var/www/cgi-bin/cgit, /var/www/git/gitweb\.cgi, /var/www/gitweb-caching/gitweb\.cgi ++The default entrypoint paths for the httpd_git_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/cgi-bin/cgit, /var/www/git/gitweb\.cgi, /var/www/gitweb-caching/gitweb\.cgi, /var/www/cgi-bin/cgit, /var/www/git/gitweb\.cgi, /var/www/gitweb-caching/gitweb\.cgi +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -33473,34 +59814,148 @@ index 0000000..3518b85 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_git_script_t ++can be used to make the process type httpd_git_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_git_script policy is very flexible allowing users to setup their httpd_git_script processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_git_script: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_git_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_git_script with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B httpd_git_script_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the httpd_git_script_exec_t type, if you want to transition an executable to the httpd_git_script_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Git CGI can search home directories, you must turn on the git_cgi_enable_homedirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P git_cgi_enable_homedirs 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Git CGI can access cifs file systems, you must turn on the git_cgi_use_cifs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P git_cgi_use_cifs 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Git CGI can access nfs file systems, you must turn on the git_cgi_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P git_cgi_use_nfs 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the httpd_git_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the httpd_git_script_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
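Review bot: "rather then using a sssd server" should be "rather than using an sssd server" (the old text had the same "then", and this rewrite only fixed "serve"). Also, authlogin_nsswitch_use_ldap and kerberos_enabled now appear twice on the page, once in BOOLEANS and again in the new NSSWITCH DOMAIN section with a slightly different sentence and no "Disabled/Enabled by default" note; either drop them from BOOLEANS or make the NSSWITCH DOMAIN section a pointer to the entries above so the two do not drift.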
@@ -33514,21 +59969,48 @@ index 0000000..3518b85 + /var/cache/gitweb-caching(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux httpd_git_script policy is very flexible allowing users to setup their httpd_git_script processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_git_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_git_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_git_script_exec_t '/srv/httpd_git_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_git_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_git_script: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B httpd_git_script_exec_t +.EE + ++- Set files with the httpd_git_script_exec_t type, if you want to transition an executable to the httpd_git_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/var/www/cgi-bin/cgit, /var/www/git/gitweb\.cgi, /var/www/gitweb-caching/gitweb\.cgi ++ +.PP -+If you want to allow confined applications to run with kerberos for the httpd_git_script_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -33540,6 +60022,9 @@ index 0000000..3518b85 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
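Review bot: the STANDARD FILE CONTEXT example in this hunk is unsafe advice as written: it labels a content tree with an entrypoint type (`semanage fcontext -a -t httpd_git_script_exec_t '/srv/httpd_git_script/content(/.*)?'`), which would make every file placed under that path a valid entrypoint into httpd_git_script_t instead of data the domain may read, so the example should use a content or rw type, and the restorecon line that follows (`restorecon -R -v /srv/myhttpd_git_script_content`) names a different directory from the one just labeled, so copying the two commands verbatim relabels nothing. In the same hunk `\fBls\bP` is a bad troff escape and should be `\fBls\fP`, and "diffent" and "sepecify" should be "different" and "specify"; the same three problems recur in the httpd_helper, httpd_man2html_script, httpd_mediawiki_script and httpd_mojomojo_script pages below, so fix the generator template.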
@@ -33551,15 +60036,15 @@ index 0000000..3518b85 + +.SH "SEE ALSO" +selinux(8), httpd_git_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_helper_selinux.8 b/man/man8/httpd_helper_selinux.8 new file mode 100644 -index 0000000..3f124b1 +index 0000000..8868c09 --- /dev/null +++ b/man/man8/httpd_helper_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "httpd_helper_selinux" "8" "12-11-01" "httpd_helper" "SELinux Policy documentation for httpd_helper" +@@ -0,0 +1,155 @@ ++.TH "httpd_helper_selinux" "8" "13-01-16" "httpd_helper" "SELinux Policy documentation for httpd_helper" +.SH "NAME" +httpd_helper_selinux \- Security Enhanced Linux Policy for the httpd_helper processes +.SH "DESCRIPTION" @@ -33575,7 +60060,9 @@ index 0000000..3f124b1 + +.SH "ENTRYPOINTS" + -+The httpd_helper_t SELinux type can be entered via the "httpd_helper_exec_t" file type. The default entrypoint paths for the httpd_helper_t domain are the following:" ++The httpd_helper_t SELinux type can be entered via the \fBhttpd_helper_exec_t\fP file type. ++ ++The default entrypoint paths for the httpd_helper_t domain are the following: + +/usr/bin/htsslpass +.SH PROCESS TYPES 
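Review bot: the SEE ALSO line in this hunk still lists "httpd_selinux(8), httpd_selinux(8)" twice, and httpd_cobbler_script_selinux(8) disappears from every regenerated SEE ALSO list in this patch while httpd_mythtv_script_selinux(8) and httpd_webalizer_script_selinux(8) are added; if the cobbler CGI domain was intentionally dropped that should be stated in the changelog, otherwise the list generation lost a page. The duplicate should be removed by the generator rather than hand-edited here.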
@@ -33593,8 +60080,60 @@ index 0000000..3f124b1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_helper_t ++can be used to make the process type httpd_helper_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_helper policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_helper with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal, you must turn on the httpd_tty_comm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P httpd_tty_comm 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33604,7 +60143,20 @@ index 0000000..3f124b1 +Policy governs the access confined processes have to these files. +SELinux httpd_helper policy is very flexible allowing users to setup their httpd_helper processes in as secure a method as possible. +.PP -+The following file types are defined for httpd_helper: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_helper, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_helper_exec_t '/srv/httpd_helper/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_helper_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_helper: + + +.EX @@ -33622,8 +60174,6 @@ index 0000000..3f124b1 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -33634,6 +60184,9 @@ index 0000000..3f124b1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
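Review bot: the deny_ptrace entry in this BOOLEANS hunk has its sense inverted: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" is followed by `setsebool -P deny_ptrace 1`, but setting deny_ptrace to 1 denies ptrace to every domain, so an admin who follows the page gets the opposite of what they asked for; the sentence should describe what enabling the boolean does and the example should match it. The httpd_tty_comm entry reads "If you want to unify HTTPD to communicate with the terminal", where "unify" should be "allow". The same inverted deny_ptrace text is emitted again in the httpd_man2html_script, httpd_mediawiki_script and httpd_mojomojo_script pages below, so this is a generator description problem, not a one-page typo.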
@@ -33645,15 +60198,15 @@ index 0000000..3f124b1 + +.SH "SEE ALSO" +selinux(8), httpd_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_man2html_script_selinux.8 b/man/man8/httpd_man2html_script_selinux.8 new file mode 100644 -index 0000000..e3292a9 +index 0000000..a3753d9 --- /dev/null +++ b/man/man8/httpd_man2html_script_selinux.8 -@@ -0,0 +1,109 @@ -+.TH "httpd_man2html_script_selinux" "8" "12-11-01" "httpd_man2html_script" "SELinux Policy documentation for httpd_man2html_script" +@@ -0,0 +1,189 @@ ++.TH "httpd_man2html_script_selinux" "8" "13-01-16" "httpd_man2html_script" "SELinux Policy documentation for httpd_man2html_script" +.SH "NAME" +httpd_man2html_script_selinux \- Security Enhanced Linux Policy for the httpd_man2html_script processes +.SH "DESCRIPTION" 
@@ -33669,9 +60222,11 @@ index 0000000..e3292a9 + +.SH "ENTRYPOINTS" + -+The httpd_man2html_script_t SELinux type can be entered via the "shell_exec_t,httpd_man2html_script_exec_t,httpd_man2html_script_exec_t" file types. The default entrypoint paths for the httpd_man2html_script_t domain are the following:" ++The httpd_man2html_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_man2html_script_exec_t, httpd_man2html_script_exec_t\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/man2html/cgi-bin/man/mansec, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/manwhatis, /usr/lib/man2html/cgi-bin/man/mansec, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/manwhatis ++The default entrypoint paths for the httpd_man2html_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/man2html/cgi-bin/man/mansec, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/manwhatis, /usr/lib/man2html/cgi-bin/man/mansec, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/manwhatis +.SH PROCESS TYPES 
+SELinux defines process types (domains) for each process running on the system +.PP 
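Review bot: the ENTRYPOINTS sentence in this hunk lists "shell_exec_t, httpd_man2html_script_exec_t, httpd_man2html_script_exec_t", and the path list that follows repeats /usr/lib/man2html/cgi-bin/man/mansec, man2html and manwhatis twice; the entrypoint types and their paths should be de-duplicated before rendering. The same doubling appears for the texvc paths in httpd_mediawiki_script and for /usr/bin/mojomojo_fastcgi\.pl in httpd_mojomojo_script later in this patch, so the fix is in the generator's entrypoint query rather than in these three pages.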
@@ -33687,8 +60242,82 @@ index 0000000..e3292a9 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_man2html_script_t ++can be used to make the process type httpd_man2html_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_man2html_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_man2html_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_man2html_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_man2html_rw_content_t ++ ++ ++.br ++.B httpd_man2html_script_cache_t ++ ++ /var/cache/man2html(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33698,7 +60327,20 @@ index 0000000..e3292a9 +Policy governs the access confined processes have to these files. +SELinux httpd_man2html_script policy is very flexible allowing users to setup their httpd_man2html_script processes in as secure a method as possible. +.PP -+The following file types are defined for httpd_man2html_script: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_man2html_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_man2html_script_cache_t '/srv/httpd_man2html_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_man2html_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_man2html_script: + + +.EX 
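Review bot: this hunk documents httpd_enable_cgi as "Disabled by default" while the httpd_mojomojo_script page later in this patch says "Enabled by default" for the very same boolean; only one can be right, and the default should be read once from policy rather than emitted differently per page. In the same hunk the STANDARD FILE CONTEXT example uses httpd_man2html_script_cache_t where every other page in this patch uses the domain's *_exec_t type, which suggests the example type is picked mechanically (first type listed) rather than chosen as a sensible content type; pick a content or rw type consistently across all pages.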
@@ -33716,6 +60358,10 @@ index 0000000..e3292a9 + +- Set files with the httpd_man2html_script_exec_t type, if you want to transition an executable to the httpd_man2html_script_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/man2html/cgi-bin/man/mansec, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/manwhatis + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -33724,22 +60370,6 @@ index 0000000..e3292a9 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_man2html_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B httpd_man2html_rw_content_t -+ -+ -+.br -+.B httpd_man2html_script_cache_t -+ -+ /var/cache/man2html(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -33750,6 +60380,9 @@ index 0000000..e3292a9 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -33761,15 +60394,15 @@ index 0000000..e3292a9 + +.SH "SEE ALSO" +selinux(8), httpd_man2html_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_mediawiki_script_selinux.8 b/man/man8/httpd_mediawiki_script_selinux.8 new file mode 100644 -index 0000000..eaf2b98 +index 0000000..ad18507 --- /dev/null +++ b/man/man8/httpd_mediawiki_script_selinux.8 -@@ -0,0 +1,97 @@ -+.TH "httpd_mediawiki_script_selinux" "8" "12-11-01" "httpd_mediawiki_script" "SELinux Policy documentation for httpd_mediawiki_script" +@@ -0,0 +1,177 @@ ++.TH "httpd_mediawiki_script_selinux" "8" "13-01-16" "httpd_mediawiki_script" "SELinux Policy documentation for httpd_mediawiki_script" +.SH "NAME" +httpd_mediawiki_script_selinux \- Security Enhanced Linux Policy for the httpd_mediawiki_script processes +.SH "DESCRIPTION" 
@@ -33785,9 +60418,11 @@ index 0000000..eaf2b98 + +.SH "ENTRYPOINTS" + -+The httpd_mediawiki_script_t SELinux type can be entered via the "httpd_mediawiki_script_exec_t,shell_exec_t,httpd_mediawiki_script_exec_t" file types. The default entrypoint paths for the httpd_mediawiki_script_t domain are the following:" ++The httpd_mediawiki_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_mediawiki_script_exec_t, httpd_mediawiki_script_exec_t\fP file types. + -+/usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc_tes, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc_tes ++The default entrypoint paths for the httpd_mediawiki_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc_tes, /usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc_tes +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running 
on the system +.PP 
@@ -33803,34 +60438,68 @@ index 0000000..eaf2b98 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_mediawiki_script_t ++can be used to make the process type httpd_mediawiki_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_mediawiki_script policy is very flexible allowing users to setup their httpd_mediawiki_script processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_mediawiki_script: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_mediawiki_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_mediawiki_script with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B httpd_mediawiki_script_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the httpd_mediawiki_script_exec_t type, if you want to transition an executable to the httpd_mediawiki_script_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -33842,7 +60511,48 @@ index 0000000..eaf2b98 + /var/www/wiki(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux httpd_mediawiki_script policy is very flexible allowing users to setup their httpd_mediawiki_script processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_mediawiki_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_mediawiki_script_exec_t '/srv/httpd_mediawiki_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_mediawiki_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_mediawiki_script: ++ ++ ++.EX ++.PP ++.B httpd_mediawiki_script_exec_t ++.EE ++ ++- Set files with the httpd_mediawiki_script_exec_t type, if you want to transition an executable to the httpd_mediawiki_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc_tes ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -33854,6 +60564,9 @@ index 0000000..eaf2b98 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -33865,15 +60578,15 @@ index 0000000..eaf2b98 + +.SH "SEE ALSO" +selinux(8), httpd_mediawiki_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_mojomojo_script_selinux.8 b/man/man8/httpd_mojomojo_script_selinux.8 new file mode 100644 -index 0000000..8ff95bf +index 0000000..1bc0810 --- /dev/null +++ b/man/man8/httpd_mojomojo_script_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "httpd_mojomojo_script_selinux" "8" "12-11-01" "httpd_mojomojo_script" "SELinux Policy documentation for httpd_mojomojo_script" +@@ -0,0 +1,185 @@ ++.TH "httpd_mojomojo_script_selinux" "8" "13-01-16" "httpd_mojomojo_script" "SELinux Policy documentation for httpd_mojomojo_script" +.SH "NAME" +httpd_mojomojo_script_selinux \- Security Enhanced Linux Policy for the httpd_mojomojo_script processes +.SH "DESCRIPTION" 
@@ -33889,9 +60602,11 @@ index 0000000..8ff95bf + +.SH "ENTRYPOINTS" + -+The httpd_mojomojo_script_t SELinux type can be entered via the "httpd_mojomojo_script_exec_t,shell_exec_t,httpd_mojomojo_script_exec_t" file types. The default entrypoint paths for the httpd_mojomojo_script_t domain are the following:" ++The httpd_mojomojo_script_t SELinux type can be entered via the \fBhttpd_mojomojo_script_exec_t, shell_exec_t, httpd_mojomojo_script_exec_t\fP file types. + -+/usr/bin/mojomojo_fastcgi\.pl, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/bin/mojomojo_fastcgi\.pl ++The default entrypoint paths for the httpd_mojomojo_script_t domain are the following: ++ ++/usr/bin/mojomojo_fastcgi\.pl, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/bin/mojomojo_fastcgi\.pl +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -33907,8 +60622,90 @@ index 0000000..8ff95bf +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_mojomojo_script_t ++can be used to make the process type httpd_mojomojo_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_mojomojo_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_mojomojo_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_mojomojo_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_mojomojo_rw_content_t ++ ++ /var/lib/mojomojo(/.*)? ++.br ++ ++.br ++.B httpd_mojomojo_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33918,7 +60715,20 @@ index 0000000..8ff95bf +Policy governs the access confined processes have to these files. +SELinux httpd_mojomojo_script policy is very flexible allowing users to setup their httpd_mojomojo_script processes in as secure a method as possible. +.PP -+The following file types are defined for httpd_mojomojo_script: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_mojomojo_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_mojomojo_script_exec_t '/srv/httpd_mojomojo_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_mojomojo_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_mojomojo_script: + + +.EX 
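Review bot: the deny_ptrace paragraph in the BOOLEANS hunk contradicts the boolean's name: `If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean.` is followed by `setsebool -P deny_ptrace 1`, but turning deny_ptrace on denies ptrace, so the sentence should either describe the deny behaviour or pair the "allow" wording with `setsebool -P deny_ptrace 0`, and the stated "Enabled by default" should be checked against the policy's actual default. The httpd_enable_cgi paragraph says "Enabled by default" here while the munin, mythtv and nagios pages in the same patch say "Disabled by default" for the same boolean, so the generator is reporting inconsistent defaults. Minor: "Note the processes UID still need to have DAC permissions" should read "the process's UID still needs".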
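Review bot: the STANDARD FILE CONTEXT example in the FILE CONTEXTS hunk does not work as written: the rule `semanage fcontext -a -t httpd_mojomojo_script_exec_t '/srv/httpd_mojomojo_script/content(/.*)?'` is followed by `restorecon -R -v /srv/myhttpd_mojomojo_script_content`, a path the new rule does not match, so the relabel would leave that directory untouched; the two paths need to agree. The example also labels a whole directory named "content" with the domain's `_exec_t` type, which would make every file under it an entrypoint into httpd_mojomojo_script_t; for content the httpd_mojomojo_rw_content_t type from MANAGED FILES is the appropriate example, and the exec type should be shown on a single script. Typos: "diffent" and "sepecify".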
@@ -33936,22 +60746,6 @@ index 0000000..8ff95bf +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_mojomojo_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B httpd_mojomojo_rw_content_t -+ -+ /var/lib/mojomojo(/.*)? -+.br -+ -+.br -+.B httpd_mojomojo_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -33962,6 +60756,9 @@ index 0000000..8ff95bf +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
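Review bot: the added `semanage boolean` entry, `can also be used to manipulate the booleans`, is the only COMMANDS entry without a terminating period and is separated by blank lines instead of the `.PP` the sibling entries use; match the surrounding entries.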
@@ -33973,15 +60770,15 @@ index 0000000..8ff95bf + +.SH "SEE ALSO" +selinux(8), httpd_mojomojo_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_munin_script_selinux.8 b/man/man8/httpd_munin_script_selinux.8 new file mode 100644 -index 0000000..df7ae1a +index 0000000..337129b --- /dev/null +++ b/man/man8/httpd_munin_script_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "httpd_munin_script_selinux" "8" "12-11-01" "httpd_munin_script" "SELinux Policy documentation for httpd_munin_script" +@@ -0,0 +1,175 @@ ++.TH "httpd_munin_script_selinux" "8" "13-01-16" "httpd_munin_script" "SELinux Policy documentation for httpd_munin_script" +.SH "NAME" +httpd_munin_script_selinux \- Security Enhanced Linux Policy for the httpd_munin_script processes +.SH "DESCRIPTION" 
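Review bot: the regenerated SEE ALSO list still carries `httpd_selinux(8), httpd_selinux(8)` twice in a row, and the file still ends with `\ No newline at end of file`; both are generator output, so deduplicate the cross-reference list and emit a final newline in `sepolicy manpage` rather than patching each page.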
@@ -33997,9 +60794,11 @@ index 0000000..df7ae1a + +.SH "ENTRYPOINTS" + -+The httpd_munin_script_t SELinux type can be entered via the "httpd_munin_script_exec_t,shell_exec_t,httpd_munin_script_exec_t" file types. The default entrypoint paths for the httpd_munin_script_t domain are the following:" ++The httpd_munin_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_munin_script_exec_t, httpd_munin_script_exec_t\fP file types. + -+/var/www/html/munin/cgi(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/html/munin/cgi(/.*)? ++The default entrypoint paths for the httpd_munin_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/cgi-bin/munin.*, /var/www/html/cgi/munin.*, /var/www/html/munin/cgi(/.*)?, /var/www/cgi-bin/munin.*, /var/www/html/cgi/munin.*, /var/www/html/munin/cgi(/.*)? +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -34015,34 +60814,68 @@ index 0000000..df7ae1a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_munin_script_t ++can be used to make the process type httpd_munin_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_munin_script policy is very flexible allowing users to setup their httpd_munin_script processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_munin_script: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_munin_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_munin_script with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B httpd_munin_script_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the httpd_munin_script_exec_t type, if you want to transition an executable to the httpd_munin_script_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -34052,7 +60885,48 @@ index 0000000..df7ae1a +.B httpd_munin_rw_content_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux httpd_munin_script policy is very flexible allowing users to setup their httpd_munin_script processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_munin_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_munin_script_exec_t '/srv/httpd_munin_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_munin_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_munin_script: ++ ++ ++.EX ++.PP ++.B httpd_munin_script_exec_t ++.EE ++ ++- Set files with the httpd_munin_script_exec_t type, if you want to transition an executable to the httpd_munin_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/var/www/cgi-bin/munin.*, /var/www/html/cgi/munin.*, /var/www/html/munin/cgi(/.*)? ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
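Review bot: the relocated FILE CONTEXTS block keeps a broken troff escape in `You can see the context of a file using the \fB\-Z\fP option to \fBls\bP`: `\bP` is not a font escape and should be `\fP` to close the bold opened by `\fB`; the PROCESS TYPES section of every page in this patch has the same `\fBps\bP` typo. The munin semanage/restorecon example has the same mismatched paths as the mojomojo page (`'/srv/httpd_munin_script/content(/.*)?'` versus `/srv/myhttpd_munin_script_content`), so the relabel shown would not apply.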
@@ -34064,6 +60938,9 @@ index 0000000..df7ae1a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -34075,15 +60952,209 @@ index 0000000..df7ae1a + +.SH "SEE ALSO" +selinux(8), httpd_munin_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) +\ No newline at end of file +diff --git a/man/man8/httpd_mythtv_script_selinux.8 b/man/man8/httpd_mythtv_script_selinux.8 +new file mode 100644 +index 0000000..7a489ae +--- /dev/null ++++ b/man/man8/httpd_mythtv_script_selinux.8 +@@ -0,0 +1,187 @@ ++.TH "httpd_mythtv_script_selinux" "8" "13-01-16" "httpd_mythtv_script" "SELinux Policy documentation for httpd_mythtv_script" ++.SH "NAME" ++httpd_mythtv_script_selinux \- Security Enhanced Linux Policy for the httpd_mythtv_script processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the httpd_mythtv_script processes via flexible mandatory access control. ++ ++The httpd_mythtv_script processes execute with the httpd_mythtv_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep httpd_mythtv_script_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The httpd_mythtv_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_mythtv_script_exec_t, httpd_mythtv_script_exec_t\fP file types. 
++ ++The default entrypoint paths for the httpd_mythtv_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/mythweb/mythweb\.pl ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux httpd_mythtv_script policy is very flexible allowing users to setup their httpd_mythtv_script processes in as secure a method as possible. ++.PP ++The following process types are defined for httpd_mythtv_script: ++ ++.EX ++.B httpd_mythtv_script_t ++.EE ++.PP ++Note: ++.B semanage permissive -a httpd_mythtv_script_t ++can be used to make the process type httpd_mythtv_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_mythtv_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_mythtv_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_mythtv_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_mythtv_rw_content_t ++ ++ ++.br ++.B mythtv_var_lib_t ++ ++ /var/lib/mythtv(/.*)? ++.br ++ ++.br ++.B mythtv_var_log_t ++ ++ /var/log/mythtv(/.*)? ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. 
++SELinux httpd_mythtv_script policy is very flexible allowing users to setup their httpd_mythtv_script processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_mythtv_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_mythtv_script_exec_t '/srv/httpd_mythtv_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_mythtv_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_mythtv_script: ++ ++ ++.EX ++.PP ++.B httpd_mythtv_script_exec_t ++.EE ++ ++- Set files with the httpd_mythtv_script_exec_t type, if you want to transition an executable to the httpd_mythtv_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/mythweb/mythweb\.pl ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), httpd_mythtv_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_nagios_script_selinux.8 b/man/man8/httpd_nagios_script_selinux.8 new file mode 100644 -index 0000000..8bdd9ee +index 0000000..3222908 --- /dev/null +++ b/man/man8/httpd_nagios_script_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "httpd_nagios_script_selinux" "8" "12-11-01" "httpd_nagios_script" "SELinux Policy documentation for httpd_nagios_script" +@@ -0,0 +1,175 @@ ++.TH "httpd_nagios_script_selinux" "8" "13-01-16" "httpd_nagios_script" "SELinux Policy documentation for httpd_nagios_script" +.SH "NAME" +httpd_nagios_script_selinux \- Security Enhanced Linux Policy for the httpd_nagios_script processes +.SH "DESCRIPTION" 
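Review bot: the MANAGED FILES section of the new httpd_mythtv_script_selinux page states that httpd_mythtv_script_t can manage `mythtv_var_lib_t` (/var/lib/mythtv(/.*)?) and `mythtv_var_log_t` (/var/log/mythtv(/.*)?) in addition to its own httpd_mythtv_rw_content_t, i.e. the web CGI domain is documented with write (manage) access to the backend's state and log trees; worth confirming that this is the intended scope of the policy rather than read access, since administrators will rely on this page. The page also inherits the generator issues already noted: duplicated entrypoint types and paths, the inverted deny_ptrace text, the `\fBps\bP` and `\fBls\bP` escapes, the mismatched semanage/restorecon paths, and httpd_selinux(8) listed twice in SEE ALSO.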
@@ -34099,9 +61170,11 @@ index 0000000..8bdd9ee + +.SH "ENTRYPOINTS" + -+The httpd_nagios_script_t SELinux type can be entered via the "httpd_nagios_script_exec_t,shell_exec_t,httpd_nagios_script_exec_t" file types. The default entrypoint paths for the httpd_nagios_script_t domain are the following:" ++The httpd_nagios_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_nagios_script_exec_t, httpd_nagios_script_exec_t\fP file types. + -+/usr/lib/nagios/cgi(/.*)?, /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?, /usr/lib/cgi-bin/netsaint(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/nagios/cgi(/.*)?, /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?, /usr/lib/cgi-bin/netsaint(/.*)? ++The default entrypoint paths for the httpd_nagios_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/lib/nagios/cgi(/.*)?, /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?, /usr/lib/cgi-bin/netsaint(/.*)?, /usr/lib/nagios/cgi(/.*)?, /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?, /usr/lib/cgi-bin/netsaint(/.*)? 
+.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -34117,34 +61190,68 @@ index 0000000..8bdd9ee +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_nagios_script_t ++can be used to make the process type httpd_nagios_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_nagios_script policy is very flexible allowing users to setup their httpd_nagios_script processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_nagios_script: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_nagios_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_nagios_script with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B httpd_nagios_script_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the httpd_nagios_script_exec_t type, if you want to transition an executable to the httpd_nagios_script_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -34154,7 +61261,48 @@ index 0000000..8bdd9ee +.B httpd_nagios_rw_content_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux httpd_nagios_script policy is very flexible allowing users to setup their httpd_nagios_script processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_nagios_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_nagios_script_exec_t '/srv/httpd_nagios_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_nagios_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_nagios_script: ++ ++ ++.EX ++.PP ++.B httpd_nagios_script_exec_t ++.EE ++ ++- Set files with the httpd_nagios_script_exec_t type, if you want to transition an executable to the httpd_nagios_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/nagios/cgi(/.*)?, /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?, /usr/lib/cgi-bin/netsaint(/.*)? ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -34166,6 +61314,9 @@ index 0000000..8bdd9ee +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -34177,15 +61328,15 @@ index 0000000..8bdd9ee + +.SH "SEE ALSO" +selinux(8), httpd_nagios_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_nutups_cgi_script_selinux.8 b/man/man8/httpd_nutups_cgi_script_selinux.8 new file mode 100644 -index 0000000..6f120e5 +index 0000000..934627c --- /dev/null +++ b/man/man8/httpd_nutups_cgi_script_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "httpd_nutups_cgi_script_selinux" "8" "12-11-01" "httpd_nutups_cgi_script" "SELinux Policy documentation for httpd_nutups_cgi_script" +@@ -0,0 +1,183 @@ ++.TH "httpd_nutups_cgi_script_selinux" "8" "13-01-16" "httpd_nutups_cgi_script" "SELinux Policy documentation for httpd_nutups_cgi_script" +.SH "NAME" +httpd_nutups_cgi_script_selinux \- Security Enhanced Linux Policy for the httpd_nutups_cgi_script processes +.SH "DESCRIPTION" 
@@ -34201,9 +61352,11 @@ index 0000000..6f120e5 + +.SH "ENTRYPOINTS" + -+The httpd_nutups_cgi_script_t SELinux type can be entered via the "shell_exec_t,httpd_nutups_cgi_script_exec_t,httpd_nutups_cgi_script_exec_t" file types. The default entrypoint paths for the httpd_nutups_cgi_script_t domain are the following:" ++The httpd_nutups_cgi_script_t SELinux type can be entered via the \fBhttpd_nutups_cgi_script_exec_t, shell_exec_t, httpd_nutups_cgi_script_exec_t\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/nut-cgi-bin/upsset\.cgi, /var/www/nut-cgi-bin/upsimage\.cgi, /var/www/nut-cgi-bin/upsstats\.cgi, /var/www/nut-cgi-bin/upsset\.cgi, /var/www/nut-cgi-bin/upsimage\.cgi, /var/www/nut-cgi-bin/upsstats\.cgi ++The default entrypoint paths for the httpd_nutups_cgi_script_t domain are the following: ++ ++/var/www/nut-cgi-bin/upsset\.cgi, /var/www/nut-cgi-bin/upsimage\.cgi, /var/www/nut-cgi-bin/upsstats\.cgi, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/www/nut-cgi-bin/upsset\.cgi, /var/www/nut-cgi-bin/upsimage\.cgi, /var/www/nut-cgi-bin/upsstats\.cgi +.SH PROCESS TYPES +SELinux defines process types 
(domains) for each process running on the system +.PP 
@@ -34219,34 +61372,76 @@ index 0000000..6f120e5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_nutups_cgi_script_t ++can be used to make the process type httpd_nutups_cgi_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_nutups_cgi_script policy is very flexible allowing users to setup their httpd_nutups_cgi_script processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_nutups_cgi_script: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_nutups_cgi_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_nutups_cgi_script with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B httpd_nutups_cgi_script_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the httpd_nutups_cgi_script_exec_t type, if you want to transition an executable to the httpd_nutups_cgi_script_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -34256,7 +61451,48 @@ index 0000000..6f120e5 +.B httpd_nutups_cgi_rw_content_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux httpd_nutups_cgi_script policy is very flexible allowing users to setup their httpd_nutups_cgi_script processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_nutups_cgi_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_nutups_cgi_script_exec_t '/srv/httpd_nutups_cgi_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_nutups_cgi_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_nutups_cgi_script: ++ ++ ++.EX ++.PP ++.B httpd_nutups_cgi_script_exec_t ++.EE ++ ++- Set files with the httpd_nutups_cgi_script_exec_t type, if you want to transition an executable to the httpd_nutups_cgi_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/var/www/nut-cgi-bin/upsset\.cgi, /var/www/nut-cgi-bin/upsimage\.cgi, /var/www/nut-cgi-bin/upsstats\.cgi ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -34268,6 +61504,9 @@ index 0000000..6f120e5 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -34279,15 +61518,15 @@ index 0000000..6f120e5 + +.SH "SEE ALSO" +selinux(8), httpd_nutups_cgi_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_openshift_script_selinux.8 b/man/man8/httpd_openshift_script_selinux.8 new file mode 100644 -index 0000000..e19d72d +index 0000000..1f73187 --- /dev/null +++ b/man/man8/httpd_openshift_script_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "httpd_openshift_script_selinux" "8" "12-11-01" "httpd_openshift_script" "SELinux Policy documentation for httpd_openshift_script" +@@ -0,0 +1,171 @@ ++.TH "httpd_openshift_script_selinux" "8" "13-01-16" "httpd_openshift_script" "SELinux Policy documentation for httpd_openshift_script" +.SH "NAME" +httpd_openshift_script_selinux \- Security Enhanced Linux Policy for the httpd_openshift_script processes +.SH "DESCRIPTION" 
@@ -34303,9 +61542,11 @@ index 0000000..e19d72d + +.SH "ENTRYPOINTS" + -+The httpd_openshift_script_t SELinux type can be entered via the "httpd_openshift_script_exec_t,shell_exec_t,httpd_openshift_script_exec_t" file types. The default entrypoint paths for the httpd_openshift_script_t domain are the following:" ++The httpd_openshift_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_openshift_script_exec_t, httpd_openshift_script_exec_t\fP file types. + -+/usr/bin/(oo|rhc)-restorer-wrapper.sh, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/bin/(oo|rhc)-restorer-wrapper.sh ++The default entrypoint paths for the httpd_openshift_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/s?bin/(oo|rhc)-restorer-wrapper.sh, /usr/s?bin/(oo|rhc)-restorer-wrapper.sh +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -34321,8 +61562,76 @@ index 0000000..e19d72d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_openshift_script_t ++can be used to make the process type httpd_openshift_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_openshift_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_openshift_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_openshift_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_openshift_rw_content_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -34332,7 +61641,20 @@ index 0000000..e19d72d +Policy governs the access confined processes have to these files. +SELinux httpd_openshift_script policy is very flexible allowing users to setup their httpd_openshift_script processes in as secure a method as possible. +.PP -+The following file types are defined for httpd_openshift_script: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_openshift_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_openshift_script_exec_t '/srv/httpd_openshift_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_openshift_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_openshift_script: + + +.EX @@ -34350,16 +61672,6 @@ index 0000000..e19d72d +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_openshift_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B httpd_openshift_rw_content_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -34370,6 +61682,9 @@ index 0000000..e19d72d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -34381,15 +61696,15 @@ index 0000000..e19d72d + +.SH "SEE ALSO" +selinux(8), httpd_openshift_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_passwd_selinux.8 b/man/man8/httpd_passwd_selinux.8 new file mode 100644 -index 0000000..11ff56f +index 0000000..1bb6c61 --- /dev/null +++ b/man/man8/httpd_passwd_selinux.8 -@@ -0,0 +1,113 @@ -+.TH "httpd_passwd_selinux" "8" "12-11-01" "httpd_passwd" "SELinux Policy documentation for httpd_passwd" +@@ -0,0 +1,207 @@ ++.TH "httpd_passwd_selinux" "8" "13-01-16" "httpd_passwd" "SELinux Policy documentation for httpd_passwd" +.SH "NAME" +httpd_passwd_selinux \- Security Enhanced Linux Policy for the httpd_passwd processes +.SH "DESCRIPTION" @@ -34405,7 +61720,9 @@ index 0000000..11ff56f + +.SH "ENTRYPOINTS" + -+The httpd_passwd_t SELinux type can be entered via the "httpd_passwd_exec_t" file type. The default entrypoint paths for the httpd_passwd_t domain are the following:" ++The httpd_passwd_t SELinux type can be entered via the \fBhttpd_passwd_exec_t\fP file type. ++ ++The default entrypoint paths for the httpd_passwd_t domain are the following: + +/usr/libexec/httpd-ssl-pass-dialog +.SH PROCESS TYPES 
@@ -34423,8 +61740,112 @@ index 0000000..11ff56f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_passwd_t ++can be used to make the process type httpd_passwd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_passwd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_passwd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the httpd_passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the httpd_passwd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_passwd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -34434,7 +61855,20 @@ index 0000000..11ff56f +Policy governs the access confined processes have to these files. +SELinux httpd_passwd policy is very flexible allowing users to setup their httpd_passwd processes in as secure a method as possible. +.PP -+The following file types are defined for httpd_passwd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_passwd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_passwd_exec_t '/srv/httpd_passwd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_passwd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_passwd: + + +.EX @@ -34452,34 +61886,6 @@ index 0000000..11ff56f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_passwd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B systemd_passwd_var_run_t -+ -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the httpd_passwd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -34490,6 +61896,9 @@ index 0000000..11ff56f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -34501,15 +61910,15 @@ index 0000000..11ff56f + +.SH "SEE ALSO" +selinux(8), httpd_passwd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_php_selinux.8 b/man/man8/httpd_php_selinux.8 new file mode 100644 -index 0000000..6690ac0 +index 0000000..0d42b0b --- /dev/null +++ b/man/man8/httpd_php_selinux.8 -@@ -0,0 +1,117 @@ -+.TH "httpd_php_selinux" "8" "12-11-01" "httpd_php" "SELinux Policy documentation for httpd_php" +@@ -0,0 +1,172 @@ ++.TH "httpd_php_selinux" "8" "13-01-16" "httpd_php" "SELinux Policy documentation for httpd_php" +.SH "NAME" +httpd_php_selinux \- Security Enhanced Linux Policy for the httpd_php processes +.SH "DESCRIPTION" @@ -34525,7 +61934,9 @@ index 0000000..6690ac0 + +.SH "ENTRYPOINTS" + -+The httpd_php_t SELinux type can be entered via the "httpd_php_exec_t" file type. The default entrypoint paths for the httpd_php_t domain are the following:" ++The httpd_php_t SELinux type can be entered via the \fBhttpd_php_exec_t\fP file type. ++ ++The default entrypoint paths for the httpd_php_t domain are the following: + + +.SH PROCESS TYPES 
@@ -34543,55 +61954,97 @@ index 0000000..6690ac0 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_php_t ++can be used to make the process type httpd_php_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_php policy is very flexible allowing users to setup their httpd_php processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_php: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_php policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_php with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B httpd_php_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the httpd_php_exec_t type, if you want to transition an executable to the httpd_php_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B httpd_php_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the httpd_php_tmp_t type, if you want to store httpd php temporary files in the /tmp directories. 
++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + -+.SH "MANAGED FILES" ++.EX ++.B setsebool -P domain_kernel_load_modules 1 + -+The SELinux process type httpd_php_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++.EE + -+.br -+.B httpd_php_tmp_t ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_network_connect_db 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_php_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the httpd_php_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 @@ -34604,6 +62057,14 @@ index 0000000..6690ac0 +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_php_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_php_tmp_t ++ ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -34614,6 +62075,9 @@ index 0000000..6690ac0 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -34625,15 +62089,15 @@ index 0000000..6690ac0 + +.SH "SEE ALSO" +selinux(8), httpd_php(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_prewikka_script_selinux.8 b/man/man8/httpd_prewikka_script_selinux.8 new file mode 100644 -index 0000000..8b729f1 +index 0000000..12bb00b --- /dev/null +++ b/man/man8/httpd_prewikka_script_selinux.8 -@@ -0,0 +1,109 @@ -+.TH "httpd_prewikka_script_selinux" "8" "12-11-01" "httpd_prewikka_script" "SELinux Policy documentation for httpd_prewikka_script" +@@ -0,0 +1,211 @@ ++.TH "httpd_prewikka_script_selinux" "8" "13-01-16" "httpd_prewikka_script" "SELinux Policy documentation for httpd_prewikka_script" +.SH "NAME" +httpd_prewikka_script_selinux \- Security Enhanced Linux Policy for the httpd_prewikka_script processes +.SH "DESCRIPTION" 
@@ -34649,9 +62113,11 @@ index 0000000..8b729f1 + +.SH "ENTRYPOINTS" + -+The httpd_prewikka_script_t SELinux type can be entered via the "shell_exec_t,httpd_prewikka_script_exec_t,httpd_prewikka_script_exec_t" file types. The default entrypoint paths for the httpd_prewikka_script_t domain are the following:" ++The httpd_prewikka_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_prewikka_script_exec_t, httpd_prewikka_script_exec_t\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/prewikka/cgi-bin(/.*)?, /usr/share/prewikka/cgi-bin(/.*)? ++The default entrypoint paths for the httpd_prewikka_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/prewikka/cgi-bin(/.*)?, /usr/share/prewikka/cgi-bin(/.*)? +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -34667,8 +62133,116 @@ index 0000000..8b729f1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_prewikka_script_t ++can be used to make the process type httpd_prewikka_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_prewikka_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_prewikka_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the httpd_prewikka_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_prewikka_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_prewikka_rw_content_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -34678,7 +62252,20 @@ index 0000000..8b729f1 +Policy governs the access confined processes have to these files. +SELinux httpd_prewikka_script policy is very flexible allowing users to setup their httpd_prewikka_script processes in as secure a method as possible. +.PP -+The following file types are defined for httpd_prewikka_script: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_prewikka_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_prewikka_script_exec_t '/srv/httpd_prewikka_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_prewikka_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_prewikka_script: + + +.EX @@ -34696,30 +62283,6 @@ index 0000000..8b729f1 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_prewikka_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B httpd_prewikka_rw_content_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_prewikka_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -34730,6 +62293,9 @@ index 0000000..8b729f1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -34741,15 +62307,15 @@ index 0000000..8b729f1 + +.SH "SEE ALSO" +selinux(8), httpd_prewikka_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_rotatelogs_selinux.8 b/man/man8/httpd_rotatelogs_selinux.8 new file mode 100644 -index 0000000..bbe80c8 +index 0000000..8ffa33c --- /dev/null +++ b/man/man8/httpd_rotatelogs_selinux.8 -@@ -0,0 +1,121 @@ -+.TH "httpd_rotatelogs_selinux" "8" "12-11-01" "httpd_rotatelogs" "SELinux Policy documentation for httpd_rotatelogs" +@@ -0,0 +1,223 @@ ++.TH "httpd_rotatelogs_selinux" "8" "13-01-16" "httpd_rotatelogs" "SELinux Policy documentation for httpd_rotatelogs" +.SH "NAME" +httpd_rotatelogs_selinux \- Security Enhanced Linux Policy for the httpd_rotatelogs processes +.SH "DESCRIPTION" @@ -34765,7 +62331,9 @@ index 0000000..bbe80c8 + +.SH "ENTRYPOINTS" + -+The httpd_rotatelogs_t SELinux type can be entered via the "httpd_rotatelogs_exec_t" file type. The default entrypoint paths for the httpd_rotatelogs_t domain are the following:" ++The httpd_rotatelogs_t SELinux type can be entered via the \fBhttpd_rotatelogs_exec_t\fP file type. ++ ++The default entrypoint paths for the httpd_rotatelogs_t domain are the following: + +/usr/sbin/rotatelogs +.SH PROCESS TYPES 
@@ -34783,34 +62351,76 @@ index 0000000..bbe80c8 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_rotatelogs_t ++can be used to make the process type httpd_rotatelogs_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_rotatelogs policy is very flexible allowing users to setup their httpd_rotatelogs processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_rotatelogs: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_rotatelogs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_rotatelogs with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B httpd_rotatelogs_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the httpd_rotatelogs_exec_t type, if you want to transition an executable to the httpd_rotatelogs_t domain. ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -34827,6 +62437,8 @@ index 0000000..bbe80c8 +.br + /var/log/apache(2)?(/.*)? +.br ++ /var/log/php-fpm(/.*)? ++.br + /var/log/cherokee(/.*)? +.br + /var/log/lighttpd(/.*)? 
@@ -34843,10 +62455,63 @@ index 0000000..bbe80c8 +.br + /var/log/dirsrv/admin-serv(/.*)? +.br ++ /var/lib/openshift/\.log/httpd(/.*)? ++.br ++ /var/www/openshift/console/log(/.*)? ++.br ++ /var/www/openshift/broker/httpd/logs(/.*)? ++.br ++ /var/www/openshift/console/httpd/logs(/.*)? ++.br + /etc/httpd/logs +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux httpd_rotatelogs policy is very flexible allowing users to setup their httpd_rotatelogs processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_rotatelogs, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_rotatelogs_exec_t '/srv/httpd_rotatelogs/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_rotatelogs_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_rotatelogs: ++ ++ ++.EX ++.PP ++.B httpd_rotatelogs_exec_t ++.EE ++ ++- Set files with the httpd_rotatelogs_exec_t type, if you want to transition an executable to the httpd_rotatelogs_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -34858,6 +62523,9 @@ index 0000000..bbe80c8 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -34869,13 +62537,13 @@ index 0000000..bbe80c8 + +.SH "SEE ALSO" +selinux(8), httpd_rotatelogs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 -index 16e8b13..d05f08b 100644 +index 16e8b13..ed5fb0a 100644 --- a/man/man8/httpd_selinux.8 +++ b/man/man8/httpd_selinux.8 -@@ -1,120 +1,2164 @@ +@@ -1,120 +1,2305 @@ -.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation" -.de EX -.nf @@ -34885,7 +62553,7 @@ index 16e8b13..d05f08b 100644 -.ft R -.fi -.. -+.TH "httpd_selinux" "8" "12-11-01" "httpd" "SELinux Policy documentation for httpd" ++.TH "httpd_selinux" "8" "13-01-16" "httpd" "SELinux Policy documentation for httpd" .SH "NAME" -httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon +httpd_selinux \- Security Enhanced Linux Policy for the httpd processes @@ -34910,9 +62578,11 @@ index 16e8b13..d05f08b 100644 + +.SH "ENTRYPOINTS" + -+The httpd_t SELinux type can be entered via the "httpd_exec_t" file type. The default entrypoint paths for the httpd_t domain are the following:" ++The httpd_t SELinux type can be entered via the \fBhttpd_exec_t\fP file type. + -+/usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails ++The default entrypoint paths for the httpd_t domain are the following: ++ ++/usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -34924,553 +62594,886 @@ index 16e8b13..d05f08b 100644 +The following process types are defined for httpd: + +.EX -+.B httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_mojomojo_script_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_zoneminder_script_t, httpd_openshift_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_t, httpd_man2html_script_t, httpd_passwd_t, httpd_helper_t, httpd_squid_script_t, httpd_cobbler_script_t, httpd_mediawiki_script_t ++.B httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_mojomojo_script_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_zoneminder_script_t, httpd_openshift_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_t, httpd_man2html_script_t, httpd_passwd_t, httpd_helper_t, httpd_squid_script_t, httpd_mythtv_script_t, httpd_webalizer_script_t, httpd_mediawiki_script_t +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_t ++can be used to make the process type httpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. 
httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. + + +.PP -+If you want to allow httpd processes to manage IPA content, you must turn on the httpd_manage_ipa boolean. -+ -+.EX -+.B setsebool -P httpd_manage_ipa 1 -+.EE -+ -+.PP -+If you want to allow Apache to run in stickshift mode, not transition to passenger, you must turn on the httpd_run_stickshift boolean. -+ -+.EX -+.B setsebool -P httpd_run_stickshift 1 -+.EE -+ -+.PP -+If you want to allow httpd to access FUSE file systems, you must turn on the httpd_use_fusefs boolean. -+ -+.EX -+.B setsebool -P httpd_use_fusefs 1 -+.EE -+ -+.PP -+If you want to allow httpd to access openstack ports, you must turn on the httpd_use_openstack boolean. -+ -+.EX -+.B setsebool -P httpd_use_openstack 1 -+.EE -+ -+.PP -+If you want to allow httpd to connect to the ldap port, you must turn on the httpd_can_connect_ldap boolean. -+ -+.EX -+.B setsebool -P httpd_can_connect_ldap 1 -+.EE -+ -+.PP -+If you want to allow httpd daemon to change its resource limits, you must turn on the httpd_setrlimit boolean. -+ -+.EX -+.B setsebool -P httpd_setrlimit 1 -+.EE -+ -+.PP -+If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean. -+ -+.EX -+.B setsebool -P httpd_use_oddjob 1 -+.EE -+ -+.PP -+If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean. -+ -+.EX -+.B setsebool -P httpd_enable_ftp_server 1 -+.EE -+ -+.PP -+If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean. -+ -+.EX -+.B setsebool -P httpd_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow httpd to act as a relay, you must turn on the httpd_can_network_relay boolean. 
-+ -+.EX -+.B setsebool -P httpd_can_network_relay 1 -+.EE -+ -+.PP -+If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean. -+ -+.EX -+.B setsebool -P httpd_can_check_spam 1 -+.EE -+ -+.PP -+If you want to unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal, you must turn on the httpd_tty_comm boolean. -+ -+.EX -+.B setsebool -P httpd_tty_comm 1 -+.EE -+ -+.PP -+If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean. -+ -+.EX -+.B setsebool -P httpd_unified 1 -+.EE -+ -+.PP -+If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean. -+ -+.EX -+.B setsebool -P httpd_can_network_memcache 1 -+.EE -+ -+.PP -+If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean. -+ -+.EX -+.B setsebool -P httpd_graceful_shutdown 1 -+.EE -+ -+.PP -+If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean. -+ -+.EX -+.B setsebool -P httpd_use_gpg 1 -+.EE -+ -+.PP -+If you want to allow httpd to use built in scripting (usually php), you must turn on the httpd_builtin_scripting boolean. ++If you want to allow httpd to use built in scripting (usually php), you must turn on the httpd_builtin_scripting boolean. Enabled by default. + +.EX +.B setsebool -P httpd_builtin_scripting 1 ++ +.EE + +.PP -+If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. -+ -+.EX -+.B setsebool -P httpd_can_sendmail 1 -+.EE -+ -+.PP -+If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. -+ -+.EX -+.B setsebool -P httpd_enable_cgi 1 -+.EE -+ -+.PP -+If you want to allow Apache to use mod_auth_pam, you must turn on the httpd_mod_auth_pam boolean. 
-+ -+.EX -+.B setsebool -P httpd_mod_auth_pam 1 -+.EE -+ -+.PP -+If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean. -+ -+.EX -+.B setsebool -P httpd_read_user_content 1 -+.EE -+ -+.PP -+If you want to allow Apache to query NS records, you must turn on the httpd_verify_dns boolean. -+ -+.EX -+.B setsebool -P httpd_verify_dns 1 -+.EE -+ -+.PP -+If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean. -+ -+.EX -+.B setsebool -P named_bind_http_port 1 -+.EE -+ -+.PP -+If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean. -+ -+.EX -+.B setsebool -P httpd_can_connect_ftp 1 -+.EE -+ -+.PP -+If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean. -+ -+.EX -+.B setsebool -P httpd_can_network_connect_cobbler 1 -+.EE -+ -+.PP -+If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean. -+ -+.EX -+.B setsebool -P httpd_mod_auth_ntlm_winbind 1 -+.EE -+ -+.PP -+If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean. -+ -+.EX -+.B setsebool -P httpd_dbus_avahi 1 -+.EE -+ -+.PP -+If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean. -+ -+.EX -+.B setsebool -P httpd_enable_homedirs 1 -+.EE -+ -+.PP -+If you want to allow HTTPD to run SSI executables in the same domain as system CGI scripts, you must turn on the httpd_ssi_exec boolean. -+ -+.EX -+.B setsebool -P httpd_ssi_exec 1 -+.EE -+ -+.PP -+If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean. 
-+ -+.EX -+.B setsebool -P httpd_tmp_exec 1 -+.EE -+ -+.PP -+If you want to allow httpd to access cifs file systems, you must turn on the httpd_use_cifs boolean. -+ -+.EX -+.B setsebool -P httpd_use_cifs 1 -+.EE -+ -+.PP -+If you want to allow httpd scripts and modules execmem/execstack, you must turn on the httpd_execmem boolean. -+ -+.EX -+.B setsebool -P httpd_execmem 1 -+.EE -+ -+.PP -+If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean. -+ -+.EX -+.B setsebool -P httpd_can_connect_zabbix 1 -+.EE -+ -+.PP -+If you want to allow HTTPD scripts and modules to connect to the network using TCP, you must turn on the httpd_can_network_connect boolean. -+ -+.EX -+.B setsebool -P httpd_can_network_connect 1 -+.EE -+ -+.PP -+If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean. -+ -+.EX -+.B setsebool -P httpd_can_network_connect_db 1 -+.EE -+ -+.PP -+If you want to allow httpd processes to manage IPA content, you must turn on the httpd_manage_ipa boolean. -+ -+.EX -+.B setsebool -P httpd_manage_ipa 1 -+.EE -+ -+.PP -+If you want to allow Apache to run in stickshift mode, not transition to passenger, you must turn on the httpd_run_stickshift boolean. -+ -+.EX -+.B setsebool -P httpd_run_stickshift 1 -+.EE -+ -+.PP -+If you want to allow httpd to access FUSE file systems, you must turn on the httpd_use_fusefs boolean. -+ -+.EX -+.B setsebool -P httpd_use_fusefs 1 -+.EE -+ -+.PP -+If you want to allow httpd to access openstack ports, you must turn on the httpd_use_openstack boolean. -+ -+.EX -+.B setsebool -P httpd_use_openstack 1 -+.EE -+ -+.PP -+If you want to allow httpd to connect to the ldap port, you must turn on the httpd_can_connect_ldap boolean. 
-+ -+.EX -+.B setsebool -P httpd_can_connect_ldap 1 -+.EE -+ -+.PP -+If you want to allow httpd daemon to change its resource limits, you must turn on the httpd_setrlimit boolean. -+ -+.EX -+.B setsebool -P httpd_setrlimit 1 -+.EE -+ -+.PP -+If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean. -+ -+.EX -+.B setsebool -P httpd_use_oddjob 1 -+.EE -+ -+.PP -+If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean. -+ -+.EX -+.B setsebool -P httpd_enable_ftp_server 1 -+.EE -+ -+.PP -+If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean. -+ -+.EX -+.B setsebool -P httpd_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow httpd to act as a relay, you must turn on the httpd_can_network_relay boolean. -+ -+.EX -+.B setsebool -P httpd_can_network_relay 1 -+.EE -+ -+.PP -+If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean. ++If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean. Disabled by default. + +.EX +.B setsebool -P httpd_can_check_spam 1 ++ +.EE + +.PP -+If you want to unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal, you must turn on the httpd_tty_comm boolean. -+ -+.EX -+.B setsebool -P httpd_tty_comm 1 -+.EE -+ -+.PP -+If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean. -+ -+.EX -+.B setsebool -P httpd_unified 1 -+.EE -+ -+.PP -+If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean. -+ -+.EX -+.B setsebool -P httpd_can_network_memcache 1 -+.EE -+ -+.PP -+If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean. 
-+ -+.EX -+.B setsebool -P httpd_graceful_shutdown 1 -+.EE -+ -+.PP -+If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean. -+ -+.EX -+.B setsebool -P httpd_use_gpg 1 -+.EE -+ -+.PP -+If you want to allow httpd to use built in scripting (usually php), you must turn on the httpd_builtin_scripting boolean. -+ -+.EX -+.B setsebool -P httpd_builtin_scripting 1 -+.EE -+ -+.PP -+If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. -+ -+.EX -+.B setsebool -P httpd_can_sendmail 1 -+.EE -+ -+.PP -+If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. -+ -+.EX -+.B setsebool -P httpd_enable_cgi 1 -+.EE -+ -+.PP -+If you want to allow Apache to use mod_auth_pam, you must turn on the httpd_mod_auth_pam boolean. -+ -+.EX -+.B setsebool -P httpd_mod_auth_pam 1 -+.EE -+ -+.PP -+If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean. -+ -+.EX -+.B setsebool -P httpd_read_user_content 1 -+.EE -+ -+.PP -+If you want to allow Apache to query NS records, you must turn on the httpd_verify_dns boolean. -+ -+.EX -+.B setsebool -P httpd_verify_dns 1 -+.EE -+ -+.PP -+If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean. -+ -+.EX -+.B setsebool -P named_bind_http_port 1 -+.EE -+ -+.PP -+If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean. ++If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean. Disabled by default. + +.EX +.B setsebool -P httpd_can_connect_ftp 1 ++ +.EE + +.PP -+If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean. 
++If you want to allow httpd to connect to the ldap port, you must turn on the httpd_can_connect_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_can_network_connect_cobbler 1 ++.B setsebool -P httpd_can_connect_ldap 1 ++ +.EE + +.PP -+If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean. -+ -+.EX -+.B setsebool -P httpd_mod_auth_ntlm_winbind 1 -+.EE -+ -+.PP -+If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean. -+ -+.EX -+.B setsebool -P httpd_dbus_avahi 1 -+.EE -+ -+.PP -+If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean. -+ -+.EX -+.B setsebool -P httpd_enable_homedirs 1 -+.EE -+ -+.PP -+If you want to allow HTTPD to run SSI executables in the same domain as system CGI scripts, you must turn on the httpd_ssi_exec boolean. -+ -+.EX -+.B setsebool -P httpd_ssi_exec 1 -+.EE -+ -+.PP -+If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean. -+ -+.EX -+.B setsebool -P httpd_tmp_exec 1 -+.EE -+ -+.PP -+If you want to allow httpd to access cifs file systems, you must turn on the httpd_use_cifs boolean. -+ -+.EX -+.B setsebool -P httpd_use_cifs 1 -+.EE -+ -+.PP -+If you want to allow httpd scripts and modules execmem/execstack, you must turn on the httpd_execmem boolean. -+ -+.EX -+.B setsebool -P httpd_execmem 1 -+.EE -+ -+.PP -+If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean. ++If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean. Disabled by default. + +.EX +.B setsebool -P httpd_can_connect_zabbix 1 ++ +.EE + +.PP -+If you want to allow HTTPD scripts and modules to connect to the network using TCP, you must turn on the httpd_can_network_connect boolean. 
++If you want to allow HTTPD scripts and modules to connect to the network using TCP, you must turn on the httpd_can_network_connect boolean. Disabled by default. + +.EX +.B setsebool -P httpd_can_network_connect 1 ++ +.EE + +.PP -+If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean. ++If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean. Disabled by default. + +.EX +.B setsebool -P httpd_can_network_connect_db 1 ++ +.EE + -+.SH SHARING FILES -+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. -+.TP -+Allow httpd servers to read the /var/httpd directory by adding the public_content_t file type to the directory and by restoring the file type. +.PP -+.B -+semanage fcontext -a -t public_content_t "/var/httpd(/.*)?" ++If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_network_memcache 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to act as a relay, you must turn on the httpd_can_network_relay boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_network_relay 1 ++ ++.EE ++ ++.PP ++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to allow Apache to communicate with avahi service via dbus, you must turn on the httpd_dbus_avahi boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P httpd_dbus_avahi 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_ftp_server 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_homedirs 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd scripts and modules execmem/execstack, you must turn on the httpd_execmem boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_graceful_shutdown 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd processes to manage IPA content, you must turn on the httpd_manage_ipa boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_manage_ipa 1 ++ ++.EE ++ ++.PP ++If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_mod_auth_ntlm_winbind 1 ++ ++.EE ++ ++.PP ++If you want to allow Apache to use mod_auth_pam, you must turn on the httpd_mod_auth_pam boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_mod_auth_pam 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P httpd_read_user_content 1 ++ ++.EE ++ ++.PP ++If you want to allow Apache to run in stickshift mode, not transition to passenger, you must turn on the httpd_run_stickshift boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_run_stickshift 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd daemon to change its resource limits, you must turn on the httpd_setrlimit boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_setrlimit 1 ++ ++.EE ++ ++.PP ++If you want to allow HTTPD to run SSI executables in the same domain as system CGI scripts, you must turn on the httpd_ssi_exec boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_ssi_exec 1 ++ ++.EE ++ ++.PP ++If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_tmp_exec 1 ++ ++.EE ++ ++.PP ++If you want to unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal, you must turn on the httpd_tty_comm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_tty_comm 1 ++ ++.EE ++ ++.PP ++If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_unified 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to access cifs file systems, you must turn on the httpd_use_cifs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_use_cifs 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to access FUSE file systems, you must turn on the httpd_use_fusefs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_use_fusefs 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to run gpg, you must turn on the httpd_use_gpg boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_use_gpg 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P httpd_use_nfs 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to access openstack ports, you must turn on the httpd_use_openstack boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_use_openstack 1 ++ ++.EE ++ ++.PP ++If you want to allow Apache to query NS records, you must turn on the httpd_verify_dns boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_verify_dns 1 ++ ++.EE ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Git system daemon can access cifs file systems, you must turn on the git_system_use_cifs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P git_system_use_cifs 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Git system daemon can access nfs file systems, you must turn on the git_system_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P git_system_use_nfs 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible. ++.PP ++The following port types are defined for httpd: ++ ++.EX ++.TP 5 ++.B http_cache_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 8080,8118,8123,10001-10010 ++.EE ++udp 3130 ++.EE ++ ++.EX ++.TP 5 ++.B http_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 80,81,443,488,8008,8009,8443,9000 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ +.br -+.B restorecon -F -R -v /var/httpd -+.pp -+.TP -+Allow httpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpdd_anon_write boolean to be set. 
-+.PP -+.B -+semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?" ++.B abrt_retrace_spool_t ++ ++ /var/spool/abrt-retrace(/.*)? +.br -+.B restorecon -F -R -v /var/httpd/incoming ++ /var/spool/retrace-server(/.*)? ++.br ++ ++.br ++.B cifs_t + + -+.PP -+If you want to allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t., you must turn on the httpd_anon_write boolean. ++.br ++.B dirsrv_config_t + -+.EX -+.B setsebool -P httpd_anon_write 1 -+.EE ++ /etc/dirsrv(/.*)? ++.br + -+.PP -+If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean. ++.br ++.B dirsrv_var_log_t + -+.EX -+.B setsebool -P httpd_sys_script_anon_write 1 -+.EE ++ /var/log/dirsrv(/.*)? ++.br + -+.PP -+If you want to allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t., you must turn on the httpd_anon_write boolean. ++.br ++.B dirsrv_var_run_t + -+.EX -+.B setsebool -P httpd_anon_write 1 -+.EE ++ /var/run/dirsrv(/.*)? ++.br + -+.PP -+If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean. ++.br ++.B dirsrvadmin_config_t + -+.EX -+.B setsebool -P httpd_sys_script_anon_write 1 -+.EE ++ /etc/dirsrv/dsgw(/.*)? ++.br ++ /etc/dirsrv/admin-serv(/.*)? ++.br ++ ++.br ++.B dirsrvadmin_tmp_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B httpd_apcupsd_cgi_rw_content_t ++ ++ ++.br ++.B httpd_awstats_rw_content_t ++ ++ ++.br ++.B httpd_bugzilla_rw_content_t ++ ++ /var/lib/bugzilla(/.*)? ++.br ++ ++.br ++.B httpd_cache_t ++ ++ /var/cache/rt(3|4)(/.*)? ++.br ++ /var/cache/ssl.*\.sem ++.br ++ /var/cache/mod_.* ++.br ++ /var/cache/php-.* ++.br ++ /var/cache/httpd(/.*)? ++.br ++ /var/cache/mason(/.*)? 
++.br ++ /var/cache/mod_ssl(/.*)? ++.br ++ /var/cache/lighttpd(/.*)? ++.br ++ /var/cache/mediawiki(/.*)? ++.br ++ /var/cache/mod_proxy(/.*)? ++.br ++ /var/cache/mod_gnutls(/.*)? ++.br ++ /var/cache/php-mmcache(/.*)? ++.br ++ /var/cache/php-eaccelerator(/.*)? ++.br ++ ++.br ++.B httpd_collectd_rw_content_t ++ ++ ++.br ++.B httpd_cvs_rw_content_t ++ ++ ++.br ++.B httpd_dirsrvadmin_rw_content_t ++ ++ ++.br ++.B httpd_dspam_rw_content_t ++ ++ ++.br ++.B httpd_git_rw_content_t ++ ++ /var/cache/cgit(/.*)? ++.br ++ /var/cache/gitweb-caching(/.*)? ++.br ++ ++.br ++.B httpd_lock_t ++ ++ ++.br ++.B httpd_man2html_rw_content_t ++ ++ ++.br ++.B httpd_mediawiki_rw_content_t ++ ++ /var/www/wiki(/.*)? ++.br ++ ++.br ++.B httpd_mojomojo_rw_content_t ++ ++ /var/lib/mojomojo(/.*)? ++.br ++ ++.br ++.B httpd_munin_rw_content_t ++ ++ ++.br ++.B httpd_mythtv_rw_content_t ++ ++ ++.br ++.B httpd_nagios_rw_content_t ++ ++ ++.br ++.B httpd_nutups_cgi_rw_content_t ++ ++ ++.br ++.B httpd_openshift_rw_content_t ++ ++ ++.br ++.B httpd_prewikka_rw_content_t ++ ++ ++.br ++.B httpd_smokeping_cgi_rw_content_t ++ ++ ++.br ++.B httpd_squid_rw_content_t ++ ++ ++.br ++.B httpd_squirrelmail_t ++ ++ /var/lib/squirrelmail/prefs(/.*)? ++.br ++ ++.br ++.B httpd_sys_rw_content_t ++ ++ /etc/horde(/.*)? ++.br ++ /etc/drupal.* ++.br ++ /etc/z-push(/.*)? ++.br ++ /var/lib/svn(/.*)? ++.br ++ /var/www/svn(/.*)? ++.br ++ /etc/mock/koji(/.*)? ++.br ++ /var/www/html/[^/]*/sites/default/files(/.*)? ++.br ++ /var/www/html/[^/]*/sites/default/settings\.php ++.br ++ /var/lib/drupal.* ++.br ++ /etc/zabbix/web(/.*)? ++.br ++ /var/log/z-push(/.*)? ++.br ++ /var/spool/gosa(/.*)? ++.br ++ /etc/WebCalendar(/.*)? ++.br ++ /var/lib/dokuwiki(/.*)? ++.br ++ /var/spool/viewvc(/.*)? ++.br ++ /var/lib/pootle/po(/.*)? ++.br ++ /var/www/moodledata(/.*)? ++.br ++ /var/www/gallery/albums(/.*)? ++.br ++ /var/www/html/wp-content(/.*)? ++.br ++ /usr/share/wordpress-mu/wp-content(/.*)? ++.br ++ /usr/share/wordpress/wp-content/uploads(/.*)? 
++.br ++ /usr/share/wordpress/wp-content/upgrade(/.*)? ++.br ++ /etc/owncloud/config\.php ++.br ++ /var/www/html/configuration\.php ++.br ++ ++.br ++.B httpd_tmp_t ++ ++ /var/run/user/apache(/.*)? ++.br ++ /var/www/openshift/console/tmp(/.*)? ++.br ++ ++.br ++.B httpd_tmpfs_t ++ ++ ++.br ++.B httpd_user_rw_content_t ++ ++ ++.br ++.B httpd_var_lib_t ++ ++ /var/lib/rt(3|4)/data/RT-Shredder(/.*)? ++.br ++ /var/lib/dav(/.*)? ++.br ++ /var/lib/php(/.*)? ++.br ++ /var/lib/httpd(/.*)? ++.br ++ /var/lib/z-push(/.*)? ++.br ++ /var/lib/cherokee(/.*)? ++.br ++ /var/lib/lighttpd(/.*)? ++.br ++ ++.br ++.B httpd_var_run_t ++ ++ /var/run/mod_.* ++.br ++ /var/run/wsgi.* ++.br ++ /var/run/httpd.* ++.br ++ /var/run/apache.* ++.br ++ /var/run/php-fpm(/.*)? ++.br ++ /var/run/lighttpd(/.*)? ++.br ++ /var/lib/php/session(/.*)? ++.br ++ /var/run/dirsrv/admin-serv.* ++.br ++ /var/www/openshift/broker/httpd/run(/.*)? ++.br ++ /var/www/openshift/console/httpd/run(/.*)? ++.br ++ /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? ++.br ++ /var/run/gcache_port ++.br ++ /var/run/cherokee\.pid ++.br ++ ++.br ++.B httpd_w3c_validator_rw_content_t ++ ++ ++.br ++.B httpd_webalizer_rw_content_t ++ ++ ++.br ++.B httpd_zoneminder_rw_content_t ++ ++ ++.br ++.B httpdcontent ++ ++ ++.br ++.B jetty_cache_t ++ ++ /var/cache/jetty(/.*)? ++.br ++ ++.br ++.B jetty_log_t ++ ++ /var/log/jetty(/.*)? ++.br ++ ++.br ++.B jetty_var_lib_t ++ ++ /var/lib/jetty(/.*)? ++.br ++ ++.br ++.B jetty_var_run_t ++ ++ /var/run/jetty(/.*)? ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B memcached_var_run_t ++ ++ /var/run/memcached(/.*)? ++.br ++ /var/run/ipa_memcached(/.*)? 
++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B passenger_tmp_t ++ ++ ++.br ++.B passenger_var_lib_t ++ ++ /var/lib/passenger(/.*)? ++.br ++ ++.br ++.B passenger_var_run_t ++ ++ /var/run/passenger(/.*)? ++.br ++ ++.br ++.B pki_apache_config ++ ++ ++.br ++.B pki_apache_var_lib ++ ++ ++.br ++.B pki_apache_var_log ++ ++ ++.br ++.B public_content_rw_t ++ ++ /var/spool/abrt-upload(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B squirrelmail_spool_t ++ ++ /var/spool/squirrelmail(/.*)? ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br ++ ++.br ++.B zarafa_var_lib_t ++ ++ /var/lib/zarafa(/.*)? ++.br ++ /var/lib/zarafa-webapp(/.*)? ++.br ++ /var/lib/zarafa-webaccess(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -35480,7 +63483,39 @@ index 16e8b13..d05f08b 100644 +Policy governs the access confined processes have to these files. +SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible. +.PP -+The following file types are defined for httpd: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++httpd policy stores data with multiple different file context types under the /var/lib/php directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/php /srv/php ++.br ++.B restorecon -R -v /srv/php ++.PP ++ ++.PP ++httpd policy stores data with multiple different file context types under the /var/www directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/www /srv/www ++.br ++.B restorecon -R -v /srv/www ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_apcupsd_cgi_content_t '/srv/httpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd: + + +.EX 
@@ -35522,6 +63557,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_apcupsd_cgi_script_exec_t type, if you want to transition an executable to the httpd_apcupsd_cgi_script_t domain. + ++.br ++.TP 5 ++Paths: ++/var/www/cgi-bin/apcgui(/.*)?, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsfstats\.cgi + +.EX +.PP @@ -35618,46 +63657,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_cache_t type, if you want to store the files under the /var/cache directory. + -+ -+.EX -+.PP -+.B httpd_cobbler_content_t -+.EE -+ -+- Set files with the httpd_cobbler_content_t type, if you want to treat the files as httpd cobbler content. -+ -+ -+.EX -+.PP -+.B httpd_cobbler_htaccess_t -+.EE -+ -+- Set files with the httpd_cobbler_htaccess_t type, if you want to treat the file as a httpd cobbler access file. -+ -+ -+.EX -+.PP -+.B httpd_cobbler_ra_content_t -+.EE -+ -+- Set files with the httpd_cobbler_ra_content_t type, if you want to treat the files as httpd cobbler read/append content. -+ -+ -+.EX -+.PP -+.B httpd_cobbler_rw_content_t -+.EE -+ -+- Set files with the httpd_cobbler_rw_content_t type, if you want to treat the files as httpd cobbler read/write content. -+ -+ -+.EX -+.PP -+.B httpd_cobbler_script_exec_t -+.EE -+ -+- Set files with the httpd_cobbler_script_exec_t type, if you want to transition an executable to the httpd_cobbler_script_t domain. -+ ++.br ++.TP 5 ++Paths: ++/var/cache/rt(3|4)(/.*)?, /var/cache/ssl.*\.sem, /var/cache/mod_.*, /var/cache/php-.*, /var/cache/httpd(/.*)?, /var/cache/mason(/.*)?, /var/cache/mod_ssl(/.*)?, /var/cache/lighttpd(/.*)?, /var/cache/mediawiki(/.*)?, /var/cache/mod_proxy(/.*)?, /var/cache/mod_gnutls(/.*)?, /var/cache/php-mmcache(/.*)?, /var/cache/php-eaccelerator(/.*)? + +.EX +.PP 
@@ -35706,6 +63709,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_config_t type, if you want to treat the files as httpd configuration data, usually stored under the /etc directory. + ++.br ++.TP 5 ++Paths: ++/etc/httpd(/.*)?, /etc/apache(2)?(/.*)?, /etc/cherokee(/.*)?, /etc/lighttpd(/.*)?, /etc/apache-ssl(2)?(/.*)?, /var/lib/openshift/\.httpd\.d(/.*)?, /var/lib/stickshift/\.httpd\.d(/.*)?, /etc/vhosts + +.EX +.PP @@ -35746,6 +63753,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_cvs_script_exec_t type, if you want to transition an executable to the httpd_cvs_script_t domain. + ++.br ++.TP 5 ++Paths: ++/var/www/cgi-bin/cvsweb\.cgi, /usr/share/cvsweb/cvsweb\.cgi + +.EX +.PP @@ -35786,6 +63797,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_dirsrvadmin_script_exec_t type, if you want to transition an executable to the httpd_dirsrvadmin_script_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/dirsrv/cgi-bin(/.*)?, /usr/lib/dirsrv/dsgw-cgi-bin(/.*)? + +.EX +.PP @@ -35826,6 +63841,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_dspam_script_exec_t type, if you want to transition an executable to the httpd_dspam_script_t domain. + ++.br ++.TP 5 ++Paths: ++/var/www/dspam/.*\.cgi, /usr/share/dspam-web/dspam\.cgi + +.EX +.PP @@ -35834,6 +63853,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_exec_t type, if you want to transition an executable to the httpd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails + +.EX +.PP 
@@ -35866,6 +63889,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_git_rw_content_t type, if you want to treat the files as httpd git read/write content. + ++.br ++.TP 5 ++Paths: ++/var/cache/cgit(/.*)?, /var/cache/gitweb-caching(/.*)? + +.EX +.PP @@ -35874,6 +63901,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_git_script_exec_t type, if you want to transition an executable to the httpd_git_script_t domain. + ++.br ++.TP 5 ++Paths: ++/var/www/cgi-bin/cgit, /var/www/git/gitweb\.cgi, /var/www/gitweb-caching/gitweb\.cgi + +.EX +.PP @@ -35890,6 +63921,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_initrc_exec_t type, if you want to transition an executable to the httpd_initrc_t domain. + ++.br ++.TP 5 ++Paths: ++/etc/init\.d/cherokee, /etc/rc\.d/init\.d/httpd, /etc/rc\.d/init\.d/lighttpd + +.EX +.PP @@ -35914,6 +63949,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_log_t type, if you want to treat the data as httpd log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/www(/.*)?/logs(/.*)?, /var/log/cacti(/.*)?, /var/log/httpd(/.*)?, /var/log/apache(2)?(/.*)?, /var/log/php-fpm(/.*)?, /var/log/cherokee(/.*)?, /var/log/lighttpd(/.*)?, /var/log/suphp\.log.*, /var/log/apache-ssl(2)?(/.*)?, /var/log/cgiwrap\.log.*, /var/www/stickshift/[^/]*/log(/.*)?, /var/log/roundcubemail(/.*)?, /var/log/dirsrv/admin-serv(/.*)?, /var/lib/openshift/\.log/httpd(/.*)?, /var/www/openshift/console/log(/.*)?, /var/www/openshift/broker/httpd/logs(/.*)?, /var/www/openshift/console/httpd/logs(/.*)?, /etc/httpd/logs + +.EX +.PP @@ -35962,6 +64001,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_man2html_script_exec_t type, if you want to transition an executable to the httpd_man2html_script_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/man2html/cgi-bin/man/mansec, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/manwhatis + +.EX +.PP 
@@ -35970,6 +64013,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_mediawiki_content_t type, if you want to treat the files as httpd mediawiki content. + ++.br ++.TP 5 ++Paths: ++/var/www/wiki/.*\.php, /usr/share/mediawiki(/.*)? + +.EX +.PP @@ -36002,6 +64049,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_mediawiki_script_exec_t type, if you want to transition an executable to the httpd_mediawiki_script_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc_tes + +.EX +.PP @@ -36010,6 +64061,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_modules_t type, if you want to treat the files as httpd modules. + ++.br ++.TP 5 ++Paths: ++/usr/lib/httpd(/.*)?, /usr/lib/apache(/.*)?, /usr/lib/cherokee(/.*)?, /usr/lib/lighttpd(/.*)?, /usr/lib/apache2/modules(/.*)?, /etc/httpd/modules + +.EX +.PP 
@@ -36098,6 +64153,58 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_munin_script_exec_t type, if you want to transition an executable to the httpd_munin_script_t domain. + ++.br ++.TP 5 ++Paths: ++/var/www/cgi-bin/munin.*, /var/www/html/cgi/munin.*, /var/www/html/munin/cgi(/.*)? ++ ++.EX ++.PP ++.B httpd_mythtv_content_t ++.EE ++ ++- Set files with the httpd_mythtv_content_t type, if you want to treat the files as httpd mythtv content. ++ ++.br ++.TP 5 ++Paths: ++/usr/share/mythtv(/.*)?, /usr/share/mythweb(/.*)? ++ ++.EX ++.PP ++.B httpd_mythtv_htaccess_t ++.EE ++ ++- Set files with the httpd_mythtv_htaccess_t type, if you want to treat the file as a httpd mythtv access file. ++ ++ ++.EX ++.PP ++.B httpd_mythtv_ra_content_t ++.EE ++ ++- Set files with the httpd_mythtv_ra_content_t type, if you want to treat the files as httpd mythtv read/append content. ++ ++ ++.EX ++.PP ++.B httpd_mythtv_rw_content_t ++.EE ++ ++- Set files with the httpd_mythtv_rw_content_t type, if you want to treat the files as httpd mythtv read/write content. ++ ++ ++.EX ++.PP ++.B httpd_mythtv_script_exec_t ++.EE ++ ++- Set files with the httpd_mythtv_script_exec_t type, if you want to transition an executable to the httpd_mythtv_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/mythweb/mythweb\.pl + +.EX +.PP @@ -36138,6 +64245,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_nagios_script_exec_t type, if you want to transition an executable to the httpd_nagios_script_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/nagios/cgi(/.*)?, /usr/lib/cgi-bin/nagios(/.+)?, /usr/lib/nagios/cgi-bin(/.*)?, /usr/lib/cgi-bin/netsaint(/.*)? + +.EX +.PP 
@@ -36178,6 +64289,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_nutups_cgi_script_exec_t type, if you want to transition an executable to the httpd_nutups_cgi_script_t domain. + ++.br ++.TP 5 ++Paths: ++/var/www/nut-cgi-bin/upsset\.cgi, /var/www/nut-cgi-bin/upsimage\.cgi, /var/www/nut-cgi-bin/upsstats\.cgi + +.EX +.PP @@ -36259,7 +64374,10 @@ index 16e8b13..d05f08b 100644 +- Set files with the httpd_prewikka_htaccess_t type, if you want to treat the file as a httpd prewikka access file. + + -+.EX + .EX +-httpd_sys_content_t +-.EE +-- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access. +.PP +.B httpd_prewikka_ra_content_t +.EE @@ -36267,7 +64385,10 @@ index 16e8b13..d05f08b 100644 +- Set files with the httpd_prewikka_ra_content_t type, if you want to treat the files as httpd prewikka read/append content. + + -+.EX + .EX +-httpd_sys_script_exec_t +-.EE +-- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. +.PP +.B httpd_prewikka_rw_content_t +.EE 
@@ -36275,43 +64396,59 @@ index 16e8b13..d05f08b 100644 +- Set files with the httpd_prewikka_rw_content_t type, if you want to treat the files as httpd prewikka read/write content. + + -+.EX + .EX +-httpd_sys_content_rw_t +.PP +.B httpd_prewikka_script_exec_t -+.EE + .EE +-- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. + +- Set files with the httpd_prewikka_script_exec_t type, if you want to transition an executable to the httpd_prewikka_script_t domain. + + -+.EX + .EX +-httpd_sys_content_ra_t +.PP +.B httpd_rotatelogs_exec_t -+.EE + .EE +-- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access. + +- Set files with the httpd_rotatelogs_exec_t type, if you want to transition an executable to the httpd_rotatelogs_t domain. + + -+.EX + .EX +-httpd_unconfined_script_exec_t +-.EE +-- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. +.PP +.B httpd_smokeping_cgi_content_t +.EE -+ + +-.SH NOTE +-With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. +- Set files with the httpd_smokeping_cgi_content_t type, if you want to treat the files as httpd smokeping cgi content. -+ -+ -+.EX + +-.SH SHARING FILES +-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. 
If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: + + .EX +-setsebool -P allow_httpd_anon_write=1 +.PP +.B httpd_smokeping_cgi_htaccess_t -+.EE -+ + .EE + +-or +- Set files with the httpd_smokeping_cgi_htaccess_t type, if you want to treat the file as a httpd smokeping cgi access file. + -+ -+.EX + + .EX +-setsebool -P allow_httpd_sys_script_anon_write=1 +.PP +.B httpd_smokeping_cgi_ra_content_t -+.EE -+ + .EE + +-.SH BOOLEANS +-SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. +- Set files with the httpd_smokeping_cgi_ra_content_t type, if you want to treat the files as httpd smokeping cgi read/append content. + + @@ -36370,6 +64507,10 @@ index 16e8b13..d05f08b 100644 + +- Set files with the httpd_squid_script_exec_t type, if you want to transition an executable to the httpd_squid_script_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr\.cgi + +.EX +.PP 
@@ -36380,227 +64521,105 @@ index 16e8b13..d05f08b 100644 + + +.EX -+.PP + .PP +-httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this +.B httpd_suexec_exec_t +.EE + +- Set files with the httpd_suexec_exec_t type, if you want to transition an executable to the httpd_suexec_t domain. + -+ - .EX --httpd_sys_content_t --.EE --- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access. -+.PP -+.B httpd_suexec_tmp_t -+.EE -+ -+- Set files with the httpd_suexec_tmp_t type, if you want to store httpd suexec temporary files in the /tmp directories. -+ -+ - .EX --httpd_sys_script_exec_t --.EE --- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. -+.PP -+.B httpd_sys_content_t -+.EE -+ -+- Set files with the httpd_sys_content_t type, if you want to treat the files as httpd sys content. -+ -+ - .EX --httpd_sys_content_rw_t -+.PP -+.B httpd_sys_htaccess_t - .EE --- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. -+ -+- Set files with the httpd_sys_htaccess_t type, if you want to treat the file as a httpd sys access file. -+ -+ - .EX --httpd_sys_content_ra_t -+.PP -+.B httpd_sys_ra_content_t - .EE --- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access. -+ -+- Set files with the httpd_sys_ra_content_t type, if you want to treat the files as httpd sys read/append content. -+ -+ - .EX --httpd_unconfined_script_exec_t --.EE --- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. 
It is better to use this script rather than turning off SELinux protection for httpd. -+.PP -+.B httpd_sys_rw_content_t -+.EE - --.SH NOTE --With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. -+- Set files with the httpd_sys_rw_content_t type, if you want to treat the files as httpd sys read/write content. - --.SH SHARING FILES --If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: - - .EX --setsebool -P allow_httpd_anon_write=1 -+.PP -+.B httpd_sys_script_exec_t - .EE - --or -+- Set files with the httpd_sys_script_exec_t type, if you want to transition an executable to the httpd_sys_script_t domain. -+ - - .EX --setsebool -P allow_httpd_sys_script_anon_write=1 -+.PP -+.B httpd_tmp_t - .EE - --.SH BOOLEANS --SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. -+- Set files with the httpd_tmp_t type, if you want to store httpd temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B httpd_tmpfs_t -+.EE -+ -+- Set files with the httpd_tmpfs_t type, if you want to store httpd files on a tmpfs file system. -+ -+ -+.EX -+.PP -+.B httpd_unit_file_t -+.EE -+ -+- Set files with the httpd_unit_file_t type, if you want to treat the files as httpd unit content. 
-+ -+ -+.EX -+.PP -+.B httpd_user_content_t -+.EE -+ -+- Set files with the httpd_user_content_t type, if you want to treat the files as httpd user content. -+ -+ -+.EX -+.PP -+.B httpd_user_htaccess_t -+.EE -+ -+- Set files with the httpd_user_htaccess_t type, if you want to treat the file as a httpd user access file. -+ -+ -+.EX -+.PP -+.B httpd_user_ra_content_t -+.EE -+ -+- Set files with the httpd_user_ra_content_t type, if you want to treat the files as httpd user read/append content. -+ -+ -+.EX -+.PP -+.B httpd_user_rw_content_t -+.EE -+ -+- Set files with the httpd_user_rw_content_t type, if you want to treat the files as httpd user read/write content. -+ -+ -+.EX -+.PP -+.B httpd_user_script_exec_t -+.EE -+ -+- Set files with the httpd_user_script_exec_t type, if you want to transition an executable to the httpd_user_script_t domain. -+ -+ -+.EX - .PP --httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this -+.B httpd_var_lib_t -+.EE -+ -+- Set files with the httpd_var_lib_t type, if you want to store the httpd files under the /var/lib directory. -+ ++.br ++.TP 5 ++Paths: ++/usr/lib/apache(2)?/suexec(2)?, /usr/lib/cgi-bin/(nph-)?cgiwrap(d)?, /usr/sbin/suexec .EX -setsebool -P httpd_enable_cgi 1 +.PP -+.B httpd_var_run_t ++.B httpd_suexec_tmp_t .EE -+- Set files with the httpd_var_run_t type, if you want to store the httpd files under the /run directory. ++- Set files with the httpd_suexec_tmp_t type, if you want to store httpd suexec temporary files in the /tmp directories. + + +.EX .PP -SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. 
-+.B httpd_w3c_validator_content_t ++.B httpd_sys_content_t +.EE + -+- Set files with the httpd_w3c_validator_content_t type, if you want to treat the files as httpd w3c validator content. ++- Set files with the httpd_sys_content_t type, if you want to treat the files as httpd sys content. + ++.br ++.TP 5 ++Paths: ++/srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?, /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?, /var/www/icons(/.*)?, /usr/share/htdig(/.*)?, /usr/share/drupal.*, /usr/share/z-push(/.*)?, /var/www/svn/conf(/.*)?, /usr/share/icecast(/.*)?, /var/lib/cacti/rra(/.*)?, /usr/share/ntop/html(/.*)?, /usr/share/doc/ghc/html(/.*)?, /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-policy[^/]*/html(/.*)? .EX -setsebool -P httpd_enable_homedirs 1 -chcon -R -t httpd_sys_content_t ~user/public_html +.PP -+.B httpd_w3c_validator_htaccess_t ++.B httpd_sys_htaccess_t .EE -+- Set files with the httpd_w3c_validator_htaccess_t type, if you want to treat the file as a httpd w3c validator access file. ++- Set files with the httpd_sys_htaccess_t type, if you want to treat the file as a httpd sys access file. + + +.EX .PP -SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. -+.B httpd_w3c_validator_ra_content_t ++.B httpd_sys_ra_content_t +.EE + -+- Set files with the httpd_w3c_validator_ra_content_t type, if you want to treat the files as httpd w3c validator read/append content. ++- Set files with the httpd_sys_ra_content_t type, if you want to treat the files as httpd sys read/append content. 
+ .EX -setsebool -P httpd_tty_comm 1 +.PP -+.B httpd_w3c_validator_rw_content_t ++.B httpd_sys_rw_content_t .EE -+- Set files with the httpd_w3c_validator_rw_content_t type, if you want to treat the files as httpd w3c validator read/write content. ++- Set files with the httpd_sys_rw_content_t type, if you want to treat the files as httpd sys read/write content. + ++.br ++.TP 5 ++Paths: ++/etc/horde(/.*)?, /etc/drupal.*, /etc/z-push(/.*)?, /var/lib/svn(/.*)?, /var/www/svn(/.*)?, /etc/mock/koji(/.*)?, /var/www/html/[^/]*/sites/default/files(/.*)?, /var/www/html/[^/]*/sites/default/settings\.php, /var/lib/drupal.*, /etc/zabbix/web(/.*)?, /var/log/z-push(/.*)?, /var/spool/gosa(/.*)?, /etc/WebCalendar(/.*)?, /var/lib/dokuwiki(/.*)?, /var/spool/viewvc(/.*)?, /var/lib/pootle/po(/.*)?, /var/www/moodledata(/.*)?, /var/www/gallery/albums(/.*)?, /var/www/html/wp-content(/.*)?, /usr/share/wordpress-mu/wp-content(/.*)?, /usr/share/wordpress/wp-content/uploads(/.*)?, /usr/share/wordpress/wp-content/upgrade(/.*)?, /etc/owncloud/config\.php, /var/www/html/configuration\.php + +.EX .PP -httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another. -+.B httpd_w3c_validator_script_exec_t ++.B httpd_sys_script_exec_t +.EE + -+- Set files with the httpd_w3c_validator_script_exec_t type, if you want to transition an executable to the httpd_w3c_validator_script_t domain. ++- Set files with the httpd_sys_script_exec_t type, if you want to transition an executable to the httpd_sys_script_t domain. 
+ ++.br ++.TP 5 ++Paths: ++/usr/.*\.cgi, /opt/.*\.cgi, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*\.php, /usr/share/wordpress/wp-includes/.*\.php, /usr/share/wordpress-mu/wp-config\.php .EX -setsebool -P httpd_unified 0 +.PP -+.B httpd_w3c_validator_tmp_t ++.B httpd_tmp_t .EE -+- Set files with the httpd_w3c_validator_tmp_t type, if you want to store httpd w3c validator temporary files in the /tmp directories. ++- Set files with the httpd_tmp_t type, if you want to store httpd temporary files in the /tmp directories. + ++.br ++.TP 5 ++Paths: ++/var/run/user/apache(/.*)?, /var/www/openshift/console/tmp(/.*)? + +.EX .PP -SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. -+.B httpd_zoneminder_content_t ++.B httpd_tmpfs_t +.EE + -+- Set files with the httpd_zoneminder_content_t type, if you want to treat the files as httpd zoneminder content. ++- Set files with the httpd_tmpfs_t type, if you want to store httpd files on a tmpfs file system. + .EX 
@@ -36608,471 +64627,261 @@ index 16e8b13..d05f08b 100644 .PP -httpd can be configured to turn off internal scripting (PHP). PHP and other -loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts. -+.B httpd_zoneminder_htaccess_t ++.B httpd_unit_file_t +.EE + -+- Set files with the httpd_zoneminder_htaccess_t type, if you want to treat the file as a httpd zoneminder access file. ++- Set files with the httpd_unit_file_t type, if you want to treat the files as httpd unit content. + ++.br ++.TP 5 ++Paths: ++/usr/lib/systemd/system/httpd.*, /usr/lib/systemd/system/jetty.*, /usr/lib/systemd/system/php-fpm.* .EX -setsebool -P httpd_builtin_scripting 0 +.PP -+.B httpd_zoneminder_ra_content_t ++.B httpd_user_content_t .EE -+- Set files with the httpd_zoneminder_ra_content_t type, if you want to treat the files as httpd zoneminder read/append content. ++- Set files with the httpd_user_content_t type, if you want to treat the files as httpd user content. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/((www)|(web)|(public_html))(/.+)?, /home/pwalsh/((www)|(web)|(public_html))(/.+)?, /home/dwalsh/((www)|(web)|(public_html))(/.+)?, /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)? + +.EX .PP -SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. -This would prevent a hacker from breaking into you httpd server and attacking -other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. ++.B httpd_user_htaccess_t ++.EE ++ ++- Set files with the httpd_user_htaccess_t type, if you want to treat the file as a httpd user access file. 
++ ++.br ++.TP 5 ++Paths: ++/home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess, /home/pwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess, /home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess, /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess + + .EX +-setsebool -P httpd_can_network_connect 1 ++.PP ++.B httpd_user_ra_content_t + .EE + ++- Set files with the httpd_user_ra_content_t type, if you want to treat the files as httpd user read/append content. ++ ++.br ++.TP 5 ++Paths: ++/home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)?, /home/pwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?, /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)?, /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)? ++ ++.EX + .PP +-system-config-selinux is a GUI tool available to customize SELinux policy settings. +-.SH AUTHOR +-This manual page was written by Dan Walsh . ++.B httpd_user_rw_content_t ++.EE ++ ++- Set files with the httpd_user_rw_content_t type, if you want to treat the files as httpd user read/write content. + +-.SH "SEE ALSO" +-selinux(8), httpd(8), chcon(1), setsebool(8) + ++.EX ++.PP ++.B httpd_user_script_exec_t ++.EE ++ ++- Set files with the httpd_user_script_exec_t type, if you want to transition an executable to the httpd_user_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/pwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)? ++ ++.EX ++.PP ++.B httpd_var_lib_t ++.EE ++ ++- Set files with the httpd_var_lib_t type, if you want to store the httpd files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/rt(3|4)/data/RT-Shredder(/.*)?, /var/lib/dav(/.*)?, /var/lib/php(/.*)?, /var/lib/httpd(/.*)?, /var/lib/z-push(/.*)?, /var/lib/cherokee(/.*)?, /var/lib/lighttpd(/.*)? 
++ ++.EX ++.PP ++.B httpd_var_run_t ++.EE ++ ++- Set files with the httpd_var_run_t type, if you want to store the httpd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/mod_.*, /var/run/wsgi.*, /var/run/httpd.*, /var/run/apache.*, /var/run/php-fpm(/.*)?, /var/run/lighttpd(/.*)?, /var/lib/php/session(/.*)?, /var/run/dirsrv/admin-serv.*, /var/www/openshift/broker/httpd/run(/.*)?, /var/www/openshift/console/httpd/run(/.*)?, /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?, /var/run/gcache_port, /var/run/cherokee\.pid ++ ++.EX ++.PP ++.B httpd_w3c_validator_content_t ++.EE ++ ++- Set files with the httpd_w3c_validator_content_t type, if you want to treat the files as httpd w3c validator content. ++ ++ ++.EX ++.PP ++.B httpd_w3c_validator_htaccess_t ++.EE ++ ++- Set files with the httpd_w3c_validator_htaccess_t type, if you want to treat the file as a httpd w3c validator access file. ++ ++ ++.EX ++.PP ++.B httpd_w3c_validator_ra_content_t ++.EE ++ ++- Set files with the httpd_w3c_validator_ra_content_t type, if you want to treat the files as httpd w3c validator read/append content. ++ ++ ++.EX ++.PP ++.B httpd_w3c_validator_rw_content_t ++.EE ++ ++- Set files with the httpd_w3c_validator_rw_content_t type, if you want to treat the files as httpd w3c validator read/write content. ++ ++ ++.EX ++.PP ++.B httpd_w3c_validator_script_exec_t ++.EE ++ ++- Set files with the httpd_w3c_validator_script_exec_t type, if you want to transition an executable to the httpd_w3c_validator_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check ++ ++.EX ++.PP ++.B httpd_webalizer_content_t ++.EE ++ ++- Set files with the httpd_webalizer_content_t type, if you want to treat the files as httpd webalizer content. ++ ++ ++.EX ++.PP ++.B httpd_webalizer_htaccess_t ++.EE ++ ++- Set files with the httpd_webalizer_htaccess_t type, if you want to treat the file as a httpd webalizer access file. 
++ ++ ++.EX ++.PP ++.B httpd_webalizer_ra_content_t ++.EE ++ ++- Set files with the httpd_webalizer_ra_content_t type, if you want to treat the files as httpd webalizer read/append content. + ++ ++.EX ++.PP ++.B httpd_webalizer_rw_content_t ++.EE ++ ++- Set files with the httpd_webalizer_rw_content_t type, if you want to treat the files as httpd webalizer read/write content. ++ ++ ++.EX ++.PP ++.B httpd_webalizer_script_exec_t ++.EE ++ ++- Set files with the httpd_webalizer_script_exec_t type, if you want to transition an executable to the httpd_webalizer_script_t domain. ++ ++ ++.EX ++.PP ++.B httpd_zoneminder_content_t ++.EE ++ ++- Set files with the httpd_zoneminder_content_t type, if you want to treat the files as httpd zoneminder content. ++ ++ ++.EX ++.PP ++.B httpd_zoneminder_htaccess_t ++.EE ++ ++- Set files with the httpd_zoneminder_htaccess_t type, if you want to treat the file as a httpd zoneminder access file. ++ ++ ++.EX ++.PP ++.B httpd_zoneminder_ra_content_t ++.EE ++ ++- Set files with the httpd_zoneminder_ra_content_t type, if you want to treat the files as httpd zoneminder read/append content. ++ ++ ++.EX ++.PP +.B httpd_zoneminder_rw_content_t +.EE + +- Set files with the httpd_zoneminder_rw_content_t type, if you want to treat the files as httpd zoneminder read/write content. + - - .EX --setsebool -P httpd_can_network_connect 1 ++ ++.EX +.PP +.B httpd_zoneminder_script_exec_t - .EE - ++.EE ++ +- Set files with the httpd_zoneminder_script_exec_t type, if you want to transition an executable to the httpd_zoneminder_script_t domain. + + - .PP --system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR --This manual page was written by Dan Walsh . ++.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. 
You will need to use +.B restorecon +to apply the labels. - --.SH "SEE ALSO" --selinux(8), httpd(8), chcon(1), setsebool(8) -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: + -+.B semanage port -l ++.SH SHARING FILES ++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. ++.TP ++Allow httpd servers to read the /var/httpd directory by adding the public_content_t file type to the directory and by restoring the file type. ++.PP ++.B ++semanage fcontext -a -t public_content_t "/var/httpd(/.*)?" ++.br ++.B restorecon -F -R -v /var/httpd ++.pp ++.TP ++Allow httpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpdd_anon_write boolean to be set. ++.PP ++.B ++semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?" ++.br ++.B restorecon -F -R -v /var/httpd/incoming ++ + +.PP -+Policy governs the access confined processes have to these ports. -+SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible. -+.PP -+The following port types are defined for httpd: ++If you want to allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t., you must turn on the httpd_anon_write boolean. 
+ +.EX -+.TP 5 -+.B http_cache_port_t -+.TP 10 -+.EE - - -+Default Defined Ports: -+tcp 8080,8118,10001-10010 -+.EE -+udp 3130 -+.EE -+ -+.EX -+.TP 5 -+.B http_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 80,81,443,488,8008,8009,8443 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B abrt_retrace_spool_t -+ -+ /var/spool/abrt-retrace(/.*)? -+.br -+ /var/spool/retrace-server(/.*)? -+.br -+ -+.br -+.B dirsrv_config_t -+ -+ /etc/dirsrv(/.*)? -+.br -+ -+.br -+.B dirsrv_var_log_t -+ -+ /var/log/dirsrv(/.*)? -+.br -+ -+.br -+.B dirsrv_var_run_t -+ -+ /var/run/dirsrv(/.*)? -+.br -+ -+.br -+.B dirsrvadmin_config_t -+ -+ /etc/dirsrv/dsgw(/.*)? -+.br -+ /etc/dirsrv/admin-serv(/.*)? -+.br -+ -+.br -+.B dirsrvadmin_tmp_t -+ -+ -+.br -+.B httpd_apcupsd_cgi_rw_content_t -+ -+ -+.br -+.B httpd_awstats_rw_content_t -+ -+ -+.br -+.B httpd_bugzilla_rw_content_t -+ -+ /var/lib/bugzilla(/.*)? -+.br -+ -+.br -+.B httpd_cache_t -+ -+ /var/cache/rt3(/.*)? -+.br -+ /var/cache/ssl.*\.sem -+.br -+ /var/cache/mod_.* -+.br -+ /var/cache/php-.* -+.br -+ /var/cache/httpd(/.*)? -+.br -+ /var/cache/mason(/.*)? -+.br -+ /var/cache/mod_ssl(/.*)? -+.br -+ /var/cache/lighttpd(/.*)? -+.br -+ /var/cache/mediawiki(/.*)? -+.br -+ /var/cache/mod_proxy(/.*)? -+.br -+ /var/cache/mod_gnutls(/.*)? -+.br -+ /var/cache/php-mmcache(/.*)? -+.br -+ /var/cache/php-eaccelerator(/.*)? -+.br -+ -+.br -+.B httpd_cobbler_rw_content_t -+ -+ -+.br -+.B httpd_collectd_rw_content_t -+ -+ -+.br -+.B httpd_cvs_rw_content_t -+ -+ -+.br -+.B httpd_dirsrvadmin_rw_content_t -+ -+ -+.br -+.B httpd_dspam_rw_content_t -+ -+ -+.br -+.B httpd_git_rw_content_t -+ -+ /var/cache/cgit(/.*)? -+.br -+ /var/cache/gitweb-caching(/.*)? 
-+.br -+ -+.br -+.B httpd_lock_t -+ -+ -+.br -+.B httpd_man2html_rw_content_t -+ -+ -+.br -+.B httpd_mediawiki_rw_content_t -+ -+ /var/www/wiki(/.*)? -+.br -+ -+.br -+.B httpd_mojomojo_rw_content_t -+ -+ /var/lib/mojomojo(/.*)? -+.br -+ -+.br -+.B httpd_munin_rw_content_t -+ -+ -+.br -+.B httpd_nagios_rw_content_t -+ -+ -+.br -+.B httpd_nutups_cgi_rw_content_t -+ -+ -+.br -+.B httpd_openshift_rw_content_t -+ -+ -+.br -+.B httpd_prewikka_rw_content_t -+ -+ -+.br -+.B httpd_smokeping_cgi_rw_content_t -+ -+ -+.br -+.B httpd_squid_rw_content_t -+ -+ -+.br -+.B httpd_squirrelmail_t -+ -+ /var/lib/squirrelmail/prefs(/.*)? -+.br -+ -+.br -+.B httpd_sys_rw_content_t -+ -+ /etc/drupal.* -+.br -+ /var/lib/svn(/.*)? -+.br -+ /var/www/svn(/.*)? -+.br -+ /etc/mock/koji(/.*)? -+.br -+ /var/www/html/[^/]*/sites/default/files(/.*)? -+.br -+ /var/www/html/[^/]*/sites/default/settings\.php -+.br -+ /var/lib/drupal.* -+.br -+ /etc/zabbix/web(/.*)? -+.br -+ /var/spool/gosa(/.*)? -+.br -+ /etc/WebCalendar(/.*)? -+.br -+ /var/lib/dokuwiki(/.*)? -+.br -+ /var/spool/viewvc(/.*)? -+.br -+ /var/lib/pootle/po(/.*)? -+.br -+ /var/www/moodledata(/.*)? -+.br -+ /var/www/gallery/albums(/.*)? -+.br -+ /var/www/html/wp-content(/.*)? -+.br -+ /usr/share/wordpress-mu/wp-content(/.*)? -+.br -+ /usr/share/wordpress/wp-content/uploads(/.*)? -+.br -+ /usr/share/wordpress/wp-content/upgrade(/.*)? -+.br -+ /etc/owncloud/config\.php -+.br -+ /var/www/html/configuration\.php -+.br -+ -+.br -+.B httpd_tmp_t -+ -+ /var/run/user/apache(/.*)? -+.br -+ -+.br -+.B httpd_tmpfs_t -+ -+ -+.br -+.B httpd_user_rw_content_t -+ -+ -+.br -+.B httpd_var_lib_t -+ -+ /var/lib/dav(/.*)? -+.br -+ /var/lib/php(/.*)? -+.br -+ /var/lib/httpd(/.*)? -+.br -+ /var/lib/cherokee(/.*)? -+.br -+ /var/lib/lighttpd(/.*)? -+.br -+ /var/lib/rt3/data/RT-Shredder(/.*)? -+.br -+ -+.br -+.B httpd_var_run_t -+ -+ /var/run/mod_.* -+.br -+ /var/run/wsgi.* -+.br -+ /var/run/httpd.* -+.br -+ /var/run/apache.* -+.br -+ /var/run/lighttpd(/.*)? 
-+.br -+ /var/lib/php/session(/.*)? -+.br -+ /var/run/dirsrv/admin-serv.* -+.br -+ /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? -+.br -+ /var/run/gcache_port -+.br -+ /var/run/cherokee\.pid -+.br -+ -+.br -+.B httpd_w3c_validator_rw_content_t -+ -+ -+.br -+.B httpd_zoneminder_rw_content_t -+ -+ -+.br -+.B jetty_cache_t -+ -+ /var/cache/jetty(/.*)? -+.br -+ -+.br -+.B jetty_log_t -+ -+ /var/log/jetty(/.*)? -+.br -+ -+.br -+.B jetty_var_lib_t -+ -+ /var/lib/jetty(/.*)? -+.br -+ -+.br -+.B jetty_var_run_t -+ -+ /var/run/jetty(/.*)? -+.br -+ -+.br -+.B krb5_host_rcache_t -+ -+ /var/cache/krb5rcache(/.*)? -+.br -+ /var/tmp/nfs_0 -+.br -+ /var/tmp/DNS_25 -+.br -+ /var/tmp/host_0 -+.br -+ /var/tmp/imap_0 -+.br -+ /var/tmp/HTTP_23 -+.br -+ /var/tmp/HTTP_48 -+.br -+ /var/tmp/ldap_55 -+.br -+ /var/tmp/ldap_487 -+.br -+ /var/tmp/ldapmap1_0 -+.br -+ -+.br -+.B passenger_tmp_t -+ -+ -+.br -+.B passenger_var_run_t -+ -+ /var/run/passenger(/.*)? -+.br -+ -+.br -+.B pki_apache_config -+ -+ -+.br -+.B pki_apache_var_lib -+ -+ -+.br -+.B pki_apache_var_log -+ -+ -+.br -+.B squirrelmail_spool_t -+ -+ /var/spool/squirrelmail(/.*)? -+.br -+ -+.br -+.B systemd_passwd_var_run_t -+ -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br -+ -+.br -+.B zarafa_var_lib_t -+ -+ /var/lib/zarafa(/.*)? -+.br -+ /var/lib/zarafa-webaccess(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
-+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 ++.B setsebool -P httpd_anon_write 1 +.EE + +.SH "COMMANDS" 
@@ -37102,15 +64911,15 @@ index 16e8b13..d05f08b 100644 + +.SH "SEE ALSO" +selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_smokeping_cgi_script_selinux.8 b/man/man8/httpd_smokeping_cgi_script_selinux.8 new file mode 100644 -index 0000000..d4560e5 +index 0000000..897dde3 --- /dev/null +++ b/man/man8/httpd_smokeping_cgi_script_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "httpd_smokeping_cgi_script_selinux" "8" "12-11-01" "httpd_smokeping_cgi_script" "SELinux Policy documentation for httpd_smokeping_cgi_script" +@@ -0,0 +1,185 @@ ++.TH "httpd_smokeping_cgi_script_selinux" "8" "13-01-16" "httpd_smokeping_cgi_script" "SELinux Policy documentation for httpd_smokeping_cgi_script" +.SH "NAME" +httpd_smokeping_cgi_script_selinux \- Security Enhanced Linux Policy for the httpd_smokeping_cgi_script processes +.SH "DESCRIPTION" 
@@ -37126,9 +64935,11 @@ index 0000000..d4560e5 + +.SH "ENTRYPOINTS" + -+The httpd_smokeping_cgi_script_t SELinux type can be entered via the "shell_exec_t,httpd_smokeping_cgi_script_exec_t,httpd_smokeping_cgi_script_exec_t" file types. The default entrypoint paths for the httpd_smokeping_cgi_script_t domain are the following:" ++The httpd_smokeping_cgi_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_smokeping_cgi_script_exec_t, httpd_smokeping_cgi_script_exec_t\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/smokeping/cgi(/.*)?, /usr/share/smokeping/cgi(/.*)? ++The default entrypoint paths for the httpd_smokeping_cgi_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/smokeping/cgi(/.*)?, /usr/share/smokeping/cgi(/.*)? +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -37144,8 +64955,90 @@ index 0000000..d4560e5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_smokeping_cgi_script_t ++can be used to make the process type httpd_smokeping_cgi_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_smokeping_cgi_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_smokeping_cgi_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_smokeping_cgi_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_smokeping_cgi_rw_content_t ++ ++ ++.br ++.B smokeping_var_lib_t ++ ++ /var/lib/smokeping(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -37155,7 +65048,20 @@ index 0000000..d4560e5 +Policy governs the access confined processes have to these files. +SELinux httpd_smokeping_cgi_script policy is very flexible allowing users to setup their httpd_smokeping_cgi_script processes in as secure a method as possible. +.PP -+The following file types are defined for httpd_smokeping_cgi_script: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_smokeping_cgi_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_smokeping_cgi_script_exec_t '/srv/httpd_smokeping_cgi_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_smokeping_cgi_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_smokeping_cgi_script: + + +.EX 
@@ -37173,22 +65079,6 @@ index 0000000..d4560e5 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_smokeping_cgi_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B httpd_smokeping_cgi_rw_content_t -+ -+ -+.br -+.B smokeping_var_lib_t -+ -+ /var/lib/smokeping(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -37199,6 +65089,9 @@ index 0000000..d4560e5 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -37210,15 +65103,15 @@ index 0000000..d4560e5 + +.SH "SEE ALSO" +selinux(8), httpd_smokeping_cgi_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_squid_script_selinux.8 b/man/man8/httpd_squid_script_selinux.8 new file mode 100644 -index 0000000..fa0892f +index 0000000..7ab940f --- /dev/null +++ b/man/man8/httpd_squid_script_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "httpd_squid_script_selinux" "8" "12-11-01" "httpd_squid_script" "SELinux Policy documentation for httpd_squid_script" +@@ -0,0 +1,183 @@ ++.TH "httpd_squid_script_selinux" "8" "13-01-16" "httpd_squid_script" "SELinux Policy documentation for httpd_squid_script" +.SH "NAME" +httpd_squid_script_selinux \- Security Enhanced Linux Policy for the httpd_squid_script processes +.SH "DESCRIPTION" 
@@ -37234,9 +65127,11 @@ index 0000000..fa0892f + +.SH "ENTRYPOINTS" + -+The httpd_squid_script_t SELinux type can be entered via the "httpd_squid_script_exec_t,shell_exec_t,httpd_squid_script_exec_t" file types. The default entrypoint paths for the httpd_squid_script_t domain are the following:" ++The httpd_squid_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_squid_script_exec_t, httpd_squid_script_exec_t\fP file types. + -+/usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr\.cgi, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr\.cgi ++The default entrypoint paths for the httpd_squid_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr\.cgi, /usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr\.cgi +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -37252,34 +65147,76 @@ index 0000000..fa0892f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_squid_script_t ++can be used to make the process type httpd_squid_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_squid_script policy is very flexible allowing users to setup their httpd_squid_script processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_squid_script: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_squid_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_squid_script with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B httpd_squid_script_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the httpd_squid_script_exec_t type, if you want to transition an executable to the httpd_squid_script_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -37289,7 +65226,48 @@ index 0000000..fa0892f +.B httpd_squid_rw_content_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux httpd_squid_script policy is very flexible allowing users to setup their httpd_squid_script processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_squid_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_squid_script_exec_t '/srv/httpd_squid_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_squid_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_squid_script: ++ ++ ++.EX ++.PP ++.B httpd_squid_script_exec_t ++.EE ++ ++- Set files with the httpd_squid_script_exec_t type, if you want to transition an executable to the httpd_squid_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr\.cgi ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -37301,6 +65279,9 @@ index 0000000..fa0892f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -37312,15 +65293,15 @@ index 0000000..fa0892f + +.SH "SEE ALSO" +selinux(8), httpd_squid_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_suexec_selinux.8 b/man/man8/httpd_suexec_selinux.8 new file mode 100644 -index 0000000..2f8bbb0 +index 0000000..0e0d30e --- /dev/null +++ b/man/man8/httpd_suexec_selinux.8 -@@ -0,0 +1,117 @@ -+.TH "httpd_suexec_selinux" "8" "12-11-01" "httpd_suexec" "SELinux Policy documentation for httpd_suexec" +@@ -0,0 +1,347 @@ ++.TH "httpd_suexec_selinux" "8" "13-01-16" "httpd_suexec" "SELinux Policy documentation for httpd_suexec" +.SH "NAME" +httpd_suexec_selinux \- Security Enhanced Linux Policy for the httpd_suexec processes +.SH "DESCRIPTION" @@ -37336,7 +65317,9 @@ index 0000000..2f8bbb0 + +.SH "ENTRYPOINTS" + -+The httpd_suexec_t SELinux type can be entered via the "httpd_suexec_exec_t" file type. The default entrypoint paths for the httpd_suexec_t domain are the following:" ++The httpd_suexec_t SELinux type can be entered via the \fBhttpd_suexec_exec_t\fP file type. ++ ++The default entrypoint paths for the httpd_suexec_t domain are the following: + +/usr/lib/apache(2)?/suexec(2)?, /usr/lib/cgi-bin/(nph-)?cgiwrap(d)?, /usr/sbin/suexec +.SH PROCESS TYPES 
@@ -37354,8 +65337,240 @@ index 0000000..2f8bbb0 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_suexec_t ++can be used to make the process type httpd_suexec_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_suexec policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_suexec with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to use built in scripting (usually php), you must turn on the httpd_builtin_scripting boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_builtin_scripting 1 ++ ++.EE ++ ++.PP ++If you want to allow HTTPD scripts and modules to connect to the network using TCP, you must turn on the httpd_can_network_connect boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_network_connect 1 ++ ++.EE ++ ++.PP ++If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_network_connect_db 1 ++ ++.EE ++ ++.PP ++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_homedirs 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd scripts and modules execmem/execstack, you must turn on the httpd_execmem boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_read_user_content 1 ++ ++.EE ++ ++.PP ++If you want to unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal, you must turn on the httpd_tty_comm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P httpd_tty_comm 1 ++ ++.EE ++ ++.PP ++If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_unified 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to access cifs file systems, you must turn on the httpd_use_cifs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_use_cifs 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to access FUSE file systems, you must turn on the httpd_use_fusefs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_use_fusefs 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_use_nfs 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the httpd_suexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the httpd_suexec_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_suexec_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B httpd_suexec_tmp_t ++ ++ ++.br ++.B nfs_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -37365,7 +65580,20 @@ index 0000000..2f8bbb0 +Policy governs the access confined processes have to these files. +SELinux httpd_suexec policy is very flexible allowing users to setup their httpd_suexec processes in as secure a method as possible. +.PP -+The following file types are defined for httpd_suexec: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_suexec, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_suexec_exec_t '/srv/httpd_suexec/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_suexec_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_suexec: + + +.EX @@ -37375,6 +65603,10 @@ index 0000000..2f8bbb0 + +- Set files with the httpd_suexec_exec_t type, if you want to transition an executable to the httpd_suexec_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/apache(2)?/suexec(2)?, /usr/lib/cgi-bin/(nph-)?cgiwrap(d)?, /usr/sbin/suexec + +.EX +.PP 
@@ -37391,30 +65623,6 @@ index 0000000..2f8bbb0 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_suexec_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B httpd_suexec_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_suexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the httpd_suexec_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -37425,6 +65633,9 @@ index 0000000..2f8bbb0 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -37436,15 +65647,15 @@ index 0000000..2f8bbb0 + +.SH "SEE ALSO" +selinux(8), httpd_suexec(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_sys_script_selinux.8 b/man/man8/httpd_sys_script_selinux.8 new file mode 100644 -index 0000000..566f6fa +index 0000000..7cc5cbd --- /dev/null +++ b/man/man8/httpd_sys_script_selinux.8 -@@ -0,0 +1,190 @@ -+.TH "httpd_sys_script_selinux" "8" "12-11-01" "httpd_sys_script" "SELinux Policy documentation for httpd_sys_script" +@@ -0,0 +1,447 @@ ++.TH "httpd_sys_script_selinux" "8" "13-01-16" "httpd_sys_script" "SELinux Policy documentation for httpd_sys_script" +.SH "NAME" +httpd_sys_script_selinux \- Security Enhanced Linux Policy for the httpd_sys_script processes +.SH "DESCRIPTION" 
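Review bot: in the httpd_suexec_selinux.8 SEE ALSO hunk, httpd_cobbler_script_selinux(8) is dropped from the cross-reference list while httpd_mythtv_script_selinux(8) and httpd_webalizer_script_selinux(8) are added; if the cobbler script domain still exists in this policy the drop is a regression, so please confirm it is intentional. Two style points in the same hunk that recur in every SEE ALSO list in this patch: httpd_selinux(8) is listed twice in a row, and each generated .8 file still ends with "\ No newline at end of file", so the generator should terminate its output with a newline.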
@@ -37460,9 +65671,11 @@ index 0000000..566f6fa + +.SH "ENTRYPOINTS" + -+The httpd_sys_script_t SELinux type can be entered via the "httpd_sys_script_exec_t,httpd_sys_content_t,cifs_t,shell_exec_t,nfs_t,httpd_sys_script_exec_t" file types. The default entrypoint paths for the httpd_sys_script_t domain are the following:" ++The httpd_sys_script_t SELinux type can be entered via the \fBcifs_t, nfs_t, shell_exec_t, httpd_sys_script_exec_t, httpd_sys_content_t, httpdcontent, httpd_sys_script_exec_t, httpd_sys_content_t\fP file types. + -+/usr/.*\.cgi, /opt/.*\.cgi, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*\.php, /usr/share/wordpress/wp-includes/.*\.php, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress-mu/wp-config\.php, /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?, /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?, /var/www/icons(/.*)?, /usr/share/htdig(/.*)?, /usr/share/drupal.*, /var/www/svn/conf(/.*)?, /usr/share/icecast(/.*)?, /usr/share/mythweb(/.*)?, /var/lib/cacti/rra(/.*)?, /usr/share/ntop/html(/.*)?, /usr/share/mythtv/data(/.*)?, /usr/share/doc/ghc/html(/.*)?, /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-policy[^/]*/html(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/.*\.cgi, /opt/.*\.cgi, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?, 
/var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*\.php, /usr/share/wordpress/wp-includes/.*\.php, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress-mu/wp-config\.php ++The default entrypoint paths for the httpd_sys_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/.*\.cgi, /opt/.*\.cgi, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*\.php, /usr/share/wordpress/wp-includes/.*\.php, /usr/share/wordpress-mu/wp-config\.php, /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?, /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?, /var/www/icons(/.*)?, /usr/share/htdig(/.*)?, /usr/share/drupal.*, /usr/share/z-push(/.*)?, /var/www/svn/conf(/.*)?, /usr/share/icecast(/.*)?, /var/lib/cacti/rra(/.*)?, /usr/share/ntop/html(/.*)?, /usr/share/doc/ghc/html(/.*)?, /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-policy[^/]*/html(/.*)?, /usr/.*\.cgi, /opt/.*\.cgi, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*\.php, /usr/share/wordpress/wp-includes/.*\.php, /usr/share/wordpress-mu/wp-config\.php, /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?, /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?, /var/www/icons(/.*)?, /usr/share/htdig(/.*)?, 
/usr/share/drupal.*, /usr/share/z-push(/.*)?, /var/www/svn/conf(/.*)?, /usr/share/icecast(/.*)?, /var/lib/cacti/rra(/.*)?, /usr/share/ntop/html(/.*)?, /usr/share/doc/ghc/html(/.*)?, /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-policy[^/]*/html(/.*)? +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
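Review bot: the regenerated ENTRYPOINTS text for httpd_sys_script_selinux.8 is emitted with duplicates: the file-type list names httpd_sys_script_exec_t and httpd_sys_content_t twice each, and the whole path list is printed twice end to end (the run from /usr/.*\.cgi to /usr/share/selinux-policy[^/]*/html(/.*)? repeats in full). Deduplicate the types and paths in the generator before printing; the same doubling shows up in the httpd_user_script and httpd_w3c_validator_script pages in this patch. Two smaller points in the same sentence: httpdcontent is an attribute, not a file type, so presenting it as a type an administrator can label files with is misleading (it also appears later under MANAGED FILES with an empty path list); and because httpd_sys_content_t is itself listed as an entrypoint, every path labelled as plain content (/var/www(/.*)?, /srv/([^/]*/)?www(/.*)?, ...) is shown as an executable entrypoint into httpd_sys_script_t, which deserves a sentence of explanation rather than a bare list, since it is exactly the behaviour administrators need to reason about when deciding what to label as content.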
@@ -37478,77 +65691,258 @@ index 0000000..566f6fa +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_sys_script_t ++can be used to make the process type httpd_sys_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH SHARING FILES -+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. -+.TP -+Allow httpd_sys_script servers to read the /var/httpd_sys_script directory by adding the public_content_t file type to the directory and by restoring the file type. -+.PP -+.B -+semanage fcontext -a -t public_content_t "/var/httpd_sys_script(/.*)?" -+.br -+.B restorecon -F -R -v /var/httpd_sys_script -+.pp -+.TP -+Allow httpd_sys_script servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpd_sys_scriptd_anon_write boolean to be set. -+.PP -+.B -+semanage fcontext -a -t public_content_rw_t "/var/httpd_sys_script/incoming(/.*)?" -+.br -+.B restorecon -F -R -v /var/httpd_sys_script/incoming ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_sys_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_sys_script with the tightest access possible. + + +.PP -+If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean. 
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_sys_script_anon_write 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P httpd_sys_script_anon_write 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_sys_script policy is very flexible allowing users to setup their httpd_sys_script processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_sys_script: -+ ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B httpd_sys_script_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the httpd_sys_script_exec_t type, if you want to transition an executable to the httpd_sys_script_t domain. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to use built in scripting (usually php), you must turn on the httpd_builtin_scripting boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_builtin_scripting 1 ++ ++.EE ++ ++.PP ++If you want to allow HTTPD scripts and modules to connect to the network using TCP, you must turn on the httpd_can_network_connect boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_network_connect 1 ++ ++.EE ++ ++.PP ++If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_network_connect_db 1 ++ ++.EE ++ ++.PP ++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_homedirs 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd scripts and modules execmem/execstack, you must turn on the httpd_execmem boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P httpd_read_user_content 1 ++ ++.EE ++ ++.PP ++If you want to allow HTTPD to run SSI executables in the same domain as system CGI scripts, you must turn on the httpd_ssi_exec boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_ssi_exec 1 ++ ++.EE ++ ++.PP ++If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_tmp_exec 1 ++ ++.EE ++ ++.PP ++If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_unified 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to access cifs file systems, you must turn on the httpd_use_cifs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_use_cifs 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to access FUSE file systems, you must turn on the httpd_use_fusefs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_use_fusefs 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_use_nfs 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to access openstack ports, you must turn on the httpd_use_openstack boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_use_openstack 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the httpd_sys_script_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type httpd_sys_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br +.B httpd_sys_rw_content_t + ++ /etc/horde(/.*)? ++.br + /etc/drupal.* +.br ++ /etc/z-push(/.*)? ++.br + /var/lib/svn(/.*)? +.br + /var/www/svn(/.*)? @@ -37563,6 +65957,8 @@ index 0000000..566f6fa +.br + /etc/zabbix/web(/.*)? +.br ++ /var/log/z-push(/.*)? ++.br + /var/spool/gosa(/.*)? +.br + /etc/WebCalendar(/.*)? 
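Review bot: the deny_ptrace entry in the new BOOLEANS section contradicts itself: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" is followed by `setsebool -P deny_ptrace 1`. Turning a boolean named deny_ptrace on cannot be the way to allow ptrace; the description string the generator pulled from the policy is inverted and should be corrected at the source (or the example should show the value that actually matches the sentence), otherwise an administrator following this page will do the opposite of what they intend. Also in this hunk: "rather then" should be "rather than" (it occurs twice), and authlogin_nsswitch_use_ldap and kerberos_enabled are documented under BOOLEANS and then again, with the same setsebool lines, under NSSWITCH DOMAIN on the same page, which the generator could skip for booleans it has already printed.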
@@ -37595,21 +65991,90 @@ index 0000000..566f6fa + + /var/run/user/apache(/.*)? +.br ++ /var/www/openshift/console/tmp(/.*)? ++.br + -+.SH NSSWITCH DOMAIN ++.br ++.B httpdcontent ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B public_content_rw_t ++ ++ /var/spool/abrt-upload(/.*)? ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux httpd_sys_script policy is very flexible allowing users to setup their httpd_sys_script processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_sys_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_sys_script_exec_t '/srv/httpd_sys_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_sys_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_sys_script: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B httpd_sys_script_exec_t +.EE + ++- Set files with the httpd_sys_script_exec_t type, if you want to transition an executable to the httpd_sys_script_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/.*\.cgi, /opt/.*\.cgi, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*\.php, /usr/share/wordpress/wp-includes/.*\.php, /usr/share/wordpress-mu/wp-config\.php ++ +.PP -+If you want to allow confined applications to run with kerberos for the httpd_sys_script_t, you must turn on the kerberos_enabled boolean. ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH SHARING FILES ++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. ++.TP ++Allow httpd_sys_script servers to read the /var/httpd_sys_script directory by adding the public_content_t file type to the directory and by restoring the file type. ++.PP ++.B ++semanage fcontext -a -t public_content_t "/var/httpd_sys_script(/.*)?" ++.br ++.B restorecon -F -R -v /var/httpd_sys_script ++.pp ++.TP ++Allow httpd_sys_script servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpd_sys_scriptd_anon_write boolean to be set. ++.PP ++.B ++semanage fcontext -a -t public_content_rw_t "/var/httpd_sys_script/incoming(/.*)?" 
++.br ++.B restorecon -F -R -v /var/httpd_sys_script/incoming ++ ++ ++.PP ++If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean. + +.EX -+.B setsebool -P kerberos_enabled 1 ++.B setsebool -P httpd_sys_script_anon_write 1 +.EE + +.SH "COMMANDS" @@ -37622,6 +66087,9 @@ index 0000000..566f6fa +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
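Review bot: the STANDARD FILE CONTEXT example in this hunk does not work as written: it registers a context for '/srv/httpd_sys_script/content(/.*)?' and then runs `restorecon -R -v /srv/myhttpd_sys_script_content`, a different path, so the relabel never touches what was just registered; the two paths must match. The example also attaches httpd_sys_script_exec_t, which this same page defines as the type that transitions an executable into httpd_sys_script_t, to a directory named "content": anything placed under that tree becomes an entrypoint into the script domain, so the example should either use a content type or say plainly that it is labelling executables. Further defects in the same hunk, all inherited from the shared template (they recur in httpd_user_script_selinux.8 below): `\fBls\bP` should be `\fBls\fP` (`\b` is not a font escape, so the bold opened by `\fB` is never closed and the text renders wrongly); `.pp` should be `.PP` (the lowercase form is not a macro and is silently ignored, so the paragraph break is lost); "diffent" and "sepecify" are misspelt; the SHARING FILES text talks about /var/tmp/incoming while the command labels /var/httpd_sys_script/incoming; it names the boolean allow_httpd_sys_scriptd_anon_write while the setsebool example uses httpd_sys_script_anon_write; and "public_rw_content_t." should read public_content_rw_t, the type the same section uses two lines earlier.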
@@ -37633,15 +66101,15 @@ index 0000000..566f6fa + +.SH "SEE ALSO" +selinux(8), httpd_sys_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_user_script_selinux.8 b/man/man8/httpd_user_script_selinux.8 new file mode 100644 -index 0000000..4764520 +index 0000000..a05ee0e --- /dev/null +++ b/man/man8/httpd_user_script_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "httpd_user_script_selinux" "8" "12-11-01" "httpd_user_script" "SELinux Policy documentation for httpd_user_script" +@@ -0,0 +1,223 @@ ++.TH "httpd_user_script_selinux" "8" "13-01-16" "httpd_user_script" "SELinux Policy documentation for httpd_user_script" +.SH "NAME" +httpd_user_script_selinux \- Security Enhanced Linux Policy for the httpd_user_script processes +.SH "DESCRIPTION" 
@@ -37657,9 +66125,11 @@ index 0000000..4764520 + +.SH "ENTRYPOINTS" + -+The httpd_user_script_t SELinux type can be entered via the "shell_exec_t,httpd_user_script_exec_t,httpd_user_script_exec_t" file types. The default entrypoint paths for the httpd_user_script_t domain are the following:" ++The httpd_user_script_t SELinux type can be entered via the \fBhttpd_user_script_exec_t, shell_exec_t, httpd_user_script_exec_t, httpdcontent\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)? 
++The default entrypoint paths for the httpd_user_script_t domain are the following: ++ ++/home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/pwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/pwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)? +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
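Review bot: the entrypoint path list for httpd_user_script_t now embeds /home/pwalsh/ and /home/dwalsh/ entries (and the MANAGED FILES hunk that follows repeats them under httpd_user_content_t and httpd_user_ra_content_t). These are not policy; they look like the per-user home directory expansion for accounts that exist on the machine the pages were generated on, and shipped documentation should not carry usernames from the build host. Suggest generating from the generic home template (/home/[^/]*/...) only, or filtering the expanded per-user entries, and regenerating. As in the httpd_sys_script page, the list is also printed twice end to end and httpd_user_script_exec_t appears twice in the file-type list.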
@@ -37675,8 +66145,124 @@ index 0000000..4764520 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_user_script_t ++can be used to make the process type httpd_user_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_user_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_user_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_homedirs 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_read_user_content 1 ++ ++.EE ++ ++.PP ++If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_unified 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_user_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_user_content_t ++ ++ /home/[^/]*/((www)|(web)|(public_html))(/.+)? ++.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.+)? ++.br ++ /home/dwalsh/((www)|(web)|(public_html))(/.+)? ++.br ++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)? ++.br ++ ++.br ++.B httpd_user_ra_content_t ++ ++ /home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)? ++.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)? ++.br ++ /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)? ++.br ++ ++.br ++.B httpd_user_rw_content_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
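Review bot: httpd_enable_cgi is documented as "Enabled by default" in this hunk, but the httpd_sys_script_selinux.8 page generated in this same patch says "Disabled by default" for the same boolean; both pages come from one policy, so one of them is wrong. Please check whether the generator reads the compiled policy's default or the current runtime value on the build host, and regenerate so every page reports the same default. The deny_ptrace entry in this hunk also carries the inverted wording already present in the sys_script page (allowing ptrace by turning deny_ptrace on with `setsebool -P deny_ptrace 1`), so correcting the description at the source will fix both pages.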
@@ -37686,7 +66272,20 @@ index 0000000..4764520 +Policy governs the access confined processes have to these files. +SELinux httpd_user_script policy is very flexible allowing users to setup their httpd_user_script processes in as secure a method as possible. +.PP -+The following file types are defined for httpd_user_script: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_user_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_user_script_exec_t '/srv/httpd_user_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_user_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_user_script: + + +.EX @@ -37696,6 +66295,10 @@ index 0000000..4764520 + +- Set files with the httpd_user_script_exec_t type, if you want to transition an executable to the httpd_user_script_t domain. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/pwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)?, /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)? + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -37704,16 +66307,6 @@ index 0000000..4764520 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_user_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B httpd_user_rw_content_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -37724,6 +66317,9 @@ index 0000000..4764520 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -37735,15 +66331,15 @@ index 0000000..4764520 + +.SH "SEE ALSO" +selinux(8), httpd_user_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_w3c_validator_script_selinux.8 b/man/man8/httpd_w3c_validator_script_selinux.8 new file mode 100644 -index 0000000..1191c99 +index 0000000..36ca5dd --- /dev/null +++ b/man/man8/httpd_w3c_validator_script_selinux.8 -@@ -0,0 +1,99 @@ -+.TH "httpd_w3c_validator_script_selinux" "8" "12-11-01" "httpd_w3c_validator_script" "SELinux Policy documentation for httpd_w3c_validator_script" +@@ -0,0 +1,183 @@ ++.TH "httpd_w3c_validator_script_selinux" "8" "13-01-16" "httpd_w3c_validator_script" "SELinux Policy documentation for httpd_w3c_validator_script" +.SH "NAME" +httpd_w3c_validator_script_selinux \- Security Enhanced Linux Policy for the httpd_w3c_validator_script processes +.SH "DESCRIPTION" 
@@ -37759,9 +66355,11 @@ index 0000000..1191c99 + +.SH "ENTRYPOINTS" + -+The httpd_w3c_validator_script_t SELinux type can be entered via the "shell_exec_t,httpd_w3c_validator_script_exec_t,httpd_w3c_validator_script_exec_t" file types. The default entrypoint paths for the httpd_w3c_validator_script_t domain are the following:" ++The httpd_w3c_validator_script_t SELinux type can be entered via the \fBhttpd_w3c_validator_script_exec_t, shell_exec_t, httpd_w3c_validator_script_exec_t\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check, /usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check ++The default entrypoint paths for the httpd_w3c_validator_script_t domain are the following: ++ ++/usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
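Review bot: the ENTRYPOINTS paragraph in this hunk lists `httpd_w3c_validator_script_exec_t` twice in the file-type list and repeats `/usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check` at both the head and the tail of the path list. `sepolicy manpage` should deduplicate entrypoint types and their paths before emitting them; as written the page reads as if the domain had three entrypoint types.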
@@ -37777,34 +66375,76 @@ index 0000000..1191c99 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_w3c_validator_script_t ++can be used to make the process type httpd_w3c_validator_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux httpd_w3c_validator_script policy is very flexible allowing users to setup their httpd_w3c_validator_script processes in as secure a method as possible. -+.PP -+The following file types are defined for httpd_w3c_validator_script: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_w3c_validator_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_w3c_validator_script with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B httpd_w3c_validator_script_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the httpd_w3c_validator_script_exec_t type, if you want to transition an executable to the httpd_w3c_validator_script_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
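Review bot: the generated `deny_ptrace` paragraph in this BOOLEANS hunk contradicts itself: `If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean` followed by `setsebool -P deny_ptrace 1`. Turning deny_ptrace on is what denies ptrace, so an admin following the text gets the opposite of what they asked for. The sentence should either describe the boolean by what it does when on ("deny any process from ptracing or debugging any other process") or tell the reader to set it to 0 to allow debugging. The same inverted wording appears in every page regenerated by this patch (webalizer, zoneminder, hwclock, iceauth), so the fix belongs in the boolean description that `sepolicy manpage` reads, not in each page. The "Enabled by default" claim for deny_ptrace is also worth confirming against the policy's tunable default before shipping.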
@@ -37814,11 +66454,48 @@ index 0000000..1191c99 +.B httpd_w3c_validator_rw_content_t + + ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux httpd_w3c_validator_script policy is very flexible allowing users to setup their httpd_w3c_validator_script processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_w3c_validator_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_w3c_validator_script_exec_t '/srv/httpd_w3c_validator_script/content(/.*)?' +.br -+.B httpd_w3c_validator_tmp_t ++.B restorecon -R -v /srv/myhttpd_w3c_validator_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_w3c_validator_script: + + -+.SH NSSWITCH DOMAIN ++.EX ++.PP ++.B httpd_w3c_validator_script_exec_t ++.EE ++ ++- Set files with the httpd_w3c_validator_script_exec_t type, if you want to transition an executable to the httpd_w3c_validator_script_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
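Review bot: the new STANDARD FILE CONTEXT example in this FILE CONTEXTS hunk is wrong for the domain and internally inconsistent. It labels a content tree with the entrypoint type (`semanage fcontext -a -t httpd_w3c_validator_script_exec_t '/srv/httpd_w3c_validator_script/content(/.*)?'`), which would turn every file under that directory into an executable entrypoint for httpd_w3c_validator_script_t, and the following `restorecon -R -v /srv/myhttpd_w3c_validator_script_content` relabels a different path than the one just added. The generator should use a content type for this example (here `httpd_w3c_validator_rw_content_t` from MANAGED FILES), or omit the example for domains that only define an `_exec_t`, and use one path in both commands. In the same hunk, `diffent` and `sepecify` are typos and the carried-over `\fBls\bP` should be `\fBls\fP`, otherwise the bold never closes. The identical template text recurs in the zoneminder and hwclock pages further down, so all three need the same fix.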
@@ -37830,6 +66507,9 @@ index 0000000..1191c99 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -37841,15 +66521,154 @@ index 0000000..1191c99 + +.SH "SEE ALSO" +selinux(8), httpd_w3c_validator_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_zoneminder_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_webalizer_script_selinux(8), 
httpd_zoneminder_script_selinux(8) +\ No newline at end of file +diff --git a/man/man8/httpd_webalizer_script_selinux.8 b/man/man8/httpd_webalizer_script_selinux.8 +new file mode 100644 +index 0000000..8be772c +--- /dev/null ++++ b/man/man8/httpd_webalizer_script_selinux.8 +@@ -0,0 +1,132 @@ ++.TH "httpd_webalizer_script_selinux" "8" "13-01-16" "httpd_webalizer_script" "SELinux Policy documentation for httpd_webalizer_script" ++.SH "NAME" ++httpd_webalizer_script_selinux \- Security Enhanced Linux Policy for the httpd_webalizer_script processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the httpd_webalizer_script processes via flexible mandatory access control. ++ ++The httpd_webalizer_script processes execute with the httpd_webalizer_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep httpd_webalizer_script_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The httpd_webalizer_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_webalizer_script_exec_t, httpd_webalizer_script_exec_t\fP file types. ++ ++The default entrypoint paths for the httpd_webalizer_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. 
++SELinux httpd_webalizer_script policy is very flexible allowing users to setup their httpd_webalizer_script processes in as secure a method as possible. ++.PP ++The following process types are defined for httpd_webalizer_script: ++ ++.EX ++.B httpd_webalizer_script_t ++.EE ++.PP ++Note: ++.B semanage permissive -a httpd_webalizer_script_t ++can be used to make the process type httpd_webalizer_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_webalizer_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_webalizer_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_webalizer_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_webalizer_rw_content_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), httpd_webalizer_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), httpd_zoneminder_script_selinux(8) \ No newline at end of file diff --git a/man/man8/httpd_zoneminder_script_selinux.8 b/man/man8/httpd_zoneminder_script_selinux.8 new file mode 100644 -index 0000000..9666a60 +index 0000000..a7c3970 --- /dev/null +++ b/man/man8/httpd_zoneminder_script_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "httpd_zoneminder_script_selinux" "8" "12-11-01" "httpd_zoneminder_script" "SELinux Policy documentation for httpd_zoneminder_script" +@@ -0,0 +1,171 @@ ++.TH "httpd_zoneminder_script_selinux" "8" "13-01-16" "httpd_zoneminder_script" "SELinux Policy documentation for httpd_zoneminder_script" +.SH "NAME" +httpd_zoneminder_script_selinux \- Security Enhanced Linux Policy for the httpd_zoneminder_script processes +.SH "DESCRIPTION" 
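Review bot: the new httpd_webalizer_script_selinux(8) page documents a domain whose own `httpd_webalizer_script_exec_t` type has no file-context path: the ENTRYPOINTS list contains only the shared shell paths (`/bin/d?ash` through `/usr/libexec/git-core/git-shell`), and unlike the w3c-validator and zoneminder pages no FILE CONTEXTS section with a `Paths:` entry is emitted. Either the policy has no fcontext for the webalizer CGI directory, in which case the page documents a domain nothing can transition into and a file-context entry should be added, or the generator dropped it. The exec type is also listed twice in the entrypoint file-type list. Separately, this page says `httpd_enable_cgi ... Disabled by default` while the w3c-validator and zoneminder pages generated in the same run say `Enabled by default` for the same boolean; all three come from one policy build, so one of them is wrong.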
@@ -37865,9 +66684,11 @@ index 0000000..9666a60 + +.SH "ENTRYPOINTS" + -+The httpd_zoneminder_script_t SELinux type can be entered via the "httpd_zoneminder_script_exec_t,shell_exec_t,httpd_zoneminder_script_exec_t" file types. The default entrypoint paths for the httpd_zoneminder_script_t domain are the following:" ++The httpd_zoneminder_script_t SELinux type can be entered via the \fBshell_exec_t, httpd_zoneminder_script_exec_t, httpd_zoneminder_script_exec_t\fP file types. + -+/usr/libexec/zoneminder/cgi-bin(/.*)?, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/libexec/zoneminder/cgi-bin(/.*)? ++The default entrypoint paths for the httpd_zoneminder_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/libexec/zoneminder/cgi-bin(/.*)?, /usr/libexec/zoneminder/cgi-bin(/.*)? +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
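Review bot: same deduplication problem as the other httpd script pages: `httpd_zoneminder_script_exec_t` appears twice among the entrypoint file types and `/usr/libexec/zoneminder/cgi-bin(/.*)?` is emitted twice at the end of the path list. Note that the order also flipped relative to the previous generation (the zoneminder path used to lead the list, now the shell paths do). For a page whose purpose is to tell an admin which binary enters the domain, the domain's own `_exec_t` paths should come first and the shared `shell_exec_t` paths after, so the generator's ordering should be made deterministic rather than left to whatever the policy query returns.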
@@ -37883,8 +66704,76 @@ index 0000000..9666a60 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a httpd_zoneminder_script_t ++can be used to make the process type httpd_zoneminder_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. httpd_zoneminder_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd_zoneminder_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type httpd_zoneminder_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_zoneminder_rw_content_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -37894,7 +66783,20 @@ index 0000000..9666a60 +Policy governs the access confined processes have to these files. +SELinux httpd_zoneminder_script policy is very flexible allowing users to setup their httpd_zoneminder_script processes in as secure a method as possible. +.PP -+The following file types are defined for httpd_zoneminder_script: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the httpd_zoneminder_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t httpd_zoneminder_script_exec_t '/srv/httpd_zoneminder_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhttpd_zoneminder_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for httpd_zoneminder_script: + + +.EX 
@@ -37912,16 +66814,6 @@ index 0000000..9666a60 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type httpd_zoneminder_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B httpd_zoneminder_rw_content_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -37932,6 +66824,9 @@ index 0000000..9666a60 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -37943,15 +66838,15 @@ index 0000000..9666a60 + +.SH "SEE ALSO" +selinux(8), httpd_zoneminder_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8) ++, setsebool(8), httpd_selinux(8), httpd_selinux(8), httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8), httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8), httpd_git_script_selinux(8), httpd_helper_selinux(8), httpd_man2html_script_selinux(8), httpd_mediawiki_script_selinux(8), httpd_mojomojo_script_selinux(8), httpd_munin_script_selinux(8), httpd_mythtv_script_selinux(8), httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8), httpd_passwd_selinux(8), httpd_php_selinux(8), httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8), httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8), 
httpd_webalizer_script_selinux(8) \ No newline at end of file diff --git a/man/man8/hwclock_selinux.8 b/man/man8/hwclock_selinux.8 new file mode 100644 -index 0000000..5f81eee +index 0000000..a92e802 --- /dev/null +++ b/man/man8/hwclock_selinux.8 -@@ -0,0 +1,110 @@ -+.TH "hwclock_selinux" "8" "12-11-01" "hwclock" "SELinux Policy documentation for hwclock" +@@ -0,0 +1,217 @@ ++.TH "hwclock_selinux" "8" "13-01-16" "hwclock" "SELinux Policy documentation for hwclock" +.SH "NAME" +hwclock_selinux \- Security Enhanced Linux Policy for the hwclock processes +.SH "DESCRIPTION" @@ -37967,7 +66862,9 @@ index 0000000..5f81eee + +.SH "ENTRYPOINTS" + -+The hwclock_t SELinux type can be entered via the "hwclock_exec_t" file type. The default entrypoint paths for the hwclock_t domain are the following:" ++The hwclock_t SELinux type can be entered via the \fBhwclock_exec_t\fP file type. ++ ++The default entrypoint paths for the hwclock_t domain are the following: + +/sbin/hwclock, /usr/sbin/hwclock +.SH PROCESS TYPES 
@@ -37985,49 +66882,97 @@ index 0000000..5f81eee +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a hwclock_t ++can be used to make the process type hwclock_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux hwclock policy is very flexible allowing users to setup their hwclock processes in as secure a method as possible. -+.PP -+The following file types are defined for hwclock: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. hwclock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run hwclock with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B hwclock_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the hwclock_exec_t type, if you want to transition an executable to the hwclock_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + -+.SH "MANAGED FILES" ++.EX ++.B setsebool -P deny_ptrace 1 + -+The SELinux process type hwclock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++.EE + -+.br -+.B adjtime_t ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + -+ /etc/adjtime -+.br ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the hwclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the hwclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 
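Review bot: in the hwclock_selinux(8) BOOLEANS hunk, `authlogin_nsswitch_use_ldap` and `kerberos_enabled` are now listed under BOOLEANS and then again, with near-identical text, under the retained NSSWITCH DOMAIN section, so both booleans are documented twice with slightly different wording. Either drop NSSWITCH DOMAIN now that the generic BOOLEANS section exists, or have the generator exclude the nsswitch booleans from the generic list. The `sssd serve` to `sssd server` fix is good, but `rather then` should be `rather than` in both copies. Also, `daemons_use_tty` and `domain_kernel_load_modules` are global tunables with nothing hwclock-specific about them; listing every global boolean on every page buries the ones that actually matter for the domain.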
@@ -38040,6 +66985,59 @@ index 0000000..5f81eee +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH "MANAGED FILES" ++ ++The SELinux process type hwclock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B adjtime_t ++ ++ /etc/adjtime ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux hwclock policy is very flexible allowing users to setup their hwclock processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the hwclock, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t hwclock_exec_t '/srv/hwclock/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myhwclock_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for hwclock: ++ ++ ++.EX ++.PP ++.B hwclock_exec_t ++.EE ++ ++- Set files with the hwclock_exec_t type, if you want to transition an executable to the hwclock_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/hwclock, /usr/sbin/hwclock ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -38050,6 +67048,9 @@ index 0000000..5f81eee +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -38061,13 +67062,15 @@ index 0000000..5f81eee + +.SH "SEE ALSO" +selinux(8), hwclock(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/iceauth_selinux.8 b/man/man8/iceauth_selinux.8 new file mode 100644 -index 0000000..2459ffa +index 0000000..6ac8965 --- /dev/null +++ b/man/man8/iceauth_selinux.8 -@@ -0,0 +1,118 @@ -+.TH "iceauth_selinux" "8" "12-11-01" "iceauth" "SELinux Policy documentation for iceauth" +@@ -0,0 +1,255 @@ ++.TH "iceauth_selinux" "8" "13-01-16" "iceauth" "SELinux Policy documentation for iceauth" +.SH "NAME" +iceauth_selinux \- Security Enhanced Linux Policy for the iceauth processes +.SH "DESCRIPTION" @@ -38083,7 +67086,9 @@ index 0000000..2459ffa + +.SH "ENTRYPOINTS" + -+The iceauth_t SELinux type can be entered via the "iceauth_exec_t" file type. The default entrypoint paths for the iceauth_t domain are the following:" ++The iceauth_t SELinux type can be entered via the \fBiceauth_exec_t\fP file type. ++ ++The default entrypoint paths for the iceauth_t domain are the following: + +/usr/bin/iceauth, /usr/X11R6/bin/iceauth +.SH PROCESS TYPES 
@@ -38101,48 +67106,118 @@ index 0000000..2459ffa +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a iceauth_t ++can be used to make the process type iceauth_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux iceauth policy is very flexible allowing users to setup their iceauth processes in as secure a method as possible. -+.PP -+The following file types are defined for iceauth: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. iceauth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run iceauth with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B iceauth_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the iceauth_exec_t type, if you want to transition an executable to the iceauth_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B iceauth_home_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the iceauth_home_t type, if you want to store iceauth files in the users home directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
+ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE + +.SH "MANAGED FILES" + +The SELinux process type iceauth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? 
++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br +.B iceauth_home_t + + /root/\.DCOP.* @@ -38153,6 +67228,10 @@ index 0000000..2459ffa +.br + /home/[^/]*/\.ICEauthority.* +.br ++ /home/pwalsh/\.DCOP.* ++.br ++ /home/pwalsh/\.ICEauthority.* ++.br + /home/dwalsh/\.DCOP.* +.br + /home/dwalsh/\.ICEauthority.* 
@@ -38162,7 +67241,64 @@ index 0000000..2459ffa + /var/lib/xguest/home/xguest/\.ICEauthority.* +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B nfs_t ++ ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux iceauth policy is very flexible allowing users to setup their iceauth processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the iceauth, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t iceauth_exec_t '/srv/iceauth/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myiceauth_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for iceauth: ++ ++ ++.EX ++.PP ++.B iceauth_exec_t ++.EE ++ ++- Set files with the iceauth_exec_t type, if you want to transition an executable to the iceauth_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/iceauth, /usr/X11R6/bin/iceauth ++ ++.EX ++.PP ++.B iceauth_home_t ++.EE ++ ++- Set files with the iceauth_home_t type, if you want to store iceauth files in the users home directory. ++ ++.br ++.TP 5 ++Paths: ++/root/\.DCOP.*, /root/\.ICEauthority.*, /home/[^/]*/\.DCOP.*, /home/[^/]*/\.ICEauthority.*, /home/pwalsh/\.DCOP.*, /home/pwalsh/\.ICEauthority.*, /home/dwalsh/\.DCOP.*, /home/dwalsh/\.ICEauthority.*, /var/lib/xguest/home/xguest/\.DCOP.*, /var/lib/xguest/home/xguest/\.ICEauthority.* ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. 
This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -38174,6 +67310,9 @@ index 0000000..2459ffa +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -38185,13 +67324,15 @@ index 0000000..2459ffa + +.SH "SEE ALSO" +selinux(8), iceauth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/icecast_selinux.8 b/man/man8/icecast_selinux.8 new file mode 100644 -index 0000000..f0455d7 +index 0000000..18f667d --- /dev/null +++ b/man/man8/icecast_selinux.8 -@@ -0,0 +1,162 @@ -+.TH "icecast_selinux" "8" "12-11-01" "icecast" "SELinux Policy documentation for icecast" +@@ -0,0 +1,286 @@ ++.TH "icecast_selinux" "8" "13-01-16" "icecast" "SELinux Policy documentation for icecast" +.SH "NAME" +icecast_selinux \- Security Enhanced Linux Policy for the icecast processes +.SH "DESCRIPTION" @@ -38207,7 +67348,9 @@ index 0000000..f0455d7 + +.SH "ENTRYPOINTS" + -+The icecast_t SELinux type can be entered via the "icecast_exec_t" file type. The default entrypoint paths for the icecast_t domain are the following:" ++The icecast_t SELinux type can be entered via the \fBicecast_exec_t\fP file type. ++ ++The default entrypoint paths for the icecast_t domain are the following: + +/usr/bin/icecast +.SH PROCESS TYPES 
@@ -38225,27 +67368,153 @@ index 0000000..f0455d7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a icecast_t ++can be used to make the process type icecast_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. icecast policy is extremely flexible and has several booleans that allow you to manipulate the policy and run icecast with the tightest access possible. + + +.PP -+If you want to allow icecast to connect to all ports, not just sound ports, you must turn on the icecast_connect_any boolean. ++If you want to determine whether icecast can listen on and connect to any TCP port, you must turn on the icecast_use_any_tcp_ports boolean. Disabled by default. + +.EX -+.B setsebool -P icecast_connect_any 1 ++.B setsebool -P icecast_use_any_tcp_ports 1 ++ +.EE + +.PP -+If you want to allow icecast to connect to all ports, not just sound ports, you must turn on the icecast_connect_any boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P icecast_connect_any 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the icecast_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the icecast_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type icecast_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B icecast_var_run_t ++ ++ /var/run/icecast(/.*)? ++.br ++ /var/run/icecast\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -38254,7 +67523,31 @@ index 0000000..f0455d7 +Policy governs the access confined processes have to these files. +SELinux icecast policy is very flexible allowing users to setup their icecast processes in as secure a method as possible. +.PP -+The following file types are defined for icecast: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++icecast policy stores data with multiple different file context types under the /var/run/icecast directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/icecast /srv/icecast ++.br ++.B restorecon -R -v /srv/icecast ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the icecast, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t icecast_exec_t '/srv/icecast/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myicecast_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for icecast: + + +.EX @@ -38286,8 +67579,12 @@ index 0000000..f0455d7 +.B icecast_var_run_t +.EE + -+- Set files with the icecast_var_run_t type, if you want to store the icecast files under the /run directory. ++- Set files with the icecast_var_run_t type, if you want to store the icecast files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/icecast(/.*)?, /var/run/icecast\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -38296,38 +67593,6 @@ index 0000000..f0455d7 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type icecast_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B icecast_log_t -+ -+ /var/log/icecast(/.*)? -+.br -+ -+.br -+.B icecast_var_run_t -+ -+ /var/run/icecast(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the icecast_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the icecast_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -38356,11 +67621,11 @@ index 0000000..f0455d7 \ No newline at end of file diff --git a/man/man8/ifconfig_selinux.8 b/man/man8/ifconfig_selinux.8 new file mode 100644 -index 0000000..955a7ad +index 0000000..b8f9968 --- /dev/null +++ b/man/man8/ifconfig_selinux.8 -@@ -0,0 +1,114 @@ -+.TH "ifconfig_selinux" "8" "12-11-01" "ifconfig" "SELinux Policy documentation for ifconfig" +@@ -0,0 +1,221 @@ ++.TH "ifconfig_selinux" "8" "13-01-16" "ifconfig" "SELinux Policy documentation for ifconfig" +.SH "NAME" +ifconfig_selinux \- Security Enhanced Linux Policy for the ifconfig processes +.SH "DESCRIPTION" 
@@ -38376,7 +67641,9 @@ index 0000000..955a7ad + +.SH "ENTRYPOINTS" + -+The ifconfig_t SELinux type can be entered via the "ifconfig_exec_t" file type. The default entrypoint paths for the ifconfig_t domain are the following:" ++The ifconfig_t SELinux type can be entered via the \fBifconfig_exec_t\fP file type. ++ ++The default entrypoint paths for the ifconfig_t domain are the following: + +/bin/ip, /sbin/ip, /sbin/tc, /usr/bin/ip, /usr/sbin/ip, /usr/sbin/tc, /sbin/ethtool, /sbin/ifconfig, /sbin/iwconfig, /sbin/mii-tool, /usr/sbin/ethtool, /usr/sbin/ifconfig, /usr/sbin/iwconfig, /usr/sbin/mii-tool, /sbin/ipx_configure, /sbin/ipx_interface, /sbin/ipx_internal_net, /usr/sbin/ipx_configure, /usr/sbin/ipx_interface, /usr/sbin/ipx_internal_net +.SH PROCESS TYPES 
@@ -38394,34 +67661,108 @@ index 0000000..955a7ad +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ifconfig_t ++can be used to make the process type ifconfig_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux ifconfig policy is very flexible allowing users to setup their ifconfig processes in as secure a method as possible. -+.PP -+The following file types are defined for ifconfig: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ifconfig policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ifconfig with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B ifconfig_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the ifconfig_exec_t type, if you want to transition an executable to the ifconfig_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ifconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ifconfig_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -38437,21 +67778,48 @@ index 0000000..955a7ad + /var/run/racoon\.pid +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux ifconfig policy is very flexible allowing users to setup their ifconfig processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ifconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ifconfig, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ifconfig_exec_t '/srv/ifconfig/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myifconfig_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ifconfig: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B ifconfig_exec_t +.EE + ++- Set files with the ifconfig_exec_t type, if you want to transition an executable to the ifconfig_t domain. ++ ++.br ++.TP 5 ++Paths: ++/bin/ip, /sbin/ip, /sbin/tc, /usr/bin/ip, /usr/sbin/ip, /usr/sbin/tc, /sbin/ethtool, /sbin/ifconfig, /sbin/iwconfig, /sbin/mii-tool, /usr/sbin/ethtool, /usr/sbin/ifconfig, /usr/sbin/iwconfig, /usr/sbin/mii-tool, /sbin/ipx_configure, /sbin/ipx_interface, /sbin/ipx_internal_net, /usr/sbin/ipx_configure, /usr/sbin/ipx_interface, /usr/sbin/ipx_internal_net ++ +.PP -+If you want to allow confined applications to run with kerberos for the ifconfig_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -38463,6 +67831,9 @@ index 0000000..955a7ad +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -38474,13 +67845,15 @@ index 0000000..955a7ad + +.SH "SEE ALSO" +selinux(8), ifconfig(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/inetd_child_selinux.8 b/man/man8/inetd_child_selinux.8 new file mode 100644 -index 0000000..8239b51 +index 0000000..9a2b696 --- /dev/null +++ b/man/man8/inetd_child_selinux.8 -@@ -0,0 +1,157 @@ -+.TH "inetd_child_selinux" "8" "12-11-01" "inetd_child" "SELinux Policy documentation for inetd_child" +@@ -0,0 +1,255 @@ ++.TH "inetd_child_selinux" "8" "13-01-16" "inetd_child" "SELinux Policy documentation for inetd_child" +.SH "NAME" +inetd_child_selinux \- Security Enhanced Linux Policy for the inetd_child processes +.SH "DESCRIPTION" 
@@ -38496,9 +67869,11 @@ index 0000000..8239b51 + +.SH "ENTRYPOINTS" + -+The inetd_child_t SELinux type can be entered via the "inetd_child_exec_t" file type. The default entrypoint paths for the inetd_child_t domain are the following:" ++The inetd_child_t SELinux type can be entered via the \fBinetd_child_exec_t\fP file type. + -+/usr/sbin/in\..*d, /usr/local/lib/pysieved/pysieved.*\.py, /usr/sbin/identd ++The default entrypoint paths for the inetd_child_t domain are the following: ++ ++/usr/sbin/in\..*d, /usr/lib/pysieved/pysieved.*\.py, /usr/local/lib/pysieved/pysieved.*\.py, /usr/sbin/identd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -38514,50 +67889,100 @@ index 0000000..8239b51 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a inetd_child_t ++can be used to make the process type inetd_child_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux inetd_child policy is very flexible allowing users to setup their inetd_child processes in as secure a method as possible. -+.PP -+The following file types are defined for inetd_child: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. inetd_child policy is extremely flexible and has several booleans that allow you to manipulate the policy and run inetd_child with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B inetd_child_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the inetd_child_exec_t type, if you want to transition an executable to the inetd_child_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B inetd_child_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the inetd_child_tmp_t type, if you want to store inetd child temporary files in the /tmp directories. 
-+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B inetd_child_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the inetd_child_var_run_t type, if you want to store the inetd child files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the inetd_child_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -38596,21 +68021,64 @@ index 0000000..8239b51 +.B inetd_child_var_run_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux inetd_child policy is very flexible allowing users to setup their inetd_child processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the inetd_child, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t inetd_child_exec_t '/srv/inetd_child/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myinetd_child_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for inetd_child: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B inetd_child_exec_t +.EE + ++- Set files with the inetd_child_exec_t type, if you want to transition an executable to the inetd_child_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/in\..*d, /usr/lib/pysieved/pysieved.*\.py, /usr/local/lib/pysieved/pysieved.*\.py, /usr/sbin/identd ++ ++.EX ++.PP ++.B inetd_child_tmp_t ++.EE ++ ++- Set files with the inetd_child_tmp_t type, if you want to store inetd child temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B inetd_child_var_run_t ++.EE ++ ++- Set files with the inetd_child_var_run_t type, if you want to store the inetd child files under the /run or /var/run directory. 
++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the inetd_child_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -38625,6 +68093,9 @@ index 0000000..8239b51 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -38636,15 +68107,15 @@ index 0000000..8239b51 + +.SH "SEE ALSO" +selinux(8), inetd_child(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, inetd_selinux(8), inetd_selinux(8) ++, setsebool(8), inetd_selinux(8), inetd_selinux(8) \ No newline at end of file diff --git a/man/man8/inetd_selinux.8 b/man/man8/inetd_selinux.8 new file mode 100644 -index 0000000..3f605ab +index 0000000..1d21845 --- /dev/null +++ b/man/man8/inetd_selinux.8 -@@ -0,0 +1,203 @@ -+.TH "inetd_selinux" "8" "12-11-01" "inetd" "SELinux Policy documentation for inetd" +@@ -0,0 +1,331 @@ ++.TH "inetd_selinux" "8" "13-01-16" "inetd" "SELinux Policy documentation for inetd" +.SH "NAME" +inetd_selinux \- Security Enhanced Linux Policy for the inetd processes +.SH "DESCRIPTION" 
@@ -38660,7 +68131,9 @@ index 0000000..3f605ab + +.SH "ENTRYPOINTS" + -+The inetd_t SELinux type can be entered via the "inetd_exec_t" file type. The default entrypoint paths for the inetd_t domain are the following:" ++The inetd_t SELinux type can be entered via the \fBinetd_exec_t\fP file type. ++ ++The default entrypoint paths for the inetd_t domain are the following: + +/usr/sbin/inetd, /usr/sbin/xinetd, /usr/sbin/rlinetd +.SH PROCESS TYPES 
@@ -38678,82 +68151,124 @@ index 0000000..3f605ab +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a inetd_t ++can be used to make the process type inetd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux inetd policy is very flexible allowing users to setup their inetd processes in as secure a method as possible. -+.PP -+The following file types are defined for inetd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. inetd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run inetd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B inetd_child_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the inetd_child_exec_t type, if you want to transition an executable to the inetd_child_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B inetd_child_tmp_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the inetd_child_tmp_t type, if you want to store inetd child temporary files in the /tmp directories. 
-+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B inetd_child_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the inetd_child_var_run_t type, if you want to store the inetd child files under the /run directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B inetd_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the inetd_exec_t type, if you want to transition an executable to the inetd_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B inetd_log_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the inetd_log_t type, if you want to treat the data as inetd log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B inetd_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the inetd_tmp_t type, if you want to store inetd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B inetd_var_run_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the inetd_var_run_t type, if you want to store the inetd files under the /run directory. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the inetd_t, inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the inetd_t, inetd_child_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -38785,12 +68300,6 @@ index 0000000..3f605ab +The SELinux process type inetd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B inetd_log_t -+ -+ /var/log/(x)?inetd\.log.* -+.br -+ -+.br +.B inetd_tmp_t + + 
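Review bot: the BOOLEANS section added to inetd_selinux.8 in this hunk carries an inverted description: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default." A boolean named deny_ptrace that is on by default cannot be the thing you turn on to allow ptrace; the "If you want to X, you must turn on Y" template assumes every boolean description is phrased positively, and deny-style booleans need either a negated template or a corrected description. Two smaller points in the same hunk: the NSSWITCH DOMAIN section repeats `authlogin_nsswitch_use_ldap` and `kerberos_enabled`, which BOOLEANS already lists with defaults, so the generator should emit each boolean once; and `inetd_log_t` (`/var/log/(x)?inetd\.log.*`) is removed from inetd_t's MANAGED FILES without a matching changelog entry. If inetd_t really no longer manages its own log type, say so in the spec changelog; if this is a generator regression, the page now under-documents the domain.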
@@ -38801,26 +68310,113 @@ index 0000000..3f605ab +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux inetd policy is very flexible allowing users to setup their inetd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the inetd_t, inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the inetd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t inetd_child_exec_t '/srv/inetd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myinetd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for inetd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B inetd_child_exec_t +.EE + ++- Set files with the inetd_child_exec_t type, if you want to transition an executable to the inetd_child_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/in\..*d, /usr/lib/pysieved/pysieved.*\.py, /usr/local/lib/pysieved/pysieved.*\.py, /usr/sbin/identd ++ ++.EX ++.PP ++.B inetd_child_tmp_t ++.EE ++ ++- Set files with the inetd_child_tmp_t type, if you want to store inetd child temporary files in the /tmp directories. 
++ ++ ++.EX ++.PP ++.B inetd_child_var_run_t ++.EE ++ ++- Set files with the inetd_child_var_run_t type, if you want to store the inetd child files under the /run or /var/run directory. ++ ++ ++.EX ++.PP ++.B inetd_exec_t ++.EE ++ ++- Set files with the inetd_exec_t type, if you want to transition an executable to the inetd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/inetd, /usr/sbin/xinetd, /usr/sbin/rlinetd ++ ++.EX ++.PP ++.B inetd_log_t ++.EE ++ ++- Set files with the inetd_log_t type, if you want to treat the data as inetd log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B inetd_tmp_t ++.EE ++ ++- Set files with the inetd_tmp_t type, if you want to store inetd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B inetd_var_run_t ++.EE ++ ++- Set files with the inetd_var_run_t type, if you want to store the inetd files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the inetd_t, inetd_child_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -38835,6 +68431,9 @@ index 0000000..3f605ab +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -38846,15 +68445,15 @@ index 0000000..3f605ab + +.SH "SEE ALSO" +selinux(8), inetd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, inetd_child_selinux(8) ++, setsebool(8), inetd_child_selinux(8) \ No newline at end of file 
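Review bot: this hunk adds `root_t` with paths `/` and `/initrd` to the MANAGED FILES of inetd_t, which documents that the inetd domain may create and write files labeled root_t, i.e. in the filesystem root. That is a wide grant for a network super-server and reads like the result of a broad interface rather than an intended access; please confirm it is wanted, and if not, narrow the policy rather than ship the documentation of it. The STANDARD FILE CONTEXT example in the same hunk has the same template defect as the other generated pages: `semanage fcontext -a -t inetd_child_exec_t '/srv/inetd/content(/.*)?'` is followed by `restorecon -R -v /srv/myinetd_content`, so the two commands act on different paths, and the chosen type is an entrypoint type rather than a data type.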
diff --git a/man/man8/init_selinux.8 b/man/man8/init_selinux.8 new file mode 100644 -index 0000000..d772d9a +index 0000000..544fd87 --- /dev/null +++ b/man/man8/init_selinux.8 -@@ -0,0 +1,465 @@ -+.TH "init_selinux" "8" "12-11-01" "init" "SELinux Policy documentation for init" +@@ -0,0 +1,581 @@ ++.TH "init_selinux" "8" "13-01-16" "init" "SELinux Policy documentation for init" +.SH "NAME" +init_selinux \- Security Enhanced Linux Policy for the init processes +.SH "DESCRIPTION" @@ -38870,7 +68469,9 @@ index 0000000..d772d9a + +.SH "ENTRYPOINTS" + -+The init_t SELinux type can be entered via the "init_exec_t" file type. The default entrypoint paths for the init_t domain are the following:" ++The init_t SELinux type can be entered via the \fBinit_exec_t\fP file type. ++ ++The default entrypoint paths for the init_t domain are the following: + +/sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*, /usr/lib/systemd/system-generators/[^/]*, /bin/systemd, /sbin/upstart, /usr/bin/systemd, /usr/sbin/upstart +.SH PROCESS TYPES 
@@ -38888,106 +68489,108 @@ index 0000000..d772d9a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a init_t ++can be used to make the process type init_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux init policy is very flexible allowing users to setup their init processes in as secure a method as possible. -+.PP -+The following file types are defined for init: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. init policy is extremely flexible and has several booleans that allow you to manipulate the policy and run init with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B init_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the init_exec_t type, if you want to transition an executable to the init_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B init_var_lib_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the init_var_lib_t type, if you want to store the init files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.PP -+.B init_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the init_var_run_t type, if you want to store the init files under the /run directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B initctl_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the initctl_t type, if you want to treat the files as initctl data. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B initrc_devpts_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the initrc_devpts_t type, if you want to treat the files as initrc devpts data. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B initrc_exec_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the initrc_exec_t type, if you want to transition an executable to the initrc_t domain. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B initrc_state_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the initrc_state_t type, if you want to treat the files as initrc state data. -+ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.PP -+.B initrc_tmp_t ++.B setsebool -P nis_enabled 1 ++ +.EE + -+- Set files with the initrc_tmp_t type, if you want to store initrc temporary files in the /tmp directories. -+ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
+ +.EX -+.PP -+.B initrc_var_log_t ++.B setsebool -P nscd_use_shm 1 ++ +.EE + -+- Set files with the initrc_var_log_t type, if you want to treat the data as initrc var log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. + +.EX -+.PP -+.B initrc_var_run_t ++.B setsebool -P secure_mode_policyload 1 ++ +.EE + -+- Set files with the initrc_var_run_t type, if you want to store the initrc files under the /run directory. -+ ++.SH NSSWITCH DOMAIN + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the init_t, initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the init_t, initrc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -39012,8 +68615,6 @@ index 0000000..d772d9a +.br +.B consolekit_log_t + -+ /var/log/ConsoleKit(/.*)? -+.br + +.br +.B device_t @@ -39054,10 +68655,10 @@ index 0000000..d772d9a +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -39066,10 +68667,10 @@ index 0000000..d772d9a +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE 
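Review bot: the `secure_mode_policyload` entry added to init_selinux.8 in this hunk is garbled by the template: "If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean." The description is two sentences spliced into a "If you want to X, you must turn on Y" sentence; the generator should either take only the first clause or fall back to printing the description verbatim. The trailing "Enabled by default" also deserves a check against the policy, because the description itself says the boolean blocks changing boolean values, which would make the `setsebool -P` examples on the same page fail on a default system. `deny_ptrace` on this page has the same inverted wording as on the inetd page. In the later hunks on this line, the `/\.autofsck` / `/forcefsck` and `/etc/killpower` / `/etc/nohotplug` changes are pure reordering with no content change; sorting the path list in the generator would keep regenerated man page diffs reviewable. The removal of `/var/log/ConsoleKit(/.*)?` leaves `consolekit_log_t` listed with no paths at all.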
@@ -39130,6 +68731,8 @@ index 0000000..d772d9a + + /etc/locale.conf +.br ++ /etc/vconsole.conf ++.br + /usr/lib/locale(/.*)? +.br + /usr/share/locale(/.*)? @@ -39178,6 +68781,10 @@ index 0000000..d772d9a +.br + +.br ++.B sysctl_type ++ ++ ++.br +.B sysfs_t + + /sys(/.*)? @@ -39222,8 +68829,6 @@ index 0000000..d772d9a +.br + /var/webmin(/.*)? +.br -+ /var/log/cron[^/]* -+.br + /var/log/secure[^/]* +.br + /opt/zimbra/log(/.*)? 
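Review bot: `sysctl_type` is added to MANAGED FILES with an empty path list; it is an attribute, not a file type, so the generator is walking attributes as if they were types and emitting an entry nothing can be labeled with. Filter attributes out of the MANAGED FILES walk, or expand them to the concrete types they cover. The removal of `/var/log/cron[^/]*` from the same section is a file-context change (presumably the path moved to a dedicated log type) that is not mentioned in the spec changelog; generated man pages make such moves visible, so please record it.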
@@ -39281,97 +68886,64 @@ index 0000000..d772d9a + /var/log/wtmp.* +.br + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the init_t, initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the init_t, initrc_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. -+ -+.SH "SEE ALSO" -+selinux(8), init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, initrc_selinux(8) -\ No newline at end of file -diff --git a/man/man8/initrc_selinux.8 b/man/man8/initrc_selinux.8 -new file mode 100644 -index 0000000..6dc8740 ---- /dev/null -+++ b/man/man8/initrc_selinux.8 -@@ -0,0 +1,815 @@ -+.TH "initrc_selinux" "8" "12-11-01" "initrc" "SELinux Policy documentation for initrc" -+.SH "NAME" -+initrc_selinux \- Security Enhanced Linux Policy for the initrc processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the initrc processes via flexible mandatory access control. -+ -+The initrc processes execute with the initrc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
-+ -+For example: -+ -+.B ps -eZ | grep initrc_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The initrc_t SELinux type can be entered via the "glance_api_initrc_exec_t,slapd_initrc_exec_t,clamd_initrc_exec_t,ntop_initrc_exec_t,ntpd_initrc_exec_t,syslogd_initrc_exec_t,ulogd_initrc_exec_t,nscd_initrc_exec_t,bluetooth_initrc_exec_t,chronyd_initrc_exec_t,polipo_initrc_exec_t,boinc_initrc_exec_t,openvpn_initrc_exec_t,nfsd_initrc_exec_t,denyhosts_initrc_exec_t,cgconfig_initrc_exec_t,ddclient_initrc_exec_t,dictd_initrc_exec_t,mongod_initrc_exec_t,ricci_initrc_exec_t,automount_initrc_exec_t,innd_initrc_exec_t,pingd_initrc_exec_t,roundup_initrc_exec_t,zoneminder_initrc_exec_t,certmonger_initrc_exec_t,snort_initrc_exec_t,iwhd_initrc_exec_t,snmpd_initrc_exec_t,radiusd_initrc_exec_t,dhcpd_initrc_exec_t,lircd_initrc_exec_t,cyrus_initrc_exec_t,varnishd_initrc_exec_t,virtd_initrc_exec_t,aiccu_initrc_exec_t,mysqlmanagerd_initrc_exec_t,zabbix_agent_initrc_exec_t,varnishlog_initrc_exec_t,piranha_pulse_initrc_exec_t,glance_registry_initrc_exec_t,collectd_initrc_exec_t,puppetmaster_initrc_exec_t,dovecot_initrc_exec_t,zebra_initrc_exec_t,lldpad_initrc_exec_t,httpd_initrc_exec_t,kdump_initrc_exec_t,munin_initrc_exec_t,soundd_initrc_exec_t,bin_t,uuidd_initrc_exec_t,postfix_initrc_exec_t,ctdbd_initrc_exec_t,glusterd_initrc_exec_t,saslauthd_initrc_exec_t,postgresql_initrc_exec_t,kerberos_initrc_exec_t,apcupsd_initrc_exec_t,cupsd_initrc_exec_t,ksmtuned_initrc_exec_t,tuned_initrc_exec_t,exim_initrc_exec_t,fsdaemon_initrc_exec_t,tgtd_initrc_exec_t,ftpd_initrc_exec_t,ajaxterm_initrc_exec_t,hddtemp_initrc_exec_t,tcsd_initrc_exec_t,rhsmcertd_initrc_exec_t,svnserve_initrc_exec_t,shorewall_initrc_exec_t,aisexec_initrc_exec_t,auditd_initrc_exec_t,likewise_initrc_exec_t,cfengine_initrc_exec_t,initrc_exec_t,wdmd_initrc_exec_t,postgrey_initrc_exec_t,avahi_initrc_exec_t,gpsd_initrc_exec_t,privoxy_initrc_exec_t,pki_ra_script_exec_t,shell_exec_t,nagios_initrc_exec_t,rgmanager_initrc_exec_t,tor_initrc_exec_t,radvd_init
rc_exec_t,cgred_initrc_exec_t,abrt_initrc_exec_t,ipsec_initrc_exec_t,puppet_initrc_exec_t,named_initrc_exec_t,squid_initrc_exec_t,cvs_initrc_exec_t,psad_initrc_exec_t,pppd_initrc_exec_t,afs_initrc_exec_t,canna_initrc_exec_t,firewalld_initrc_exec_t,spamd_initrc_exec_t,nis_initrc_exec_t,samba_initrc_exec_t,pacemaker_initrc_exec_t,mpd_initrc_exec_t,amavis_initrc_exec_t,arpwatch_initrc_exec_t,qpidd_initrc_exec_t,smokeping_initrc_exec_t,bcfg2_initrc_exec_t,callweaver_initrc_exec_t,pki_tps_script_exec_t,pads_initrc_exec_t,mscan_initrc_exec_t,isnsd_initrc_exec_t,rwho_initrc_exec_t,l2tpd_initrc_exec_t,portreserve_initrc_exec_t,NetworkManager_initrc_exec_t,icecast_initrc_exec_t,jabberd_initrc_exec_t,rpcd_initrc_exec_t,vhostmd_initrc_exec_t,nslcd_initrc_exec_t,certmaster_initrc_exec_t,slpd_initrc_exec_t,mysqld_initrc_exec_t,memcached_initrc_exec_t,crond_initrc_exec_t,asterisk_initrc_exec_t,fail2ban_initrc_exec_t,corosync_initrc_exec_t,sssd_initrc_exec_t,zabbix_initrc_exec_t,ypbind_initrc_exec_t,sshd_initrc_exec_t,clvmd_initrc_exec_t,dspam_initrc_exec_t,dhcpc_helper_exec_t,setrans_initrc_exec_t,cmirrord_initrc_exec_t,rngd_initrc_exec_t,prelude_initrc_exec_t,iptables_initrc_exec_t,sendmail_initrc_exec_t,rpcbind_initrc_exec_t,cobblerd_initrc_exec_t,dnsmasq_initrc_exec_t,bitlbee_initrc_exec_t,sanlock_initrc_exec_t" file types. 
The default entrypoint paths for the initrc_t domain are the following:" -+ -+/etc/rc\.d/init\.d/openstack-glance-api, /etc/rc\.d/init\.d/slapd, /etc/rc\.d/init\.d/clamd-wrapper, /etc/rc\.d/init\.d/ntpd, /etc/rc\.d/init\.d/rsyslog, /etc/rc\.d/init\.d/ulogd, /etc/rc\.d/init\.d/nscd, /etc/rc\.d/init\.d/dund, /etc/rc\.d/init\.d/pand, /etc/rc\.d/init\.d/bluetooth, /etc/rc\.d/init\.d/chronyd, /etc/rc\.d/init\.d/polipo, /etc/rc\.d/init\.d/boinc-client, /etc/rc\.d/init\.d/openvpn, /etc/rc\.d/init\.d/nfs, /etc/rc\.d/init\.d/denyhosts, /etc/rc\.d/init\.d/cgconfig, /etc/rc\.d/init\.d/ddclient, /etc/rc\.d/init\.d/dictd, /etc/rc\.d/init\.d/mongod, /etc/rc\.d/init\.d/ricci, /etc/rc\.d/init\.d/autofs, /etc/rc\.d/init\.d/innd, /etc/rc\.d/init\.d/whatsup-pingd, /etc/rc\.d/init\.d/roundup, /etc/rc\.d/init\.d/motion, /etc/rc\.d/init\.d/zoneminder, /etc/rc\.d/init\.d/certmonger, /etc/rc\.d/init\.d/snortd, /etc/rc\.d/init\.d/iwhd, /etc/rc\.d/init\.d/snmpd, /etc/rc\.d/init\.d/snmptrapd, /etc/rc\.d/init\.d/radiusd, /etc/rc\.d/init\.d/dhcpd(6)?, /etc/rc\.d/init\.d/lirc, /etc/rc\.d/init\.d/cyrus, /etc/rc\.d/init\.d/varnish, /etc/rc\.d/init\.d/libvirtd, /etc/rc\.d/init\.d/aiccu, /etc/rc\.d/init\.d/mysqlmanager, /etc/rc\.d/init\.d/zabbix-agentd, /etc/rc\.d/init\.d/varnishlog, /etc/rc\.d/init\.d/varnishncsa, /etc/rc\.d/init\.d/pulse, /etc/rc\.d/init\.d/openstack-glance-registry, /etc/rc\.d/init\.d/collectd, /etc/rc\.d/init\.d/puppetmaster, /etc/rc\.d/init\.d/dovecot, /etc/rc\.d/init\.d/bgpd, /etc/rc\.d/init\.d/ripd, /etc/rc\.d/init\.d/ospfd, /etc/rc\.d/init\.d/zebra, /etc/rc\.d/init\.d/ospf6d, /etc/rc\.d/init\.d/ripngd, /etc/rc\.d/init\.d/lldpad, /etc/init\.d/cherokee, /etc/rc\.d/init\.d/httpd, /etc/rc\.d/init\.d/lighttpd, /etc/rc\.d/init\.d/kdump, /etc/rc\.d/init\.d/munin-node, /etc/rc\.d/init\.d/nasd, /bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, 
/usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, 
/usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, 
/usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, /usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, 
/usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, /usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, 
/usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/share/system-config-securitylevel/system-config-securitylevel\.py, /etc/rc\.d/init\.d/uuidd, /etc/rc\.d/init\.d/postfix, /etc/rc\.d/init\.d/ctdb, /usr/sbin/glusterd, /etc/rc\.d/init\.d/glusterd, /etc/rc\.d/init\.d/sasl, /etc/rc\.d/init\.d/(se)?postgresql, /etc/rc\.d/init\.d/kprop, /etc/rc\.d/init\.d/kadmind, /etc/rc\.d/init\.d/krb524d, /etc/rc\.d/init\.d/krb5kdc, /etc/rc\.d/init\.d/apcupsd, /etc/rc\.d/init\.d/cups, /etc/rc\.d/init\.d/ksmtuned, /etc/rc\.d/init\.d/tuned, /etc/rc\.d/init\.d/exim, /etc/rc\.d/init\.d/smartd, /etc/rc\.d/init\.d/tgtd, /etc/rc\.d/init\.d/vsftpd, /etc/rc\.d/init\.d/proftpd, /etc/rc\.d/init\.d/ajaxterm, /etc/rc\.d/init\.d/hddtemp, /etc/rc\.d/init\.d/tcsd, /etc/rc\.d/init\.d/rhsmcertd, /etc/rc.d/init.d/svnserve, 
/etc/rc\.d/init\.d/shorewall, /etc/rc\.d/init\.d/shorewall-lite, /etc/rc\.d/init\.d/openais, /etc/rc\.d/init\.d/auditd, /etc/rc\.d/init\.d/lwiod, /etc/rc\.d/init\.d/lwsmd, /etc/rc\.d/init\.d/lsassd, /etc/rc\.d/init\.d/lwregd, /etc/rc\.d/init\.d/dcerpcd, /etc/rc\.d/init\.d/srvsvcd, /etc/rc\.d/init\.d/eventlogd, /etc/rc\.d/init\.d/netlogond, /etc/rc\.d/init\.d/cf-execd, /etc/rc\.d/init\.d/cf-serverd, /etc/rc\.d/init\.d/cf-monitord, /etc/init\.d/.*, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*, /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*, /opt/nfast/scripts/init.d/(.*), /etc/rc\.d/rc, /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/apachectl, /usr/sbin/ldap-agent, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/init\.d/wdmd, /etc/rc\.d/init\.d/postgrey, /etc/rc\.d/init\.d/avahi.*, /etc/rc\.d/init\.d/gpsd, /etc/rc\.d/init\.d/privoxy, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /etc/rc\.d/init\.d/nrpe, /etc/rc\.d/init\.d/nagios, /etc/rc\.d/init\.d/cpglockd, /etc/rc\.d/init\.d/rgmanager, /etc/rc\.d/init\.d/heartbeat, /etc/rc\.d/init\.d/tor, /etc/rc\.d/init\.d/radvd, /etc/rc\.d/init\.d/cgred, /etc/rc\.d/init\.d/abrt, /etc/rc\.d/init\.d/ipsec, /etc/rc\.d/init\.d/racoon, /etc/rc\.d/init\.d/puppet, /etc/rc\.d/init\.d/named, /etc/rc\.d/init\.d/unbound, /etc/rc\.d/init\.d/squid, /etc/rc\.d/init\.d/psad, 
/etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc\.d/init\.d/ppp, /etc/rc\.d/init\.d/afs, /etc/rc\.d/init\.d/openafs-client, /etc/rc\.d/init\.d/canna, /etc/rc\.d/init\.d/firewalld, /etc/rc\.d/init\.d/mimedefang.*, /etc/rc\.d/init\.d/spamd, /etc/rc\.d/init\.d/spampd, /etc/rc\.d/init\.d/pyzord, /etc/rc\.d/init\.d/ypserv, /etc/rc\.d/init\.d/ypxfrd, /etc/rc\.d/init\.d/yppasswd, /etc/rc\.d/init\.d/nmb, /etc/rc\.d/init\.d/smb, /etc/rc\.d/init\.d/winbind, /etc/rc\.d/init\.d/pacemaker, /etc/rc\.d/init\.d/mpd, /etc/rc\.d/init\.d/amavis, /etc/rc\.d/init\.d/amavisd-snmp, /etc/rc\.d/init\.d/arpwatch, /etc/rc\.d/init\.d/qpidd, /etc/rc\.d/init\.d/smokeping, /etc/rc\.d/init\.d/bcfg2, /etc/rc\.d/init\.d/callweaver, /etc/rc\.d/init\.d/pads, /etc/rc\.d/init\.d/MailScanner, /etc/rc\.d/init\.d/isnsd, /etc/rc\.d/init\.d/rwhod, /etc/rc\.d/init\.d/xl2tpd, /etc/rc\.d/init\.d/prol2tpd, /etc/rc\.d/init\.d/openl2tpd, /etc/rc\.d/init\.d/portreserve, /usr/libexec/nm-dispatcher.action, /etc/NetworkManager/dispatcher\.d(/.*)?, /etc/rc\.d/init\.d/wicd, /etc/rc\.d/init\.d/icecast, /etc/rc\.d/init\.d/jabberd, /etc/rc\.d/init\.d/nfslock, /etc/rc\.d/init\.d/rpcidmapd, /etc/rc.d/init.d/vhostmd, /etc/rc\.d/init\.d/nslcd, /etc/rc\.d/init\.d/certmaster, /etc/rc\.d/init\.d/slpd, /etc/rc\.d/init\.d/mysqld, /etc/rc\.d/init\.d/memcached, /etc/rc\.d/init\.d/atd, /etc/rc\.d/init\.d/asterisk, /etc/rc\.d/init\.d/fail2ban, /etc/rc\.d/init\.d/corosync, /etc/rc\.d/init\.d/sssd, /etc/rc\.d/init\.d/zabbix, /etc/rc\.d/init\.d/zabbix-server, /etc/rc\.d/init\.d/ypbind, /etc/rc\.d/init\.d/sshd, /etc/rc\.d/init\.d/dspam, /etc/firestarter/firestarter\.sh, /etc/rc\.d/init\.d/mcstrans, /etc/rc\.d/init\.d/cmirrord, /etc/rc\.d/init\.d/rngd, /etc/rc\.d/init\.d/prelude-lml, /etc/rc\.d/init\.d/prelude-manager, /etc/rc\.d/init\.d/prelude-correlator, /etc/rc\.d/init\.d/ip6?tables, /etc/rc\.d/init\.d/ebtables, /etc/rc\.d/init\.d/sendmail, /etc/rc\.d/init\.d/rpcbind, /etc/rc\.d/init\.d/cobblerd, /etc/rc\.d/init\.d/dnsmasq, 
/etc/rc\.d/init\.d/bitlbee, /etc/rc\.d/init\.d/sanlock -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux initrc policy is very flexible allowing users to setup their initrc processes in as secure a method as possible. -+.PP -+The following process types are defined for initrc: -+ -+.EX -+.B initrc_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP +Policy governs the access confined processes have to these files. -+SELinux initrc policy is very flexible allowing users to setup their initrc processes in as secure a method as possible. ++SELinux init policy is very flexible allowing users to setup their init processes in as secure a method as possible. +.PP -+The following file types are defined for initrc: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the init, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t init_exec_t '/srv/init/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myinit_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for init: ++ ++ ++.EX ++.PP ++.B init_exec_t ++.EE ++ ++- Set files with the init_exec_t type, if you want to transition an executable to the init_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/sbin/init(ng)?, /usr/sbin/init(ng)?, /usr/lib/systemd/[^/]*, /usr/lib/systemd/system-generators/[^/]*, /bin/systemd, /sbin/upstart, /usr/bin/systemd, /usr/sbin/upstart ++ ++.EX ++.PP ++.B init_var_lib_t ++.EE ++ ++- Set files with the init_var_lib_t type, if you want to store the init files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B init_var_run_t ++.EE ++ ++- Set files with the init_var_run_t type, if you want to store the init files under the /run or /var/run directory. ++ ++ ++.EX ++.PP ++.B initctl_t ++.EE ++ ++- Set files with the initctl_t type, if you want to treat the files as initctl data. + + +.EX @@ -39389,6 +68961,10 @@ index 0000000..6dc8740 + +- Set files with the initrc_exec_t type, if you want to transition an executable to the initrc_t domain. + ++.br ++.TP 5 ++Paths: ++/etc/init\.d/.*, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*, /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*, /opt/nfast/scripts/init.d/(.*), /etc/rc\.d/rc, /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/apachectl, /usr/sbin/ldap-agent, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/share/system-config-services/system-config-services-mechanism\.py + +.EX +.PP @@ -39419,8 +68995,12 @@ index 0000000..6dc8740 +.B initrc_var_run_t +.EE + -+- Set files with the initrc_var_run_t type, if you want to store the initrc files under the /run directory. ++- Set files with the initrc_var_run_t type, if you want to store the initrc files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/utmp, /var/run/random-seed, /var/run/runlevel\.dir, /var/run/setmixer_flag + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -39429,6 +69009,170 @@ index 0000000..6dc8740 +.B restorecon +to apply the labels. + ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), initrc_selinux(8) +\ No newline at end of file +diff --git a/man/man8/initrc_selinux.8 b/man/man8/initrc_selinux.8 +new file mode 100644 +index 0000000..b177a50 +--- /dev/null ++++ b/man/man8/initrc_selinux.8 +@@ -0,0 +1,920 @@ ++.TH "initrc_selinux" "8" "13-01-16" "initrc" "SELinux Policy documentation for initrc" ++.SH "NAME" ++initrc_selinux \- Security Enhanced Linux Policy for the initrc processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the initrc processes via flexible mandatory access control. ++ ++The initrc processes execute with the initrc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++ ++For example: ++ ++.B ps -eZ | grep initrc_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The initrc_t SELinux type can be entered via the \fBpolipo_initrc_exec_t, entropyd_initrc_exec_t, openvpn_initrc_exec_t, quantum_initrc_exec_t, ddclient_initrc_exec_t, dictd_initrc_exec_t, ricci_initrc_exec_t, innd_initrc_exec_t, pingd_initrc_exec_t, cgconfig_initrc_exec_t, mongod_initrc_exec_t, iwhd_initrc_exec_t, condor_initrc_exec_t, rabbitmq_initrc_exec_t, radiusd_initrc_exec_t, automount_initrc_exec_t, dhcpd_initrc_exec_t, lircd_initrc_exec_t, cyrus_initrc_exec_t, varnishd_initrc_exec_t, roundup_initrc_exec_t, virtd_initrc_exec_t, zoneminder_initrc_exec_t, certmonger_initrc_exec_t, snort_initrc_exec_t, snmpd_initrc_exec_t, aiccu_initrc_exec_t, mysqlmanagerd_initrc_exec_t, zabbix_agent_initrc_exec_t, ciped_initrc_exec_t, foghorn_initrc_exec_t, varnishlog_initrc_exec_t, piranha_pulse_initrc_exec_t, glance_registry_initrc_exec_t, collectd_initrc_exec_t, drbd_initrc_exec_t, uucpd_initrc_exec_t, dovecot_initrc_exec_t, zebra_initrc_exec_t, lldpad_initrc_exec_t, puppetmaster_initrc_exec_t, munin_initrc_exec_t, openct_initrc_exec_t, soundd_initrc_exec_t, httpd_initrc_exec_t, kdump_initrc_exec_t, uuidd_initrc_exec_t, postfix_initrc_exec_t, ctdbd_initrc_exec_t, glusterd_initrc_exec_t, bin_t, saslauthd_initrc_exec_t, postgresql_initrc_exec_t, kerberos_initrc_exec_t, cyphesis_initrc_exec_t, vnstatd_initrc_exec_t, apcupsd_initrc_exec_t, cupsd_initrc_exec_t, keystone_initrc_exec_t, exim_initrc_exec_t, ksmtuned_initrc_exec_t, tuned_initrc_exec_t, vdagentd_initrc_exec_t, mcelog_initrc_exec_t, ftpd_initrc_exec_t, fcoemon_initrc_exec_t, fsdaemon_initrc_exec_t, tgtd_initrc_exec_t, ajaxterm_initrc_exec_t, shorewall_initrc_exec_t, hddtemp_initrc_exec_t, tcsd_initrc_exec_t, rhsmcertd_initrc_exec_t, svnserve_initrc_exec_t, mdadm_initrc_exec_t, likewise_initrc_exec_t, cfengine_initrc_exec_t, portmap_initrc_exec_t, initrc_exec_t, aisexec_initrc_exec_t, postgrey_initrc_exec_t, auditd_initrc_exec_t, 
avahi_initrc_exec_t, gpsd_initrc_exec_t, privoxy_initrc_exec_t, wdmd_initrc_exec_t, shell_exec_t, rgmanager_initrc_exec_t, pki_ra_script_exec_t, tor_initrc_exec_t, radvd_initrc_exec_t, abrt_initrc_exec_t, acct_initrc_exec_t, nagios_initrc_exec_t, ipsec_initrc_exec_t, puppet_initrc_exec_t, cgred_initrc_exec_t, amtu_initrc_exec_t, named_initrc_exec_t, irqbalance_initrc_exec_t, gpm_initrc_exec_t, squid_initrc_exec_t, cvs_initrc_exec_t, ccs_initrc_exec_t, apmd_initrc_exec_t, afs_initrc_exec_t, spamd_initrc_exec_t, nis_initrc_exec_t, psad_initrc_exec_t, rtkit_daemon_initrc_exec_t, pppd_initrc_exec_t, mpd_initrc_exec_t, canna_initrc_exec_t, firewalld_initrc_exec_t, samba_initrc_exec_t, pacemaker_initrc_exec_t, qpidd_initrc_exec_t, smokeping_initrc_exec_t, bcfg2_initrc_exec_t, amavis_initrc_exec_t, pki_tps_script_exec_t, arpwatch_initrc_exec_t, dlm_controld_initrc_exec_t, iscsi_initrc_exec_t, callweaver_initrc_exec_t, mscan_initrc_exec_t, pads_initrc_exec_t, isnsd_initrc_exec_t, kismet_initrc_exec_t, NetworkManager_initrc_exec_t, rwho_initrc_exec_t, jabberd_initrc_exec_t, l2tpd_initrc_exec_t, portreserve_initrc_exec_t, sysstat_initrc_exec_t, vhostmd_initrc_exec_t, certmaster_initrc_exec_t, pcscd_initrc_exec_t, icecast_initrc_exec_t, rpcd_initrc_exec_t, mysqld_initrc_exec_t, sensord_initrc_exec_t, nslcd_initrc_exec_t, crond_initrc_exec_t, smsd_initrc_exec_t, slpd_initrc_exec_t, couchdb_initrc_exec_t, memcached_initrc_exec_t, asterisk_initrc_exec_t, corosync_initrc_exec_t, ypbind_initrc_exec_t, clvmd_initrc_exec_t, fetchmail_initrc_exec_t, sendmail_initrc_exec_t, dhcpc_helper_exec_t, fail2ban_initrc_exec_t, sssd_initrc_exec_t, zabbix_initrc_exec_t, prelude_initrc_exec_t, sshd_initrc_exec_t, dspam_initrc_exec_t, setrans_initrc_exec_t, cmirrord_initrc_exec_t, rngd_initrc_exec_t, cobblerd_initrc_exec_t, bitlbee_initrc_exec_t, iptables_initrc_exec_t, sblim_initrc_exec_t, mrtg_initrc_exec_t, sanlock_initrc_exec_t, dnsmasq_initrc_exec_t, rpcbind_initrc_exec_t, 
glance_api_initrc_exec_t, ntop_initrc_exec_t, ntpd_initrc_exec_t, nscd_initrc_exec_t, bluetooth_initrc_exec_t, chronyd_initrc_exec_t, slapd_initrc_exec_t, clamd_initrc_exec_t, syslogd_initrc_exec_t, ulogd_initrc_exec_t, boinc_initrc_exec_t, nfsd_initrc_exec_t, denyhosts_initrc_exec_t\fP file types. ++ ++The default entrypoint paths for the initrc_t domain are the following: ++ ++All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin. ++/etc/rc\.d/init\.d/polipo, /etc/rc\.d/init\.d/((audio-entropyd)|(haveged)), /etc/rc\.d/init\.d/openvpn, /etc/rc\.d/init\.d/quantum.*, /etc/rc\.d/init\.d/ddclient, /etc/rc\.d/init\.d/dictd, /etc/rc\.d/init\.d/ricci, /etc/rc\.d/init\.d/innd, /etc/rc\.d/init\.d/whatsup-pingd, /etc/rc\.d/init\.d/cgconfig, /etc/rc\.d/init\.d/mongod, /etc/rc\.d/init\.d/iwhd, /etc/rc\.d/init\.d/condor, /etc/rc\.d/init\.d/rabbitmq-server, /etc/rc\.d/init\.d/radiusd, /etc/rc\.d/init\.d/autofs, /etc/rc\.d/init\.d/dhcpd(6)?, /etc/rc\.d/init\.d/lirc, /etc/rc\.d/init\.d/cyrus.*, /etc/rc\.d/init\.d/varnish, /etc/rc\.d/init\.d/roundup, /etc/rc\.d/init\.d/libvirtd, /etc/rc\.d/init\.d/motion, /etc/rc\.d/init\.d/zoneminder, /etc/rc\.d/init\.d/certmonger, /etc/rc\.d/init\.d/snortd, /etc/rc\.d/init\.d/((snmpd)|(snmptrapd)), /etc/rc\.d/init\.d/aiccu, /etc/rc\.d/init\.d/mysqlmanager, /etc/rc\.d/init\.d/zabbix-agentd, /etc/rc\.d/init\.d/ciped.*, /etc/rc\.d/init\.d/varnishlog, /etc/rc\.d/init\.d/varnishncsa, /etc/rc\.d/init\.d/pulse, /etc/rc\.d/init\.d/openstack-glance-registry, /etc/rc\.d/init\.d/collectd, /etc/rc\.d/init\.d/drbd, /etc/rc\.d/init\.d/uucp, /etc/rc\.d/init\.d/dovecot, /etc/rc\.d/init\.d/bgpd, /etc/rc\.d/init\.d/ripd, /etc/rc\.d/init\.d/ospfd, /etc/rc\.d/init\.d/zebra, /etc/rc\.d/init\.d/ospf6d, /etc/rc\.d/init\.d/ripngd, /etc/rc\.d/init\.d/lldpad, /etc/rc\.d/init\.d/puppetmaster, /etc/rc\.d/init\.d/munin-node, /etc/rc\.d/init\.d/openct, /etc/rc\.d/init\.d/nasd, /etc/init\.d/cherokee, /etc/rc\.d/init\.d/httpd, 
/etc/rc\.d/init\.d/lighttpd, /etc/rc\.d/init\.d/kdump, /etc/rc\.d/init\.d/uuidd, /etc/rc\.d/init\.d/postfix, /etc/rc\.d/init\.d/ctdb, /etc/rc\.d/init\.d/gluster.*, /usr/sbin/glusterd, /etc/rc\.d/init\.d/sasl, /etc/rc\.d/init\.d/(se)?postgresql, /etc/rc\.d/init\.d/kprop, /etc/rc\.d/init\.d/kadmind, /etc/rc\.d/init\.d/krb524d, /etc/rc\.d/init\.d/krb5kdc, /etc/rc\.d/init\.d/cyphesis, /etc/rc\.d/init\.d/vnstat, /etc/rc\.d/init\.d/apcupsd, /etc/rc\.d/init\.d/cups, /etc/rc\.d/init\.d/openstack-keystone, /etc/rc\.d/init\.d/exim, /etc/rc\.d/init\.d/ksmtuned, /etc/rc\.d/init\.d/tuned, /etc/rc\.d/init\.d/spice-vdagentd, /etc/rc\.d/init\.d/mcelog, /etc/rc\.d/init\.d/vsftpd, /etc/rc\.d/init\.d/proftpd, /etc/rc\.d/init\.d/fcoe, /etc/rc\.d/init\.d/((smartd)|(smartmontools)), /etc/rc\.d/init\.d/tgtd, /etc/rc\.d/init\.d/ajaxterm, /etc/rc\.d/init\.d/shorewall.*, /etc/rc\.d/init\.d/hddtemp, /etc/rc\.d/init\.d/tcsd, /etc/rc\.d/init\.d/trousers, /etc/rc\.d/init\.d/rhsmcertd, /etc/rc.d/init.d/svnserve, /etc/rc\.d/init\.d/mdmonitor, /etc/rc\.d/init\.d/lwiod, /etc/rc\.d/init\.d/lwsmd, /etc/rc\.d/init\.d/lsassd, /etc/rc\.d/init\.d/lwregd, /etc/rc\.d/init\.d/dcerpcd, /etc/rc\.d/init\.d/srvsvcd, /etc/rc\.d/init\.d/likewise, /etc/rc\.d/init\.d/eventlogd, /etc/rc\.d/init\.d/netlogond, /etc/rc\.d/init\.d/((cf-serverd)|(cf-monitord)|(cf-execd)), /etc/rc\.d/init\.d/portmap, /etc/init\.d/.*, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*, /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*, /opt/nfast/scripts/init.d/(.*), /etc/rc\.d/rc, /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/apachectl, /usr/sbin/ldap-agent, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/init\.d/openais, /etc/rc\.d/init\.d/postgrey, /etc/rc\.d/init\.d/auditd, /etc/rc\.d/init\.d/avahi.*, 
/etc/rc\.d/init\.d/gpsd, /etc/rc\.d/init\.d/privoxy, /etc/rc\.d/init\.d/wdmd, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /etc/rc\.d/init\.d/cpglockd, /etc/rc\.d/init\.d/rgmanager, /etc/rc\.d/init\.d/heartbeat, /etc/rc\.d/init\.d/tor, /etc/rc\.d/init\.d/radvd, /etc/rc\.d/init\.d/abrt, /etc/rc\.d/init\.d/psacct, /etc/rc\.d/init\.d/nrpe, /etc/rc\.d/init\.d/nagios, /etc/rc\.d/init\.d/ipsec, /etc/rc\.d/init\.d/racoon, /etc/rc\.d/init\.d/puppet, /etc/rc\.d/init\.d/cgred, /etc/rc\.d/init\.d/amtu, /etc/rc\.d/init\.d/named, /etc/rc\.d/init\.d/unbound, /etc/rc\.d/init\.d/irqbalance, /etc/rc\.d/init\.d/gpm, /etc/rc\.d/init\.d/squid, /etc/rc\.d/init\.d/cvs, /etc/rc\.d/init\.d/((ccs)|(ccsd)), /etc/rc\.d/init\.d/acpid, /etc/rc\.d/init\.d/(open)?afs, /etc/rc\.d/init\.d/openafs-client, /etc/rc\.d/init\.d/mimedefang.*, /etc/rc\.d/init\.d/spamd, /etc/rc\.d/init\.d/spampd, /etc/rc\.d/init\.d/pyzord, /etc/rc\.d/init\.d/ypserv, /etc/rc\.d/init\.d/ypxfrd, /etc/rc\.d/init\.d/yppasswd, /etc/rc\.d/init\.d/psad, /etc/rc\.d/init\.d/rtkit-daemon, /etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc\.d/init\.d/ppp, /etc/rc\.d/init\.d/mpd, /etc/rc\.d/init\.d/canna, /etc/rc\.d/init\.d/firewalld, /etc/rc\.d/init\.d/nmb, /etc/rc\.d/init\.d/smb, /etc/rc\.d/init\.d/winbind, /etc/rc\.d/init\.d/pacemaker, /etc/rc\.d/init\.d/qpidd, /etc/rc\.d/init\.d/smokeping, /etc/rc\.d/init\.d/bcfg2-server, /etc/rc\.d/init\.d/amavis, /etc/rc\.d/init\.d/amavisd-snmp, /etc/rc\.d/init\.d/arpwatch, /etc/rc\.d/init\.d/((iscsi)|(iscsid)), /etc/rc\.d/init\.d/callweaver, /etc/rc\.d/init\.d/MailScanner, 
/etc/rc\.d/init\.d/pads, /etc/rc\.d/init\.d/isnsd, /etc/rc\.d/init\.d/kismet.*, /usr/libexec/nm-dispatcher.action, /etc/NetworkManager/dispatcher\.d(/.*)?, /etc/rc\.d/init\.d/wicd, /etc/rc\.d/init\.d/rwhod, /etc/rc\.d/init\.d/jabberd, /etc/rc\.d/init\.d/.*l2tpd, /etc/rc\.d/init\.d/portreserve, /etc/rc\.d/init\.d/sysstat, /etc/rc\.d/init\.d/vhostmd, /etc/rc\.d/init\.d/certmaster, /etc/rc\.d/init\.d/pcscd, /etc/rc\.d/init\.d/icecast, /etc/rc\.d/init\.d/nfslock, /etc/rc\.d/init\.d/rpcidmapd, /etc/rc\.d/init\.d/mysqld, /etc/rc\.d/init\.d/sensord, /etc/rc\.d/init\.d/nslcd, /etc/rc\.d/init\.d/atd, /etc/rc\.d/init\.d/smsd, /etc/rc\.d/init\.d/slpd, /etc/rc\.d/init\.d/couchdb, /etc/rc\.d/init\.d/memcached, /etc/rc\.d/init\.d/asterisk, /etc/rc\.d/init\.d/corosync, /etc/rc\.d/init\.d/ypbind, /etc/rc\.d/init\.d/fetchmail, /etc/rc\.d/init\.d/sendmail, /etc/firestarter/firestarter\.sh, /etc/rc\.d/init\.d/fail2ban, /etc/rc\.d/init\.d/sssd, /etc/rc\.d/init\.d/((zabbix)|(zabbix-server)), /etc/rc\.d/init\.d/prelude-lml, /etc/rc\.d/init\.d/prelude-manager, /etc/rc\.d/init\.d/prelude-correlator, /etc/rc\.d/init\.d/sshd, /etc/rc\.d/init\.d/dspam, /etc/rc\.d/init\.d/mcstrans, /etc/rc\.d/init\.d/cmirrord, /etc/rc\.d/init\.d/rngd, /etc/rc\.d/init\.d/cobblerd, /etc/rc\.d/init\.d/bitlbee, /etc/rc\.d/init\.d/ip6?tables, /etc/rc\.d/init\.d/ebtables, /etc/rc\.d/init\.d/gatherer, /etc/rc\.d/init\.d/mrtg, /etc/rc\.d/init\.d/sanlock, /etc/rc\.d/init\.d/dnsmasq, /etc/rc\.d/init\.d/rpcbind, /etc/rc\.d/init\.d/openstack-glance-api, /etc/rc\.d/init\.d/ntop, /etc/rc\.d/init\.d/ntpd, /etc/rc\.d/init\.d/nscd, /etc/rc\.d/init\.d/dund, /etc/rc\.d/init\.d/pand, /etc/rc\.d/init\.d/bluetooth, /etc/rc\.d/init\.d/chronyd, /etc/rc\.d/init\.d/slapd, /etc/rc\.d/init\.d/clamd.*, /etc/rc\.d/init\.d/rsyslog, /etc/rc\.d/init\.d/ulogd, /etc/rc\.d/init\.d/boinc-client, /etc/rc\.d/init\.d/nfs, /etc/rc\.d/init\.d/denyhosts ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the 
system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux initrc policy is very flexible allowing users to setup their initrc processes in as secure a method as possible. ++.PP ++The following process types are defined for initrc: ++ ++.EX ++.B initrc_t ++.EE ++.PP ++Note: ++.B semanage permissive -a initrc_t ++can be used to make the process type initrc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. initrc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run initrc with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the initrc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ +.SH "MANAGED FILES" + +The SELinux process type initrc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. @@ -39482,6 +69226,8 @@ index 0000000..6dc8740 + + /etc/pki(/.*)? +.br ++ /etc/ssl(/.*)? ++.br + /etc/httpd/alias(/.*)? +.br + /usr/share/ssl/certs(/.*)? @@ -39490,6 +69236,10 @@ index 0000000..6dc8740 +.br + /var/named/chroot/etc/pki(/.*)? +.br ++ /usr/share/ca-certificates(/.*)? ++.br ++ /var/named/chroot/etc/localtime ++.br + +.br +.B cgroup_t @@ -39502,8 +69252,6 @@ index 0000000..6dc8740 +.br +.B consolekit_log_t + -+ /var/log/ConsoleKit(/.*)? -+.br + +.br +.B cupsd_log_t @@ -39616,10 +69364,10 @@ index 0000000..6dc8740 +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions 
@@ -39628,10 +69376,10 @@ index 0000000..6dc8740 +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE @@ -39660,12 +69408,12 @@ index 0000000..6dc8740 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B fonts_t @@ -39728,7 +69476,7 @@ index 0000000..6dc8740 +.br +.B lastlog_t + -+ /var/log/lastlog ++ /var/log/lastlog.* +.br + +.br @@ -39748,6 +69496,8 @@ index 0000000..6dc8740 + + /etc/locale.conf +.br ++ /etc/vconsole.conf ++.br + /usr/lib/locale(/.*)? +.br + /usr/share/locale(/.*)? @@ -39776,12 +69526,12 @@ index 0000000..6dc8740 +.br +.B mdadm_var_run_t + -+ /dev/.mdadm\.map -+.br + /dev/md/.* +.br + /var/run/mdadm(/.*)? +.br ++ /dev/\.mdadm\.map ++.br + +.br +.B mnt_t @@ -39848,8 +69598,6 @@ index 0000000..6dc8740 +.br +.B net_conf_t + -+ /etc/ntpd?\.conf.* -+.br + /etc/hosts[^/]* +.br + /etc/yp\.conf.* @@ -39860,8 +69608,6 @@ index 0000000..6dc8740 +.br + /etc/resolv\.conf.* +.br -+ /etc/ntp/step-tickers.* -+.br + /etc/sysconfig/networking(/.*)? +.br + /etc/sysconfig/network-scripts(/.*)? @@ -40032,8 +69778,6 @@ index 0000000..6dc8740 +.br + /var/webmin(/.*)? +.br -+ /var/log/cron[^/]* -+.br + /var/log/secure[^/]* +.br + /opt/zimbra/log(/.*)? @@ -40096,6 +69840,8 @@ index 0000000..6dc8740 + + /var/run/wdmd(/.*)? +.br ++ /var/run/checkquorum-timer ++.br + +.br +.B wtmp_t 
@@ -40103,21 +69849,92 @@ index 0000000..6dc8740 + /var/log/wtmp.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux initrc policy is very flexible allowing users to setup their initrc processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the initrc, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t initrc_devpts_t '/srv/initrc/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myinitrc_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for initrc: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B initrc_devpts_t +.EE + ++- Set files with the initrc_devpts_t type, if you want to treat the files as initrc devpts data. ++ ++ ++.EX ++.PP ++.B initrc_exec_t ++.EE ++ ++- Set files with the initrc_exec_t type, if you want to transition an executable to the initrc_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/etc/init\.d/.*, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/stop-.*, /usr/libexec/dcc/start-.*, /usr/lib/systemd/fedora[^/]*, /opt/nfast/scripts/init.d/(.*), /etc/rc\.d/rc, /etc/X11/prefdm, /usr/sbin/startx, /usr/bin/sepg_ctl, /usr/sbin/apachectl, /usr/sbin/ldap-agent, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/restart-dirsrv, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/share/system-config-services/system-config-services-mechanism\.py ++ ++.EX ++.PP ++.B initrc_state_t ++.EE ++ ++- Set files with the initrc_state_t type, if you want to treat the files as initrc state data. ++ ++ ++.EX ++.PP ++.B initrc_tmp_t ++.EE ++ ++- Set files with the initrc_tmp_t type, if you want to store initrc temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B initrc_var_log_t ++.EE ++ ++- Set files with the initrc_var_log_t type, if you want to treat the data as initrc var log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B initrc_var_run_t ++.EE ++ ++- Set files with the initrc_var_run_t type, if you want to store the initrc files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/utmp, /var/run/random-seed, /var/run/runlevel\.dir, /var/run/setmixer_flag ++ +.PP -+If you want to allow confined applications to run with kerberos for the initrc_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -40129,6 +69946,9 @@ index 0000000..6dc8740 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -40140,15 +69960,15 @@ index 0000000..6dc8740 + +.SH "SEE ALSO" +selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, init_selinux(8) ++, setsebool(8), init_selinux(8) \ No newline at end of file diff --git a/man/man8/innd_selinux.8 b/man/man8/innd_selinux.8 new file mode 100644 -index 0000000..e89f4a3 +index 0000000..ef531db --- /dev/null +++ b/man/man8/innd_selinux.8 -@@ -0,0 +1,182 @@ -+.TH "innd_selinux" "8" "12-11-01" "innd" "SELinux Policy documentation for innd" +@@ -0,0 +1,348 @@ ++.TH "innd_selinux" "8" "13-01-16" "innd" "SELinux Policy documentation for innd" +.SH "NAME" +innd_selinux \- Security Enhanced Linux Policy for the innd processes +.SH "DESCRIPTION" 
@@ -40164,7 +69984,9 @@ index 0000000..e89f4a3 + +.SH "ENTRYPOINTS" + -+The innd_t SELinux type can be entered via the "innd_exec_t" file type. The default entrypoint paths for the innd_t domain are the following:" ++The innd_t SELinux type can be entered via the \fBinnd_exec_t\fP file type. ++ ++The default entrypoint paths for the innd_t domain are the following: + +/usr/sbin/innd.*, /usr/bin/suck, /etc/news/boot, /usr/bin/inews, /usr/bin/rnews, /usr/bin/rpost, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/sm, /usr/lib/news/bin/innd, /usr/lib/news/bin/inews, /usr/lib/news/bin/inndf, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/rnews, /usr/lib/news/bin/expire, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/shlock, /usr/lib/news/bin/actsync, /usr/lib/news/bin/archive, /usr/lib/news/bin/batcher, /usr/lib/news/bin/ctlinnd, /usr/lib/news/bin/getlist, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/makedbz, /usr/lib/news/bin/nntpget, /usr/lib/news/bin/buffchan, /usr/lib/news/bin/convdate, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/filechan, /usr/lib/news/bin/overchan, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/innxbatch, /usr/lib/news/bin/expireover, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/shrinkfile, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/ovdb_recover, /usr/lib/news/bin/prunehistory, /usr/lib/news/bin/startinnfeed +.SH PROCESS TYPES 
@@ -40182,8 +70004,183 @@ index 0000000..e89f4a3 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a innd_t ++can be used to make the process type innd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. innd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run innd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the innd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the innd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. 
++SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible. ++.PP ++The following port types are defined for innd: ++ ++.EX ++.TP 5 ++.B innd_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 119 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type innd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B innd_var_lib_t ++ ++ /var/lib/news(/.*)? ++.br ++ ++.br ++.B innd_var_run_t ++ ++ /var/run/innd(/.*)? ++.br ++ /var/run/news(/.*)? ++.br ++ /var/run/innd\.pid ++.br ++ /var/run/news\.pid ++.br ++ ++.br ++.B news_spool_t ++ ++ /var/spool/news(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -40193,7 +70190,39 @@ index 0000000..e89f4a3 +Policy governs the access confined processes have to these files. +SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible. +.PP -+The following file types are defined for innd: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++innd policy stores data with multiple different file context types under the /var/run/news directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/news /srv/news ++.br ++.B restorecon -R -v /srv/news ++.PP ++ ++.PP ++innd policy stores data with multiple different file context types under the /var/run/innd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/innd /srv/innd ++.br ++.B restorecon -R -v /srv/innd ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the innd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t innd_etc_t '/srv/innd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myinnd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for innd: + + +.EX 
@@ -40211,6 +70240,10 @@ index 0000000..e89f4a3 + +- Set files with the innd_exec_t type, if you want to transition an executable to the innd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/innd.*, /usr/bin/suck, /etc/news/boot, /usr/bin/inews, /usr/bin/rnews, /usr/bin/rpost, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/sm, /usr/lib/news/bin/innd, /usr/lib/news/bin/inews, /usr/lib/news/bin/inndf, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/rnews, /usr/lib/news/bin/expire, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/shlock, /usr/lib/news/bin/actsync, /usr/lib/news/bin/archive, /usr/lib/news/bin/batcher, /usr/lib/news/bin/ctlinnd, /usr/lib/news/bin/getlist, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/makedbz, /usr/lib/news/bin/nntpget, /usr/lib/news/bin/buffchan, /usr/lib/news/bin/convdate, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/filechan, /usr/lib/news/bin/overchan, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/innxbatch, /usr/lib/news/bin/expireover, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/shrinkfile, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/ovdb_recover, /usr/lib/news/bin/prunehistory, /usr/lib/news/bin/startinnfeed + +.EX +.PP @@ -40241,8 +70274,12 @@ index 0000000..e89f4a3 +.B innd_var_run_t +.EE + -+- Set files with the innd_var_run_t type, if you want to store the innd files under the /run directory. ++- Set files with the innd_var_run_t type, if you want to store the innd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/innd(/.*)?, /var/run/news(/.*)?, /var/run/innd\.pid, /var/run/news\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -40251,61 +70288,6 @@ index 0000000..e89f4a3 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux innd policy is very flexible allowing users to setup their innd processes in as secure a method as possible. -+.PP -+The following port types are defined for innd: -+ -+.EX -+.TP 5 -+.B innd_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 119 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type innd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B innd_log_t -+ -+ /var/log/news(/.*)? -+.br -+ -+.br -+.B innd_var_lib_t -+ -+ /var/lib/news(/.*)? -+.br -+ -+.br -+.B innd_var_run_t -+ -+ /var/run/innd(/.*)? -+.br -+ /var/run/news(/.*)? -+.br -+ -+.br -+.B news_spool_t -+ -+ /var/spool/news(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -40319,6 +70301,9 @@ index 0000000..e89f4a3 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -40330,13 +70315,15 @@ index 0000000..e89f4a3 + +.SH "SEE ALSO" +selinux(8), innd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/insmod_selinux.8 b/man/man8/insmod_selinux.8 new file mode 100644 -index 0000000..58787ca +index 0000000..8ed90f7 --- /dev/null 
+++ b/man/man8/insmod_selinux.8 -@@ -0,0 +1,194 @@ -+.TH "insmod_selinux" "8" "12-11-01" "insmod" "SELinux Policy documentation for insmod" +@@ -0,0 +1,273 @@ ++.TH "insmod_selinux" "8" "13-01-16" "insmod" "SELinux Policy documentation for insmod" +.SH "NAME" +insmod_selinux \- Security Enhanced Linux Policy for the insmod processes +.SH "DESCRIPTION" @@ -40352,9 +70339,11 @@ index 0000000..58787ca + +.SH "ENTRYPOINTS" + -+The insmod_t SELinux type can be entered via the "insmod_exec_t" file type. The default entrypoint paths for the insmod_t domain are the following:" ++The insmod_t SELinux type can be entered via the \fBinsmod_exec_t\fP file type. + -+/sbin/rmmod.*, /sbin/insmod.*, /sbin/modprobe.*, /usr/sbin/rmmod.*, /usr/sbin/insmod.*, /usr/sbin/modprobe.*, /usr/bin/kmod ++The default entrypoint paths for the insmod_t domain are the following: ++ ++/sbin/rmmod.*, /sbin/insmod.*, /sbin/modprobe.*, /usr/sbin/rmmod.*, /usr/sbin/insmod.*, /usr/sbin/modprobe.*, /bin/kmod, /usr/bin/kmod +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -40370,75 +70359,117 @@ index 0000000..58787ca +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a insmod_t ++can be used to make the process type insmod_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. insmod policy is extremely flexible and has several booleans that allow you to manipulate the policy and run insmod with the tightest access possible. + + +.PP -+If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean. Disabled by default. + +.EX +.B setsebool -P pppd_can_insmod 1 ++ +.EE + +.PP -+If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. ++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. Enabled by default. + +.EX +.B setsebool -P secure_mode_insmod 1 ++ +.EE + ++.SH NSSWITCH DOMAIN ++ +.PP -+If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the insmod_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.B setsebool -P pppd_can_insmod 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + +.PP -+If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. ++If you want to allow confined applications to run with kerberos for the insmod_t, you must turn on the kerberos_enabled boolean. + +.EX -+.B setsebool -P secure_mode_insmod 1 ++.B setsebool -P kerberos_enabled 1 +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. 
-+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux insmod policy is very flexible allowing users to setup their insmod processes in as secure a method as possible. -+.PP -+The following file types are defined for insmod: -+ -+ -+.EX -+.PP -+.B insmod_exec_t -+.EE -+ -+- Set files with the insmod_exec_t type, if you want to transition an executable to the insmod_t domain. -+ -+ -+.EX -+.PP -+.B insmod_tmpfs_t -+.EE -+ -+- Set files with the insmod_tmpfs_t type, if you want to store insmod files on a tmpfs file system. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH "MANAGED FILES" + +The SELinux process type insmod_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
@@ -40489,21 +70520,56 @@ index 0000000..58787ca + /sys(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux insmod policy is very flexible allowing users to setup their insmod processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the insmod_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the insmod, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t insmod_exec_t '/srv/insmod/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myinsmod_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for insmod: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B insmod_exec_t +.EE + ++- Set files with the insmod_exec_t type, if you want to transition an executable to the insmod_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/rmmod.*, /sbin/insmod.*, /sbin/modprobe.*, /usr/sbin/rmmod.*, /usr/sbin/insmod.*, /usr/sbin/modprobe.*, /bin/kmod, /usr/bin/kmod ++ ++.EX ++.PP ++.B insmod_tmpfs_t ++.EE ++ ++- Set files with the insmod_tmpfs_t type, if you want to store insmod files on a tmpfs file system. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the insmod_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -40533,11 +70599,11 @@ index 0000000..58787ca \ No newline at end of file diff --git a/man/man8/ipsec_mgmt_selinux.8 b/man/man8/ipsec_mgmt_selinux.8 new file mode 100644 -index 0000000..d3feccd +index 0000000..95e3d10 --- /dev/null +++ b/man/man8/ipsec_mgmt_selinux.8 -@@ -0,0 +1,189 @@ -+.TH "ipsec_mgmt_selinux" "8" "12-11-01" "ipsec_mgmt" "SELinux Policy documentation for ipsec_mgmt" +@@ -0,0 +1,291 @@ ++.TH "ipsec_mgmt_selinux" "8" "13-01-16" "ipsec_mgmt" "SELinux Policy documentation for ipsec_mgmt" +.SH "NAME" +ipsec_mgmt_selinux \- Security Enhanced Linux Policy for the ipsec_mgmt processes +.SH "DESCRIPTION" 
@@ -40553,9 +70619,11 @@ index 0000000..d3feccd + +.SH "ENTRYPOINTS" + -+The ipsec_mgmt_t SELinux type can be entered via the "shell_exec_t,ipsec_mgmt_exec_t" file types. The default entrypoint paths for the ipsec_mgmt_t domain are the following:" ++The ipsec_mgmt_t SELinux type can be entered via the \fBipsec_mgmt_exec_t, shell_exec_t\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/ipsec, /usr/lib/ipsec/_plutorun, /usr/lib/ipsec/_plutoload, /usr/libexec/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service ++The default entrypoint paths for the ipsec_mgmt_t domain are the following: ++ ++/usr/sbin/ipsec, /usr/lib/ipsec/_plutorun, /usr/lib/ipsec/_plutoload, /usr/libexec/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -40571,50 +70639,108 @@ index 0000000..d3feccd +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ipsec_mgmt_t ++can be used to make the process type ipsec_mgmt_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux ipsec_mgmt policy is very flexible allowing users to setup their ipsec_mgmt processes in as secure a method as possible. -+.PP -+The following file types are defined for ipsec_mgmt: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ipsec_mgmt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ipsec_mgmt with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B ipsec_mgmt_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the ipsec_mgmt_exec_t type, if you want to transition an executable to the ipsec_mgmt_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B ipsec_mgmt_lock_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the ipsec_mgmt_lock_t type, if you want to treat the files as ipsec mgmt lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B ipsec_mgmt_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the ipsec_mgmt_var_run_t type, if you want to store the ipsec mgmt files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ipsec_mgmt_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -40665,8 +70791,6 @@ index 0000000..d3feccd +.br +.B net_conf_t + -+ /etc/ntpd?\.conf.* -+.br + /etc/hosts[^/]* +.br + /etc/yp\.conf.* @@ -40677,8 +70801,6 @@ index 0000000..d3feccd +.br + /etc/resolv\.conf.* +.br -+ /etc/ntp/step-tickers.* -+.br + /etc/sysconfig/networking(/.*)? +.br + /etc/sysconfig/network-scripts(/.*)? 
@@ -40688,21 +70810,64 @@ index 0000000..d3feccd + /etc/ethers +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux ipsec_mgmt policy is very flexible allowing users to setup their ipsec_mgmt processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ipsec_mgmt, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ipsec_mgmt_exec_t '/srv/ipsec_mgmt/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myipsec_mgmt_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ipsec_mgmt: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B ipsec_mgmt_exec_t +.EE + ++- Set files with the ipsec_mgmt_exec_t type, if you want to transition an executable to the ipsec_mgmt_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/ipsec, /usr/lib/ipsec/_plutorun, /usr/lib/ipsec/_plutoload, /usr/libexec/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service ++ ++.EX ++.PP ++.B ipsec_mgmt_lock_t ++.EE ++ ++- Set files with the ipsec_mgmt_lock_t type, if you want to treat the files as ipsec mgmt lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B ipsec_mgmt_var_run_t ++.EE ++ ++- Set files with the ipsec_mgmt_var_run_t type, if you want to store the ipsec mgmt files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the ipsec_mgmt_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -40714,6 +70879,9 @@ index 0000000..d3feccd +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -40725,15 +70893,15 @@ index 0000000..d3feccd + +.SH "SEE ALSO" +selinux(8), ipsec_mgmt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, ipsec_selinux(8), ipsec_selinux(8) ++, setsebool(8), ipsec_selinux(8), ipsec_selinux(8) \ No newline at end of file diff --git a/man/man8/ipsec_selinux.8 b/man/man8/ipsec_selinux.8 new file mode 100644 -index 0000000..2c1a0c0 +index 0000000..0441753 --- /dev/null 
+++ b/man/man8/ipsec_selinux.8 -@@ -0,0 +1,263 @@ -+.TH "ipsec_selinux" "8" "12-11-01" "ipsec" "SELinux Policy documentation for ipsec" +@@ -0,0 +1,409 @@ ++.TH "ipsec_selinux" "8" "13-01-16" "ipsec" "SELinux Policy documentation for ipsec" +.SH "NAME" +ipsec_selinux \- Security Enhanced Linux Policy for the ipsec processes +.SH "DESCRIPTION" @@ -40749,7 +70917,9 @@ index 0000000..2c1a0c0 + +.SH "ENTRYPOINTS" + -+The ipsec_t SELinux type can be entered via the "ipsec_exec_t" file type. The default entrypoint paths for the ipsec_t domain are the following:" ++The ipsec_t SELinux type can be entered via the \fBipsec_exec_t\fP file type. ++ ++The default entrypoint paths for the ipsec_t domain are the following: + +/usr/lib/ipsec/spi, /usr/lib/ipsec/pluto, /usr/lib/ipsec/eroute, /usr/libexec/ipsec/spi, /usr/libexec/ipsec/pluto, /usr/lib/ipsec/klipsdebug, /usr/libexec/ipsec/eroute, /usr/libexec/ipsec/klipsdebug +.SH PROCESS TYPES 
@@ -40767,106 +70937,124 @@ index 0000000..2c1a0c0 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ipsec_t ++can be used to make the process type ipsec_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux ipsec policy is very flexible allowing users to setup their ipsec processes in as secure a method as possible. -+.PP -+The following file types are defined for ipsec: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ipsec policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ipsec with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B ipsec_conf_file_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the ipsec_conf_file_t type, if you want to treat the files as ipsec conf content. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B ipsec_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the ipsec_exec_t type, if you want to transition an executable to the ipsec_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ +.EX -+.PP -+.B ipsec_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the ipsec_initrc_exec_t type, if you want to transition an executable to the ipsec_initrc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B ipsec_key_file_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the ipsec_key_file_t type, if you want to treat the files as ipsec key content. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B ipsec_log_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the ipsec_log_t type, if you want to treat the data as ipsec log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B ipsec_mgmt_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the ipsec_mgmt_exec_t type, if you want to transition an executable to the ipsec_mgmt_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B ipsec_mgmt_lock_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the ipsec_mgmt_lock_t type, if you want to treat the files as ipsec mgmt lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B ipsec_mgmt_var_run_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the ipsec_mgmt_var_run_t type, if you want to store the ipsec mgmt files under the /run directory. 
-+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B ipsec_tmp_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the ipsec_tmp_t type, if you want to store ipsec temporary files in the /tmp directories. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B ipsec_var_run_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the ipsec_var_run_t type, if you want to store the ipsec files under the /run directory. ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ipsec_t, ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ipsec_t, ipsec_mgmt_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -40926,8 +71114,6 @@ index 0000000..2c1a0c0 +.br +.B net_conf_t + -+ /etc/ntpd?\.conf.* -+.br + /etc/hosts[^/]* +.br + /etc/yp\.conf.* @@ -40938,8 +71124,6 @@ index 0000000..2c1a0c0 +.br + /etc/resolv\.conf.* +.br -+ /etc/ntp/step-tickers.* -+.br + /etc/sysconfig/networking(/.*)? +.br + /etc/sysconfig/network-scripts(/.*)? 
@@ -40950,26 +71134,153 @@ index 0000000..2c1a0c0 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux ipsec policy is very flexible allowing users to setup their ipsec processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ipsec_t, ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ipsec, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ipsec_conf_file_t '/srv/ipsec/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myipsec_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ipsec: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B ipsec_conf_file_t +.EE + ++- Set files with the ipsec_conf_file_t type, if you want to treat the files as ipsec conf content. ++ ++.br ++.TP 5 ++Paths: ++/etc/racoon(/.*)?, /etc/ipsec\.conf ++ ++.EX ++.PP ++.B ipsec_exec_t ++.EE ++ ++- Set files with the ipsec_exec_t type, if you want to transition an executable to the ipsec_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/lib/ipsec/spi, /usr/lib/ipsec/pluto, /usr/lib/ipsec/eroute, /usr/libexec/ipsec/spi, /usr/libexec/ipsec/pluto, /usr/lib/ipsec/klipsdebug, /usr/libexec/ipsec/eroute, /usr/libexec/ipsec/klipsdebug ++ ++.EX ++.PP ++.B ipsec_initrc_exec_t ++.EE ++ ++- Set files with the ipsec_initrc_exec_t type, if you want to transition an executable to the ipsec_initrc_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/ipsec, /etc/rc\.d/init\.d/racoon ++ ++.EX ++.PP ++.B ipsec_key_file_t ++.EE ++ ++- Set files with the ipsec_key_file_t type, if you want to treat the files as ipsec key content. ++ ++.br ++.TP 5 ++Paths: ++/etc/ipsec\.d(/.*)?, /etc/racoon/certs(/.*)?, /etc/ipsec\.secrets, /etc/racoon/psk\.txt ++ ++.EX ++.PP ++.B ipsec_log_t ++.EE ++ ++- Set files with the ipsec_log_t type, if you want to treat the data as ipsec log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B ipsec_mgmt_exec_t ++.EE ++ ++- Set files with the ipsec_mgmt_exec_t type, if you want to transition an executable to the ipsec_mgmt_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/ipsec, /usr/lib/ipsec/_plutorun, /usr/lib/ipsec/_plutoload, /usr/libexec/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service ++ ++.EX ++.PP ++.B ipsec_mgmt_lock_t ++.EE ++ ++- Set files with the ipsec_mgmt_lock_t type, if you want to treat the files as ipsec mgmt lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B ipsec_mgmt_var_run_t ++.EE ++ ++- Set files with the ipsec_mgmt_var_run_t type, if you want to store the ipsec mgmt files under the /run or /var/run directory. ++ ++ ++.EX ++.PP ++.B ipsec_tmp_t ++.EE ++ ++- Set files with the ipsec_tmp_t type, if you want to store ipsec temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B ipsec_var_run_t ++.EE ++ ++- Set files with the ipsec_var_run_t type, if you want to store the ipsec files under the /run or /var/run directory. 
++ ++.br ++.TP 5 ++Paths: ++/var/racoon(/.*)?, /var/run/pluto(/.*)?, /var/run/racoon\.pid ++ +.PP -+If you want to allow confined applications to run with kerberos for the ipsec_t, ipsec_mgmt_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -40984,6 +71295,9 @@ index 0000000..2c1a0c0 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -40995,15 +71309,15 @@ index 0000000..2c1a0c0 + +.SH "SEE ALSO" +selinux(8), ipsec(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, ipsec_mgmt_selinux(8) ++, setsebool(8), ipsec_mgmt_selinux(8) \ No newline at end of file diff --git a/man/man8/iptables_selinux.8 b/man/man8/iptables_selinux.8 new file mode 100644 -index 0000000..66ccd4a +index 0000000..53d798d --- /dev/null +++ b/man/man8/iptables_selinux.8 -@@ -0,0 +1,258 @@ -+.TH "iptables_selinux" "8" "12-11-01" "iptables" "SELinux Policy documentation for iptables" +@@ -0,0 +1,359 @@ ++.TH "iptables_selinux" "8" "13-01-16" "iptables" "SELinux Policy documentation for iptables" +.SH "NAME" +iptables_selinux \- Security Enhanced Linux Policy for the iptables processes +.SH "DESCRIPTION" 
@@ -41019,7 +71333,9 @@ index 0000000..66ccd4a + +.SH "ENTRYPOINTS" + -+The iptables_t SELinux type can be entered via the "iptables_exec_t" file type. The default entrypoint paths for the iptables_t domain are the following:" ++The iptables_t SELinux type can be entered via the \fBiptables_exec_t\fP file type. ++ ++The default entrypoint paths for the iptables_t domain are the following: + +/sbin/ip6?tables, /sbin/ip6?tables-multi, /sbin/ip6?tables-restore, /usr/sbin/ip6?tables, /usr/sbin/ip6?tables-multi, /usr/sbin/ip6?tables-restore, /sbin/ipchains.*, /usr/sbin/ipchains.*, /sbin/ipvsadm, /sbin/ebtables, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /usr/sbin/ebtables, /sbin/xtables-multi, /sbin/ipvsadm-restore, /sbin/ebtables-restore, /usr/sbin/ipvsadm-save, /usr/sbin/xtables-multi, /usr/sbin/ipvsadm-restore, /usr/sbin/ebtables-restore +.SH PROCESS TYPES 
@@ -41037,84 +71353,116 @@ index 0000000..66ccd4a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a iptables_t ++can be used to make the process type iptables_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. iptables policy is extremely flexible and has several booleans that allow you to manipulate the policy and run iptables with the tightest access possible. + + +.PP -+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean. Disabled by default. + +.EX +.B setsebool -P dhcpc_exec_iptables 1 ++ +.EE + +.PP -+If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.B setsebool -P dhcpc_exec_iptables 1 ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux iptables policy is very flexible allowing users to setup their iptables processes in as secure a method as possible. -+.PP -+The following file types are defined for iptables: -+ ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B iptables_exec_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the iptables_exec_t type, if you want to transition an executable to the iptables_t domain. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B iptables_initrc_exec_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the iptables_initrc_exec_t type, if you want to transition an executable to the iptables_initrc_t domain. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B iptables_tmp_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the iptables_tmp_t type, if you want to store iptables temporary files in the /tmp directories. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B iptables_unit_file_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the iptables_unit_file_t type, if you want to treat the files as iptables unit content. -+ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
+ +.EX -+.PP -+.B iptables_var_run_t ++.B setsebool -P nis_enabled 1 ++ +.EE + -+- Set files with the iptables_var_run_t type, if you want to store the iptables files under the /run directory. ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the iptables_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the iptables_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -41141,10 +71489,10 @@ index 0000000..66ccd4a +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -41153,10 +71501,10 @@ index 0000000..66ccd4a +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE 
@@ -41220,21 +71568,88 @@ index 0000000..66ccd4a + /etc/sysconfig/system-config-firewall.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux iptables policy is very flexible allowing users to setup their iptables processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the iptables_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the iptables, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t iptables_exec_t '/srv/iptables/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myiptables_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for iptables: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B iptables_exec_t +.EE + ++- Set files with the iptables_exec_t type, if you want to transition an executable to the iptables_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/sbin/ip6?tables, /sbin/ip6?tables-multi, /sbin/ip6?tables-restore, /usr/sbin/ip6?tables, /usr/sbin/ip6?tables-multi, /usr/sbin/ip6?tables-restore, /sbin/ipchains.*, /usr/sbin/ipchains.*, /sbin/ipvsadm, /sbin/ebtables, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /usr/sbin/ebtables, /sbin/xtables-multi, /sbin/ipvsadm-restore, /sbin/ebtables-restore, /usr/sbin/ipvsadm-save, /usr/sbin/xtables-multi, /usr/sbin/ipvsadm-restore, /usr/sbin/ebtables-restore ++ ++.EX ++.PP ++.B iptables_initrc_exec_t ++.EE ++ ++- Set files with the iptables_initrc_exec_t type, if you want to transition an executable to the iptables_initrc_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/ip6?tables, /etc/rc\.d/init\.d/ebtables ++ ++.EX ++.PP ++.B iptables_tmp_t ++.EE ++ ++- Set files with the iptables_tmp_t type, if you want to store iptables temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B iptables_unit_file_t ++.EE ++ ++- Set files with the iptables_unit_file_t type, if you want to treat the files as iptables unit content. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/systemd/system/ppp.*, /usr/lib/systemd/system/slapd.*, /usr/lib/systemd/system/vsftpd.*, /usr/lib/systemd/system/proftpd.*, /usr/lib/systemd/system/iptables.*, /usr/lib/systemd/system/ip6tables.* ++ ++.EX ++.PP ++.B iptables_var_run_t ++.EE ++ ++- Set files with the iptables_var_run_t type, if you want to store the iptables files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the iptables_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -41264,11 +71679,11 @@ index 0000000..66ccd4a \ No newline at end of file diff --git a/man/man8/irc_selinux.8 b/man/man8/irc_selinux.8 new file mode 100644 -index 0000000..8ca561c +index 0000000..92bb690 --- /dev/null +++ b/man/man8/irc_selinux.8 -@@ -0,0 +1,146 @@ -+.TH "irc_selinux" "8" "12-11-01" "irc" "SELinux Policy documentation for irc" +@@ -0,0 +1,377 @@ ++.TH "irc_selinux" "8" "13-01-16" "irc" "SELinux Policy documentation for irc" +.SH "NAME" +irc_selinux \- Security Enhanced Linux Policy for the irc processes +.SH "DESCRIPTION" @@ -41284,9 +71699,11 @@ index 0000000..8ca561c + +.SH "ENTRYPOINTS" + -+The irc_t SELinux type can be entered via the "irc_exec_t" file type. The default entrypoint paths for the irc_t domain are the following:" ++The irc_t SELinux type can be entered via the \fBirc_exec_t\fP file type. + -+/usr/bin/[st]irc, /usr/bin/ircII, /usr/bin/tinyirc ++The default entrypoint paths for the irc_t domain are the following: ++ ++/usr/bin/[st]irc, /usr/bin/ircII, /usr/bin/irssi, /usr/bin/tinyirc +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -41302,50 +71719,140 @@ index 0000000..8ca561c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a irc_t ++can be used to make the process type irc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux irc policy is very flexible allowing users to setup their irc processes in as secure a method as possible. -+.PP -+The following file types are defined for irc: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. irc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run irc with the tightest access possible. + + ++.PP ++If you want to determine whether irc clients can listen on and connect to any unreserved TCP ports, you must turn on the irc_use_any_tcp_ports boolean. Disabled by default. ++ +.EX -+.PP -+.B irc_exec_t ++.B setsebool -P irc_use_any_tcp_ports 1 ++ +.EE + -+- Set files with the irc_exec_t type, if you want to transition an executable to the irc_t domain. -+ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.PP -+.B irc_home_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the irc_home_t type, if you want to store irc files in the users home directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. 
Enabled by default. + +.EX -+.PP -+.B irc_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the irc_tmp_t type, if you want to store irc temporary files in the /tmp directories. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the irc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the irc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -41375,12 +71882,50 @@ index 0000000..8ca561c +The SELinux process type irc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br +.B irc_home_t + ++ /home/[^/]*/\.irssi(/.*)? ++.br + /home/[^/]*/\.ircmotd +.br ++ /home/pwalsh/\.irssi(/.*)? ++.br ++ /home/pwalsh/\.ircmotd ++.br ++ /home/dwalsh/\.irssi(/.*)? ++.br + /home/dwalsh/\.ircmotd +.br ++ /var/lib/xguest/home/xguest/\.irssi(/.*)? ++.br + /var/lib/xguest/home/xguest/\.ircmotd +.br + 
@@ -41388,7 +71933,104 @@ index 0000000..8ca561c +.B irc_tmp_t + + -+.SH NSSWITCH DOMAIN ++.br ++.B nfs_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux irc policy is very flexible allowing users to setup their irc processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the irc, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t irc_conf_t '/srv/irc/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myirc_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for irc: ++ ++ ++.EX ++.PP ++.B irc_conf_t ++.EE ++ ++- Set files with the irc_conf_t type, if you want to treat the files as irc configuration data, usually stored under the /etc directory. ++ ++ ++.EX ++.PP ++.B irc_exec_t ++.EE ++ ++- Set files with the irc_exec_t type, if you want to transition an executable to the irc_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/[st]irc, /usr/bin/ircII, /usr/bin/irssi, /usr/bin/tinyirc ++ ++.EX ++.PP ++.B irc_home_t ++.EE ++ ++- Set files with the irc_home_t type, if you want to store irc files in the users home directory. 
++ ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.irssi(/.*)?, /home/[^/]*/\.ircmotd, /home/pwalsh/\.irssi(/.*)?, /home/pwalsh/\.ircmotd, /home/dwalsh/\.irssi(/.*)?, /home/dwalsh/\.ircmotd, /var/lib/xguest/home/xguest/\.irssi(/.*)?, /var/lib/xguest/home/xguest/\.ircmotd ++ ++.EX ++.PP ++.B irc_log_home_t ++.EE ++ ++- Set files with the irc_log_home_t type, if you want to store irc log files in the users home directory. ++ ++.br ++.TP 5 ++Paths: ++/home/[^/]*/irclogs(/.*)?, /home/pwalsh/irclogs(/.*)?, /home/dwalsh/irclogs(/.*)?, /var/lib/xguest/home/xguest/irclogs(/.*)? ++ ++.EX ++.PP ++.B irc_tmp_t ++.EE ++ ++- Set files with the irc_tmp_t type, if you want to store irc temporary files in the /tmp directories. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -41403,6 +72045,9 @@ index 0000000..8ca561c +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -41414,13 +72059,15 @@ index 0000000..8ca561c + +.SH "SEE ALSO" +selinux(8), irc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/irqbalance_selinux.8 b/man/man8/irqbalance_selinux.8 new file mode 100644 -index 0000000..e967562 +index 0000000..8236b6b --- /dev/null 
+++ b/man/man8/irqbalance_selinux.8 -@@ -0,0 +1,102 @@ -+.TH "irqbalance_selinux" "8" "12-11-01" "irqbalance" "SELinux Policy documentation for irqbalance" +@@ -0,0 +1,205 @@ ++.TH "irqbalance_selinux" "8" "13-01-16" "irqbalance" "SELinux Policy documentation for irqbalance" +.SH "NAME" +irqbalance_selinux \- Security Enhanced Linux Policy for the irqbalance processes +.SH "DESCRIPTION" @@ -41436,7 +72083,9 @@ index 0000000..e967562 + +.SH "ENTRYPOINTS" + -+The irqbalance_t SELinux type can be entered via the "irqbalance_exec_t" file type. The default entrypoint paths for the irqbalance_t domain are the following:" ++The irqbalance_t SELinux type can be entered via the \fBirqbalance_exec_t\fP file type. ++ ++The default entrypoint paths for the irqbalance_t domain are the following: + +/usr/sbin/irqbalance +.SH PROCESS TYPES 
@@ -41454,8 +72103,94 @@ index 0000000..e967562 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a irqbalance_t ++can be used to make the process type irqbalance_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. irqbalance policy is extremely flexible and has several booleans that allow you to manipulate the policy and run irqbalance with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type irqbalance_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B irqbalance_var_run_t ++ ++ /var/run/irqbalance\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -41465,7 +72200,20 @@ index 0000000..e967562 +Policy governs the access confined processes have to these files. +SELinux irqbalance policy is very flexible allowing users to setup their irqbalance processes in as secure a method as possible. +.PP -+The following file types are defined for irqbalance: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the irqbalance, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t irqbalance_exec_t '/srv/irqbalance/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myirqbalance_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for irqbalance: + + +.EX 
@@ -41478,10 +72226,18 @@ index 0000000..e967562 + +.EX +.PP ++.B irqbalance_initrc_exec_t ++.EE ++ ++- Set files with the irqbalance_initrc_exec_t type, if you want to transition an executable to the irqbalance_initrc_t domain. ++ ++ ++.EX ++.PP +.B irqbalance_var_run_t +.EE + -+- Set files with the irqbalance_var_run_t type, if you want to store the irqbalance files under the /run directory. ++- Set files with the irqbalance_var_run_t type, if you want to store the irqbalance files under the /run or /var/run directory. + + +.PP @@ -41491,16 +72247,6 @@ index 0000000..e967562 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type irqbalance_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B irqbalance_var_run_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -41511,6 +72257,9 @@ index 0000000..e967562 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -41522,13 +72271,15 @@ index 0000000..e967562 + +.SH "SEE ALSO" +selinux(8), irqbalance(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/irssi_selinux.8 b/man/man8/irssi_selinux.8 new file mode 100644 -index 0000000..36617d8 +index 0000000..e7f058b --- /dev/null 
+++ b/man/man8/irssi_selinux.8 -@@ -0,0 +1,158 @@ -+.TH "irssi_selinux" "8" "12-11-01" "irssi" "SELinux Policy documentation for irssi" +@@ -0,0 +1,236 @@ ++.TH "irssi_selinux" "8" "13-01-16" "irssi" "SELinux Policy documentation for irssi" +.SH "NAME" +irssi_selinux \- Security Enhanced Linux Policy for the irssi processes +.SH "DESCRIPTION" @@ -41544,9 +72295,11 @@ index 0000000..36617d8 + +.SH "ENTRYPOINTS" + -+The irssi_t SELinux type can be entered via the "irssi_exec_t" file type. The default entrypoint paths for the irssi_t domain are the following:" ++The irssi_t SELinux type can be entered via the \fBirssi_exec_t\fP file type. ++ ++The default entrypoint paths for the irssi_t domain are the following: ++ + -+/usr/bin/irssi +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -41562,93 +72315,129 @@ index 0000000..36617d8 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a irssi_t ++can be used to make the process type irssi_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. irssi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run irssi with the tightest access possible. + + +.PP -+If you want to allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port, you must turn on the irssi_use_full_network boolean. ++If you want to allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port, you must turn on the irssi_use_full_network boolean. Disabled by default. + +.EX +.B setsebool -P irssi_use_full_network 1 ++ +.EE + +.PP -+If you want to allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port, you must turn on the irssi_use_full_network boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P irssi_use_full_network 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux irssi policy is very flexible allowing users to setup their irssi processes in as secure a method as possible. 
-+.PP -+The following file types are defined for irssi: -+ ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B irssi_etc_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the irssi_etc_t type, if you want to store irssi files in the /etc directories. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B irssi_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the irssi_exec_t type, if you want to transition an executable to the irssi_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B irssi_home_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the irssi_home_t type, if you want to store irssi files in the users home directory. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + -+.SH "MANAGED FILES" ++.EX ++.B setsebool -P global_ssp 1 + -+The SELinux process type irssi_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++.EE + -+.br -+.B irssi_home_t ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + -+ /home/[^/]*/\.irssi(/.*)? -+.br -+ /home/[^/]*/irclogs(/.*)? -+.br -+ /home/dwalsh/\.irssi(/.*)? -+.br -+ /home/dwalsh/irclogs(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.irssi(/.*)? -+.br -+ /var/lib/xguest/home/xguest/irclogs(/.*)? -+.br ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the irssi_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the irssi_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
+ +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 @@ -41661,6 +72450,46 @@ index 0000000..36617d8 +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH "MANAGED FILES" ++ ++The SELinux process type irssi_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B irssi_home_t ++ ++ ++.br ++.B nfs_t ++ ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -41689,11 +72518,11 @@ index 0000000..36617d8 \ No newline at end of file diff --git a/man/man8/iscsid_selinux.8 b/man/man8/iscsid_selinux.8 new file mode 100644 -index 0000000..4e63ee8 +index 0000000..081a2b4 --- /dev/null +++ b/man/man8/iscsid_selinux.8 -@@ -0,0 +1,160 @@ -+.TH "iscsid_selinux" "8" "12-11-01" "iscsid" "SELinux Policy documentation for iscsid" +@@ -0,0 +1,285 @@ ++.TH "iscsid_selinux" "8" "13-01-16" "iscsid" "SELinux Policy documentation for iscsid" +.SH "NAME" +iscsid_selinux \- Security Enhanced Linux Policy for the iscsid processes +.SH "DESCRIPTION" 
@@ -41709,7 +72538,9 @@ index 0000000..4e63ee8 + +.SH "ENTRYPOINTS" + -+The iscsid_t SELinux type can be entered via the "iscsid_exec_t" file type. The default entrypoint paths for the iscsid_t domain are the following:" ++The iscsid_t SELinux type can be entered via the \fBiscsid_exec_t\fP file type. ++ ++The default entrypoint paths for the iscsid_t domain are the following: + +/sbin/iscsid, /sbin/iscsiuio, /usr/sbin/iscsid, /usr/sbin/iscsiuio, /sbin/brcm_iscsiuio, /usr/sbin/brcm_iscsiuio +.SH PROCESS TYPES 
@@ -41727,34 +72558,124 @@ index 0000000..4e63ee8 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a iscsid_t ++can be used to make the process type iscsid_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible. -+.PP -+The following file types are defined for iscsid: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. iscsid policy is extremely flexible and has several booleans that allow you to manipulate the policy and run iscsid with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B iscsid_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the iscsid_exec_t type, if you want to transition an executable to the iscsid_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the iscsid_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the iscsid_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -41790,14 +72711,6 @@ index 0000000..4e63ee8 +.br + +.br -+.B iscsi_log_t -+ -+ /var/log/iscsiuio\.log.* -+.br -+ /var/log/brcm-iscsi\.log.* -+.br -+ -+.br +.B iscsi_tmp_t + + @@ -41806,6 +72719,16 @@ index 0000000..4e63ee8 + + /var/run/iscsid\.pid +.br ++ /var/run/iscsiuio\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.br +.B sysfs_t 
@@ -41813,21 +72736,48 @@ index 0000000..4e63ee8 + /sys(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the iscsid_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the iscsid, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t iscsid_exec_t '/srv/iscsid/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myiscsid_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for iscsid: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B iscsid_exec_t +.EE + ++- Set files with the iscsid_exec_t type, if you want to transition an executable to the iscsid_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/iscsid, /sbin/iscsiuio, /usr/sbin/iscsid, /usr/sbin/iscsiuio, /sbin/brcm_iscsiuio, /usr/sbin/brcm_iscsiuio ++ +.PP -+If you want to allow confined applications to run with kerberos for the iscsid_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. 
You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -41842,6 +72792,9 @@ index 0000000..4e63ee8 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -41853,13 +72806,15 @@ index 0000000..4e63ee8 + +.SH "SEE ALSO" +selinux(8), iscsid(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/isnsd_selinux.8 b/man/man8/isnsd_selinux.8 new file mode 100644 -index 0000000..9811117 +index 0000000..c3f3dd3 --- /dev/null +++ b/man/man8/isnsd_selinux.8 -@@ -0,0 +1,156 @@ -+.TH "isnsd_selinux" "8" "12-11-01" "isnsd" "SELinux Policy documentation for isnsd" +@@ -0,0 +1,261 @@ ++.TH "isnsd_selinux" "8" "13-01-16" "isnsd" "SELinux Policy documentation for isnsd" +.SH "NAME" +isnsd_selinux \- Security Enhanced Linux Policy for the isnsd processes +.SH "DESCRIPTION" @@ -41875,7 +72830,9 @@ index 0000000..9811117 + +.SH "ENTRYPOINTS" + -+The isnsd_t SELinux type can be entered via the "isnsd_exec_t" file type. The default entrypoint paths for the isnsd_t domain are the following:" ++The isnsd_t SELinux type can be entered via the \fBisnsd_exec_t\fP file type. ++ ++The default entrypoint paths for the isnsd_t domain are the following: + +/usr/sbin/isnsd +.SH PROCESS TYPES 
@@ -41893,58 +72850,84 @@ index 0000000..9811117 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a isnsd_t ++can be used to make the process type isnsd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux isnsd policy is very flexible allowing users to setup their isnsd processes in as secure a method as possible. -+.PP -+The following file types are defined for isnsd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. isnsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run isnsd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B isnsd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the isnsd_exec_t type, if you want to transition an executable to the isnsd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B isnsd_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the isnsd_initrc_exec_t type, if you want to transition an executable to the isnsd_initrc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B isnsd_var_lib_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the isnsd_var_lib_t type, if you want to store the isnsd files under the /var/lib directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B isnsd_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the isnsd_var_run_t type, if you want to store the isnsd files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -41989,7 +72972,80 @@ index 0000000..9811117 + /var/run/isnsd\.pid +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux isnsd policy is very flexible allowing users to setup their isnsd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the isnsd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t isnsd_exec_t '/srv/isnsd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myisnsd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for isnsd: ++ ++ ++.EX ++.PP ++.B isnsd_exec_t ++.EE ++ ++- Set files with the isnsd_exec_t type, if you want to transition an executable to the isnsd_t domain. ++ ++ ++.EX ++.PP ++.B isnsd_initrc_exec_t ++.EE ++ ++- Set files with the isnsd_initrc_exec_t type, if you want to transition an executable to the isnsd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B isnsd_var_lib_t ++.EE ++ ++- Set files with the isnsd_var_lib_t type, if you want to store the isnsd files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B isnsd_var_run_t ++.EE ++ ++- Set files with the isnsd_var_run_t type, if you want to store the isnsd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/isnsctl, /var/run/isnsd\.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. 
This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -42004,6 +73060,9 @@ index 0000000..9811117 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -42015,13 +73074,15 @@ index 0000000..9811117 + +.SH "SEE ALSO" +selinux(8), isnsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/iwhd_selinux.8 b/man/man8/iwhd_selinux.8 new file mode 100644 -index 0000000..cea1bb7 +index 0000000..0bdf74c --- /dev/null +++ b/man/man8/iwhd_selinux.8 -@@ -0,0 +1,140 @@ -+.TH "iwhd_selinux" "8" "12-11-01" "iwhd" "SELinux Policy documentation for iwhd" +@@ -0,0 +1,297 @@ ++.TH "iwhd_selinux" "8" "13-01-16" "iwhd" "SELinux Policy documentation for iwhd" +.SH "NAME" +iwhd_selinux \- Security Enhanced Linux Policy for the iwhd processes +.SH "DESCRIPTION" @@ -42037,7 +73098,9 @@ index 0000000..cea1bb7 + +.SH "ENTRYPOINTS" + -+The iwhd_t SELinux type can be entered via the "iwhd_exec_t" file type. The default entrypoint paths for the iwhd_t domain are the following:" ++The iwhd_t SELinux type can be entered via the \fBiwhd_exec_t\fP file type. ++ ++The default entrypoint paths for the iwhd_t domain are the following: + +/usr/bin/iwhd +.SH PROCESS TYPES 
@@ -42055,8 +73118,170 @@ index 0000000..cea1bb7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a iwhd_t ++can be used to make the process type iwhd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. iwhd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run iwhd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type iwhd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B iwhd_log_t ++ ++ /var/log/iwhd\.log.* ++.br ++ ++.br ++.B iwhd_var_lib_t ++ ++ /var/lib/iwhd(/.*)? 
++.br ++ ++.br ++.B iwhd_var_run_t ++ ++ /var/run/iwhd\.pid ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -42066,7 +73291,20 @@ index 0000000..cea1bb7 +Policy governs the access confined processes have to these files. +SELinux iwhd policy is very flexible allowing users to setup their iwhd processes in as secure a method as possible. +.PP -+The following file types are defined for iwhd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the iwhd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t iwhd_exec_t '/srv/iwhd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myiwhd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for iwhd: + + +.EX @@ -42106,7 +73344,7 @@ index 0000000..cea1bb7 +.B iwhd_var_run_t +.EE + -+- Set files with the iwhd_var_run_t type, if you want to store the iwhd files under the /run directory. ++- Set files with the iwhd_var_run_t type, if you want to store the iwhd files under the /run or /var/run directory. + + +.PP 
@@ -42116,30 +73354,6 @@ index 0000000..cea1bb7 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type iwhd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B iwhd_log_t -+ -+ /var/log/iwhd\.log.* -+.br -+ -+.br -+.B iwhd_var_lib_t -+ -+ /var/lib/iwhd(/.*)? -+.br -+ -+.br -+.B iwhd_var_run_t -+ -+ /var/run/iwhd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -42150,6 +73364,9 @@ index 0000000..cea1bb7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -42161,13 +73378,15 @@ index 0000000..cea1bb7 + +.SH "SEE ALSO" +selinux(8), iwhd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/jabberd_router_selinux.8 b/man/man8/jabberd_router_selinux.8 new file mode 100644 -index 0000000..6c57f11 +index 0000000..4823424 --- /dev/null +++ b/man/man8/jabberd_router_selinux.8 -@@ -0,0 +1,97 @@ -+.TH "jabberd_router_selinux" "8" "12-11-01" "jabberd_router" "SELinux Policy documentation for jabberd_router" +@@ -0,0 +1,209 @@ ++.TH "jabberd_router_selinux" "8" "13-01-16" "jabberd_router" "SELinux Policy documentation for jabberd_router" +.SH "NAME" +jabberd_router_selinux \- Security Enhanced Linux Policy for the jabberd_router processes +.SH "DESCRIPTION" 
@@ -42183,7 +73402,9 @@ index 0000000..6c57f11 + +.SH "ENTRYPOINTS" + -+The jabberd_router_t SELinux type can be entered via the "jabberd_router_exec_t" file type. The default entrypoint paths for the jabberd_router_t domain are the following:" ++The jabberd_router_t SELinux type can be entered via the \fBjabberd_router_exec_t\fP file type. ++ ++The default entrypoint paths for the jabberd_router_t domain are the following: + +/usr/bin/c2s, /usr/bin/router +.SH PROCESS TYPES 
@@ -42201,34 +73422,92 @@ index 0000000..6c57f11 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a jabberd_router_t ++can be used to make the process type jabberd_router_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux jabberd_router policy is very flexible allowing users to setup their jabberd_router processes in as secure a method as possible. -+.PP -+The following file types are defined for jabberd_router: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. jabberd_router policy is extremely flexible and has several booleans that allow you to manipulate the policy and run jabberd_router with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B jabberd_router_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the jabberd_router_exec_t type, if you want to transition an executable to the jabberd_router_t domain. ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -42240,7 +73519,56 @@ index 0000000..6c57f11 + /var/lib/jabberd(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux jabberd_router policy is very flexible allowing users to setup their jabberd_router processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the jabberd_router, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t jabberd_router_exec_t '/srv/jabberd_router/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myjabberd_router_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for jabberd_router: ++ ++ ++.EX ++.PP ++.B jabberd_router_exec_t ++.EE ++ ++- Set files with the jabberd_router_exec_t type, if you want to transition an executable to the jabberd_router_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/c2s, /usr/bin/router ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -42252,6 +73580,9 @@ index 0000000..6c57f11 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -42263,15 +73594,15 @@ index 0000000..6c57f11 + +.SH "SEE ALSO" +selinux(8), jabberd_router(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, jabberd_selinux(8), jabberd_selinux(8) ++, setsebool(8), jabberd_selinux(8), jabberd_selinux(8) \ No newline at end of file diff --git a/man/man8/jabberd_selinux.8 b/man/man8/jabberd_selinux.8 new file mode 100644 -index 0000000..520a42b +index 0000000..26ecb9d --- /dev/null +++ b/man/man8/jabberd_selinux.8 -@@ -0,0 +1,169 @@ -+.TH "jabberd_selinux" "8" "12-11-01" "jabberd" "SELinux Policy documentation for jabberd" +@@ -0,0 +1,269 @@ ++.TH "jabberd_selinux" "8" "13-01-16" "jabberd" "SELinux Policy documentation for jabberd" +.SH "NAME" +jabberd_selinux \- Security Enhanced Linux Policy for the jabberd processes +.SH "DESCRIPTION" @@ -42287,7 +73618,9 @@ index 0000000..520a42b + +.SH "ENTRYPOINTS" + -+The jabberd_t SELinux type can be entered via the "jabberd_exec_t" file type. The default entrypoint paths for the jabberd_t domain are the following:" ++The jabberd_t SELinux type can be entered via the \fBjabberd_exec_t\fP file type. ++ ++The default entrypoint paths for the jabberd_t domain are the following: + +/usr/bin/sm, /usr/bin/s2s +.SH PROCESS TYPES 
@@ -42305,58 +73638,76 @@ index 0000000..520a42b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a jabberd_t ++can be used to make the process type jabberd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux jabberd policy is very flexible allowing users to setup their jabberd processes in as secure a method as possible. -+.PP -+The following file types are defined for jabberd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. jabberd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run jabberd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B jabberd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the jabberd_exec_t type, if you want to transition an executable to the jabberd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B jabberd_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the jabberd_initrc_exec_t type, if you want to transition an executable to the jabberd_initrc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B jabberd_router_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the jabberd_router_exec_t type, if you want to transition an executable to the jabberd_router_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B jabberd_var_lib_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the jabberd_var_lib_t type, if you want to store the jabberd files under the /var/lib directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -42413,7 +73764,84 @@ index 0000000..520a42b + /var/lib/jabberd(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux jabberd policy is very flexible allowing users to setup their jabberd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the jabberd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t jabberd_exec_t '/srv/jabberd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myjabberd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for jabberd: ++ ++ ++.EX ++.PP ++.B jabberd_exec_t ++.EE ++ ++- Set files with the jabberd_exec_t type, if you want to transition an executable to the jabberd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/sm, /usr/bin/s2s ++ ++.EX ++.PP ++.B jabberd_initrc_exec_t ++.EE ++ ++- Set files with the jabberd_initrc_exec_t type, if you want to transition an executable to the jabberd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B jabberd_router_exec_t ++.EE ++ ++- Set files with the jabberd_router_exec_t type, if you want to transition an executable to the jabberd_router_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/c2s, /usr/bin/router ++ ++.EX ++.PP ++.B jabberd_var_lib_t ++.EE ++ ++- Set files with the jabberd_var_lib_t type, if you want to store the jabberd files under the /var/lib directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -42428,6 +73856,9 @@ index 0000000..520a42b +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -42439,15 +73870,15 @@ index 0000000..520a42b + +.SH "SEE ALSO" +selinux(8), jabberd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, jabberd_router_selinux(8) ++, setsebool(8), jabberd_router_selinux(8) \ No newline at end of file diff --git a/man/man8/jockey_selinux.8 b/man/man8/jockey_selinux.8 new file mode 100644 -index 0000000..2615dc1 +index 0000000..a47dfb5 --- /dev/null +++ b/man/man8/jockey_selinux.8 -@@ -0,0 +1,120 @@ -+.TH "jockey_selinux" "8" "12-11-01" "jockey" "SELinux Policy documentation for jockey" +@@ -0,0 +1,220 @@ ++.TH "jockey_selinux" "8" "13-01-16" "jockey" "SELinux Policy documentation for jockey" +.SH "NAME" +jockey_selinux \- Security Enhanced Linux Policy for the jockey processes +.SH "DESCRIPTION" @@ -42463,7 +73894,9 @@ index 0000000..2615dc1 + +.SH "ENTRYPOINTS" + -+The jockey_t SELinux type can be entered via the "jockey_exec_t" file type. The default entrypoint paths for the jockey_t domain are the following:" ++The jockey_t SELinux type can be entered via the \fBjockey_exec_t\fP file type. ++ ++The default entrypoint paths for the jockey_t domain are the following: + +/usr/share/jockey/jockey-backend +.SH PROCESS TYPES 
@@ -42481,8 +73914,94 @@ index 0000000..2615dc1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a jockey_t ++can be used to make the process type jockey_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. jockey policy is extremely flexible and has several booleans that allow you to manipulate the policy and run jockey with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type jockey_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B jockey_cache_t ++ ++ /var/cache/jockey(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -42492,7 +74011,31 @@ index 0000000..2615dc1 +Policy governs the access confined processes have to these files. +SELinux jockey policy is very flexible allowing users to setup their jockey processes in as secure a method as possible. +.PP -+The following file types are defined for jockey: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++jockey policy stores data with multiple different file context types under the /var/log/jockey directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/jockey /srv/jockey ++.br ++.B restorecon -R -v /srv/jockey ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the jockey, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t jockey_cache_t '/srv/jockey/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myjockey_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for jockey: + + +.EX @@ -42518,6 +74061,10 @@ index 0000000..2615dc1 + +- Set files with the jockey_var_log_t type, if you want to treat the data as jockey var log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/jockey(/.*)?, /var/log/jockey\.log.* + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -42526,26 +74073,6 @@ index 0000000..2615dc1 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type jockey_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B jockey_cache_t -+ -+ /var/cache/jockey(/.*)? -+.br -+ -+.br -+.B jockey_var_log_t -+ -+ /var/log/jockey(/.*)? -+.br -+ /var/log/jockey\.log.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -42556,6 +74083,9 @@ index 0000000..2615dc1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -42567,13 +74097,15 @@ index 0000000..2615dc1 + +.SH "SEE ALSO" +selinux(8), jockey(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/kadmind_selinux.8 b/man/man8/kadmind_selinux.8 new file mode 100644 -index 0000000..f4e852a +index 0000000..46f9376 --- /dev/null +++ b/man/man8/kadmind_selinux.8 -@@ -0,0 +1,162 @@ -+.TH "kadmind_selinux" "8" "12-11-01" "kadmind" "SELinux Policy documentation for kadmind" +@@ -0,0 +1,271 @@ ++.TH "kadmind_selinux" "8" "13-01-16" "kadmind" "SELinux Policy documentation for kadmind" +.SH "NAME" +kadmind_selinux \- Security Enhanced Linux Policy for the kadmind processes +.SH "DESCRIPTION" 
@@ -42589,7 +74121,9 @@ index 0000000..f4e852a + +.SH "ENTRYPOINTS" + -+The kadmind_t SELinux type can be entered via the "kadmind_exec_t" file type. The default entrypoint paths for the kadmind_t domain are the following:" ++The kadmind_t SELinux type can be entered via the \fBkadmind_exec_t\fP file type. ++ ++The default entrypoint paths for the kadmind_t domain are the following: + +/usr/(kerberos/)?sbin/kadmind, /usr/kerberos/sbin/kadmin\.local +.SH PROCESS TYPES 
@@ -42607,64 +74141,94 @@ index 0000000..f4e852a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a kadmind_t ++can be used to make the process type kadmind_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible. -+.PP -+The following file types are defined for kadmind: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. kadmind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run kadmind with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B kadmind_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the kadmind_exec_t type, if you want to transition an executable to the kadmind_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B kadmind_log_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the kadmind_log_t type, if you want to treat the data as kadmind log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B kadmind_tmp_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the kadmind_tmp_t type, if you want to store kadmind temporary files in the /tmp directories. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B kadmind_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the kadmind_var_run_t type, if you want to store the kadmind files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.SH "MANAGED FILES" + +The SELinux process type kadmind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
+ +.br ++.B anon_inodefs_t ++ ++ ++.br +.B kadmind_log_t + + /var/log/kadmin(d)?\.log.* 
@@ -42707,12 +74271,85 @@ index 0000000..f4e852a +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux kadmind policy is very flexible allowing users to setup their kadmind processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the kadmind, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t kadmind_exec_t '/srv/kadmind/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mykadmind_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for kadmind: ++ ++ ++.EX ++.PP ++.B kadmind_exec_t ++.EE ++ ++- Set files with the kadmind_exec_t type, if you want to transition an executable to the kadmind_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/(kerberos/)?sbin/kadmind, /usr/kerberos/sbin/kadmin\.local ++ ++.EX ++.PP ++.B kadmind_log_t ++.EE ++ ++- Set files with the kadmind_log_t type, if you want to treat the data as kadmind log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B kadmind_tmp_t ++.EE ++ ++- Set files with the kadmind_tmp_t type, if you want to store kadmind temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B kadmind_var_run_t ++.EE ++ ++- Set files with the kadmind_var_run_t type, if you want to store the kadmind files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -42724,6 +74361,9 @@ index 0000000..f4e852a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -42735,13 +74375,15 @@ index 0000000..f4e852a + +.SH "SEE ALSO" +selinux(8), kadmind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/kdump_selinux.8 b/man/man8/kdump_selinux.8 new file mode 100644 -index 0000000..5b31590 +index 0000000..144c611 --- /dev/null +++ b/man/man8/kdump_selinux.8 -@@ -0,0 +1,157 @@ -+.TH "kdump_selinux" "8" "12-11-01" "kdump" "SELinux Policy documentation for kdump" +@@ -0,0 +1,231 @@ ++.TH "kdump_selinux" "8" "13-01-16" "kdump" "SELinux Policy documentation for kdump" +.SH "NAME" +kdump_selinux \- Security Enhanced Linux Policy for the kdump processes +.SH "DESCRIPTION" @@ -42757,7 +74399,9 @@ index 0000000..5b31590 + +.SH "ENTRYPOINTS" + -+The kdump_t SELinux type can be entered via the "kdump_exec_t" file type. The default entrypoint paths for the kdump_t domain are the following:" ++The kdump_t SELinux type can be entered via the \fBkdump_exec_t\fP file type. ++ ++The default entrypoint paths for the kdump_t domain are the following: + +/sbin/kdump, /sbin/kexec, /usr/sbin/kdump, /usr/sbin/kexec +.SH PROCESS TYPES 
@@ -42775,8 +74419,76 @@ index 0000000..5b31590 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a kdump_t ++can be used to make the process type kdump_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. kdump policy is extremely flexible and has several booleans that allow you to manipulate the policy and run kdump with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -42786,7 +74498,20 @@ index 0000000..5b31590 +Policy governs the access confined processes have to these files. +SELinux kdump policy is very flexible allowing users to setup their kdump processes in as secure a method as possible. +.PP -+The following file types are defined for kdump: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the kdump, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t kdump_etc_t '/srv/kdump/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mykdump_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for kdump: + + +.EX @@ -42804,6 +74529,10 @@ index 0000000..5b31590 + +- Set files with the kdump_exec_t type, if you want to transition an executable to the kdump_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/kdump, /sbin/kexec, /usr/sbin/kdump, /usr/sbin/kexec + +.EX +.PP 
@@ -42860,22 +74589,6 @@ index 0000000..5b31590 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -42886,6 +74599,9 @@ index 0000000..5b31590 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -42897,15 +74613,15 @@ index 0000000..5b31590 + +.SH "SEE ALSO" +selinux(8), kdump(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, kdumpctl_selinux(8), kdumpgui_selinux(8) ++, setsebool(8), kdumpctl_selinux(8), kdumpgui_selinux(8) \ No newline at end of file diff --git a/man/man8/kdumpctl_selinux.8 b/man/man8/kdumpctl_selinux.8 new file mode 100644 -index 0000000..64c0c6f +index 0000000..6ff7210 --- /dev/null +++ b/man/man8/kdumpctl_selinux.8 -@@ -0,0 +1,169 @@ -+.TH "kdumpctl_selinux" "8" "12-11-01" "kdumpctl" "SELinux Policy documentation for kdumpctl" +@@ -0,0 +1,259 @@ ++.TH "kdumpctl_selinux" "8" "13-01-16" "kdumpctl" "SELinux Policy documentation for kdumpctl" +.SH "NAME" +kdumpctl_selinux \- Security Enhanced Linux Policy for the kdumpctl processes +.SH "DESCRIPTION" 
@@ -42921,7 +74637,9 @@ index 0000000..64c0c6f + +.SH "ENTRYPOINTS" + -+The kdumpctl_t SELinux type can be entered via the "kdumpctl_exec_t" file type. The default entrypoint paths for the kdumpctl_t domain are the following:" ++The kdumpctl_t SELinux type can be entered via the \fBkdumpctl_exec_t\fP file type. ++ ++The default entrypoint paths for the kdumpctl_t domain are the following: + +/usr/bin/kdumpctl +.SH PROCESS TYPES 
@@ -42939,42 +74657,76 @@ index 0000000..64c0c6f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a kdumpctl_t ++can be used to make the process type kdumpctl_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux kdumpctl policy is very flexible allowing users to setup their kdumpctl processes in as secure a method as possible. -+.PP -+The following file types are defined for kdumpctl: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. kdumpctl policy is extremely flexible and has several booleans that allow you to manipulate the policy and run kdumpctl with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B kdumpctl_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the kdumpctl_exec_t type, if you want to transition an executable to the kdumpctl_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B kdumpctl_tmp_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the kdumpctl_tmp_t type, if you want to store kdumpctl temporary files in the /tmp directories. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -42997,6 +74749,14 @@ index 0000000..64c0c6f + + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B systemd_passwd_var_run_t + + /var/run/systemd/ask-password(/.*)? @@ -43013,8 +74773,6 @@ index 0000000..64c0c6f +.br + /var/webmin(/.*)? +.br -+ /var/log/cron[^/]* -+.br + /var/log/secure[^/]* +.br + /opt/zimbra/log(/.*)? 
@@ -43050,7 +74808,52 @@ index 0000000..64c0c6f + /var/named/chroot/var/log +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux kdumpctl policy is very flexible allowing users to setup their kdumpctl processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the kdumpctl, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t kdumpctl_exec_t '/srv/kdumpctl/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mykdumpctl_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for kdumpctl: ++ ++ ++.EX ++.PP ++.B kdumpctl_exec_t ++.EE ++ ++- Set files with the kdumpctl_exec_t type, if you want to transition an executable to the kdumpctl_t domain. ++ ++ ++.EX ++.PP ++.B kdumpctl_tmp_t ++.EE ++ ++- Set files with the kdumpctl_tmp_t type, if you want to store kdumpctl temporary files in the /tmp directories. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -43062,6 +74865,9 @@ index 0000000..64c0c6f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -43073,15 +74879,15 @@ index 0000000..64c0c6f + +.SH "SEE ALSO" +selinux(8), kdumpctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, kdump_selinux(8) ++, setsebool(8), kdump_selinux(8) \ No newline at end of file diff --git a/man/man8/kdumpgui_selinux.8 b/man/man8/kdumpgui_selinux.8 new file mode 100644 -index 0000000..cdb1f42 +index 0000000..f39541c --- /dev/null +++ b/man/man8/kdumpgui_selinux.8 -@@ -0,0 +1,197 @@ -+.TH "kdumpgui_selinux" "8" "12-11-01" "kdumpgui" "SELinux Policy documentation for kdumpgui" +@@ -0,0 +1,335 @@ ++.TH "kdumpgui_selinux" "8" "13-01-16" "kdumpgui" "SELinux Policy documentation for kdumpgui" +.SH "NAME" +kdumpgui_selinux \- Security Enhanced Linux Policy for the kdumpgui processes +.SH "DESCRIPTION" @@ -43097,7 +74903,9 @@ index 0000000..cdb1f42 + +.SH "ENTRYPOINTS" + -+The kdumpgui_t SELinux type can be entered via the "kdumpgui_exec_t" file type. The default entrypoint paths for the kdumpgui_t domain are the following:" ++The kdumpgui_t SELinux type can be entered via the \fBkdumpgui_exec_t\fP file type. ++ ++The default entrypoint paths for the kdumpgui_t domain are the following: + +/usr/share/system-config-kdump/system-config-kdump-backend\.py +.SH PROCESS TYPES 
@@ -43115,42 +74923,124 @@ index 0000000..cdb1f42 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a kdumpgui_t ++can be used to make the process type kdumpgui_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux kdumpgui policy is very flexible allowing users to setup their kdumpgui processes in as secure a method as possible. -+.PP -+The following file types are defined for kdumpgui: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. kdumpgui policy is extremely flexible and has several booleans that allow you to manipulate the policy and run kdumpgui with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B kdumpgui_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the kdumpgui_exec_t type, if you want to transition an executable to the kdumpgui_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B kdumpgui_tmp_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the kdumpgui_tmp_t type, if you want to store kdumpgui temporary files in the /tmp directories. 
++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -43169,6 +75059,18 @@ index 0000000..cdb1f42 +.br + +.br ++.B bootloader_etc_t ++ ++ /etc/lilo\.conf.* ++.br ++ /etc/zipl\.conf.* ++.br ++ /etc/yaboot\.conf.* ++.br ++ /etc/default/grub ++.br ++ ++.br +.B etc_runtime_t + + /[^/]+ @@ -43189,10 +75091,10 @@ index 0000000..cdb1f42 +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -43201,10 +75103,10 @@ index 0000000..cdb1f42 +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE @@ -43233,6 +75135,14 @@ index 0000000..cdb1f42 + + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B systemd_passwd_var_run_t + + /var/run/systemd/ask-password(/.*)? 
@@ -43240,21 +75150,52 @@ index 0000000..cdb1f42 + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux kdumpgui policy is very flexible allowing users to setup their kdumpgui processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the kdumpgui, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t kdumpgui_exec_t '/srv/kdumpgui/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mykdumpgui_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for kdumpgui: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B kdumpgui_exec_t +.EE + ++- Set files with the kdumpgui_exec_t type, if you want to transition an executable to the kdumpgui_t domain. ++ ++ ++.EX ++.PP ++.B kdumpgui_tmp_t ++.EE ++ ++- Set files with the kdumpgui_tmp_t type, if you want to store kdumpgui temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -43266,6 +75207,9 @@ index 0000000..cdb1f42 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -43277,7 +75221,7 @@ index 0000000..cdb1f42 + +.SH "SEE ALSO" +selinux(8), kdumpgui(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, kdump_selinux(8) ++, setsebool(8), kdump_selinux(8) \ No newline at end of file diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8 deleted file mode 100644 
@@ -43313,13 +75257,226 @@ index a8f81c8..0000000 - -.SH "SEE ALSO" -selinux(8), kerberos(1), chcon(1), setsebool(8) +diff --git a/man/man8/kernel_selinux.8 b/man/man8/kernel_selinux.8 +new file mode 100644 +index 0000000..5ed25f1 +--- /dev/null ++++ b/man/man8/kernel_selinux.8 +@@ -0,0 +1,206 @@ ++.TH "kernel_selinux" "8" "13-01-16" "kernel" "SELinux Policy documentation for kernel" ++.SH "NAME" ++kernel_selinux \- Security Enhanced Linux Policy for the kernel processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the kernel processes via flexible mandatory access control. ++ ++The kernel processes execute with the kernel_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep kernel_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The kernel_t SELinux type can be entered via the \fBsysctl_type, filesystem_type, mtrr_device_t, unlabeled_t, proc_type, file_type\fP file types. ++ ++The default entrypoint paths for the kernel_t domain are the following: ++ ++/dev/cpu/mtrr, all files on the system ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux kernel policy is very flexible allowing users to setup their kernel processes in as secure a method as possible. ++.PP ++The following process types are defined for kernel: ++ ++.EX ++.B kernel_t ++.EE ++.PP ++Note: ++.B semanage permissive -a kernel_t ++can be used to make the process type kernel_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
kernel policy is extremely flexible and has several booleans that allow you to manipulate the policy and run kernel with the tightest access possible. ++ ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.PP ++If you want to allow any files/directories to be exported read/only via NFS, you must turn on the nfs_export_all_ro boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P nfs_export_all_ro 1 ++ ++.EE ++ ++.PP ++If you want to allow any files/directories to be exported read/write via NFS, you must turn on the nfs_export_all_rw boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nfs_export_all_rw 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_insmod 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execheap 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type kernel_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B file_type ++ ++ all files on the system ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), kernel(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/keyboardd_selinux.8 b/man/man8/keyboardd_selinux.8 new file mode 100644 -index 0000000..d16fc27 +index 0000000..6653ade --- /dev/null +++ b/man/man8/keyboardd_selinux.8 -@@ -0,0 +1,144 @@ -+.TH "keyboardd_selinux" "8" "12-11-01" "keyboardd" "SELinux Policy documentation for keyboardd" +@@ -0,0 +1,237 @@ ++.TH "keyboardd_selinux" "8" "13-01-16" "keyboardd" "SELinux Policy documentation for keyboardd" +.SH "NAME" +keyboardd_selinux \- Security Enhanced Linux Policy for the keyboardd processes +.SH "DESCRIPTION" 
@@ -43335,7 +75492,9 @@ index 0000000..d16fc27 + +.SH "ENTRYPOINTS" + -+The keyboardd_t SELinux type can be entered via the "keyboardd_exec_t" file type. The default entrypoint paths for the keyboardd_t domain are the following:" ++The keyboardd_t SELinux type can be entered via the \fBkeyboardd_exec_t\fP file type. ++ ++The default entrypoint paths for the keyboardd_t domain are the following: + +/usr/bin/system-setup-keyboard +.SH PROCESS TYPES 
@@ -43353,34 +75512,76 @@ index 0000000..d16fc27 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a keyboardd_t ++can be used to make the process type keyboardd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux keyboardd policy is very flexible allowing users to setup their keyboardd processes in as secure a method as possible. -+.PP -+The following file types are defined for keyboardd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. keyboardd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run keyboardd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B keyboardd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the keyboardd_exec_t type, if you want to transition an executable to the keyboardd_t domain. ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -43407,10 +75608,10 @@ index 0000000..d16fc27 +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -43419,10 +75620,10 @@ index 0000000..d16fc27 +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE 
@@ -43440,7 +75641,52 @@ index 0000000..d16fc27 + /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux keyboardd policy is very flexible allowing users to setup their keyboardd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the keyboardd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t keyboardd_exec_t '/srv/keyboardd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mykeyboardd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for keyboardd: ++ ++ ++.EX ++.PP ++.B keyboardd_exec_t ++.EE ++ ++- Set files with the keyboardd_exec_t type, if you want to transition an executable to the keyboardd_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -43452,6 +75698,9 @@ index 0000000..d16fc27 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -43463,13 +75712,15 @@ index 0000000..d16fc27 + +.SH "SEE ALSO" +selinux(8), keyboardd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/keystone_selinux.8 b/man/man8/keystone_selinux.8 new file mode 100644 -index 0000000..92a2ad3 +index 0000000..0b1114f --- /dev/null +++ b/man/man8/keystone_selinux.8 -@@ -0,0 +1,242 @@ -+.TH "keystone_selinux" "8" "12-11-01" "keystone" "SELinux Policy documentation for keystone" +@@ -0,0 +1,357 @@ ++.TH "keystone_selinux" "8" "13-01-16" "keystone" "SELinux Policy documentation for keystone" +.SH "NAME" +keystone_selinux \- Security Enhanced Linux Policy for the keystone processes +.SH "DESCRIPTION" @@ -43485,7 +75736,9 @@ index 0000000..92a2ad3 + +.SH "ENTRYPOINTS" + -+The keystone_t SELinux type can be entered via the "keystone_exec_t" file type. The default entrypoint paths for the keystone_t domain are the following:" ++The keystone_t SELinux type can be entered via the \fBkeystone_exec_t\fP file type. ++ ++The default entrypoint paths for the keystone_t domain are the following: + +/usr/bin/keystone-all +.SH PROCESS TYPES 
@@ -43503,8 +75756,219 @@ index 0000000..92a2ad3 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a keystone_t ++can be used to make the process type keystone_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. keystone policy is extremely flexible and has several booleans that allow you to manipulate the policy and run keystone with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the keystone_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the keystone_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. 
++SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible. ++.PP ++The following port types are defined for keystone: ++ ++.EX ++.TP 5 ++.B keystone_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 35357 ++.EE ++udp 35357 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type keystone_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B keystone_tmp_t ++ ++ ++.br ++.B keystone_var_lib_t ++ ++ /var/lib/keystone(/.*)? ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B lastlog_t ++ ++ /var/log/lastlog.* ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -43514,7 +75978,20 @@ index 0000000..92a2ad3 +Policy governs the access confined processes have to these files. +SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible. +.PP -+The following file types are defined for keystone: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the keystone, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t keystone_exec_t '/srv/keystone/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mykeystone_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for keystone: + + +.EX @@ -43527,6 +76004,14 @@ index 0000000..92a2ad3 + +.EX +.PP ++.B keystone_initrc_exec_t ++.EE ++ ++- Set files with the keystone_initrc_exec_t type, if you want to transition an executable to the keystone_initrc_t domain. ++ ++ ++.EX ++.PP +.B keystone_log_t +.EE + 
@@ -43564,129 +76049,6 @@ index 0000000..92a2ad3 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible. -+.PP -+The following port types are defined for keystone: -+ -+.EX -+.TP 5 -+.B keystone_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 5000 -+.EE -+udp 5000 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type keystone_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B faillog_t -+ -+ /var/log/btmp.* -+.br -+ /var/run/faillock(/.*)? -+.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B keystone_log_t -+ -+ /var/log/keystone(/.*)? -+.br -+ -+.br -+.B keystone_tmp_t -+ -+ -+.br -+.B keystone_var_lib_t -+ -+ /var/lib/keystone(/.*)? -+.br -+ -+.br -+.B krb5_host_rcache_t -+ -+ /var/cache/krb5rcache(/.*)? -+.br -+ /var/tmp/nfs_0 -+.br -+ /var/tmp/DNS_25 -+.br -+ /var/tmp/host_0 -+.br -+ /var/tmp/imap_0 -+.br -+ /var/tmp/HTTP_23 -+.br -+ /var/tmp/HTTP_48 -+.br -+ /var/tmp/ldap_55 -+.br -+ /var/tmp/ldap_487 -+.br -+ /var/tmp/ldapmap1_0 -+.br -+ -+.br -+.B lastlog_t -+ -+ /var/log/lastlog -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? 
-+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br -+.B security_t -+ -+ /selinux -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the keystone_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the keystone_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -43700,6 +76062,9 @@ index 0000000..92a2ad3 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -43711,13 +76076,15 @@ index 0000000..92a2ad3 + +.SH "SEE ALSO" +selinux(8), keystone(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/kismet_selinux.8 b/man/man8/kismet_selinux.8 new file mode 100644 -index 0000000..74f62b3 +index 0000000..6820ae6 --- /dev/null +++ b/man/man8/kismet_selinux.8 -@@ -0,0 +1,188 @@ -+.TH "kismet_selinux" "8" "12-11-01" "kismet" "SELinux Policy documentation for kismet" +@@ -0,0 +1,297 @@ ++.TH "kismet_selinux" "8" "13-01-16" "kismet" "SELinux Policy documentation for kismet" +.SH "NAME" +kismet_selinux \- Security Enhanced Linux Policy for the kismet processes +.SH "DESCRIPTION" 
@@ -43733,9 +76100,11 @@ index 0000000..74f62b3 + +.SH "ENTRYPOINTS" + -+The kismet_t SELinux type can be entered via the "kismet_exec_t" file type. The default entrypoint paths for the kismet_t domain are the following:" ++The kismet_t SELinux type can be entered via the \fBkismet_exec_t\fP file type. + -+/usr/bin/kismet ++The default entrypoint paths for the kismet_t domain are the following: ++ ++/usr/bin/kismet, /usr/bin/kismet_drone, /usr/bin/kismet_server +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -43751,8 +76120,138 @@ index 0000000..74f62b3 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a kismet_t ++can be used to make the process type kismet_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. kismet policy is extremely flexible and has several booleans that allow you to manipulate the policy and run kismet with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the kismet_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the kismet_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type kismet_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B kismet_home_t ++ ++ /home/[^/]*/\.kismet(/.*)? ++.br ++ /home/pwalsh/\.kismet(/.*)? ++.br ++ /home/dwalsh/\.kismet(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.kismet(/.*)? ++.br ++ ++.br ++.B kismet_tmp_t ++ ++ ++.br ++.B kismet_tmpfs_t ++ ++ ++.br ++.B kismet_var_lib_t ++ ++ /var/lib/kismet(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -43762,7 +76261,20 @@ index 0000000..74f62b3 +Policy governs the access confined processes have to these files. +SELinux kismet policy is very flexible allowing users to setup their kismet processes in as secure a method as possible. +.PP -+The following file types are defined for kismet: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the kismet, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t kismet_exec_t '/srv/kismet/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mykismet_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for kismet: + + +.EX @@ -43772,6 +76284,10 @@ index 0000000..74f62b3 + +- Set files with the kismet_exec_t type, if you want to transition an executable to the kismet_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/kismet, /usr/bin/kismet_drone, /usr/bin/kismet_server + +.EX +.PP @@ -43780,6 +76296,18 @@ index 0000000..74f62b3 + +- Set files with the kismet_home_t type, if you want to store kismet files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.kismet(/.*)?, /home/pwalsh/\.kismet(/.*)?, /home/dwalsh/\.kismet(/.*)?, /var/lib/xguest/home/xguest/\.kismet(/.*)? ++ ++.EX ++.PP ++.B kismet_initrc_exec_t ++.EE ++ ++- Set files with the kismet_initrc_exec_t type, if you want to transition an executable to the kismet_initrc_t domain. ++ + +.EX +.PP @@ -43818,7 +76346,7 @@ index 0000000..74f62b3 +.B kismet_var_run_t +.EE + -+- Set files with the kismet_var_run_t type, if you want to store the kismet files under the /run directory. ++- Set files with the kismet_var_run_t type, if you want to store the kismet files under the /run or /var/run directory. + + +.PP 
@@ -43828,62 +76356,6 @@ index 0000000..74f62b3 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type kismet_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B kismet_home_t -+ -+ /home/[^/]*/\.kismet(/.*)? -+.br -+ /home/dwalsh/\.kismet(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.kismet(/.*)? -+.br -+ -+.br -+.B kismet_log_t -+ -+ /var/log/kismet(/.*)? -+.br -+ -+.br -+.B kismet_tmp_t -+ -+ -+.br -+.B kismet_tmpfs_t -+ -+ -+.br -+.B kismet_var_lib_t -+ -+ /var/lib/kismet(/.*)? -+.br -+ -+.br -+.B kismet_var_run_t -+ -+ /var/run/kismet_server.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kismet_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the kismet_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -43894,6 +76366,9 @@ index 0000000..74f62b3 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -43905,13 +76380,15 @@ index 0000000..74f62b3 + +.SH "SEE ALSO" +selinux(8), kismet(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/klogd_selinux.8 b/man/man8/klogd_selinux.8 new file mode 100644 -index 0000000..729c100 +index 0000000..8f12b00 --- /dev/null 
+++ b/man/man8/klogd_selinux.8 -@@ -0,0 +1,116 @@ -+.TH "klogd_selinux" "8" "12-11-01" "klogd" "SELinux Policy documentation for klogd" +@@ -0,0 +1,213 @@ ++.TH "klogd_selinux" "8" "13-01-16" "klogd" "SELinux Policy documentation for klogd" +.SH "NAME" +klogd_selinux \- Security Enhanced Linux Policy for the klogd processes +.SH "DESCRIPTION" @@ -43927,7 +76404,9 @@ index 0000000..729c100 + +.SH "ENTRYPOINTS" + -+The klogd_t SELinux type can be entered via the "klogd_exec_t" file type. The default entrypoint paths for the klogd_t domain are the following:" ++The klogd_t SELinux type can be entered via the \fBklogd_exec_t\fP file type. ++ ++The default entrypoint paths for the klogd_t domain are the following: + +/sbin/klogd, /sbin/rklogd, /usr/sbin/klogd, /usr/sbin/rklogd +.SH PROCESS TYPES 
@@ -43945,50 +76424,76 @@ index 0000000..729c100 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a klogd_t ++can be used to make the process type klogd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux klogd policy is very flexible allowing users to setup their klogd processes in as secure a method as possible. -+.PP -+The following file types are defined for klogd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. klogd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run klogd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B klogd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the klogd_exec_t type, if you want to transition an executable to the klogd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B klogd_tmp_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the klogd_tmp_t type, if you want to store klogd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B klogd_var_run_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the klogd_var_run_t type, if you want to store the klogd files under the /run directory. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -44004,7 +76509,72 @@ index 0000000..729c100 + /var/run/klogd\.pid +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux klogd policy is very flexible allowing users to setup their klogd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the klogd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t klogd_exec_t '/srv/klogd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myklogd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for klogd: ++ ++ ++.EX ++.PP ++.B klogd_exec_t ++.EE ++ ++- Set files with the klogd_exec_t type, if you want to transition an executable to the klogd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/klogd, /sbin/rklogd, /usr/sbin/klogd, /usr/sbin/rklogd ++ ++.EX ++.PP ++.B klogd_tmp_t ++.EE ++ ++- Set files with the klogd_tmp_t type, if you want to store klogd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B klogd_var_run_t ++.EE ++ ++- Set files with the klogd_var_run_t type, if you want to store the klogd files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -44016,6 +76586,9 @@ index 0000000..729c100 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -44027,13 +76600,15 @@ index 0000000..729c100 + +.SH "SEE ALSO" +selinux(8), klogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/kpropd_selinux.8 b/man/man8/kpropd_selinux.8 new file mode 100644 -index 0000000..37b1a4f +index 0000000..7acb6b9 --- /dev/null +++ b/man/man8/kpropd_selinux.8 -@@ -0,0 +1,168 @@ -+.TH "kpropd_selinux" "8" "12-11-01" "kpropd" "SELinux Policy documentation for kpropd" +@@ -0,0 +1,281 @@ ++.TH "kpropd_selinux" "8" "13-01-16" "kpropd" "SELinux Policy documentation for kpropd" +.SH "NAME" +kpropd_selinux \- Security Enhanced Linux Policy for the kpropd processes +.SH "DESCRIPTION" @@ -44049,7 +76624,9 @@ index 0000000..37b1a4f + +.SH "ENTRYPOINTS" + -+The kpropd_t SELinux type can be entered via the "kpropd_exec_t" file type. The default entrypoint paths for the kpropd_t domain are the following:" ++The kpropd_t SELinux type can be entered via the \fBkpropd_exec_t\fP file type. ++ ++The default entrypoint paths for the kpropd_t domain are the following: + +/usr/sbin/kpropd, /usr/kerberos/sbin/kpropd +.SH PROCESS TYPES 
@@ -44067,34 +76644,92 @@ index 0000000..37b1a4f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a kpropd_t ++can be used to make the process type kpropd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux kpropd policy is very flexible allowing users to setup their kpropd processes in as secure a method as possible. -+.PP -+The following file types are defined for kpropd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. kpropd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run kpropd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B kpropd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the kpropd_exec_t type, if you want to transition an executable to the kpropd_t domain. ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -44170,12 +76805,61 @@ index 0000000..37b1a4f + + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux kpropd policy is very flexible allowing users to setup their kpropd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the kpropd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t kpropd_exec_t '/srv/kpropd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mykpropd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for kpropd: ++ ++ ++.EX ++.PP ++.B kpropd_exec_t ++.EE ++ ++- Set files with the kpropd_exec_t type, if you want to transition an executable to the kpropd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/kpropd, /usr/kerberos/sbin/kpropd ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -44190,6 +76874,9 @@ index 0000000..37b1a4f +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -44201,13 +76888,15 @@ index 0000000..37b1a4f + +.SH "SEE ALSO" +selinux(8), kpropd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/krb5kdc_selinux.8 b/man/man8/krb5kdc_selinux.8 new file mode 100644 -index 0000000..5b1f8f4 +index 0000000..b9e634d --- /dev/null +++ b/man/man8/krb5kdc_selinux.8 -@@ -0,0 +1,176 @@ -+.TH "krb5kdc_selinux" "8" "12-11-01" "krb5kdc" "SELinux Policy documentation for krb5kdc" +@@ -0,0 +1,304 @@ ++.TH "krb5kdc_selinux" "8" "13-01-16" "krb5kdc" "SELinux Policy documentation for krb5kdc" +.SH "NAME" +krb5kdc_selinux \- Security Enhanced Linux Policy for the krb5kdc processes +.SH "DESCRIPTION" @@ -44223,7 +76912,9 @@ index 0000000..5b1f8f4 + +.SH "ENTRYPOINTS" + -+The krb5kdc_t SELinux type can be entered via the "krb5kdc_exec_t" file type. The default entrypoint paths for the krb5kdc_t domain are the following:" ++The krb5kdc_t SELinux type can be entered via the \fBkrb5kdc_exec_t\fP file type. ++ ++The default entrypoint paths for the krb5kdc_t domain are the following: + +/usr/(kerberos/)?sbin/krb5kdc +.SH PROCESS TYPES 
@@ -44241,88 +76932,94 @@ index 0000000..5b1f8f4 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a krb5kdc_t ++can be used to make the process type krb5kdc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux krb5kdc policy is very flexible allowing users to setup their krb5kdc processes in as secure a method as possible. -+.PP -+The following file types are defined for krb5kdc: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. krb5kdc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run krb5kdc with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B krb5kdc_conf_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the krb5kdc_conf_t type, if you want to treat the files as krb5kdc configuration data, usually stored under the /etc directory. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B krb5kdc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the krb5kdc_exec_t type, if you want to transition an executable to the krb5kdc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B krb5kdc_lock_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the krb5kdc_lock_t type, if you want to treat the files as krb5kdc lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B krb5kdc_log_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the krb5kdc_log_t type, if you want to treat the data as krb5kdc log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B krb5kdc_principal_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the krb5kdc_principal_t type, if you want to treat the files as krb5kdc principal data. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B krb5kdc_tmp_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the krb5kdc_tmp_t type, if you want to store krb5kdc temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B krb5kdc_var_run_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the krb5kdc_var_run_t type, if you want to store the krb5kdc files under the /run directory. ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.SH "MANAGED FILES" + +The SELinux process type krb5kdc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B anon_inodefs_t ++ ++ ++.br +.B krb5kdc_lock_t + + /var/kerberos/krb5kdc/principal.*\.ok 
@@ -44355,12 +77052,128 @@ index 0000000..5b1f8f4 + + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux krb5kdc policy is very flexible allowing users to setup their krb5kdc processes in as secure a method as possible. ++.PP ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++krb5kdc policy stores data with multiple different file context types under the /var/kerberos/krb5kdc directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/kerberos/krb5kdc /srv/krb5kdc ++.br ++.B restorecon -R -v /srv/krb5kdc ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the krb5kdc, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t krb5kdc_conf_t '/srv/krb5kdc/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mykrb5kdc_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for krb5kdc: ++ ++ ++.EX ++.PP ++.B krb5kdc_conf_t ++.EE ++ ++- Set files with the krb5kdc_conf_t type, if you want to treat the files as krb5kdc configuration data, usually stored under the /etc directory. ++ ++.br ++.TP 5 ++Paths: ++/etc/krb5kdc(/.*)?, /usr/var/krb5kdc(/.*)?, /var/kerberos/krb5kdc(/.*)? 
++ ++.EX ++.PP ++.B krb5kdc_exec_t ++.EE ++ ++- Set files with the krb5kdc_exec_t type, if you want to transition an executable to the krb5kdc_t domain. ++ ++ ++.EX ++.PP ++.B krb5kdc_lock_t ++.EE ++ ++- Set files with the krb5kdc_lock_t type, if you want to treat the files as krb5kdc lock data, stored under the /var/lock directory ++ ++.br ++.TP 5 ++Paths: ++/var/kerberos/krb5kdc/principal.*\.ok, /var/kerberos/krb5kdc/from_master.* ++ ++.EX ++.PP ++.B krb5kdc_log_t ++.EE ++ ++- Set files with the krb5kdc_log_t type, if you want to treat the data as krb5kdc log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B krb5kdc_principal_t ++.EE ++ ++- Set files with the krb5kdc_principal_t type, if you want to treat the files as krb5kdc principal data. ++ ++.br ++.TP 5 ++Paths: ++/etc/krb5kdc/principal.*, /usr/var/krb5kdc/principal.*, /var/kerberos/krb5kdc/principal.* ++ ++.EX ++.PP ++.B krb5kdc_tmp_t ++.EE ++ ++- Set files with the krb5kdc_tmp_t type, if you want to store krb5kdc temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B krb5kdc_var_run_t ++.EE ++ ++- Set files with the krb5kdc_var_run_t type, if you want to store the krb5kdc files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -44372,6 +77185,9 @@ index 0000000..5b1f8f4 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -44383,13 +77199,15 @@ index 0000000..5b1f8f4 + +.SH "SEE ALSO" +selinux(8), krb5kdc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ksmtuned_selinux.8 b/man/man8/ksmtuned_selinux.8 new file mode 100644 -index 0000000..dba373c +index 0000000..f9c1413 --- /dev/null +++ b/man/man8/ksmtuned_selinux.8 -@@ -0,0 +1,146 @@ -+.TH "ksmtuned_selinux" "8" "12-11-01" "ksmtuned" "SELinux Policy documentation for ksmtuned" +@@ -0,0 +1,267 @@ ++.TH "ksmtuned_selinux" "8" "13-01-16" "ksmtuned" "SELinux Policy documentation for ksmtuned" +.SH "NAME" +ksmtuned_selinux \- Security Enhanced Linux Policy for the ksmtuned processes +.SH "DESCRIPTION" @@ -44405,7 +77223,9 @@ index 0000000..dba373c + +.SH "ENTRYPOINTS" + -+The ksmtuned_t SELinux type can be entered via the "ksmtuned_exec_t" file type. The default entrypoint paths for the ksmtuned_t domain are the following:" ++The ksmtuned_t SELinux type can be entered via the \fBksmtuned_exec_t\fP file type. ++ ++The default entrypoint paths for the ksmtuned_t domain are the following: + +/usr/sbin/ksmtuned +.SH PROCESS TYPES 
@@ -44423,8 +77243,148 @@ index 0000000..dba373c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ksmtuned_t ++can be used to make the process type ksmtuned_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ksmtuned policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ksmtuned with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ksmtuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ksmtuned_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type ksmtuned_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B ksmtuned_var_run_t ++ ++ /var/run/ksmtune\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sysfs_t ++ ++ /sys(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -44434,7 +77394,20 @@ index 0000000..dba373c +Policy governs the access confined processes have to these files. +SELinux ksmtuned policy is very flexible allowing users to setup their ksmtuned processes in as secure a method as possible. +.PP -+The following file types are defined for ksmtuned: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ksmtuned, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ksmtuned_exec_t '/srv/ksmtuned/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myksmtuned_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ksmtuned: + + +.EX @@ -44466,7 +77439,7 @@ index 0000000..dba373c +.B ksmtuned_var_run_t +.EE + -+- Set files with the ksmtuned_var_run_t type, if you want to store the ksmtuned files under the /run directory. ++- Set files with the ksmtuned_var_run_t type, if you want to store the ksmtuned files under the /run or /var/run directory. + + +.PP 
@@ -44476,44 +77449,6 @@ index 0000000..dba373c +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type ksmtuned_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B ksmtuned_log_t -+ -+ /var/log/ksmtuned.* -+.br -+ -+.br -+.B ksmtuned_var_run_t -+ -+ /var/run/ksmtune\.pid -+.br -+ -+.br -+.B sysfs_t -+ -+ /sys(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ksmtuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the ksmtuned_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -44524,6 +77459,9 @@ index 0000000..dba373c +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -44535,13 +77473,15 @@ index 0000000..dba373c + +.SH "SEE ALSO" +selinux(8), ksmtuned(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ktalkd_selinux.8 b/man/man8/ktalkd_selinux.8 new file mode 100644 -index 0000000..090a1a6 +index 0000000..19ae946 --- /dev/null 
+++ b/man/man8/ktalkd_selinux.8 -@@ -0,0 +1,168 @@ -+.TH "ktalkd_selinux" "8" "12-11-01" "ktalkd" "SELinux Policy documentation for ktalkd" +@@ -0,0 +1,249 @@ ++.TH "ktalkd_selinux" "8" "13-01-16" "ktalkd" "SELinux Policy documentation for ktalkd" +.SH "NAME" +ktalkd_selinux \- Security Enhanced Linux Policy for the ktalkd processes +.SH "DESCRIPTION" @@ -44557,9 +77497,11 @@ index 0000000..090a1a6 + +.SH "ENTRYPOINTS" + -+The ktalkd_t SELinux type can be entered via the "ktalkd_exec_t" file type. The default entrypoint paths for the ktalkd_t domain are the following:" ++The ktalkd_t SELinux type can be entered via the \fBktalkd_exec_t\fP file type. + -+/usr/bin/ktalkd, /usr/sbin/in\.talkd, /usr/sbin/in\.ntalkd ++The default entrypoint paths for the ktalkd_t domain are the following: ++ ++/usr/bin/ktalkd, /usr/sbin/ktalkd, /usr/sbin/in\.talkd, /usr/sbin/in\.ntalkd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -44575,58 +77517,100 @@ index 0000000..090a1a6 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ktalkd_t ++can be used to make the process type ktalkd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux ktalkd policy is very flexible allowing users to setup their ktalkd processes in as secure a method as possible. -+.PP -+The following file types are defined for ktalkd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ktalkd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ktalkd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B ktalkd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the ktalkd_exec_t type, if you want to transition an executable to the ktalkd_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B ktalkd_log_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the ktalkd_log_t type, if you want to treat the data as ktalkd log data, usually stored under the /var/log directory. 
-+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B ktalkd_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the ktalkd_tmp_t type, if you want to store ktalkd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B ktalkd_var_run_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the ktalkd_var_run_t type, if you want to store the ktalkd files under the /run directory. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ktalkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ktalkd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -44656,35 +77640,68 @@ index 0000000..090a1a6 +The SELinux process type ktalkd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B ktalkd_log_t -+ -+ /var/log/talkd.* -+.br -+ -+.br +.B ktalkd_tmp_t + + ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux ktalkd policy is very flexible allowing users to setup their ktalkd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ktalkd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ktalkd_exec_t '/srv/ktalkd/content(/.*)?' +.br -+.B ktalkd_var_run_t ++.B restorecon -R -v /srv/myktalkd_content + ++Note: SELinux often uses regular expressions to specify labels that match multiple files. + -+.SH NSSWITCH DOMAIN ++.I The following file types are defined for ktalkd: + -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ktalkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B ktalkd_exec_t +.EE + -+.PP -+If you want to allow confined applications to run with kerberos for the ktalkd_t, you must turn on the kerberos_enabled boolean. ++- Set files with the ktalkd_exec_t type, if you want to transition an executable to the ktalkd_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/bin/ktalkd, /usr/sbin/ktalkd, /usr/sbin/in\.talkd, /usr/sbin/in\.ntalkd + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B ktalkd_log_t +.EE + ++- Set files with the ktalkd_log_t type, if you want to treat the data as ktalkd log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B ktalkd_tmp_t ++.EE ++ ++- Set files with the ktalkd_tmp_t type, if you want to store ktalkd temporary files in the /tmp directories. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -44698,6 +77715,9 @@ index 0000000..090a1a6 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -44709,13 +77729,15 @@ index 0000000..090a1a6 + +.SH "SEE ALSO" +selinux(8), ktalkd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/l2tpd_selinux.8 b/man/man8/l2tpd_selinux.8 new file mode 100644 -index 0000000..d28edaa +index 0000000..ab9a8d2 --- /dev/null +++ b/man/man8/l2tpd_selinux.8 -@@ -0,0 +1,158 @@ -+.TH "l2tpd_selinux" "8" "12-11-01" "l2tpd" "SELinux Policy documentation for l2tpd" +@@ -0,0 +1,268 @@ ++.TH "l2tpd_selinux" "8" "13-01-16" "l2tpd" "SELinux Policy documentation for l2tpd" +.SH "NAME" +l2tpd_selinux \- Security Enhanced Linux Policy for the l2tpd processes +.SH "DESCRIPTION" 
@@ -44731,9 +77753,11 @@ index 0000000..d28edaa + +.SH "ENTRYPOINTS" + -+The l2tpd_t SELinux type can be entered via the "l2tpd_exec_t" file type. The default entrypoint paths for the l2tpd_t domain are the following:" ++The l2tpd_t SELinux type can be entered via the \fBl2tpd_exec_t\fP file type. + -+/usr/sbin/xl2tpd, /usr/sbin/prol2tpd, /usr/sbin/openl2tpd ++The default entrypoint paths for the l2tpd_t domain are the following: ++ ++/usr/sbin/.*l2tpd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -44749,58 +77773,84 @@ index 0000000..d28edaa +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a l2tpd_t ++can be used to make the process type l2tpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible. -+.PP -+The following file types are defined for l2tpd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. l2tpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run l2tpd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B l2tpd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the l2tpd_exec_t type, if you want to transition an executable to the l2tpd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B l2tpd_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the l2tpd_initrc_exec_t type, if you want to transition an executable to the l2tpd_initrc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B l2tpd_tmp_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the l2tpd_tmp_t type, if you want to store l2tpd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B l2tpd_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the l2tpd_var_run_t type, if you want to store the l2tpd files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -44834,20 +77884,98 @@ index 0000000..d28edaa +.br +.B l2tpd_var_run_t + -+ /var/run/xl2tpd(/.*)? ++ /var/run/.*l2tpd\.pid +.br -+ /var/run/prol2tpd(/.*)? -+.br -+ /var/run/xl2tpd\.pid ++ /var/run/.*l2tpd(/.*)? +.br + /var/run/prol2tpd\.ctl +.br -+ /var/run/prol2tpd\.pid ++ +.br -+ /var/run/openl2tpd\.pid ++.B root_t ++ ++ / ++.br ++ /initrd +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++l2tpd policy stores data with multiple different file context types under the /var/run/.*l2tpd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/.*l2tpd /srv/.*l2tpd ++.br ++.B restorecon -R -v /srv/.*l2tpd ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the l2tpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t l2tpd_exec_t '/srv/l2tpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myl2tpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for l2tpd: ++ ++ ++.EX ++.PP ++.B l2tpd_exec_t ++.EE ++ ++- Set files with the l2tpd_exec_t type, if you want to transition an executable to the l2tpd_t domain. 
++ ++ ++.EX ++.PP ++.B l2tpd_initrc_exec_t ++.EE ++ ++- Set files with the l2tpd_initrc_exec_t type, if you want to transition an executable to the l2tpd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B l2tpd_tmp_t ++.EE ++ ++- Set files with the l2tpd_tmp_t type, if you want to store l2tpd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B l2tpd_var_run_t ++.EE ++ ++- Set files with the l2tpd_var_run_t type, if you want to store the l2tpd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/.*l2tpd\.pid, /var/run/.*l2tpd(/.*)?, /var/run/prol2tpd\.ctl ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -44862,6 +77990,9 @@ index 0000000..d28edaa +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -44873,13 +78004,15 @@ index 0000000..d28edaa + +.SH "SEE ALSO" +selinux(8), l2tpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ldconfig_selinux.8 b/man/man8/ldconfig_selinux.8 new file mode 100644 -index 0000000..ff3b691 +index 0000000..be8f089 --- /dev/null +++ b/man/man8/ldconfig_selinux.8 -@@ -0,0 +1,158 @@ -+.TH "ldconfig_selinux" "8" "12-11-01" "ldconfig" "SELinux Policy documentation for ldconfig" +@@ -0,0 +1,251 @@ ++.TH "ldconfig_selinux" "8" "13-01-16" "ldconfig" "SELinux Policy documentation for ldconfig" +.SH "NAME" +ldconfig_selinux \- Security Enhanced Linux Policy for the ldconfig processes +.SH "DESCRIPTION" 
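Review bot: the EQUIVALENCE DIRECTORIES example in the l2tpd page is not a runnable command. "semanage fcontext -a -e /var/run/.*l2tpd /srv/.*l2tpd" hands a regular expression to -e, which takes literal directory paths, and "restorecon -R -v /srv/.*l2tpd" would be glob-expanded by the shell. The generator should skip the equivalence suggestion whenever the common prefix it derives (here /var/run/.*l2tpd) contains regex metacharacters. Smaller points in the same hunk: the STANDARD FILE CONTEXT example labels '/srv/l2tpd/content(/.*)?' and then runs restorecon on /srv/myl2tpd_content, so the two commands act on different trees; "dirctory", "diffent" and "sepecify" are misspelled; "\fBls\bP" should be "\fBls\fP" (\b is a different groff escape); and in SEE ALSO the added ", setsebool(8)" lands on its own line after the "No newline at end of file" marker instead of being appended to the existing list line.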
@@ -44895,7 +78028,9 @@ index 0000000..ff3b691 + +.SH "ENTRYPOINTS" + -+The ldconfig_t SELinux type can be entered via the "ldconfig_exec_t" file type. The default entrypoint paths for the ldconfig_t domain are the following:" ++The ldconfig_t SELinux type can be entered via the \fBldconfig_exec_t\fP file type. ++ ++The default entrypoint paths for the ldconfig_t domain are the following: + +/sbin/ldconfig, /usr/sbin/ldconfig +.SH PROCESS TYPES 
@@ -44913,50 +78048,76 @@ index 0000000..ff3b691 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ldconfig_t ++can be used to make the process type ldconfig_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux ldconfig policy is very flexible allowing users to setup their ldconfig processes in as secure a method as possible. -+.PP -+The following file types are defined for ldconfig: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ldconfig policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ldconfig with the tightest access possible. + + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ +.EX -+.PP -+.B ldconfig_cache_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the ldconfig_cache_t type, if you want to store the files under the /var/cache directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B ldconfig_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the ldconfig_exec_t type, if you want to transition an executable to the ldconfig_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.PP -+.B ldconfig_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the ldconfig_tmp_t type, if you want to store ldconfig temporary files in the /tmp directories. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -44997,6 +78158,8 @@ index 0000000..ff3b691 + + /home/[^/]*/.+ +.br ++ /home/pwalsh/.+ ++.br + /home/dwalsh/.+ +.br + /var/lib/xguest/home/xguest/.+ 
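Review bot: the ldconfig MANAGED FILES list now contains "/home/pwalsh/.+" alongside the existing "/home/dwalsh/.+" (and the next hunk adds "/tmp/gconfd-pwalsh" next to "/tmp/gconfd-dwalsh"). These are per-user entries from the local SELinux store of the machine the pages were generated on, not part of the distributed policy, and they should not ship in a packaged man page; the generic "/home/[^/]*/.+" and "/tmp/gconfd-.*" entries already cover them. Regenerate the pages from a clean policy store, and have the generator ignore local customizations. The BOOLEANS section in this hunk also repeats the inverted deny_ptrace wording ("allow sysadm to debug or ptrace all processes ... turn on the deny_ptrace boolean" followed by "setsebool -P deny_ptrace 1").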
@@ -45009,12 +78172,71 @@ index 0000000..ff3b691 +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux ldconfig policy is very flexible allowing users to setup their ldconfig processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ldconfig, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ldconfig_cache_t '/srv/ldconfig/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myldconfig_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ldconfig: ++ ++ ++.EX ++.PP ++.B ldconfig_cache_t ++.EE ++ ++- Set files with the ldconfig_cache_t type, if you want to store the files under the /var/cache directory. ++ ++ ++.EX ++.PP ++.B ldconfig_exec_t ++.EE ++ ++- Set files with the ldconfig_exec_t type, if you want to transition an executable to the ldconfig_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/ldconfig, /usr/sbin/ldconfig ++ ++.EX ++.PP ++.B ldconfig_tmp_t ++.EE ++ ++- Set files with the ldconfig_tmp_t type, if you want to store ldconfig temporary files in the /tmp directories. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
+ +.SH "COMMANDS" +.B semanage fcontext @@ -45026,6 +78248,9 @@ index 0000000..ff3b691 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -45037,6 +78262,8 @@ index 0000000..ff3b691 + +.SH "SEE ALSO" +selinux(8), ldconfig(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/libvirt_selinux.8 b/man/man8/libvirt_selinux.8 new file mode 100644 index 0000000..ee560da @@ -45047,11 +78274,11 @@ index 0000000..ee560da \ No newline at end of file diff --git a/man/man8/lircd_selinux.8 b/man/man8/lircd_selinux.8 new file mode 100644 -index 0000000..4f9932c +index 0000000..4cea287 --- /dev/null +++ b/man/man8/lircd_selinux.8 -@@ -0,0 +1,160 @@ -+.TH "lircd_selinux" "8" "12-11-01" "lircd" "SELinux Policy documentation for lircd" +@@ -0,0 +1,282 @@ ++.TH "lircd_selinux" "8" "13-01-16" "lircd" "SELinux Policy documentation for lircd" +.SH "NAME" +lircd_selinux \- Security Enhanced Linux Policy for the lircd processes +.SH "DESCRIPTION" @@ -45067,7 +78294,9 @@ index 0000000..4f9932c + +.SH "ENTRYPOINTS" + -+The lircd_t SELinux type can be entered via the "lircd_exec_t" file type. The default entrypoint paths for the lircd_t domain are the following:" ++The lircd_t SELinux type can be entered via the \fBlircd_exec_t\fP file type. ++ ++The default entrypoint paths for the lircd_t domain are the following: + +/usr/sbin/lircd +.SH PROCESS TYPES 
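Review bot: the ldconfig STANDARD FILE CONTEXT example labels '/srv/ldconfig/content(/.*)?' as ldconfig_cache_t but then runs "restorecon -R -v /srv/myldconfig_content", a path the semanage rule does not match, so following the example as written relabels nothing. Two layout points in the same region: the new .TH date field "13-01-16" is a two-digit year in YY-MM-DD form, which is ambiguous in a man page header (emit 2013-01-16), and the SEE ALSO change appends ", setsebool(8)" as a new line after the list while the file still ends without a trailing newline.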
@@ -45085,58 +78314,84 @@ index 0000000..4f9932c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a lircd_t ++can be used to make the process type lircd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux lircd policy is very flexible allowing users to setup their lircd processes in as secure a method as possible. -+.PP -+The following file types are defined for lircd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. lircd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lircd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B lircd_etc_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the lircd_etc_t type, if you want to store lircd files in the /etc directories. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B lircd_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the lircd_exec_t type, if you want to transition an executable to the lircd_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B lircd_initrc_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the lircd_initrc_exec_t type, if you want to transition an executable to the lircd_initrc_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B lircd_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the lircd_var_run_t type, if you want to store the lircd files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
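Review bot: the lircd BOOLEANS section is the same list as the l2tpd one (daemons_dump_core through nscd_use_shm) with the same inverted deny_ptrace sentence. If this block is a fixed set of global booleans attached to every daemon page, the intro should say so rather than claiming "lircd policy is extremely flexible and has several booleans", and the deny_* wording needs the same correction in every page it is emitted into; fixing the template once fixes l2tpd, ldconfig, lircd, lldpad and load_policy together.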
@@ -45172,10 +78427,20 @@ index 0000000..4f9932c +.br + /var/run/lircd(/.*)? +.br ++ /dev/lircd ++.br + /var/run/lircd\.pid +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B var_lock_t + + /var/lock(/.*)? 
@@ -45185,7 +78450,87 @@ index 0000000..4f9932c + /var/lock +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux lircd policy is very flexible allowing users to setup their lircd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++lircd policy stores data with multiple different file context types under the /var/run/lirc directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/lirc /srv/lirc ++.br ++.B restorecon -R -v /srv/lirc ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the lircd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t lircd_etc_t '/srv/lircd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylircd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for lircd: ++ ++ ++.EX ++.PP ++.B lircd_etc_t ++.EE ++ ++- Set files with the lircd_etc_t type, if you want to store lircd files in the /etc directories. ++ ++.br ++.TP 5 ++Paths: ++/etc/lirc(/.*)?, /etc/lircd\.conf ++ ++.EX ++.PP ++.B lircd_exec_t ++.EE ++ ++- Set files with the lircd_exec_t type, if you want to transition an executable to the lircd_t domain. 
++ ++ ++.EX ++.PP ++.B lircd_initrc_exec_t ++.EE ++ ++- Set files with the lircd_initrc_exec_t type, if you want to transition an executable to the lircd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B lircd_var_run_t ++.EE ++ ++- Set files with the lircd_var_run_t type, if you want to store the lircd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/lirc(/.*)?, /var/run/lircd(/.*)?, /dev/lircd, /var/run/lircd\.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -45200,6 +78545,9 @@ index 0000000..4f9932c +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -45211,13 +78559,15 @@ index 0000000..4f9932c + +.SH "SEE ALSO" +selinux(8), lircd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/livecd_selinux.8 b/man/man8/livecd_selinux.8 new file mode 100644 -index 0000000..d7d48dd +index 0000000..625f719 --- /dev/null +++ b/man/man8/livecd_selinux.8 -@@ -0,0 +1,104 @@ -+.TH "livecd_selinux" "8" "12-11-01" "livecd" "SELinux Policy documentation for livecd" +@@ -0,0 +1,229 @@ ++.TH "livecd_selinux" "8" "13-01-16" "livecd" "SELinux Policy documentation for livecd" +.SH "NAME" +livecd_selinux \- Security Enhanced Linux Policy for the livecd processes +.SH "DESCRIPTION" 
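Review bot: the lircd MANAGED FILES section now lists root_t with the paths "/" and "/initrd", which documents that lircd_t can manage files directly in the root directory. That is a broad permission for an IR daemon; please confirm it is intended rather than a side effect of a wide interface, since the same root_t entry appears in the l2tpd and lldpad pages in this patch. In the same hunk "/dev/lircd" is carried under lircd_var_run_t; if that is the daemon's socket it is fine, but it is the only /dev path listed under a var_run type here, so a short note in the type description would help.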
@@ -45233,7 +78583,9 @@ index 0000000..d7d48dd + +.SH "ENTRYPOINTS" + -+The livecd_t SELinux type can be entered via the "filesystem_type,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type,livecd_exec_t" file types. The default entrypoint paths for the livecd_t domain are the following:" ++The livecd_t SELinux type can be entered via the \fBsysctl_type, filesystem_type, mtrr_device_t, unlabeled_t, proc_type, file_type, livecd_exec_t\fP file types. ++ ++The default entrypoint paths for the livecd_t domain are the following: + +/dev/cpu/mtrr, all files on the system, /usr/bin/livecd-creator +.SH PROCESS TYPES 
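Review bot: the livecd ENTRYPOINTS section now states that livecd_t can be entered via sysctl_type, filesystem_type, mtrr_device_t, unlabeled_t, proc_type and file_type, with "/dev/cpu/mtrr, all files on the system" as default entrypoint paths. This is what the policy grants, but a reader will read it as a generator bug. Either print only livecd_exec_t and add a sentence that the domain is unconfined-style, or keep the list and state explicitly that the domain can be entered from any file type.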
@@ -45251,8 +78603,126 @@ index 0000000..d7d48dd +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a livecd_t ++can be used to make the process type livecd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. livecd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run livecd with the tightest access possible. ++ ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.PP ++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_insmod 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execheap 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type livecd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B file_type ++ ++ all files on the system ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45262,7 +78732,20 @@ index 0000000..d7d48dd +Policy governs the access confined processes have to these files. +SELinux livecd policy is very flexible allowing users to setup their livecd processes in as secure a method as possible. +.PP -+The following file types are defined for livecd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the livecd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t livecd_exec_t '/srv/livecd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylivecd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for livecd: + + +.EX @@ -45288,18 +78771,6 @@ index 0000000..d7d48dd +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type livecd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B file_type -+ -+ all files on the system -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
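Review bot: two boolean entries in the livecd page contradict themselves. secure_mode_policyload reads "If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default." The sentence is the raw description pasted into the "If you want to ..." template, and if the boolean really were enabled by default none of the "setsebool -P" commands on this page could be run without a reboot. secure_mode_insmod ("disable kernel module loading ... Enabled by default") is listed beside domain_kernel_load_modules with no reconciliation. Please check the default state printed for both against the policy, and have the generator fall back to "Boolean X: description" when the description is not a verb phrase. The deny_execmem entry has the same "deny ... you must turn on" shape already noted for deny_ptrace.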
@@ -45310,6 +78781,9 @@ index 0000000..d7d48dd +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -45321,13 +78795,15 @@ index 0000000..d7d48dd + +.SH "SEE ALSO" +selinux(8), livecd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/lldpad_selinux.8 b/man/man8/lldpad_selinux.8 new file mode 100644 -index 0000000..3cbeec5 +index 0000000..09445d7 --- /dev/null +++ b/man/man8/lldpad_selinux.8 -@@ -0,0 +1,138 @@ -+.TH "lldpad_selinux" "8" "12-11-01" "lldpad" "SELinux Policy documentation for lldpad" +@@ -0,0 +1,231 @@ ++.TH "lldpad_selinux" "8" "13-01-16" "lldpad" "SELinux Policy documentation for lldpad" +.SH "NAME" +lldpad_selinux \- Security Enhanced Linux Policy for the lldpad processes +.SH "DESCRIPTION" @@ -45343,7 +78819,9 @@ index 0000000..3cbeec5 + +.SH "ENTRYPOINTS" + -+The lldpad_t SELinux type can be entered via the "lldpad_exec_t" file type. The default entrypoint paths for the lldpad_t domain are the following:" ++The lldpad_t SELinux type can be entered via the \fBlldpad_exec_t\fP file type. ++ ++The default entrypoint paths for the lldpad_t domain are the following: + +/usr/sbin/lldpad +.SH PROCESS TYPES 
@@ -45361,8 +78839,104 @@ index 0000000..3cbeec5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a lldpad_t ++can be used to make the process type lldpad_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. lldpad policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lldpad with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type lldpad_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B lldpad_tmpfs_t ++ ++ ++.br ++.B lldpad_var_lib_t ++ ++ /var/lib/lldpad(/.*)? ++.br ++ ++.br ++.B lldpad_var_run_t ++ ++ /var/run/lldpad.* ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45372,7 +78946,20 @@ index 0000000..3cbeec5 +Policy governs the access confined processes have to these files. +SELinux lldpad policy is very flexible allowing users to setup their lldpad processes in as secure a method as possible. +.PP -+The following file types are defined for lldpad: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the lldpad, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t lldpad_exec_t '/srv/lldpad/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylldpad_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for lldpad: + + +.EX 
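Review bot: in the lldpad MANAGED FILES list the lldpad_var_run_t path is now "/var/run/lldpad.*" with an unescaped dot, so it matches any name starting with lldpad (the old "/var/run/lldpad\.pid" and a lldpad directory, but also unrelated files). If both the pid file and a directory are meant, "/var/run/lldpad(/.*)?" plus "/var/run/lldpad\.pid" would be the tighter pair. lldpad_tmpfs_t is listed with no path at all, which the generator could omit or mark as not path-backed, and root_t ("/" and "/initrd") appears here as well.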
@@ -45412,7 +78999,7 @@ index 0000000..3cbeec5 +.B lldpad_var_run_t +.EE + -+- Set files with the lldpad_var_run_t type, if you want to store the lldpad files under the /run directory. ++- Set files with the lldpad_var_run_t type, if you want to store the lldpad files under the /run or /var/run directory. + + +.PP @@ -45422,28 +79009,6 @@ index 0000000..3cbeec5 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type lldpad_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B lldpad_tmpfs_t -+ -+ -+.br -+.B lldpad_var_lib_t -+ -+ /var/lib/lldpad(/.*)? -+.br -+ -+.br -+.B lldpad_var_run_t -+ -+ /var/run/lldpad\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -45454,6 +79019,9 @@ index 0000000..3cbeec5 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -45465,13 +79033,15 @@ index 0000000..3cbeec5 + +.SH "SEE ALSO" +selinux(8), lldpad(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/load_policy_selinux.8 b/man/man8/load_policy_selinux.8 new file mode 100644 -index 0000000..30c76e6 +index 0000000..5abe357 --- /dev/null +++ b/man/man8/load_policy_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "load_policy_selinux" "8" "12-11-01" "load_policy" "SELinux Policy documentation for load_policy" +@@ -0,0 +1,167 @@ ++.TH "load_policy_selinux" "8" "13-01-16" "load_policy" "SELinux Policy documentation for load_policy" +.SH "NAME" +load_policy_selinux \- Security Enhanced Linux Policy for the load_policy processes +.SH "DESCRIPTION" 
@@ -45487,7 +79057,9 @@ index 0000000..30c76e6 + +.SH "ENTRYPOINTS" + -+The load_policy_t SELinux type can be entered via the "load_policy_exec_t" file type. The default entrypoint paths for the load_policy_t domain are the following:" ++The load_policy_t SELinux type can be entered via the \fBload_policy_exec_t\fP file type. ++ ++The default entrypoint paths for the load_policy_t domain are the following: + +/sbin/load_policy, /usr/sbin/load_policy +.SH PROCESS TYPES 
@@ -45505,34 +79077,60 @@ index 0000000..30c76e6 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a load_policy_t ++can be used to make the process type load_policy_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux load_policy policy is very flexible allowing users to setup their load_policy processes in as secure a method as possible. -+.PP -+The following file types are defined for load_policy: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. load_policy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run load_policy with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B load_policy_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the load_policy_exec_t type, if you want to transition an executable to the load_policy_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -45542,7 +79140,48 @@ index 0000000..30c76e6 +.B boolean_type + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux load_policy policy is very flexible allowing users to setup their load_policy processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the load_policy, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t load_policy_exec_t '/srv/load_policy/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myload_policy_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for load_policy: ++ ++ ++.EX ++.PP ++.B load_policy_exec_t ++.EE ++ ++- Set files with the load_policy_exec_t type, if you want to transition an executable to the load_policy_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/load_policy, /usr/sbin/load_policy ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -45554,6 +79193,9 @@ index 0000000..30c76e6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -45565,15 +79207,15 @@ index 0000000..30c76e6 + +.SH "SEE ALSO" +selinux(8), load_policy(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, loadkeys_selinux(8) ++, setsebool(8), loadkeys_selinux(8) \ No newline at end of file diff --git a/man/man8/loadkeys_selinux.8 b/man/man8/loadkeys_selinux.8 new file mode 100644 -index 0000000..3c43c48 +index 0000000..eefc857 --- /dev/null +++ b/man/man8/loadkeys_selinux.8 -@@ -0,0 +1,86 @@ -+.TH "loadkeys_selinux" "8" "12-11-01" "loadkeys" "SELinux Policy documentation for loadkeys" +@@ -0,0 +1,159 @@ ++.TH "loadkeys_selinux" "8" "13-01-16" "loadkeys" "SELinux Policy documentation for loadkeys" +.SH "NAME" +loadkeys_selinux \- Security Enhanced Linux Policy for the loadkeys processes +.SH "DESCRIPTION" @@ -45589,9 +79231,11 @@ index 0000000..3c43c48 + +.SH "ENTRYPOINTS" + -+The loadkeys_t SELinux type can be entered via the "loadkeys_exec_t" file type. The default entrypoint paths for the loadkeys_t domain are the following:" ++The loadkeys_t SELinux type can be entered via the \fBloadkeys_exec_t\fP file type. + -+/usr/bin/unikeys, /usr/bin/loadkeys ++The default entrypoint paths for the loadkeys_t domain are the following: ++ ++/bin/unikeys, /bin/loadkeys, /usr/bin/unikeys, /usr/bin/loadkeys +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -45607,8 +79251,60 @@ index 0000000..3c43c48 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a loadkeys_t ++can be used to make the process type loadkeys_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. loadkeys policy is extremely flexible and has several booleans that allow you to manipulate the policy and run loadkeys with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -45618,7 +79314,20 @@ index 0000000..3c43c48 +Policy governs the access confined processes have to these files. +SELinux loadkeys policy is very flexible allowing users to setup their loadkeys processes in as secure a method as possible. +.PP -+The following file types are defined for loadkeys: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the loadkeys, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t loadkeys_exec_t '/srv/loadkeys/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myloadkeys_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for loadkeys: + + +.EX @@ -45628,6 +79337,10 @@ index 0000000..3c43c48 + +- Set files with the loadkeys_exec_t type, if you want to transition an executable to the loadkeys_t domain. + ++.br ++.TP 5 ++Paths: ++/bin/unikeys, /bin/loadkeys, /usr/bin/unikeys, /usr/bin/loadkeys + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -45636,8 +79349,6 @@ index 0000000..3c43c48 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -45648,6 +79359,9 @@ index 0000000..3c43c48 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -45659,13 +79373,477 @@ index 0000000..3c43c48 + +.SH "SEE ALSO" +selinux(8), loadkeys(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/local_login_selinux.8 b/man/man8/local_login_selinux.8 +new file mode 100644 +index 0000000..931f349 +--- /dev/null ++++ b/man/man8/local_login_selinux.8 +@@ -0,0 +1,455 @@ ++.TH "local_login_selinux" "8" "13-01-16" "local_login" "SELinux Policy documentation for local_login" ++.SH "NAME" ++local_login_selinux \- Security Enhanced Linux Policy for the local_login processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the local_login processes via flexible mandatory access control. ++ ++The local_login processes execute with the local_login_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep local_login_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The local_login_t SELinux type can be entered via the \fBlogin_exec_t\fP file type. ++ ++The default entrypoint paths for the local_login_t domain are the following: ++ ++/bin/login, /usr/bin/login, /usr/kerberos/sbin/login\.krb5 ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux local_login policy is very flexible allowing users to setup their local_login processes in as secure a method as possible. ++.PP ++The following process types are defined for local_login: ++ ++.EX ++.B local_login_t ++.EE ++.PP ++Note: ++.B semanage permissive -a local_login_t ++can be used to make the process type local_login_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. 
++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. local_login policy is extremely flexible and has several booleans that allow you to manipulate the policy and run local_login with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_radius 1 ++ ++.EE ++ ++.PP ++If you want to allow users to login using a yubikey server, you must turn on the authlogin_yubikey boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_yubikey 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to enable polyinstantiated directory support, you must turn on the polyinstantiation_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P polyinstantiation_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P unconfined_login 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the local_login_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the local_login_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type local_login_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B auth_cache_t ++ ++ /var/cache/coolkey(/.*)? ++.br ++ ++.br ++.B auth_home_t ++ ++ /root/\.google_authenticator ++.br ++ /root/\.google_authenticator~ ++.br ++ /home/[^/]*/\.google_authenticator ++.br ++ /home/[^/]*/\.google_authenticator~ ++.br ++ /home/pwalsh/\.google_authenticator ++.br ++ /home/pwalsh/\.google_authenticator~ ++.br ++ /home/dwalsh/\.google_authenticator ++.br ++ /home/dwalsh/\.google_authenticator~ ++.br ++ /var/lib/xguest/home/xguest/\.google_authenticator ++.br ++ /var/lib/xguest/home/xguest/\.google_authenticator~ ++.br ++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? 
++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B lastlog_t ++ ++ /var/log/lastlog.* ++.br ++ ++.br ++.B local_login_lock_t ++ ++ ++.br ++.B pam_var_console_t ++ ++ /var/run/console(/.*)? ++.br ++ ++.br ++.B pam_var_run_t ++ ++ /var/(db|lib|adm)/sudo(/.*)? ++.br ++ /var/run/sudo(/.*)? ++.br ++ /var/run/sepermit(/.*)? ++.br ++ /var/run/pam_mount(/.*)? ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.br ++.B var_auth_t ++ ++ /var/ace(/.*)? ++.br ++ /var/rsa(/.*)? ++.br ++ /var/lib/abl(/.*)? ++.br ++ /var/lib/rsa(/.*)? ++.br ++ /var/lib/pam_ssh(/.*)? ++.br ++ /var/run/pam_ssh(/.*)? ++.br ++ /var/lib/pam_shield(/.*)? ++.br ++ /var/opt/quest/vas/vasd(/.*)? ++.br ++ /var/lib/google-authenticator(/.*)? ++.br ++ ++.br ++.B wtmp_t ++ ++ /var/log/wtmp.* ++.br ++ ++.br ++.B xdm_tmp_t ++ ++ /tmp/\.X11-unix(/.*)? ++.br ++ /tmp/\.ICE-unix(/.*)? ++.br ++ /tmp/\.X0-lock ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux local_login policy is very flexible allowing users to setup their local_login processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the local_login, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. 
++ ++.B semanage fcontext -a -t local_login_home_t '/srv/local_login/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylocal_login_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for local_login: ++ ++ ++.EX ++.PP ++.B local_login_home_t ++.EE ++ ++- Set files with the local_login_home_t type, if you want to store local login files in the users home directory. ++ ++.br ++.TP 5 ++Paths: ++/root/\.hushlogin, /home/[^/]*/\.hushlogin, /home/pwalsh/\.hushlogin, /home/dwalsh/\.hushlogin, /var/lib/xguest/home/xguest/\.hushlogin ++ ++.EX ++.PP ++.B local_login_lock_t ++.EE ++ ++- Set files with the local_login_lock_t type, if you want to treat the files as local login lock data, stored under the /var/lock directory ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), local_login(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/locate_selinux.8 b/man/man8/locate_selinux.8 new file mode 100644 -index 0000000..1ab1c6b +index 0000000..5d900d0 --- /dev/null 
+++ b/man/man8/locate_selinux.8 -@@ -0,0 +1,126 @@ -+.TH "locate_selinux" "8" "12-11-01" "locate" "SELinux Policy documentation for locate" +@@ -0,0 +1,221 @@ ++.TH "locate_selinux" "8" "13-01-16" "locate" "SELinux Policy documentation for locate" +.SH "NAME" +locate_selinux \- Security Enhanced Linux Policy for the locate processes +.SH "DESCRIPTION" @@ -45681,7 +79859,9 @@ index 0000000..1ab1c6b + +.SH "ENTRYPOINTS" + -+The locate_t SELinux type can be entered via the "locate_exec_t" file type. The default entrypoint paths for the locate_t domain are the following:" ++The locate_t SELinux type can be entered via the \fBlocate_exec_t\fP file type. ++ ++The default entrypoint paths for the locate_t domain are the following: + +/usr/bin/updatedb +.SH PROCESS TYPES 
@@ -45699,8 +79879,118 @@ index 0000000..1ab1c6b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a locate_t ++can be used to make the process type locate_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. locate policy is extremely flexible and has several booleans that allow you to manipulate the policy and run locate with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the locate_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the locate_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type locate_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B locate_var_lib_t ++ ++ /var/lib/[sm]locate(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -45710,7 +80000,20 @@ index 0000000..1ab1c6b +Policy governs the access confined processes have to these files. +SELinux locate policy is very flexible allowing users to setup their locate processes in as secure a method as possible. +.PP -+The following file types are defined for locate: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the locate, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t locate_exec_t '/srv/locate/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylocate_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for locate: + + +.EX @@ -45723,14 +80026,6 @@ index 0000000..1ab1c6b + +.EX +.PP -+.B locate_log_t -+.EE -+ -+- Set files with the locate_log_t type, if you want to treat the data as locate log data, usually stored under the /var/log directory. -+ -+ -+.EX -+.PP +.B locate_var_lib_t +.EE + 
@@ -45744,32 +80039,6 @@ index 0000000..1ab1c6b +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type locate_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B locate_var_lib_t -+ -+ /var/lib/[sm]locate(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the locate_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the locate_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -45780,6 +80049,9 @@ index 0000000..1ab1c6b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -45791,13 +80063,15 @@ index 0000000..1ab1c6b + +.SH "SEE ALSO" +selinux(8), locate(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/lockdev_selinux.8 b/man/man8/lockdev_selinux.8 new file mode 100644 -index 0000000..8c5a3fe +index 0000000..121a647 --- /dev/null +++ b/man/man8/lockdev_selinux.8 -@@ -0,0 +1,102 @@ -+.TH "lockdev_selinux" "8" "12-11-01" "lockdev" "SELinux Policy documentation for lockdev" +@@ -0,0 +1,165 @@ ++.TH "lockdev_selinux" "8" "13-01-16" "lockdev" "SELinux Policy documentation for lockdev" +.SH "NAME" +lockdev_selinux \- Security Enhanced Linux Policy for the lockdev processes +.SH "DESCRIPTION" 
@@ -45813,7 +80087,9 @@ index 0000000..8c5a3fe + +.SH "ENTRYPOINTS" + -+The lockdev_t SELinux type can be entered via the "lockdev_exec_t" file type. The default entrypoint paths for the lockdev_t domain are the following:" ++The lockdev_t SELinux type can be entered via the \fBlockdev_exec_t\fP file type. ++ ++The default entrypoint paths for the lockdev_t domain are the following: + +/usr/sbin/lockdev +.SH PROCESS TYPES 
@@ -45831,8 +80107,62 @@ index 0000000..8c5a3fe +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a lockdev_t ++can be used to make the process type lockdev_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. lockdev policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lockdev with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type lockdev_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B lockdev_lock_t ++ ++ /var/lock/lockdev(/.*)? 
++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45842,7 +80172,20 @@ index 0000000..8c5a3fe +Policy governs the access confined processes have to these files. +SELinux lockdev policy is very flexible allowing users to setup their lockdev processes in as secure a method as possible. +.PP -+The following file types are defined for lockdev: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the lockdev, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t lockdev_exec_t '/srv/lockdev/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylockdev_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for lockdev: + + +.EX @@ -45868,16 +80211,6 @@ index 0000000..8c5a3fe +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type lockdev_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B lockdev_lock_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -45888,6 +80221,9 @@ index 0000000..8c5a3fe +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -45899,12 +80235,14 @@ index 0000000..8c5a3fe + +.SH "SEE ALSO" +selinux(8), lockdev(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
diff --git a/man/man8/logadm_selinux.8 b/man/man8/logadm_selinux.8 new file mode 100644 -index 0000000..9e18695 +index 0000000..a7eea62 --- /dev/null +++ b/man/man8/logadm_selinux.8 -@@ -0,0 +1,161 @@ +@@ -0,0 +1,293 @@ +.TH "logadm_selinux" "8" "logadm" "mgrepl@redhat.com" "logadm SELinux Policy documentation" +.SH "NAME" +logadm_r \- \fBLog administrator role\fP - Security Enhanced Linux Policy 
@@ -45947,6 +80285,130 @@ index 0000000..9e18695 +.B $ semanage user -m -R 'staff_r system_r logadm_r' staff_u + + ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. logadm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run logadm with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ ++.EE ++ +.SH "MANAGED FILES" + +The SELinux process type logadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
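Review bot: the selinuxuser_execstack paragraph added here contradicts itself: "This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default." The generator is splicing the whole policy description, warning included, into its "If you want to ... you must turn on" template, and the deny_execmem paragraph ("If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on ...") has the same shape. Either trim those descriptions in the policy source to the bare allow/deny clause, or have sepolicy manpage emit the warning as a separate sentence after the setsebool example, so the page states plainly that the permissive setting is the default and what turning it off buys.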
@@ -46004,6 +80466,8 @@ index 0000000..9e18695 +.br + /etc/rsyslog.conf +.br ++ /etc/rsyslog.d(/.*)? ++.br + +.br +.B syslogd_tmp_t @@ -46018,6 +80482,8 @@ index 0000000..9e18695 +.br + /var/lib/syslog-ng.persist +.br ++ /var/lib/misc/syslog-ng.persist-? ++.br + +.br +.B syslogd_var_run_t @@ -46055,6 +80521,9 @@ index 0000000..9e18695 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
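Review bot: the two new path entries, "/etc/rsyslog.d(/.*)?" and "/var/lib/misc/syslog-ng.persist-?", leave the "." unescaped, so they also match names like /etc/rsyslogXd; the other entries in these pages escape it ("/var/lib/logrotate\.status", "/var/run/epylog\.pid"). Fix is "\." in the file_contexts source, which then flows into the man page. Also confirm the trailing "-?" is intended: as written the pattern matches exactly two names, syslog-ng.persist and syslog-ng.persist-. If that is for the temporary file syslog-ng writes before renaming it into place, a short comment in the fc source would save the next reader the question; if a wider suffix was meant, the pattern is too narrow.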
@@ -46066,13 +80535,266 @@ index 0000000..9e18695 + +.SH "SEE ALSO" +selinux(8), logadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/logrotate_mail_selinux.8 b/man/man8/logrotate_mail_selinux.8 +new file mode 100644 +index 0000000..d223d19 +--- /dev/null ++++ b/man/man8/logrotate_mail_selinux.8 +@@ -0,0 +1,244 @@ ++.TH "logrotate_mail_selinux" "8" "13-01-16" "logrotate_mail" "SELinux Policy documentation for logrotate_mail" ++.SH "NAME" ++logrotate_mail_selinux \- Security Enhanced Linux Policy for the logrotate_mail processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the logrotate_mail processes via flexible mandatory access control. ++ ++The logrotate_mail processes execute with the logrotate_mail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep logrotate_mail_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The logrotate_mail_t SELinux type can be entered via the \fBmta_exec_type, mta_exec_type, sendmail_exec_t\fP file types. ++ ++The default entrypoint paths for the logrotate_mail_t domain are the following: ++ ++/bin/mail(x)?, /usr/bin/mail(x)?, /usr/sbin/sendmail(\.sendmail)?, /usr/bin/esmtp, /usr/sbin/rmail, /usr/sbin/ssmtp, /usr/lib/sendmail, /var/qmail/bin/sendmail, /usr/sbin/sendmail\.postfix, /usr/lib/courier/bin/sendmail ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux logrotate_mail policy is very flexible allowing users to setup their logrotate_mail processes in as secure a method as possible. 
++.PP ++The following process types are defined for logrotate_mail: ++ ++.EX ++.B logrotate_mail_t ++.EE ++.PP ++Note: ++.B semanage permissive -a logrotate_mail_t ++can be used to make the process type logrotate_mail_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. logrotate_mail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run logrotate_mail with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the logrotate_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the logrotate_mail_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type logrotate_mail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B courier_spool_t ++ ++ /var/spool/courier(/.*)? ++.br ++ /var/spool/authdaemon(/.*)? ++.br ++ ++.br ++.B exim_log_t ++ ++ /var/log/exim[0-9]?(/.*)? ++.br ++ ++.br ++.B exim_spool_t ++ ++ /var/spool/exim[0-9]?(/.*)? ++.br ++ ++.br ++.B logrotate_mail_tmp_t ++ ++ ++.br ++.B logrotate_tmp_t ++ ++ ++.br ++.B mail_home_rw_t ++ ++ /root/Maildir(/.*)? ++.br ++ /home/[^/]*/.maildir(/.*)? ++.br ++ /home/[^/]*/Maildir(/.*)? ++.br ++ /home/pwalsh/.maildir(/.*)? ++.br ++ /home/pwalsh/Maildir(/.*)? ++.br ++ /home/dwalsh/.maildir(/.*)? ++.br ++ /home/dwalsh/Maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/.maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/Maildir(/.*)? ++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? 
++.br ++ ++.br ++.B mqueue_spool_t ++ ++ /var/spool/(client)?mqueue(/.*)? ++.br ++ /var/spool/mqueue\.in(/.*)? ++.br ++ ++.br ++.B sendmail_log_t ++ ++ /var/log/mail(/.*)? ++.br ++ /var/log/sendmail\.st.* ++.br ++ ++.br ++.B uucpd_spool_t ++ ++ /var/spool/uucp(/.*)? ++.br ++ /var/spool/uucppublic(/.*)? ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), logrotate_mail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), logrotate_selinux(8), logrotate_selinux(8) +\ No newline at end of file diff --git a/man/man8/logrotate_selinux.8 b/man/man8/logrotate_selinux.8 new file mode 100644 -index 0000000..b7cec54 +index 0000000..cb77089 --- /dev/null +++ b/man/man8/logrotate_selinux.8 -@@ -0,0 +1,198 @@ -+.TH "logrotate_selinux" "8" "12-11-01" "logrotate" "SELinux Policy documentation for logrotate" +@@ -0,0 +1,317 @@ ++.TH "logrotate_selinux" "8" "13-01-16" "logrotate" "SELinux Policy documentation for logrotate" +.SH "NAME" +logrotate_selinux \- Security Enhanced Linux Policy for the logrotate processes +.SH "DESCRIPTION" 
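Review bot: logrotate_mail_selinux.8 ships developer-specific paths under mail_home_rw_t: "/home/pwalsh/.maildir(/.*)?", "/home/pwalsh/Maildir(/.*)?", "/home/dwalsh/.maildir(/.*)?" and the dwalsh Maildir entry, plus /var/lib/xguest/home/xguest/... These read like local "semanage fcontext" customizations on the machine where "sepolicy manpage" was run, not shipped policy; the pages should be regenerated from a clean policy store, or the generator should read only the policy's file_contexts and ignore file_contexts.local. Three smaller generator defects in the same file: ENTRYPOINTS lists "mta_exec_type, mta_exec_type, sendmail_exec_t" (attribute repeated), PROCESS TYPES has "\fBps\bP" where the closing font escape is "\fP" ("\b" is not a font escape and will not render as intended), and SEE ALSO ends "logrotate_selinux(8), logrotate_selinux(8)". The unescaped "." in "/home/[^/]*/.maildir(/.*)?" matches any character rather than a literal dot.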
@@ -46088,7 +80810,9 @@ index 0000000..b7cec54 + +.SH "ENTRYPOINTS" + -+The logrotate_t SELinux type can be entered via the "logrotate_exec_t" file type. The default entrypoint paths for the logrotate_t domain are the following:" ++The logrotate_t SELinux type can be entered via the \fBlogrotate_exec_t\fP file type. ++ ++The default entrypoint paths for the logrotate_t domain are the following: + +/etc/cron\.(daily|weekly)/sysklogd, /usr/sbin/logrotate +.SH PROCESS TYPES 
@@ -46106,8 +80830,186 @@ index 0000000..b7cec54 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a logrotate_t ++can be used to make the process type logrotate_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. logrotate policy is extremely flexible and has several booleans that allow you to manipulate the policy and run logrotate with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the logrotate_t, logrotate_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the logrotate_t, logrotate_mail_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type logrotate_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B abrt_var_cache_t ++ ++ /var/tmp/abrt(/.*)? ++.br ++ /var/cache/abrt(/.*)? ++.br ++ /var/spool/abrt(/.*)? ++.br ++ /var/cache/abrt-di(/.*)? 
++.br ++ ++.br ++.B logfile ++ ++ all log files ++.br ++ ++.br ++.B logrotate_lock_t ++ ++ ++.br ++.B logrotate_tmp_t ++ ++ ++.br ++.B logrotate_var_lib_t ++ ++ /var/lib/logrotate\.status ++.br ++ ++.br ++.B named_cache_t ++ ++ /var/named/data(/.*)? ++.br ++ /var/lib/unbound(/.*)? ++.br ++ /var/named/slaves(/.*)? ++.br ++ /var/named/dynamic(/.*)? ++.br ++ /var/named/chroot/var/tmp(/.*)? ++.br ++ /var/named/chroot/var/named/data(/.*)? ++.br ++ /var/named/chroot/var/named/slaves(/.*)? ++.br ++ /var/named/chroot/var/named/dynamic(/.*)? ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br ++ ++.br ++.B var_spool_t ++ ++ /var/spool(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -46117,7 +81019,20 @@ index 0000000..b7cec54 +Policy governs the access confined processes have to these files. +SELinux logrotate policy is very flexible allowing users to setup their logrotate processes in as secure a method as possible. +.PP -+The following file types are defined for logrotate: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the logrotate, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t logrotate_exec_t '/srv/logrotate/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylogrotate_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for logrotate: + + +.EX @@ -46127,6 +81042,10 @@ index 0000000..b7cec54 + +- Set files with the logrotate_exec_t type, if you want to transition an executable to the logrotate_t domain. + ++.br ++.TP 5 ++Paths: ++/etc/cron\.(daily|weekly)/sysklogd, /usr/sbin/logrotate + +.EX +.PP 
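Review bot: same STANDARD FILE CONTEXT defect as the lockdev page: the example is "semanage fcontext -a -t logrotate_exec_t '/srv/logrotate/content(/.*)?'" followed by "restorecon -R -v /srv/mylogrotate_content". A content directory should get a data type (logrotate_var_lib_t or logrotate_tmp_t are both listed on this page), not the entrypoint type, and both commands should name the same path. The template text in this hunk also carries "diffent", "sepecify" and "rather then using a sssd server" (than), which repeat in every generated page until fixed in sepolicy manpage. On content: "/var/lib/unbound(/.*)?" now appears under named_cache_t, which logrotate_t already manages (the removed block below lists the type too), so log rotation gains write access to unbound's state directory purely as a side effect of the relabel. Worth a one-line justification in the policy source, or a narrower type for the unbound directory.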
@@ -46167,88 +81086,6 @@ index 0000000..b7cec54 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type logrotate_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B abrt_var_cache_t -+ -+ /var/cache/abrt(/.*)? -+.br -+ /var/spool/abrt(/.*)? -+.br -+ /var/cache/abrt-di(/.*)? -+.br -+ -+.br -+.B logfile -+ -+ all log files -+.br -+ -+.br -+.B logrotate_lock_t -+ -+ -+.br -+.B logrotate_tmp_t -+ -+ -+.br -+.B logrotate_var_lib_t -+ -+ /var/lib/logrotate\.status -+.br -+ -+.br -+.B named_cache_t -+ -+ /var/named/data(/.*)? -+.br -+ /var/named/slaves(/.*)? -+.br -+ /var/named/dynamic(/.*)? -+.br -+ /var/named/chroot/var/tmp(/.*)? -+.br -+ /var/named/chroot/var/named/data(/.*)? -+.br -+ /var/named/chroot/var/named/slaves(/.*)? -+.br -+ /var/named/chroot/var/named/dynamic(/.*)? -+.br -+ -+.br -+.B systemd_passwd_var_run_t -+ -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br -+ -+.br -+.B var_spool_t -+ -+ /var/spool(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the logrotate_t, logrotate_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the logrotate_t, logrotate_mail_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -46259,6 +81096,9 @@ index 0000000..b7cec54 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
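Review bot: the new COMMANDS entry ".B semanage boolean" / "can also be used to manipulate the booleans" is inserted without the ".PP" that separates the neighbouring entries (semanage permissive and semanage module each sit after a ".PP") and without a trailing period, so in troff it runs into the preceding paragraph. The identical snippet is added to lockdev, logadm, logrotate_mail, logwatch_mail and logwatch in this patch; fix it once in the generator rather than in each page.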
@@ -46270,13 +81110,266 @@ index 0000000..b7cec54 + +.SH "SEE ALSO" +selinux(8), logrotate(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), logrotate_mail_selinux(8) +\ No newline at end of file +diff --git a/man/man8/logwatch_mail_selinux.8 b/man/man8/logwatch_mail_selinux.8 +new file mode 100644 +index 0000000..accdfe9 +--- /dev/null ++++ b/man/man8/logwatch_mail_selinux.8 +@@ -0,0 +1,244 @@ ++.TH "logwatch_mail_selinux" "8" "13-01-16" "logwatch_mail" "SELinux Policy documentation for logwatch_mail" ++.SH "NAME" ++logwatch_mail_selinux \- Security Enhanced Linux Policy for the logwatch_mail processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the logwatch_mail processes via flexible mandatory access control. ++ ++The logwatch_mail processes execute with the logwatch_mail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep logwatch_mail_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The logwatch_mail_t SELinux type can be entered via the \fBmta_exec_type, mta_exec_type, sendmail_exec_t\fP file types. ++ ++The default entrypoint paths for the logwatch_mail_t domain are the following: ++ ++/bin/mail(x)?, /usr/bin/mail(x)?, /usr/sbin/sendmail(\.sendmail)?, /usr/bin/esmtp, /usr/sbin/rmail, /usr/sbin/ssmtp, /usr/lib/sendmail, /var/qmail/bin/sendmail, /usr/sbin/sendmail\.postfix, /usr/lib/courier/bin/sendmail ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux logwatch_mail policy is very flexible allowing users to setup their logwatch_mail processes in as secure a method as possible. 
++.PP ++The following process types are defined for logwatch_mail: ++ ++.EX ++.B logwatch_mail_t ++.EE ++.PP ++Note: ++.B semanage permissive -a logwatch_mail_t ++can be used to make the process type logwatch_mail_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. logwatch_mail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run logwatch_mail with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the logwatch_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the logwatch_mail_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type logwatch_mail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B courier_spool_t ++ ++ /var/spool/courier(/.*)? ++.br ++ /var/spool/authdaemon(/.*)? ++.br ++ ++.br ++.B exim_log_t ++ ++ /var/log/exim[0-9]?(/.*)? ++.br ++ ++.br ++.B exim_spool_t ++ ++ /var/spool/exim[0-9]?(/.*)? ++.br ++ ++.br ++.B logwatch_mail_tmp_t ++ ++ ++.br ++.B logwatch_tmp_t ++ ++ ++.br ++.B mail_home_rw_t ++ ++ /root/Maildir(/.*)? ++.br ++ /home/[^/]*/.maildir(/.*)? ++.br ++ /home/[^/]*/Maildir(/.*)? ++.br ++ /home/pwalsh/.maildir(/.*)? ++.br ++ /home/pwalsh/Maildir(/.*)? ++.br ++ /home/dwalsh/.maildir(/.*)? ++.br ++ /home/dwalsh/Maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/.maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/Maildir(/.*)? ++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? 
++.br ++ ++.br ++.B mqueue_spool_t ++ ++ /var/spool/(client)?mqueue(/.*)? ++.br ++ /var/spool/mqueue\.in(/.*)? ++.br ++ ++.br ++.B sendmail_log_t ++ ++ /var/log/mail(/.*)? ++.br ++ /var/log/sendmail\.st.* ++.br ++ ++.br ++.B uucpd_spool_t ++ ++ /var/spool/uucp(/.*)? ++.br ++ /var/spool/uucppublic(/.*)? ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), logwatch_mail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), logwatch_selinux(8), logwatch_selinux(8) +\ No newline at end of file diff --git a/man/man8/logwatch_selinux.8 b/man/man8/logwatch_selinux.8 new file mode 100644 -index 0000000..bc7bf81 +index 0000000..30cd4aa --- /dev/null +++ b/man/man8/logwatch_selinux.8 -@@ -0,0 +1,170 @@ -+.TH "logwatch_selinux" "8" "12-11-01" "logwatch" "SELinux Policy documentation for logwatch" +@@ -0,0 +1,321 @@ ++.TH "logwatch_selinux" "8" "13-01-16" "logwatch" "SELinux Policy documentation for logwatch" +.SH "NAME" +logwatch_selinux \- Security Enhanced Linux Policy for the logwatch processes +.SH "DESCRIPTION" 
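Review bot: logwatch_mail_selinux.8 has the same generated defects as logrotate_mail_selinux.8 in this patch (the /home/pwalsh and /home/dwalsh Maildir paths, "mta_exec_type, mta_exec_type", "\fBps\bP", and "logwatch_selinux(8), logwatch_selinux(8)" in SEE ALSO), and its NSSWITCH DOMAIN section repeats, almost sentence for sentence, the authlogin_nsswitch_use_ldap and kerberos_enabled entries that BOOLEANS lists a few lines above. Both pages come from one template, so one fix in sepolicy manpage covers them; the NSSWITCH section should either be dropped when its booleans are already listed or say what it adds (which domains the nsswitch access applies to) instead of restating the setsebool line.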
@@ -46292,9 +81385,11 @@ index 0000000..bc7bf81 + +.SH "ENTRYPOINTS" + -+The logwatch_t SELinux type can be entered via the "logwatch_exec_t" file type. The default entrypoint paths for the logwatch_t domain are the following:" ++The logwatch_t SELinux type can be entered via the \fBlogwatch_exec_t\fP file type. + -+/usr/sbin/epylog, /usr/sbin/logcheck, /usr/share/logwatch/scripts/logwatch\.pl ++The default entrypoint paths for the logwatch_t domain are the following: ++ ++/usr/sbin/epylog, /usr/sbin/logcheck, /usr/sbin/logwatch\.pl, /usr/share/logwatch/scripts/logwatch\.pl +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -46310,8 +81405,178 @@ index 0000000..bc7bf81 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a logwatch_t ++can be used to make the process type logwatch_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. logwatch policy is extremely flexible and has several booleans that allow you to manipulate the policy and run logwatch with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the logwatch_mail_t, logwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the logwatch_mail_t, logwatch_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type logwatch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B logwatch_cache_t ++ ++ /var/lib/epylog(/.*)? ++.br ++ /var/lib/logcheck(/.*)? ++.br ++ /var/cache/logwatch(/.*)? ++.br ++ ++.br ++.B logwatch_lock_t ++ ++ /var/lock/logcheck.* ++.br ++ ++.br ++.B logwatch_tmp_t ++ ++ ++.br ++.B logwatch_var_run_t ++ ++ /var/run/epylog\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -46321,7 +81586,20 @@ index 0000000..bc7bf81 +Policy governs the access confined processes have to these files. +SELinux logwatch policy is very flexible allowing users to setup their logwatch processes in as secure a method as possible. +.PP -+The following file types are defined for logwatch: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the logwatch, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t logwatch_cache_t '/srv/logwatch/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylogwatch_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for logwatch: + + +.EX 
@@ -46331,6 +81609,10 @@ index 0000000..bc7bf81 + +- Set files with the logwatch_cache_t type, if you want to store the files under the /var/cache directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/epylog(/.*)?, /var/lib/logcheck(/.*)?, /var/cache/logwatch(/.*)? + +.EX +.PP @@ -46339,6 +81621,10 @@ index 0000000..bc7bf81 + +- Set files with the logwatch_exec_t type, if you want to transition an executable to the logwatch_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/epylog, /usr/sbin/logcheck, /usr/sbin/logwatch\.pl, /usr/share/logwatch/scripts/logwatch\.pl + +.EX +.PP @@ -46369,7 +81655,7 @@ index 0000000..bc7bf81 +.B logwatch_var_run_t +.EE + -+- Set files with the logwatch_var_run_t type, if you want to store the logwatch files under the /run directory. ++- Set files with the logwatch_var_run_t type, if you want to store the logwatch files under the /run or /var/run directory. + + +.PP 
@@ -46379,52 +81665,6 @@ index 0000000..bc7bf81 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type logwatch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B logwatch_cache_t -+ -+ /var/lib/epylog(/.*)? -+.br -+ /var/lib/logcheck(/.*)? -+.br -+ /var/cache/logwatch(/.*)? -+.br -+ -+.br -+.B logwatch_lock_t -+ -+ /var/log/logcheck/.+ -+.br -+ -+.br -+.B logwatch_tmp_t -+ -+ -+.br -+.B logwatch_var_run_t -+ -+ /var/run/epylog\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the logwatch_mail_t, logwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the logwatch_mail_t, logwatch_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -46435,6 +81675,9 @@ index 0000000..bc7bf81 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -46446,13 +81689,15 @@ index 0000000..bc7bf81 + +.SH "SEE ALSO" +selinux(8), logwatch(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), logwatch_mail_selinux(8) +\ No newline at end of file diff --git a/man/man8/lpd_selinux.8 b/man/man8/lpd_selinux.8 new file mode 100644 -index 0000000..0b08fa7 +index 0000000..dfa6f72 --- /dev/null 
+++ b/man/man8/lpd_selinux.8 -@@ -0,0 +1,164 @@ -+.TH "lpd_selinux" "8" "12-11-01" "lpd" "SELinux Policy documentation for lpd" +@@ -0,0 +1,249 @@ ++.TH "lpd_selinux" "8" "13-01-16" "lpd" "SELinux Policy documentation for lpd" +.SH "NAME" +lpd_selinux \- Security Enhanced Linux Policy for the lpd processes +.SH "DESCRIPTION" @@ -46468,7 +81713,9 @@ index 0000000..0b08fa7 + +.SH "ENTRYPOINTS" + -+The lpd_t SELinux type can be entered via the "lpd_exec_t" file type. The default entrypoint paths for the lpd_t domain are the following:" ++The lpd_t SELinux type can be entered via the \fBlpd_exec_t\fP file type. ++ ++The default entrypoint paths for the lpd_t domain are the following: + +/usr/sbin/lpd +.SH PROCESS TYPES 
@@ -46486,68 +81733,100 @@ index 0000000..0b08fa7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a lpd_t ++can be used to make the process type lpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. lpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lpd with the tightest access possible. + + +.PP -+If you want to use lpd server instead of cups, you must turn on the use_lpd_server boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P use_lpd_server 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to use lpd server instead of cups, you must turn on the use_lpd_server boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.B setsebool -P use_lpd_server 1 ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux lpd policy is very flexible allowing users to setup their lpd processes in as secure a method as possible. -+.PP -+The following file types are defined for lpd: -+ ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B lpd_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the lpd_exec_t type, if you want to transition an executable to the lpd_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B lpd_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the lpd_tmp_t type, if you want to store lpd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B lpd_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the lpd_var_run_t type, if you want to store the lpd files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -46575,21 +81854,72 @@ index 0000000..0b08fa7 + /var/spool/cups-pdf(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux lpd policy is very flexible allowing users to setup their lpd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the lpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t lpd_exec_t '/srv/lpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for lpd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B lpd_exec_t +.EE + ++- Set files with the lpd_exec_t type, if you want to transition an executable to the lpd_t domain. ++ ++ ++.EX ++.PP ++.B lpd_tmp_t ++.EE ++ ++- Set files with the lpd_tmp_t type, if you want to store lpd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B lpd_var_run_t ++.EE ++ ++- Set files with the lpd_var_run_t type, if you want to store the lpd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/lprng(/.*)?, /var/spool/turboprint(/.*)? ++ +.PP -+If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -46619,11 +81949,11 @@ index 0000000..0b08fa7 \ No newline at end of file diff --git a/man/man8/lpr_selinux.8 b/man/man8/lpr_selinux.8 new file mode 100644 -index 0000000..2aa3249 +index 0000000..3e618f4 --- /dev/null +++ b/man/man8/lpr_selinux.8 -@@ -0,0 +1,108 @@ -+.TH "lpr_selinux" "8" "12-11-01" "lpr" "SELinux Policy documentation for lpr" +@@ -0,0 +1,265 @@ ++.TH "lpr_selinux" "8" "13-01-16" "lpr" "SELinux Policy documentation for lpr" +.SH "NAME" +lpr_selinux \- Security Enhanced Linux Policy for the lpr processes +.SH "DESCRIPTION" 
@@ -46639,9 +81969,11 @@ index 0000000..2aa3249 + +.SH "ENTRYPOINTS" + -+The lpr_t SELinux type can be entered via the "lpr_exec_t" file type. The default entrypoint paths for the lpr_t domain are the following:" ++The lpr_t SELinux type can be entered via the \fBlpr_exec_t\fP file type. + -+/usr/bin/lp(\.cups)?, /usr/bin/lpq(\.cups)?, /usr/bin/lpr(\.cups)?, /usr/bin/lprm(\.cups)?, /usr/sbin/lpc(\.cups)?, /usr/bin/cancel(\.cups)?, /usr/bin/lpstat(\.cups)?, /opt/gutenprint/s?bin(/.*)?, /usr/linuxprinter/bin/l?lpr, /usr/sbin/accept, /usr/sbin/lpinfo, /usr/sbin/lpmove, /usr/sbin/lpadmin, /usr/bin/lpoptions ++The default entrypoint paths for the lpr_t domain are the following: ++ ++/usr/bin/lp(\.cups)?, /usr/bin/lpq(\.cups)?, /usr/bin/lpr(\.cups)?, /usr/bin/lprm(\.cups)?, /usr/sbin/lpc(\.cups)?, /usr/bin/cancel(\.cups)?, /usr/bin/lpstat(\.cups)?, /opt/gutenprint/bin(/.*)?, /opt/gutenprint/sbin(/.*)?, /usr/linuxprinter/bin/l?lpr, /usr/local/linuxprinter/bin/l?lpr, /usr/sbin/accept, /usr/sbin/lpinfo, /usr/sbin/lpmove, /usr/sbin/lpadmin, /usr/bin/lpoptions +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -46657,8 +81989,158 @@ index 0000000..2aa3249 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a lpr_t ++can be used to make the process type lpr_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. lpr policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lpr with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to determine whether to support lpd server, you must turn on the use_lpd_server boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_lpd_server 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type lpr_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B lpr_tmp_t ++ ++ ++.br ++.B print_spool_t ++ ++ /var/spool/lpd(/.*)? ++.br ++ /var/spool/cups(/.*)? ++.br ++ /var/spool/cups-pdf(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -46668,7 +82150,20 @@ index 0000000..2aa3249 +Policy governs the access confined processes have to these files. +SELinux lpr policy is very flexible allowing users to setup their lpr processes in as secure a method as possible. +.PP -+The following file types are defined for lpr: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the lpr, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t lpr_exec_t '/srv/lpr/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylpr_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for lpr: + + +.EX @@ -46678,6 +82173,10 @@ index 0000000..2aa3249 + +- Set files with the lpr_exec_t type, if you want to transition an executable to the lpr_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/lp(\.cups)?, /usr/bin/lpq(\.cups)?, /usr/bin/lpr(\.cups)?, /usr/bin/lprm(\.cups)?, /usr/sbin/lpc(\.cups)?, /usr/bin/cancel(\.cups)?, /usr/bin/lpstat(\.cups)?, /opt/gutenprint/bin(/.*)?, /opt/gutenprint/sbin(/.*)?, /usr/linuxprinter/bin/l?lpr, /usr/local/linuxprinter/bin/l?lpr, /usr/sbin/accept, /usr/sbin/lpinfo, /usr/sbin/lpmove, /usr/sbin/lpadmin, /usr/bin/lpoptions + +.EX +.PP 
@@ -46694,22 +82193,6 @@ index 0000000..2aa3249 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -46720,6 +82203,9 @@ index 0000000..2aa3249 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -46731,13 +82217,15 @@ index 0000000..2aa3249 + +.SH "SEE ALSO" +selinux(8), lpr(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/lsassd_selinux.8 b/man/man8/lsassd_selinux.8 new file mode 100644 -index 0000000..9b130b2 +index 0000000..361a2ed --- /dev/null +++ b/man/man8/lsassd_selinux.8 -@@ -0,0 +1,264 @@ -+.TH "lsassd_selinux" "8" "12-11-01" "lsassd" "SELinux Policy documentation for lsassd" +@@ -0,0 +1,401 @@ ++.TH "lsassd_selinux" "8" "13-01-16" "lsassd" "SELinux Policy documentation for lsassd" +.SH "NAME" +lsassd_selinux \- Security Enhanced Linux Policy for the lsassd processes +.SH "DESCRIPTION" 
@@ -46753,9 +82241,11 @@ index 0000000..9b130b2 + +.SH "ENTRYPOINTS" + -+The lsassd_t SELinux type can be entered via the "lsassd_exec_t" file type. The default entrypoint paths for the lsassd_t domain are the following:" ++The lsassd_t SELinux type can be entered via the \fBlsassd_exec_t\fP file type. + -+/usr/sbin/lsassd ++The default entrypoint paths for the lsassd_t domain are the following: ++ ++/usr/sbin/lsassd, /opt/likewise/sbin/lsassd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -46771,66 +82261,84 @@ index 0000000..9b130b2 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a lsassd_t ++can be used to make the process type lsassd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux lsassd policy is very flexible allowing users to setup their lsassd processes in as secure a method as possible. -+.PP -+The following file types are defined for lsassd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. lsassd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lsassd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B lsassd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the lsassd_exec_t type, if you want to transition an executable to the lsassd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B lsassd_tmp_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the lsassd_tmp_t type, if you want to store lsassd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B lsassd_var_lib_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the lsassd_var_lib_t type, if you want to store the lsassd files under the /var/lib directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B lsassd_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the lsassd_var_run_t type, if you want to store the lsassd files under the /run directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B lsassd_var_socket_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the lsassd_var_socket_t type, if you want to treat the files as lsassd var socket data. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -46857,10 +82365,10 @@ index 0000000..9b130b2 +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -46869,10 +82377,10 @@ index 0000000..9b130b2 +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE @@ -46945,12 +82453,34 @@ index 0000000..9b130b2 +.br +.B lsassd_var_lib_t + ++ /var/lib/likewise/krb5cc.* ++.br ++ /var/lib/likewise-open/krb5cc.* ++.br ++ /var/lib/likewise/krb5ccr_lsass\..* ++.br ++ /var/lib/likewise-open/krb5ccr_lsass\..* ++.br ++ /var/lib/likewise/db/lsass-adcache\.filedb\..* ++.br ++ /var/lib/likewise-open/db/lsass-adcache\.filedb\..* ++.br ++ /var/lib/likewise/lsasd\.err ++.br ++ /var/lib/likewise/db/sam\.db ++.br ++ /var/lib/likewise/krb5ccr_lsass ++.br + /var/lib/likewise-open/lsasd\.err +.br + /var/lib/likewise-open/db/sam\.db +.br + /var/lib/likewise-open/krb5ccr_lsass +.br ++ /var/lib/likewise/db/lsass-adcache\.db ++.br ++ /var/lib/likewise/db/lsass-adstate\.filedb ++.br + /var/lib/likewise-open/db/lsass-adcache\.db +.br + /var/lib/likewise-open/db/lsass-adstate\.filedb @@ -46959,7 +82489,15 @@ index 0000000..9b130b2 +.br +.B lsassd_var_run_t + -+ /var/run/lsassd.pid ++ /var/run/lsassd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd +.br + +.br 
@@ -46973,12 +82511,95 @@ index 0000000..9b130b2 + + /home/[^/]*/.+ +.br ++ /home/pwalsh/.+ ++.br + /home/dwalsh/.+ +.br + /var/lib/xguest/home/xguest/.+ +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux lsassd policy is very flexible allowing users to setup their lsassd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the lsassd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t lsassd_exec_t '/srv/lsassd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylsassd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for lsassd: ++ ++ ++.EX ++.PP ++.B lsassd_exec_t ++.EE ++ ++- Set files with the lsassd_exec_t type, if you want to transition an executable to the lsassd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/lsassd, /opt/likewise/sbin/lsassd ++ ++.EX ++.PP ++.B lsassd_tmp_t ++.EE ++ ++- Set files with the lsassd_tmp_t type, if you want to store lsassd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B lsassd_var_lib_t ++.EE ++ ++- Set files with the lsassd_var_lib_t type, if you want to store the lsassd files under the /var/lib directory. 
++ ++.br ++.TP 5 ++Paths: ++/var/lib/likewise/krb5cc.*, /var/lib/likewise-open/krb5cc.*, /var/lib/likewise/krb5ccr_lsass\..*, /var/lib/likewise-open/krb5ccr_lsass\..*, /var/lib/likewise/db/lsass-adcache\.filedb\..*, /var/lib/likewise-open/db/lsass-adcache\.filedb\..*, /var/lib/likewise/lsasd\.err, /var/lib/likewise/db/sam\.db, /var/lib/likewise/krb5ccr_lsass, /var/lib/likewise-open/lsasd\.err, /var/lib/likewise-open/db/sam\.db, /var/lib/likewise-open/krb5ccr_lsass, /var/lib/likewise/db/lsass-adcache\.db, /var/lib/likewise/db/lsass-adstate\.filedb, /var/lib/likewise-open/db/lsass-adcache\.db, /var/lib/likewise-open/db/lsass-adstate\.filedb ++ ++.EX ++.PP ++.B lsassd_var_run_t ++.EE ++ ++- Set files with the lsassd_var_run_t type, if you want to store the lsassd files under the /run or /var/run directory. ++ ++ ++.EX ++.PP ++.B lsassd_var_socket_t ++.EE ++ ++- Set files with the lsassd_var_socket_t type, if you want to treat the files as lsassd var socket data. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/likewise/\.ntlmd, /var/lib/likewise/\.lsassd, /var/lib/likewise/rpc/lsass, /var/lib/likewise-open/\.ntlmd, /var/lib/likewise-open/\.lsassd, /var/lib/likewise-open/rpc/lsass ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -46990,6 +82611,9 @@ index 0000000..9b130b2 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -47001,13 +82625,15 @@ index 0000000..9b130b2 + +.SH "SEE ALSO" +selinux(8), lsassd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/lvm_selinux.8 b/man/man8/lvm_selinux.8 new file mode 100644 -index 0000000..9793bb8 +index 0000000..b55ddda --- /dev/null +++ b/man/man8/lvm_selinux.8 -@@ -0,0 +1,236 @@ -+.TH "lvm_selinux" "8" "12-11-01" "lvm" "SELinux Policy documentation for lvm" +@@ -0,0 +1,323 @@ ++.TH "lvm_selinux" "8" "13-01-16" "lvm" "SELinux Policy documentation for lvm" +.SH "NAME" +lvm_selinux \- Security Enhanced Linux Policy for the lvm processes +.SH "DESCRIPTION" 
@@ -47023,9 +82649,11 @@ index 0000000..9793bb8 + +.SH "ENTRYPOINTS" + -+The lvm_t SELinux type can be entered via the "lvm_exec_t" file type. The default entrypoint paths for the lvm_t domain are the following:" ++The lvm_t SELinux type can be entered via the \fBlvm_exec_t\fP file type. + -+/lib/lvm-10/.*, /lib/lvm-200/.*, /usr/lib/lvm-10/.*, /usr/lib/lvm-200/.*, /sbin/lvm, /sbin/lvs, /sbin/pvs, /sbin/vgs, /sbin/vgck, /sbin/dmraid, /sbin/kpartx, /sbin/lvmsar, /sbin/lvscan, /sbin/pvdata, /sbin/pvmove, /sbin/pvscan, /sbin/vgscan, /sbin/dmsetup, /sbin/e2fsadm, /sbin/lvmetad, /sbin/lvmsadc, /sbin/vgmerge, /sbin/vgsplit, /usr/sbin/lvm, /usr/sbin/lvs, /usr/sbin/pvs, /usr/sbin/vgs, /sbin/lvchange, /sbin/lvcreate, /sbin/lvextend, /sbin/lvreduce, /sbin/lvremove, /sbin/lvrename, /sbin/lvresize, /sbin/pvchange, /sbin/pvcreate, /sbin/pvremove, /sbin/vgchange, /sbin/vgcreate, /sbin/vgexport, /sbin/vgextend, /sbin/vgimport, /sbin/vgreduce, /sbin/vgremove, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /sbin/lvmchange, /sbin/pvdisplay, /sbin/vgdisplay, /sbin/vgmknodes, /sbin/vgwrapper, /sbin/cryptsetup, /sbin/lvm\.static, /sbin/multipathd, /usr/sbin/dmraid, /usr/sbin/kpartx, /usr/sbin/lvmsar, /usr/sbin/lvscan, /usr/sbin/pvdata, /usr/sbin/pvmove, /usr/sbin/pvscan, /usr/sbin/vgscan, /sbin/mount\.crypt, /sbin/lvmdiskscan, /sbin/vgcfgbackup, /usr/sbin/dmsetup, /usr/sbin/e2fsadm, /usr/sbin/lvmetad, /usr/sbin/lvmsadc, /usr/sbin/vgmerge, /usr/sbin/vgsplit, /sbin/vgcfgrestore, /usr/sbin/dmeventd, /usr/sbin/lvchange, /usr/sbin/lvcreate, /usr/sbin/lvextend, /usr/sbin/lvreduce, /usr/sbin/lvremove, /usr/sbin/lvrename, /usr/sbin/lvresize, /usr/sbin/pvchange, /usr/sbin/pvcreate, /usr/sbin/pvremove, /usr/sbin/vgchange, /usr/sbin/vgcreate, /usr/sbin/vgexport, /usr/sbin/vgextend, /usr/sbin/vgimport, /usr/sbin/vgreduce, /usr/sbin/vgremove, /usr/sbin/vgrename, /sbin/lvmiopversion, /sbin/vgscan\.static, /usr/sbin/lvdisplay, /usr/sbin/lvmchange, /usr/sbin/pvdisplay, /usr/sbin/vgdisplay, 
/usr/sbin/vgmknodes, /usr/sbin/vgwrapper, /sbin/dmsetup\.static, /usr/sbin/cryptsetup, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/vgchange\.static, /usr/sbin/lvmdiskscan, /usr/sbin/mount\.crypt, /usr/sbin/vgcfgbackup, /sbin/multipath\.static, /usr/sbin/vgcfgrestore, /usr/sbin/lvmiopversion, /usr/sbin/vgscan\.static, /usr/sbin/dmsetup\.static, /usr/sbin/vgchange\.static, /usr/sbin/multipath\.static, /lib/udev/udisks-lvm-pv-export, /usr/lib/udev/udisks-lvm-pv-export, /usr/lib/systemd/systemd-cryptsetup ++The default entrypoint paths for the lvm_t domain are the following: ++ ++/lib/lvm-10/.*, /lib/lvm-200/.*, /usr/lib/lvm-10/.*, /usr/lib/lvm-200/.*, /usr/lib/systemd/system-generators/lvm2.*, /sbin/lvm, /sbin/lvs, /sbin/pvs, /sbin/vgs, /sbin/vgck, /sbin/dmraid, /sbin/kpartx, /sbin/lvmsar, /sbin/lvscan, /sbin/pvdata, /sbin/pvmove, /sbin/pvscan, /sbin/vgscan, /sbin/dmsetup, /sbin/e2fsadm, /sbin/lvmetad, /sbin/lvmsadc, /sbin/vgmerge, /sbin/vgsplit, /usr/sbin/lvm, /usr/sbin/lvs, /usr/sbin/pvs, /usr/sbin/vgs, /sbin/lvchange, /sbin/lvcreate, /sbin/lvextend, /sbin/lvreduce, /sbin/lvremove, /sbin/lvrename, /sbin/lvresize, /sbin/pvchange, /sbin/pvcreate, /sbin/pvremove, /sbin/vgchange, /sbin/vgcreate, /sbin/vgexport, /sbin/vgextend, /sbin/vgimport, /sbin/vgreduce, /sbin/vgremove, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /sbin/lvmchange, /sbin/pvdisplay, /sbin/vgdisplay, /sbin/vgmknodes, /sbin/vgwrapper, /sbin/cryptsetup, /sbin/lvm\.static, /sbin/multipathd, /usr/sbin/dmraid, /usr/sbin/kpartx, /usr/sbin/lvmsar, /usr/sbin/lvscan, /usr/sbin/pvdata, /usr/sbin/pvmove, /usr/sbin/pvscan, /usr/sbin/vgscan, /sbin/mount\.crypt, /sbin/lvmdiskscan, /sbin/vgcfgbackup, /usr/sbin/dmsetup, /usr/sbin/e2fsadm, /usr/sbin/lvmetad, /usr/sbin/lvmsadc, /usr/sbin/vgmerge, /usr/sbin/vgsplit, /sbin/vgcfgrestore, /usr/sbin/dmeventd, /usr/sbin/lvchange, /usr/sbin/lvcreate, /usr/sbin/lvextend, /usr/sbin/lvreduce, /usr/sbin/lvremove, /usr/sbin/lvrename, /usr/sbin/lvresize, 
/usr/sbin/pvchange, /usr/sbin/pvcreate, /usr/sbin/pvremove, /usr/sbin/vgchange, /usr/sbin/vgcreate, /usr/sbin/vgexport, /usr/sbin/vgextend, /usr/sbin/vgimport, /usr/sbin/vgreduce, /usr/sbin/vgremove, /usr/sbin/vgrename, /sbin/lvmiopversion, /sbin/vgscan\.static, /usr/sbin/lvdisplay, /usr/sbin/lvmchange, /usr/sbin/pvdisplay, /usr/sbin/vgdisplay, /usr/sbin/vgmknodes, /usr/sbin/vgwrapper, /sbin/dmsetup\.static, /usr/sbin/cryptsetup, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/vgchange\.static, /usr/sbin/lvmdiskscan, /usr/sbin/mount\.crypt, /usr/sbin/vgcfgbackup, /sbin/multipath\.static, /usr/sbin/vgcfgrestore, /usr/sbin/lvmiopversion, /usr/sbin/vgscan\.static, /usr/sbin/dmsetup\.static, /usr/sbin/vgchange\.static, /usr/sbin/multipath\.static, /lib/udev/udisks-lvm-pv-export, /usr/lib/udev/udisks-lvm-pv-export, /usr/lib/systemd/systemd-cryptsetup +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -47041,83 +82669,61 @@ index 0000000..9793bb8 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a lvm_t ++can be used to make the process type lvm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux lvm policy is very flexible allowing users to setup their lvm processes in as secure a method as possible. -+.PP -+The following file types are defined for lvm: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. lvm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lvm with the tightest access possible. + + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ +.EX -+.PP -+.B lvm_etc_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the lvm_etc_t type, if you want to store lvm files in the /etc directories. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B lvm_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the lvm_exec_t type, if you want to transition an executable to the lvm_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.PP -+.B lvm_lock_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the lvm_lock_t type, if you want to treat the files as lvm lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B lvm_metadata_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the lvm_metadata_t type, if you want to treat the files as lvm metadata data. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B lvm_tmp_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the lvm_tmp_t type, if you want to store lvm temporary files in the /tmp directories. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B lvm_var_lib_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the lvm_var_lib_t type, if you want to store the lvm files under the /var/lib directory. -+ -+ -+.EX -+.PP -+.B lvm_var_run_t -+.EE -+ -+- Set files with the lvm_var_run_t type, if you want to store the lvm files under the /run directory. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH "MANAGED FILES" + +The SELinux process type lvm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
@@ -47161,6 +82767,8 @@ index 0000000..9793bb8 +.br + /etc/lvm/cache(/.*)? +.br ++ /etc/multipath(/.*)? ++.br + /etc/lvm/backup(/.*)? +.br + /etc/lvm/archive(/.*)? 
@@ -47220,7 +82828,108 @@ index 0000000..9793bb8 + all virtual image files +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux lvm policy is very flexible allowing users to setup their lvm processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the lvm, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t lvm_etc_t '/srv/lvm/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylvm_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for lvm: ++ ++ ++.EX ++.PP ++.B lvm_etc_t ++.EE ++ ++- Set files with the lvm_etc_t type, if you want to store lvm files in the /etc directories. ++ ++ ++.EX ++.PP ++.B lvm_exec_t ++.EE ++ ++- Set files with the lvm_exec_t type, if you want to transition an executable to the lvm_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/lib/lvm-10/.*, /lib/lvm-200/.*, /usr/lib/lvm-10/.*, /usr/lib/lvm-200/.*, /usr/lib/systemd/system-generators/lvm2.*, /sbin/lvm, /sbin/lvs, /sbin/pvs, /sbin/vgs, /sbin/vgck, /sbin/dmraid, /sbin/kpartx, /sbin/lvmsar, /sbin/lvscan, /sbin/pvdata, /sbin/pvmove, /sbin/pvscan, /sbin/vgscan, /sbin/dmsetup, /sbin/e2fsadm, /sbin/lvmetad, /sbin/lvmsadc, /sbin/vgmerge, /sbin/vgsplit, /usr/sbin/lvm, /usr/sbin/lvs, /usr/sbin/pvs, /usr/sbin/vgs, /sbin/lvchange, /sbin/lvcreate, /sbin/lvextend, /sbin/lvreduce, /sbin/lvremove, /sbin/lvrename, /sbin/lvresize, /sbin/pvchange, /sbin/pvcreate, /sbin/pvremove, /sbin/vgchange, /sbin/vgcreate, /sbin/vgexport, /sbin/vgextend, /sbin/vgimport, /sbin/vgreduce, /sbin/vgremove, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /sbin/lvmchange, /sbin/pvdisplay, /sbin/vgdisplay, /sbin/vgmknodes, /sbin/vgwrapper, /sbin/cryptsetup, /sbin/lvm\.static, /sbin/multipathd, /usr/sbin/dmraid, /usr/sbin/kpartx, /usr/sbin/lvmsar, /usr/sbin/lvscan, /usr/sbin/pvdata, /usr/sbin/pvmove, /usr/sbin/pvscan, /usr/sbin/vgscan, /sbin/mount\.crypt, /sbin/lvmdiskscan, /sbin/vgcfgbackup, /usr/sbin/dmsetup, /usr/sbin/e2fsadm, /usr/sbin/lvmetad, /usr/sbin/lvmsadc, /usr/sbin/vgmerge, /usr/sbin/vgsplit, /sbin/vgcfgrestore, /usr/sbin/dmeventd, /usr/sbin/lvchange, /usr/sbin/lvcreate, /usr/sbin/lvextend, /usr/sbin/lvreduce, /usr/sbin/lvremove, /usr/sbin/lvrename, /usr/sbin/lvresize, /usr/sbin/pvchange, /usr/sbin/pvcreate, /usr/sbin/pvremove, /usr/sbin/vgchange, /usr/sbin/vgcreate, /usr/sbin/vgexport, /usr/sbin/vgextend, /usr/sbin/vgimport, /usr/sbin/vgreduce, /usr/sbin/vgremove, /usr/sbin/vgrename, /sbin/lvmiopversion, /sbin/vgscan\.static, /usr/sbin/lvdisplay, /usr/sbin/lvmchange, /usr/sbin/pvdisplay, /usr/sbin/vgdisplay, /usr/sbin/vgmknodes, /usr/sbin/vgwrapper, /sbin/dmsetup\.static, /usr/sbin/cryptsetup, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/vgchange\.static, /usr/sbin/lvmdiskscan, /usr/sbin/mount\.crypt, /usr/sbin/vgcfgbackup, 
/sbin/multipath\.static, /usr/sbin/vgcfgrestore, /usr/sbin/lvmiopversion, /usr/sbin/vgscan\.static, /usr/sbin/dmsetup\.static, /usr/sbin/vgchange\.static, /usr/sbin/multipath\.static, /lib/udev/udisks-lvm-pv-export, /usr/lib/udev/udisks-lvm-pv-export, /usr/lib/systemd/systemd-cryptsetup ++ ++.EX ++.PP ++.B lvm_lock_t ++.EE ++ ++- Set files with the lvm_lock_t type, if you want to treat the files as lvm lock data, stored under the /var/lock directory ++ ++.br ++.TP 5 ++Paths: ++/etc/lvm/lock(/.*)?, /var/lock/lvm(/.*)? ++ ++.EX ++.PP ++.B lvm_metadata_t ++.EE ++ ++- Set files with the lvm_metadata_t type, if you want to treat the files as lvm metadata data. ++ ++.br ++.TP 5 ++Paths: ++/etc/lvmtab(/.*)?, /etc/lvmtab\.d(/.*)?, /etc/lvm/cache(/.*)?, /etc/multipath(/.*)?, /etc/lvm/backup(/.*)?, /etc/lvm/archive(/.*)?, /var/cache/multipathd(/.*)?, /etc/lvm/\.cache ++ ++.EX ++.PP ++.B lvm_tmp_t ++.EE ++ ++- Set files with the lvm_tmp_t type, if you want to store lvm temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B lvm_var_lib_t ++.EE ++ ++- Set files with the lvm_var_lib_t type, if you want to store the lvm files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B lvm_var_run_t ++.EE ++ ++- Set files with the lvm_var_run_t type, if you want to store the lvm files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/lvm(/.*)?, /var/run/dmevent.*, /var/run/multipathd\.sock ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -47232,6 +82941,9 @@ index 0000000..9793bb8 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -47243,13 +82955,15 @@ index 0000000..9793bb8 + +.SH "SEE ALSO" +selinux(8), lvm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/lwiod_selinux.8 b/man/man8/lwiod_selinux.8 new file mode 100644 -index 0000000..249014f +index 0000000..5e6343c --- /dev/null +++ b/man/man8/lwiod_selinux.8 -@@ -0,0 +1,130 @@ -+.TH "lwiod_selinux" "8" "12-11-01" "lwiod" "SELinux Policy documentation for lwiod" +@@ -0,0 +1,239 @@ ++.TH "lwiod_selinux" "8" "13-01-16" "lwiod" "SELinux Policy documentation for lwiod" +.SH "NAME" +lwiod_selinux \- Security Enhanced Linux Policy for the lwiod processes +.SH "DESCRIPTION" @@ -47265,9 +82979,11 @@ index 0000000..249014f + +.SH "ENTRYPOINTS" + -+The lwiod_t SELinux type can be entered via the "lwiod_exec_t" file type. The default entrypoint paths for the lwiod_t domain are the following:" ++The lwiod_t SELinux type can be entered via the \fBlwiod_exec_t\fP file type. + -+/usr/sbin/lwiod ++The default entrypoint paths for the lwiod_t domain are the following: ++ ++/usr/sbin/lwiod, /opt/likewise/sbin/lwiod +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -47283,58 +82999,84 @@ index 0000000..249014f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a lwiod_t ++can be used to make the process type lwiod_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux lwiod policy is very flexible allowing users to setup their lwiod processes in as secure a method as possible. -+.PP -+The following file types are defined for lwiod: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. lwiod policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lwiod with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B lwiod_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the lwiod_exec_t type, if you want to transition an executable to the lwiod_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B lwiod_var_lib_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the lwiod_var_lib_t type, if you want to store the lwiod files under the /var/lib directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B lwiod_var_run_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the lwiod_var_run_t type, if you want to store the lwiod files under the /run directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B lwiod_var_socket_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the lwiod_var_socket_t type, if you want to treat the files as lwiod var socket data. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -47353,10 +83095,87 @@ index 0000000..249014f +.br +.B lwiod_var_run_t + -+ /var/run/lwiod.pid ++ /var/run/lwiod\.pid +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux lwiod policy is very flexible allowing users to setup their lwiod processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the lwiod, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t lwiod_exec_t '/srv/lwiod/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylwiod_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for lwiod: ++ ++ ++.EX ++.PP ++.B lwiod_exec_t ++.EE ++ ++- Set files with the lwiod_exec_t type, if you want to transition an executable to the lwiod_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/lwiod, /opt/likewise/sbin/lwiod ++ ++.EX ++.PP ++.B lwiod_var_lib_t ++.EE ++ ++- Set files with the lwiod_var_lib_t type, if you want to store the lwiod files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B lwiod_var_run_t ++.EE ++ ++- Set files with the lwiod_var_run_t type, if you want to store the lwiod files under the /run or /var/run directory. ++ ++ ++.EX ++.PP ++.B lwiod_var_socket_t ++.EE ++ ++- Set files with the lwiod_var_socket_t type, if you want to treat the files as lwiod var socket data. 
++ ++.br ++.TP 5 ++Paths: ++/var/lib/likewise/\.lwiod, /var/lib/likewise-open/\.lwiod ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -47368,6 +83187,9 @@ index 0000000..249014f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -47379,13 +83201,15 @@ index 0000000..249014f + +.SH "SEE ALSO" +selinux(8), lwiod(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/lwregd_selinux.8 b/man/man8/lwregd_selinux.8 new file mode 100644 -index 0000000..9bc985a +index 0000000..99e17fa --- /dev/null +++ b/man/man8/lwregd_selinux.8 -@@ -0,0 +1,128 @@ -+.TH "lwregd_selinux" "8" "12-11-01" "lwregd" "SELinux Policy documentation for lwregd" +@@ -0,0 +1,237 @@ ++.TH "lwregd_selinux" "8" "13-01-16" "lwregd" "SELinux Policy documentation for lwregd" +.SH "NAME" +lwregd_selinux \- Security Enhanced Linux Policy for the lwregd processes +.SH "DESCRIPTION" @@ -47401,9 +83225,11 @@ index 0000000..9bc985a + +.SH "ENTRYPOINTS" + -+The lwregd_t SELinux type can be entered via the "lwregd_exec_t" file type. The default entrypoint paths for the lwregd_t domain are the following:" ++The lwregd_t SELinux type can be entered via the \fBlwregd_exec_t\fP file type. + -+/usr/sbin/lwregd ++The default entrypoint paths for the lwregd_t domain are the following: ++ ++/usr/sbin/lwregd, /opt/likewise/sbin/lwregd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -47419,8 +83245,106 @@ index 0000000..9bc985a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a lwregd_t ++can be used to make the process type lwregd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. lwregd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lwregd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type lwregd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B lwregd_var_lib_t ++ ++ /var/lib/likewise/regsd\.err ++.br ++ /var/lib/likewise/db/registry\.db ++.br ++ /var/lib/likewise-open/regsd\.err ++.br ++ /var/lib/likewise-open/db/registry\.db ++.br ++ ++.br ++.B lwregd_var_run_t ++ ++ /var/run/lwregd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -47430,7 +83354,20 @@ index 0000000..9bc985a +Policy governs the access confined processes have to these files. +SELinux lwregd policy is very flexible allowing users to setup their lwregd processes in as secure a method as possible. +.PP -+The following file types are defined for lwregd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the lwregd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t lwregd_exec_t '/srv/lwregd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylwregd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for lwregd: + + +.EX 
@@ -47440,6 +83377,10 @@ index 0000000..9bc985a + +- Set files with the lwregd_exec_t type, if you want to transition an executable to the lwregd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/lwregd, /opt/likewise/sbin/lwregd + +.EX +.PP @@ -47448,13 +83389,17 @@ index 0000000..9bc985a + +- Set files with the lwregd_var_lib_t type, if you want to store the lwregd files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/likewise/regsd\.err, /var/lib/likewise/db/registry\.db, /var/lib/likewise-open/regsd\.err, /var/lib/likewise-open/db/registry\.db + +.EX +.PP +.B lwregd_var_run_t +.EE + -+- Set files with the lwregd_var_run_t type, if you want to store the lwregd files under the /run directory. ++- Set files with the lwregd_var_run_t type, if you want to store the lwregd files under the /run or /var/run directory. + + +.EX @@ -47464,6 +83409,10 @@ index 0000000..9bc985a + +- Set files with the lwregd_var_socket_t type, if you want to treat the files as lwregd var socket data. + ++.br ++.TP 5 ++Paths: ++/var/lib/likewise/\.regsd, /var/lib/likewise-open/\.regsd + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -47472,26 +83421,6 @@ index 0000000..9bc985a +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type lwregd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B lwregd_var_lib_t -+ -+ /var/lib/likewise-open/regsd\.err -+.br -+ /var/lib/likewise-open/db/registry\.db -+.br -+ -+.br -+.B lwregd_var_run_t -+ -+ /var/run/lwregd.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -47502,6 +83431,9 @@ index 0000000..9bc985a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -47513,13 +83445,15 @@ index 0000000..9bc985a + +.SH "SEE ALSO" +selinux(8), lwregd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/lwsmd_selinux.8 b/man/man8/lwsmd_selinux.8 new file mode 100644 -index 0000000..82a32da +index 0000000..f4b12af --- /dev/null +++ b/man/man8/lwsmd_selinux.8 -@@ -0,0 +1,122 @@ -+.TH "lwsmd_selinux" "8" "12-11-01" "lwsmd" "SELinux Policy documentation for lwsmd" +@@ -0,0 +1,231 @@ ++.TH "lwsmd_selinux" "8" "13-01-16" "lwsmd" "SELinux Policy documentation for lwsmd" +.SH "NAME" +lwsmd_selinux \- Security Enhanced Linux Policy for the lwsmd processes +.SH "DESCRIPTION" @@ -47535,9 +83469,11 @@ index 0000000..82a32da + +.SH "ENTRYPOINTS" + -+The lwsmd_t SELinux type can be entered via the "lwsmd_exec_t" file type. The default entrypoint paths for the lwsmd_t domain are the following:" ++The lwsmd_t SELinux type can be entered via the \fBlwsmd_exec_t\fP file type. + -+/usr/sbin/lwsmd ++The default entrypoint paths for the lwsmd_t domain are the following: ++ ++/usr/sbin/lwsmd, /opt/likewise/sbin/lwsmd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -47553,8 +83489,100 @@ index 0000000..82a32da +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a lwsmd_t ++can be used to make the process type lwsmd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. lwsmd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lwsmd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type lwsmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B lwsmd_var_lib_t ++ ++ /var/lib/likewise/\.lwsmd-lock ++.br ++ /var/lib/likewise-open/\.lwsmd-lock ++.br ++ ++.br ++.B lwsmd_var_run_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -47564,7 +83592,20 @@ index 0000000..82a32da +Policy governs the access confined processes have to these files. +SELinux lwsmd policy is very flexible allowing users to setup their lwsmd processes in as secure a method as possible. +.PP -+The following file types are defined for lwsmd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the lwsmd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t lwsmd_exec_t '/srv/lwsmd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mylwsmd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for lwsmd: + + +.EX 
@@ -47574,6 +83615,10 @@ index 0000000..82a32da + +- Set files with the lwsmd_exec_t type, if you want to transition an executable to the lwsmd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/lwsmd, /opt/likewise/sbin/lwsmd + +.EX +.PP @@ -47582,13 +83627,17 @@ index 0000000..82a32da + +- Set files with the lwsmd_var_lib_t type, if you want to store the lwsmd files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/likewise/\.lwsmd-lock, /var/lib/likewise-open/\.lwsmd-lock + +.EX +.PP +.B lwsmd_var_run_t +.EE + -+- Set files with the lwsmd_var_run_t type, if you want to store the lwsmd files under the /run directory. ++- Set files with the lwsmd_var_run_t type, if you want to store the lwsmd files under the /run or /var/run directory. + + +.EX @@ -47598,6 +83647,10 @@ index 0000000..82a32da + +- Set files with the lwsmd_var_socket_t type, if you want to treat the files as lwsmd var socket data. + ++.br ++.TP 5 ++Paths: ++/var/lib/likewise/\.lwsm, /var/lib/likewise-open/\.lwsm + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -47606,20 +83659,6 @@ index 0000000..82a32da +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type lwsmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B lwsmd_var_lib_t -+ -+ -+.br -+.B lwsmd_var_run_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -47630,6 +83669,9 @@ index 0000000..82a32da +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -47641,13 +83683,15 @@ index 0000000..82a32da + +.SH "SEE ALSO" +selinux(8), lwsmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/mail_munin_plugin_selinux.8 b/man/man8/mail_munin_plugin_selinux.8 new file mode 100644 -index 0000000..fc8cf0a +index 0000000..178a54c --- /dev/null +++ b/man/man8/mail_munin_plugin_selinux.8 -@@ -0,0 +1,115 @@ -+.TH "mail_munin_plugin_selinux" "8" "12-11-01" "mail_munin_plugin" "SELinux Policy documentation for mail_munin_plugin" +@@ -0,0 +1,187 @@ ++.TH "mail_munin_plugin_selinux" "8" "13-01-16" "mail_munin_plugin" "SELinux Policy documentation for mail_munin_plugin" +.SH "NAME" +mail_munin_plugin_selinux \- Security Enhanced Linux Policy for the mail_munin_plugin processes +.SH "DESCRIPTION" @@ -47663,7 +83707,9 @@ index 0000000..fc8cf0a + +.SH "ENTRYPOINTS" + -+The mail_munin_plugin_t SELinux type can be entered via the "mail_munin_plugin_exec_t" file type. The default entrypoint paths for the mail_munin_plugin_t domain are the following:" ++The mail_munin_plugin_t SELinux type can be entered via the \fBmail_munin_plugin_exec_t\fP file type. ++ ++The default entrypoint paths for the mail_munin_plugin_t domain are the following: + +/usr/share/munin/plugins/qmail.*, /usr/share/munin/plugins/exim_mail.*, /usr/share/munin/plugins/sendmail_.*, /usr/share/munin/plugins/courier_mta_.*, /usr/share/munin/plugins/postfix_mail.*, /usr/share/munin/plugins/mailman, /usr/share/munin/plugins/mailscanner +.SH PROCESS TYPES 
@@ -47681,42 +83727,60 @@ index 0000000..fc8cf0a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mail_munin_plugin_t ++can be used to make the process type mail_munin_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux mail_munin_plugin policy is very flexible allowing users to setup their mail_munin_plugin processes in as secure a method as possible. -+.PP -+The following file types are defined for mail_munin_plugin: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mail_munin_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mail_munin_plugin with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B mail_munin_plugin_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the mail_munin_plugin_exec_t type, if you want to transition an executable to the mail_munin_plugin_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B mail_munin_plugin_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the mail_munin_plugin_tmp_t type, if you want to store mail munin plugin temporary files in the /tmp directories. 
++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -47738,7 +83802,56 @@ index 0000000..fc8cf0a + /var/lib/munin(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux mail_munin_plugin policy is very flexible allowing users to setup their mail_munin_plugin processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mail_munin_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mail_munin_plugin_exec_t '/srv/mail_munin_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymail_munin_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mail_munin_plugin: ++ ++ ++.EX ++.PP ++.B mail_munin_plugin_exec_t ++.EE ++ ++- Set files with the mail_munin_plugin_exec_t type, if you want to transition an executable to the mail_munin_plugin_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/share/munin/plugins/qmail.*, /usr/share/munin/plugins/exim_mail.*, /usr/share/munin/plugins/sendmail_.*, /usr/share/munin/plugins/courier_mta_.*, /usr/share/munin/plugins/postfix_mail.*, /usr/share/munin/plugins/mailman, /usr/share/munin/plugins/mailscanner ++ ++.EX ++.PP ++.B mail_munin_plugin_tmp_t ++.EE ++ ++- Set files with the mail_munin_plugin_tmp_t type, if you want to store mail munin plugin temporary files in the /tmp directories. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. 
This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -47750,6 +83863,9 @@ index 0000000..fc8cf0a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -47761,15 +83877,15 @@ index 0000000..fc8cf0a + +.SH "SEE ALSO" +selinux(8), mail_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, mailman_cgi_selinux(8), mailman_mail_selinux(8), mailman_queue_selinux(8) ++, setsebool(8), mailman_cgi_selinux(8), mailman_mail_selinux(8), mailman_queue_selinux(8) \ No newline at end of file diff --git a/man/man8/mailman_cgi_selinux.8 b/man/man8/mailman_cgi_selinux.8 new file mode 100644 -index 0000000..3314d81 +index 0000000..ae208ec --- /dev/null +++ b/man/man8/mailman_cgi_selinux.8 -@@ -0,0 +1,145 @@ -+.TH "mailman_cgi_selinux" "8" "12-11-01" "mailman_cgi" "SELinux Policy documentation for mailman_cgi" +@@ -0,0 +1,215 @@ ++.TH "mailman_cgi_selinux" "8" "13-01-16" "mailman_cgi" "SELinux Policy documentation for mailman_cgi" +.SH "NAME" +mailman_cgi_selinux \- Security Enhanced Linux Policy for the mailman_cgi processes +.SH "DESCRIPTION" @@ -47785,9 +83901,11 @@ index 0000000..3314d81 + +.SH "ENTRYPOINTS" + -+The mailman_cgi_t SELinux type can be entered via the "mailman_cgi_exec_t" file type. The default entrypoint paths for the mailman_cgi_t domain are the following:" ++The mailman_cgi_t SELinux type can be entered via the \fBmailman_cgi_exec_t\fP file type. + -+/usr/lib/mailman.*/cgi-bin/.* ++The default entrypoint paths for the mailman_cgi_t domain are the following: ++ ++/usr/lib/mailman.*/cgi-bin/.*, /usr/lib/cgi-bin/mailman.*/.* +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -47803,8 +83921,108 @@ index 0000000..3314d81 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mailman_cgi_t ++can be used to make the process type mailman_cgi_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mailman_cgi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mailman_cgi with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mailman_cgi_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mailman_cgi_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type mailman_cgi_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B mailman_cgi_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -47814,7 +84032,20 @@ index 0000000..3314d81 +Policy governs the access confined processes have to these files. +SELinux mailman_cgi policy is very flexible allowing users to setup their mailman_cgi processes in as secure a method as possible. +.PP -+The following file types are defined for mailman_cgi: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mailman_cgi, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mailman_cgi_exec_t '/srv/mailman_cgi/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymailman_cgi_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mailman_cgi: + + +.EX @@ -47824,6 +84055,10 @@ index 0000000..3314d81 + +- Set files with the mailman_cgi_exec_t type, if you want to transition an executable to the mailman_cgi_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/mailman.*/cgi-bin/.*, /usr/lib/cgi-bin/mailman.*/.* + +.EX +.PP 
@@ -47840,58 +84075,6 @@ index 0000000..3314d81 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type mailman_cgi_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B mailman_archive_t -+ -+ /var/lib/mailman.*/archives(/.*)? -+.br -+ -+.br -+.B mailman_cgi_tmp_t -+ -+ -+.br -+.B mailman_data_t -+ -+ /etc/mailman.* -+.br -+ /var/lib/mailman.* -+.br -+ /var/spool/mailman.* -+.br -+ -+.br -+.B mailman_lock_t -+ -+ /var/lock/mailman.* -+.br -+ -+.br -+.B mailman_log_t -+ -+ /var/log/mailman.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_cgi_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the mailman_cgi_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -47902,6 +84085,9 @@ index 0000000..3314d81 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -47913,15 +84099,15 @@ index 0000000..3314d81 + +.SH "SEE ALSO" +selinux(8), mailman_cgi(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, mailman_mail_selinux(8), mailman_queue_selinux(8) ++, setsebool(8), mailman_mail_selinux(8), mailman_queue_selinux(8) \ No newline at end of file 
diff --git a/man/man8/mailman_mail_selinux.8 b/man/man8/mailman_mail_selinux.8 new file mode 100644 -index 0000000..e86936f +index 0000000..491511a --- /dev/null +++ b/man/man8/mailman_mail_selinux.8 -@@ -0,0 +1,155 @@ -+.TH "mailman_mail_selinux" "8" "12-11-01" "mailman_mail" "SELinux Policy documentation for mailman_mail" +@@ -0,0 +1,257 @@ ++.TH "mailman_mail_selinux" "8" "13-01-16" "mailman_mail" "SELinux Policy documentation for mailman_mail" +.SH "NAME" +mailman_mail_selinux \- Security Enhanced Linux Policy for the mailman_mail processes +.SH "DESCRIPTION" @@ -47937,9 +84123,11 @@ index 0000000..e86936f + +.SH "ENTRYPOINTS" + -+The mailman_mail_t SELinux type can be entered via the "mailman_mail_exec_t" file type. The default entrypoint paths for the mailman_mail_t domain are the following:" ++The mailman_mail_t SELinux type can be entered via the \fBmailman_mail_exec_t\fP file type. + -+/usr/lib/mailman.*/mail/mailman, /usr/lib/mailman.*/bin/mailmanctl, /usr/lib/mailman.*/scripts/mailman, /usr/lib/mailman.*/bin/mm-handler.*, /usr/share/doc/mailman.*/mm-handler.* ++The default entrypoint paths for the mailman_mail_t domain are the following: ++ ++/usr/mailman.*/mail/wrapper, /usr/lib/mailman.*/mail/mailman, /usr/lib/mailman.*/mail/wrapper, /usr/lib/mailman.*/bin/mailmanctl, /usr/lib/mailman.*/scripts/mailman, /usr/lib/mailman.*/bin/mm-handler.*, /usr/share/doc/mailman.*/mm-handler.* +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -47955,8 +84143,150 @@ index 0000000..e86936f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mailman_mail_t ++can be used to make the process type mailman_mail_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mailman_mail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mailman_mail with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mailman_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mailman_mail_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type mailman_mail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B mailman_mail_tmp_t ++ ++ ++.br ++.B mailman_var_run_t ++ ++ /var/run/mailman.* ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -47966,7 +84296,20 @@ index 0000000..e86936f +Policy governs the access confined processes have to these files. +SELinux mailman_mail policy is very flexible allowing users to setup their mailman_mail processes in as secure a method as possible. +.PP -+The following file types are defined for mailman_mail: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mailman_mail, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mailman_mail_exec_t '/srv/mailman_mail/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymailman_mail_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mailman_mail: + + +.EX @@ -47976,6 +84319,10 @@ index 0000000..e86936f + +- Set files with the mailman_mail_exec_t type, if you want to transition an executable to the mailman_mail_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/mailman.*/mail/wrapper, /usr/lib/mailman.*/mail/mailman, /usr/lib/mailman.*/mail/wrapper, /usr/lib/mailman.*/bin/mailmanctl, /usr/lib/mailman.*/scripts/mailman, /usr/lib/mailman.*/bin/mm-handler.*, /usr/share/doc/mailman.*/mm-handler.* + +.EX +.PP 
@@ -47992,68 +84339,6 @@ index 0000000..e86936f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type mailman_mail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B anon_inodefs_t -+ -+ -+.br -+.B mailman_archive_t -+ -+ /var/lib/mailman.*/archives(/.*)? -+.br -+ -+.br -+.B mailman_data_t -+ -+ /etc/mailman.* -+.br -+ /var/lib/mailman.* -+.br -+ /var/spool/mailman.* -+.br -+ -+.br -+.B mailman_lock_t -+ -+ /var/lock/mailman.* -+.br -+ -+.br -+.B mailman_log_t -+ -+ /var/log/mailman.* -+.br -+ -+.br -+.B mailman_mail_tmp_t -+ -+ -+.br -+.B mailman_var_run_t -+ -+ /var/run/mailman.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the mailman_mail_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -48064,6 +84349,9 @@ index 0000000..e86936f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -48075,15 +84363,15 @@ index 0000000..e86936f + +.SH "SEE ALSO" +selinux(8), mailman_mail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, mailman_cgi_selinux(8), mailman_queue_selinux(8) ++, setsebool(8), mailman_cgi_selinux(8), mailman_queue_selinux(8) \ No newline at end of file 
diff --git a/man/man8/mailman_queue_selinux.8 b/man/man8/mailman_queue_selinux.8 new file mode 100644 -index 0000000..b1d3963 +index 0000000..e1f2831 --- /dev/null +++ b/man/man8/mailman_queue_selinux.8 -@@ -0,0 +1,171 @@ -+.TH "mailman_queue_selinux" "8" "12-11-01" "mailman_queue" "SELinux Policy documentation for mailman_queue" +@@ -0,0 +1,227 @@ ++.TH "mailman_queue_selinux" "8" "13-01-16" "mailman_queue" "SELinux Policy documentation for mailman_queue" +.SH "NAME" +mailman_queue_selinux \- Security Enhanced Linux Policy for the mailman_queue processes +.SH "DESCRIPTION" @@ -48099,9 +84387,11 @@ index 0000000..b1d3963 + +.SH "ENTRYPOINTS" + -+The mailman_queue_t SELinux type can be entered via the "mailman_queue_exec_t" file type. The default entrypoint paths for the mailman_queue_t domain are the following:" ++The mailman_queue_t SELinux type can be entered via the \fBmailman_queue_exec_t\fP file type. + -+/usr/lib/mailman.*/cron/.*, /usr/lib/mailman.*/bin/qrunner ++The default entrypoint paths for the mailman_queue_t domain are the following: ++ ++/usr/lib/mailman.*/cron/.*, /usr/lib/mailman.*/bin/qrunner, /etc/cron\.daily/mailman, /etc/cron\.monthly/mailman +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -48117,8 +84407,120 @@ index 0000000..b1d3963 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mailman_queue_t ++can be used to make the process type mailman_queue_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mailman_queue policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mailman_queue with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mailman_queue_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mailman_queue_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type mailman_queue_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B mailman_queue_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -48128,7 +84530,20 @@ index 0000000..b1d3963 +Policy governs the access confined processes have to these files. +SELinux mailman_queue policy is very flexible allowing users to setup their mailman_queue processes in as secure a method as possible. +.PP -+The following file types are defined for mailman_queue: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mailman_queue, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mailman_queue_exec_t '/srv/mailman_queue/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymailman_queue_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mailman_queue: + + +.EX @@ -48138,6 +84553,10 @@ index 0000000..b1d3963 + +- Set files with the mailman_queue_exec_t type, if you want to transition an executable to the mailman_queue_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/mailman.*/cron/.*, /usr/lib/mailman.*/bin/qrunner, /etc/cron\.daily/mailman, /etc/cron\.monthly/mailman + +.EX +.PP 
@@ -48154,84 +84573,6 @@ index 0000000..b1d3963 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type mailman_queue_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B faillog_t -+ -+ /var/log/btmp.* -+.br -+ /var/run/faillock(/.*)? -+.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B mailman_archive_t -+ -+ /var/lib/mailman.*/archives(/.*)? -+.br -+ -+.br -+.B mailman_data_t -+ -+ /etc/mailman.* -+.br -+ /var/lib/mailman.* -+.br -+ /var/spool/mailman.* -+.br -+ -+.br -+.B mailman_lock_t -+ -+ /var/lock/mailman.* -+.br -+ -+.br -+.B mailman_log_t -+ -+ /var/log/mailman.* -+.br -+ -+.br -+.B mailman_queue_tmp_t -+ -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_queue_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the mailman_queue_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -48242,6 +84583,9 @@ index 0000000..b1d3963 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -48253,15 +84597,15 @@ index 0000000..b1d3963 + +.SH "SEE ALSO" +selinux(8), mailman_queue(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, mailman_cgi_selinux(8), mailman_mail_selinux(8) ++, setsebool(8), mailman_cgi_selinux(8), mailman_mail_selinux(8) \ No newline at end of file diff --git a/man/man8/mandb_selinux.8 b/man/man8/mandb_selinux.8 new file mode 100644 -index 0000000..962bcc4 +index 0000000..6ae2e70 --- /dev/null +++ b/man/man8/mandb_selinux.8 -@@ -0,0 +1,104 @@ -+.TH "mandb_selinux" "8" "12-11-01" "mandb" "SELinux Policy documentation for mandb" +@@ -0,0 +1,219 @@ ++.TH "mandb_selinux" "8" "13-01-16" "mandb" "SELinux Policy documentation for mandb" +.SH "NAME" +mandb_selinux \- Security Enhanced Linux Policy for the mandb processes +.SH "DESCRIPTION" @@ -48277,9 +84621,11 @@ index 0000000..962bcc4 + +.SH "ENTRYPOINTS" + -+The mandb_t SELinux type can be entered via the "mandb_exec_t" file type. The default entrypoint paths for the mandb_t domain are the following:" ++The mandb_t SELinux type can be entered via the \fBmandb_exec_t\fP file type. + -+/usr/bin/mandb ++The default entrypoint paths for the mandb_t domain are the following: ++ ++/etc/cron.daily/man-db\.cron, /usr/bin/mandb +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -48295,8 +84641,104 @@ index 0000000..962bcc4 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mandb_t ++can be used to make the process type mandb_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mandb policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mandb with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type mandb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B man_cache_t ++ ++ ++.br ++.B mandb_cache_t ++ ++ /var/cache/man(/.*)? ++.br ++ ++.br ++.B mandb_lock_t ++ ++ /var/lock/man-db\.lock ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -48306,7 +84748,20 @@ index 0000000..962bcc4 +Policy governs the access confined processes have to these files. +SELinux mandb policy is very flexible allowing users to setup their mandb processes in as secure a method as possible. +.PP -+The following file types are defined for mandb: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mandb, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mandb_cache_t '/srv/mandb/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymandb_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mandb: + + +.EX 
@@ -48324,6 +84779,18 @@ index 0000000..962bcc4 + +- Set files with the mandb_exec_t type, if you want to transition an executable to the mandb_t domain. + ++.br ++.TP 5 ++Paths: ++/etc/cron.daily/man-db\.cron, /usr/bin/mandb ++ ++.EX ++.PP ++.B mandb_lock_t ++.EE ++ ++- Set files with the mandb_lock_t type, if you want to treat the files as mandb lock data, stored under the /var/lock directory ++ + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -48332,18 +84799,6 @@ index 0000000..962bcc4 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type mandb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B mandb_cache_t -+ -+ /var/cache/man(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -48354,6 +84809,9 @@ index 0000000..962bcc4 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -48365,13 +84823,15 @@ index 0000000..962bcc4 + +.SH "SEE ALSO" +selinux(8), mandb(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/mcelog_selinux.8 b/man/man8/mcelog_selinux.8 new file mode 100644 -index 0000000..5259ce7 +index 0000000..f4af1f1 --- /dev/null 
+++ b/man/man8/mcelog_selinux.8 -@@ -0,0 +1,124 @@ -+.TH "mcelog_selinux" "8" "12-11-01" "mcelog" "SELinux Policy documentation for mcelog" +@@ -0,0 +1,259 @@ ++.TH "mcelog_selinux" "8" "13-01-16" "mcelog" "SELinux Policy documentation for mcelog" +.SH "NAME" +mcelog_selinux \- Security Enhanced Linux Policy for the mcelog processes +.SH "DESCRIPTION" @@ -48387,7 +84847,9 @@ index 0000000..5259ce7 + +.SH "ENTRYPOINTS" + -+The mcelog_t SELinux type can be entered via the "mcelog_exec_t" file type. The default entrypoint paths for the mcelog_t domain are the following:" ++The mcelog_t SELinux type can be entered via the \fBmcelog_exec_t\fP file type. ++ ++The default entrypoint paths for the mcelog_t domain are the following: + +/usr/sbin/mcelog +.SH PROCESS TYPES 
@@ -48405,8 +84867,132 @@ index 0000000..5259ce7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mcelog_t ++can be used to make the process type mcelog_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mcelog policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mcelog with the tightest access possible. ++ ++ ++.PP ++If you want to determine whether mcelog supports client mode, you must turn on the mcelog_client boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mcelog_client 1 ++ ++.EE ++ ++.PP ++If you want to determine whether mcelog can execute scripts, you must turn on the mcelog_exec_scripts boolean. Enabled by default. ++ ++.EX ++.B setsebool -P mcelog_exec_scripts 1 ++ ++.EE ++ ++.PP ++If you want to determine whether mcelog can use all the user ttys, you must turn on the mcelog_foreground boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mcelog_foreground 1 ++ ++.EE ++ ++.PP ++If you want to determine whether mcelog supports server mode, you must turn on the mcelog_server boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mcelog_server 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type mcelog_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B mcelog_var_run_t ++ ++ /var/run/mcelog.* ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sysfs_t ++ ++ /sys(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -48416,7 +85002,28 @@ index 0000000..5259ce7 +Policy governs the access confined processes have to these files. +SELinux mcelog policy is very flexible allowing users to setup their mcelog processes in as secure a method as possible. +.PP -+The following file types are defined for mcelog: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mcelog, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mcelog_etc_t '/srv/mcelog/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymcelog_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mcelog: ++ ++ ++.EX ++.PP ++.B mcelog_etc_t ++.EE ++ ++- Set files with the mcelog_etc_t type, if you want to store mcelog files in the /etc directories. + + +.EX @@ -48429,6 +85036,14 @@ index 0000000..5259ce7 + +.EX +.PP ++.B mcelog_initrc_exec_t ++.EE ++ ++- Set files with the mcelog_initrc_exec_t type, if you want to transition an executable to the mcelog_initrc_t domain. ++ ++ ++.EX ++.PP +.B mcelog_log_t +.EE + @@ -48440,7 +85055,7 @@ index 0000000..5259ce7 +.B mcelog_var_run_t +.EE + -+- Set files with the mcelog_var_run_t type, if you want to store the mcelog files under the /run directory. ++- Set files with the mcelog_var_run_t type, if you want to store the mcelog files under the /run or /var/run directory. + + +.PP 
@@ -48450,30 +85065,6 @@ index 0000000..5259ce7 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type mcelog_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B mcelog_log_t -+ -+ /var/log/mcelog.* -+.br -+ -+.br -+.B mcelog_var_run_t -+ -+ /var/run/mcelog.* -+.br -+ -+.br -+.B sysfs_t -+ -+ /sys(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -48484,6 +85075,9 @@ index 0000000..5259ce7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -48495,13 +85089,15 @@ index 0000000..5259ce7 + +.SH "SEE ALSO" +selinux(8), mcelog(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/mdadm_selinux.8 b/man/man8/mdadm_selinux.8 new file mode 100644 -index 0000000..e023488 +index 0000000..edab3b2 --- /dev/null +++ b/man/man8/mdadm_selinux.8 -@@ -0,0 +1,128 @@ -+.TH "mdadm_selinux" "8" "12-11-01" "mdadm" "SELinux Policy documentation for mdadm" +@@ -0,0 +1,279 @@ ++.TH "mdadm_selinux" "8" "13-01-16" "mdadm" "SELinux Policy documentation for mdadm" +.SH "NAME" +mdadm_selinux \- Security Enhanced Linux Policy for the mdadm processes +.SH "DESCRIPTION" 
@@ -48517,9 +85113,11 @@ index 0000000..e023488 + +.SH "ENTRYPOINTS" + -+The mdadm_t SELinux type can be entered via the "mdadm_exec_t" file type. The default entrypoint paths for the mdadm_t domain are the following:" ++The mdadm_t SELinux type can be entered via the \fBmdadm_exec_t\fP file type. + -+/sbin/mdadm, /sbin/mdmpd, /usr/sbin/mdadm, /usr/sbin/mdmpd, /usr/sbin/iprdump, /usr/sbin/iprinit, /usr/sbin/iprupdate, /usr/sbin/raid-check ++The default entrypoint paths for the mdadm_t domain are the following: ++ ++/sbin/mdadm, /sbin/mdmon, /sbin/mdmpd, /sbin/iprdump, /sbin/iprinit, /sbin/iprupdate, /usr/sbin/mdadm, /usr/sbin/mdmpd, /usr/sbin/mdmon, /sbin/raid-check, /usr/sbin/iprdump, /usr/sbin/iprinit, /usr/sbin/iprupdate, /usr/sbin/raid-check +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -48535,67 +85133,113 @@ index 0000000..e023488 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mdadm_t ++can be used to make the process type mdadm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux mdadm policy is very flexible allowing users to setup their mdadm processes in as secure a method as possible. -+.PP -+The following file types are defined for mdadm: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mdadm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mdadm with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B mdadm_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the mdadm_exec_t type, if you want to transition an executable to the mdadm_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B mdadm_var_run_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the mdadm_var_run_t type, if you want to store the mdadm files under the /run directory. ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + -+.SH "MANAGED FILES" ++.EX ++.B setsebool -P daemons_use_tty 1 + -+The SELinux process type mdadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++.EE + -+.br -+.B mdadm_var_run_t ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + -+ /dev/.mdadm\.map -+.br -+ /dev/md/.* -+.br -+ /var/run/mdadm(/.*)? -+.br ++.EX ++.B setsebool -P deny_ptrace 1 + -+.br -+.B sysfs_t ++.EE + -+ /sys(/.*)? -+.br ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mdadm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mdadm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 
@@ -48608,6 +85252,105 @@ index 0000000..e023488 +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH "MANAGED FILES" ++ ++The SELinux process type mdadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B mdadm_var_run_t ++ ++ /dev/md/.* ++.br ++ /var/run/mdadm(/.*)? ++.br ++ /dev/\.mdadm\.map ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sysfs_t ++ ++ /sys(/.*)? ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux mdadm policy is very flexible allowing users to setup their mdadm processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mdadm, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mdadm_exec_t '/srv/mdadm/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymdadm_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mdadm: ++ ++ ++.EX ++.PP ++.B mdadm_exec_t ++.EE ++ ++- Set files with the mdadm_exec_t type, if you want to transition an executable to the mdadm_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/sbin/mdadm, /sbin/mdmon, /sbin/mdmpd, /sbin/iprdump, /sbin/iprinit, /sbin/iprupdate, /usr/sbin/mdadm, /usr/sbin/mdmpd, /usr/sbin/mdmon, /sbin/raid-check, /usr/sbin/iprdump, /usr/sbin/iprinit, /usr/sbin/iprupdate, /usr/sbin/raid-check ++ ++.EX ++.PP ++.B mdadm_initrc_exec_t ++.EE ++ ++- Set files with the mdadm_initrc_exec_t type, if you want to transition an executable to the mdadm_initrc_t domain. ++ ++ ++.EX ++.PP ++.B mdadm_var_run_t ++.EE ++ ++- Set files with the mdadm_var_run_t type, if you want to store the mdadm files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/dev/md/.*, /var/run/mdadm(/.*)?, /dev/\.mdadm\.map ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -48618,6 +85361,9 @@ index 0000000..e023488 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -48629,13 +85375,15 @@ index 0000000..e023488 + +.SH "SEE ALSO" +selinux(8), mdadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/memcached_selinux.8 b/man/man8/memcached_selinux.8 new file mode 100644 -index 0000000..f286679 +index 0000000..2861e15 --- /dev/null 
+++ b/man/man8/memcached_selinux.8 -@@ -0,0 +1,178 @@ -+.TH "memcached_selinux" "8" "12-11-01" "memcached" "SELinux Policy documentation for memcached" +@@ -0,0 +1,287 @@ ++.TH "memcached_selinux" "8" "13-01-16" "memcached" "SELinux Policy documentation for memcached" +.SH "NAME" +memcached_selinux \- Security Enhanced Linux Policy for the memcached processes +.SH "DESCRIPTION" @@ -48651,7 +85399,9 @@ index 0000000..f286679 + +.SH "ENTRYPOINTS" + -+The memcached_t SELinux type can be entered via the "memcached_exec_t" file type. The default entrypoint paths for the memcached_t domain are the following:" ++The memcached_t SELinux type can be entered via the \fBmemcached_exec_t\fP file type. ++ ++The default entrypoint paths for the memcached_t domain are the following: + +/usr/bin/memcached +.SH PROCESS TYPES 
@@ -48669,68 +85419,124 @@ index 0000000..f286679 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a memcached_t ++can be used to make the process type memcached_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. memcached policy is extremely flexible and has several booleans that allow you to manipulate the policy and run memcached with the tightest access possible. + + +.PP -+If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_can_network_memcache 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow httpd to connect to memcache server, you must turn on the httpd_can_network_memcache boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_can_network_memcache 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux memcached policy is very flexible allowing users to setup their memcached processes in as secure a method as possible. 
-+.PP -+The following file types are defined for memcached: -+ ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B memcached_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the memcached_exec_t type, if you want to transition an executable to the memcached_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B memcached_initrc_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the memcached_initrc_exec_t type, if you want to transition an executable to the memcached_initrc_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B memcached_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the memcached_var_run_t type, if you want to store the memcached files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the memcached_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the memcached_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -48769,21 +85575,72 @@ index 0000000..f286679 + /var/run/ipa_memcached(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux memcached policy is very flexible allowing users to setup their memcached processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the memcached_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the memcached, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t memcached_exec_t '/srv/memcached/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymemcached_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for memcached: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B memcached_exec_t +.EE + ++- Set files with the memcached_exec_t type, if you want to transition an executable to the memcached_t domain. ++ ++ ++.EX ++.PP ++.B memcached_initrc_exec_t ++.EE ++ ++- Set files with the memcached_initrc_exec_t type, if you want to transition an executable to the memcached_initrc_t domain. ++ ++ ++.EX ++.PP ++.B memcached_var_run_t ++.EE ++ ++- Set files with the memcached_var_run_t type, if you want to store the memcached files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/memcached(/.*)?, /var/run/ipa_memcached(/.*)? 
++ +.PP -+If you want to allow confined applications to run with kerberos for the memcached_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -48816,11 +85673,11 @@ index 0000000..f286679 \ No newline at end of file diff --git a/man/man8/mencoder_selinux.8 b/man/man8/mencoder_selinux.8 new file mode 100644 -index 0000000..70bc6e1 +index 0000000..97829a4 --- /dev/null +++ b/man/man8/mencoder_selinux.8 -@@ -0,0 +1,100 @@ -+.TH "mencoder_selinux" "8" "12-11-01" "mencoder" "SELinux Policy documentation for mencoder" +@@ -0,0 +1,237 @@ ++.TH "mencoder_selinux" "8" "13-01-16" "mencoder" "SELinux Policy documentation for mencoder" +.SH "NAME" +mencoder_selinux \- Security Enhanced Linux Policy for the mencoder processes +.SH "DESCRIPTION" @@ -48836,7 +85693,9 @@ index 0000000..70bc6e1 + +.SH "ENTRYPOINTS" + -+The mencoder_t SELinux type can be entered via the "mencoder_exec_t" file type. The default entrypoint paths for the mencoder_t domain are the following:" ++The mencoder_t SELinux type can be entered via the \fBmencoder_exec_t\fP file type. ++ ++The default entrypoint paths for the mencoder_t domain are the following: + +/usr/bin/mencoder +.SH PROCESS TYPES 
@@ -48854,8 +85713,142 @@ index 0000000..70bc6e1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mencoder_t ++can be used to make the process type mencoder_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mencoder policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mencoder with the tightest access possible. ++ ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to determine whether mplayer can make its stack executable, you must turn on the mplayer_execstack boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mplayer_execstack 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type mencoder_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B mplayer_home_t ++ ++ /home/[^/]*/\.mplayer(/.*)? ++.br ++ /home/pwalsh/\.mplayer(/.*)? ++.br ++ /home/dwalsh/\.mplayer(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.mplayer(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
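Review bot: the MANAGED FILES list added in this mencoder_selinux.8 hunk (under mplayer_home_t, user_home_t and user_tmp_t) carries host-specific entries that do not belong in a shipped man page: `/home/pwalsh/\.mplayer(/.*)?`, `/home/dwalsh/.+`, `/tmp/gconfd-pwalsh`, `/tmp/gconfd-dwalsh`, `/tmp/gconfd-xguest`. They sit beside the generic `/home/[^/]*/...` patterns and look like local semanage file-context customizations on the machine the pages were generated on, so the pages should be regenerated from the stock policy file contexts only. In the same hunk the deny_ptrace paragraph says "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean"; setting the boolean to 1 does the opposite, so the text should state that deny_ptrace=1 denies ptrace and that it must be set to 0 to allow debugging.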
@@ -48865,7 +85858,20 @@ index 0000000..70bc6e1 +Policy governs the access confined processes have to these files. +SELinux mencoder policy is very flexible allowing users to setup their mencoder processes in as secure a method as possible. +.PP -+The following file types are defined for mencoder: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mencoder, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mencoder_exec_t '/srv/mencoder/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymencoder_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mencoder: + + +.EX @@ -48883,22 +85889,6 @@ index 0000000..70bc6e1 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type mencoder_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B mplayer_home_t -+ -+ /home/[^/]*/\.mplayer(/.*)? -+.br -+ /home/dwalsh/\.mplayer(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.mplayer(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -48909,6 +85899,9 @@ index 0000000..70bc6e1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -48920,13 +85913,15 @@ index 0000000..70bc6e1 + +.SH "SEE ALSO" +selinux(8), mencoder(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
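Review bot: the STANDARD FILE CONTEXT example added in the mencoder_selinux.8 hunk labels one path and restores a different one: `semanage fcontext -a -t mencoder_exec_t '/srv/mencoder/content(/.*)?'` is followed by `restorecon -R -v /srv/mymencoder_content`, so the restorecon call never touches the directory that was just given a new mapping and the reader is left with an unapplied label. The two paths should match, and a data type would be a better choice than mencoder_exec_t, because labeling a whole content tree with the entrypoint type makes every file under it a valid entrypoint into mencoder_t. The same paragraph has "diffent" and "sepecify" (different, specify). The identical template, mismatch included, is repeated on the mock, modemmanager and mongod pages in this patch, so it should be corrected once at the template rather than per file.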
diff --git a/man/man8/mock_build_selinux.8 b/man/man8/mock_build_selinux.8 new file mode 100644 -index 0000000..82e2f70 +index 0000000..a8f9339 --- /dev/null +++ b/man/man8/mock_build_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "mock_build_selinux" "8" "12-11-01" "mock_build" "SELinux Policy documentation for mock_build" +@@ -0,0 +1,192 @@ ++.TH "mock_build_selinux" "8" "13-01-16" "mock_build" "SELinux Policy documentation for mock_build" +.SH "NAME" +mock_build_selinux \- Security Enhanced Linux Policy for the mock_build processes +.SH "DESCRIPTION" @@ -48942,7 +85937,9 @@ index 0000000..82e2f70 + +.SH "ENTRYPOINTS" + -+The mock_build_t SELinux type can be entered via the "mock_var_lib_t,mock_build_exec_t,mock_tmp_t" file types. The default entrypoint paths for the mock_build_t domain are the following:" ++The mock_build_t SELinux type can be entered via the \fBmock_var_lib_t, mock_build_exec_t, mock_tmp_t\fP file types. ++ ++The default entrypoint paths for the mock_build_t domain are the following: + +/var/lib/mock(/.*)? +.SH PROCESS TYPES 
@@ -48960,34 +85957,108 @@ index 0000000..82e2f70 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mock_build_t ++can be used to make the process type mock_build_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux mock_build policy is very flexible allowing users to setup their mock_build processes in as secure a method as possible. -+.PP -+The following file types are defined for mock_build: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mock_build policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mock_build with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B mock_build_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the mock_build_exec_t type, if you want to transition an executable to the mock_build_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow mock to read files in home directories, you must turn on the mock_enable_homedirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P mock_enable_homedirs 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mock_build_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -49017,22 +86088,6 @@ index 0000000..82e2f70 + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the mock_build_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -49043,6 +86098,9 @@ index 0000000..82e2f70 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -49054,15 +86112,15 @@ index 0000000..82e2f70 + +.SH "SEE ALSO" +selinux(8), mock_build(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, mock_selinux(8), mock_selinux(8) ++, setsebool(8), mock_selinux(8), mock_selinux(8) \ No newline at end of file diff --git a/man/man8/mock_selinux.8 b/man/man8/mock_selinux.8 new file mode 100644 -index 0000000..d8f798e +index 0000000..ce2ddb8 --- /dev/null 
+++ b/man/man8/mock_selinux.8 -@@ -0,0 +1,190 @@ -+.TH "mock_selinux" "8" "12-11-01" "mock" "SELinux Policy documentation for mock" +@@ -0,0 +1,307 @@ ++.TH "mock_selinux" "8" "13-01-16" "mock" "SELinux Policy documentation for mock" +.SH "NAME" +mock_selinux \- Security Enhanced Linux Policy for the mock processes +.SH "DESCRIPTION" @@ -49078,7 +86136,9 @@ index 0000000..d8f798e + +.SH "ENTRYPOINTS" + -+The mock_t SELinux type can be entered via the "mock_exec_t" file type. The default entrypoint paths for the mock_t domain are the following:" ++The mock_t SELinux type can be entered via the \fBmock_exec_t\fP file type. ++ ++The default entrypoint paths for the mock_t domain are the following: + +/usr/sbin/mock +.SH PROCESS TYPES 
@@ -49096,27 +86156,173 @@ index 0000000..d8f798e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mock_t ++can be used to make the process type mock_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mock with the tightest access possible. + + +.PP -+If you want to allow mock to read files in home directories, you must turn on the mock_enable_homedirs boolean. ++If you want to allow mock to read files in home directories, you must turn on the mock_enable_homedirs boolean. Enabled by default. + +.EX +.B setsebool -P mock_enable_homedirs 1 ++ +.EE + +.PP -+If you want to allow mock to read files in home directories, you must turn on the mock_enable_homedirs boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P mock_enable_homedirs 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mock_t, mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mock_t, mock_build_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type mock_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B mock_cache_t ++ ++ /var/cache/mock(/.*)? ++.br ++ ++.br ++.B mock_tmp_t ++ ++ ++.br ++.B mock_var_lib_t ++ ++ /var/lib/mock(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -49125,7 +86331,20 @@ index 0000000..d8f798e +Policy governs the access confined processes have to these files. +SELinux mock policy is very flexible allowing users to setup their mock processes in as secure a method as possible. +.PP -+The following file types are defined for mock: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mock, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mock_build_exec_t '/srv/mock/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymock_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mock: + + +.EX 
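Review bot: the STANDARD FILE CONTEXT example in the mock_selinux.8 hunk names a type from a different page: `semanage fcontext -a -t mock_build_exec_t '/srv/mock/content(/.*)?'` appears on the mock page, whose own entrypoint type is mock_exec_t (mock_build_exec_t belongs to mock_build_selinux.8), and the following `restorecon -R -v /srv/mymock_content` again restores a path other than the one labeled, so it has no effect on /srv/mock/content. Also in this hunk, the new MANAGED FILES list for mock_t includes `/home/pwalsh/.+` and `/home/dwalsh/.+` next to the generic `/home/[^/]*/.+` pattern; those are host-local entries, not policy defaults, and should not be committed.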
@@ -49183,50 +86402,6 @@ index 0000000..d8f798e +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type mock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B mock_cache_t -+ -+ /var/cache/mock(/.*)? -+.br -+ -+.br -+.B mock_tmp_t -+ -+ -+.br -+.B mock_var_lib_t -+ -+ /var/lib/mock(/.*)? -+.br -+ -+.br -+.B systemd_passwd_var_run_t -+ -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mock_t, mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the mock_t, mock_build_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -49255,11 +86430,11 @@ index 0000000..d8f798e \ No newline at end of file diff --git a/man/man8/modemmanager_selinux.8 b/man/man8/modemmanager_selinux.8 new file mode 100644 -index 0000000..97ff255 +index 0000000..5582bc9 --- /dev/null +++ b/man/man8/modemmanager_selinux.8 -@@ -0,0 +1,86 @@ -+.TH "modemmanager_selinux" "8" "12-11-01" "modemmanager" "SELinux Policy documentation for modemmanager" +@@ -0,0 +1,183 @@ ++.TH "modemmanager_selinux" "8" "13-01-16" "modemmanager" "SELinux Policy documentation for modemmanager" +.SH "NAME" +modemmanager_selinux \- Security Enhanced Linux Policy for the modemmanager processes +.SH "DESCRIPTION" 
@@ -49275,7 +86450,9 @@ index 0000000..97ff255 + +.SH "ENTRYPOINTS" + -+The modemmanager_t SELinux type can be entered via the "modemmanager_exec_t" file type. The default entrypoint paths for the modemmanager_t domain are the following:" ++The modemmanager_t SELinux type can be entered via the \fBmodemmanager_exec_t\fP file type. ++ ++The default entrypoint paths for the modemmanager_t domain are the following: + +/usr/sbin/modem-manager +.SH PROCESS TYPES 
@@ -49293,8 +86470,88 @@ index 0000000..97ff255 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a modemmanager_t ++can be used to make the process type modemmanager_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. modemmanager policy is extremely flexible and has several booleans that allow you to manipulate the policy and run modemmanager with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type modemmanager_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -49304,7 +86561,20 @@ index 0000000..97ff255 +Policy governs the access confined processes have to these files. +SELinux modemmanager policy is very flexible allowing users to setup their modemmanager processes in as secure a method as possible. +.PP -+The following file types are defined for modemmanager: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the modemmanager, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t modemmanager_exec_t '/srv/modemmanager/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymodemmanager_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for modemmanager: + + +.EX @@ -49322,8 +86592,6 @@ index 0000000..97ff255 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
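Review bot: the new MANAGED FILES section in the modemmanager_selinux.8 hunk lists root_t, with paths `/` and `/initrd`, as writable by modemmanager_t. If that access exists only when daemons_dump_core is on (the same page documents that boolean as "allow all daemons to write corefiles to /"), the section should say so instead of presenting write access to the root directory as unconditional; if the policy really grants it unconditionally, that deserves a second look, since a confined daemon normally has no reason to create files in /. The mongod page in this patch shows the same root_t entry.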
@@ -49334,6 +86602,9 @@ index 0000000..97ff255 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -49345,13 +86616,15 @@ index 0000000..97ff255 + +.SH "SEE ALSO" +selinux(8), modemmanager(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/mongod_selinux.8 b/man/man8/mongod_selinux.8 new file mode 100644 -index 0000000..a9bc3c3 +index 0000000..7808ba2 --- /dev/null +++ b/man/man8/mongod_selinux.8 -@@ -0,0 +1,186 @@ -+.TH "mongod_selinux" "8" "12-11-01" "mongod" "SELinux Policy documentation for mongod" +@@ -0,0 +1,310 @@ ++.TH "mongod_selinux" "8" "13-01-16" "mongod" "SELinux Policy documentation for mongod" +.SH "NAME" +mongod_selinux \- Security Enhanced Linux Policy for the mongod processes +.SH "DESCRIPTION" @@ -49367,7 +86640,9 @@ index 0000000..a9bc3c3 + +.SH "ENTRYPOINTS" + -+The mongod_t SELinux type can be entered via the "mongod_exec_t" file type. The default entrypoint paths for the mongod_t domain are the following:" ++The mongod_t SELinux type can be entered via the \fBmongod_exec_t\fP file type. ++ ++The default entrypoint paths for the mongod_t domain are the following: + +/usr/bin/mongod, /usr/share/aeolus-conductor/dbomatic/dbomatic +.SH PROCESS TYPES 
@@ -49385,74 +86660,84 @@ index 0000000..a9bc3c3 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mongod_t ++can be used to make the process type mongod_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux mongod policy is very flexible allowing users to setup their mongod processes in as secure a method as possible. -+.PP -+The following file types are defined for mongod: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mongod policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mongod with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B mongod_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the mongod_exec_t type, if you want to transition an executable to the mongod_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B mongod_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the mongod_initrc_exec_t type, if you want to transition an executable to the mongod_initrc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B mongod_log_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the mongod_log_t type, if you want to treat the data as mongod log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B mongod_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the mongod_tmp_t type, if you want to store mongod temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B mongod_var_lib_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the mongod_var_lib_t type, if you want to store the mongod files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B mongod_var_run_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the mongod_var_run_t type, if you want to store the mongod files under the /run directory. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -49511,7 +86796,115 @@ index 0000000..a9bc3c3 + /var/run/aeolus/dbomatic\.pid +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux mongod policy is very flexible allowing users to setup their mongod processes in as secure a method as possible. ++.PP ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++mongod policy stores data with multiple different file context types under the /var/log/mongo directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/mongo /srv/mongo ++.br ++.B restorecon -R -v /srv/mongo ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mongod, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mongod_exec_t '/srv/mongod/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymongod_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mongod: ++ ++ ++.EX ++.PP ++.B mongod_exec_t ++.EE ++ ++- Set files with the mongod_exec_t type, if you want to transition an executable to the mongod_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/bin/mongod, /usr/share/aeolus-conductor/dbomatic/dbomatic ++ ++.EX ++.PP ++.B mongod_initrc_exec_t ++.EE ++ ++- Set files with the mongod_initrc_exec_t type, if you want to transition an executable to the mongod_initrc_t domain. ++ ++ ++.EX ++.PP ++.B mongod_log_t ++.EE ++ ++- Set files with the mongod_log_t type, if you want to treat the data as mongod log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/mongo(/.*)?, /var/log/mongodb(/.*)?, /var/log/mongo/mongod\.log.*, /var/log/aeolus-conductor/dbomatic\.log.* ++ ++.EX ++.PP ++.B mongod_tmp_t ++.EE ++ ++- Set files with the mongod_tmp_t type, if you want to store mongod temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B mongod_var_lib_t ++.EE ++ ++- Set files with the mongod_var_lib_t type, if you want to store the mongod files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B mongod_var_run_t ++.EE ++ ++- Set files with the mongod_var_run_t type, if you want to store the mongod files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/mongodb(/.*)?, /var/run/aeolus/dbomatic\.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -49526,6 +86919,9 @@ index 0000000..a9bc3c3 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -49537,13 +86933,15 @@ index 0000000..a9bc3c3 + +.SH "SEE ALSO" +selinux(8), mongod(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
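Review bot: the FILE CONTEXTS block added in the mongod_selinux.8 hunk contains a broken groff escape: `You can see the context of a file using the \fB\-Z\fP option to \fBls\bP`. `\b` is the bracket-building escape, not a font change, so `\bP` renders as junk and the bold started by `\fB` is never closed; it should read `\fBls\fP`. The line is carried over verbatim from the removed block and the same sentence occurs in every page in this patch, so fix it in the template. Minor, same hunk: "dirctory" in the EQUIVALENCE DIRECTORIES paragraph, and the STANDARD FILE CONTEXT example again pairs `'/srv/mongod/content(/.*)?'` with `restorecon -R -v /srv/mymongod_content`, two different paths.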
diff --git a/man/man8/mount_ecryptfs_selinux.8 b/man/man8/mount_ecryptfs_selinux.8 new file mode 100644 -index 0000000..47e1952 +index 0000000..a653675 --- /dev/null +++ b/man/man8/mount_ecryptfs_selinux.8 -@@ -0,0 +1,125 @@ -+.TH "mount_ecryptfs_selinux" "8" "12-11-01" "mount_ecryptfs" "SELinux Policy documentation for mount_ecryptfs" +@@ -0,0 +1,223 @@ ++.TH "mount_ecryptfs_selinux" "8" "13-01-16" "mount_ecryptfs" "SELinux Policy documentation for mount_ecryptfs" +.SH "NAME" +mount_ecryptfs_selinux \- Security Enhanced Linux Policy for the mount_ecryptfs processes +.SH "DESCRIPTION" @@ -49559,7 +86957,9 @@ index 0000000..47e1952 + +.SH "ENTRYPOINTS" + -+The mount_ecryptfs_t SELinux type can be entered via the "mount_ecryptfs_exec_t" file type. The default entrypoint paths for the mount_ecryptfs_t domain are the following:" ++The mount_ecryptfs_t SELinux type can be entered via the \fBmount_ecryptfs_exec_t\fP file type. ++ ++The default entrypoint paths for the mount_ecryptfs_t domain are the following: + +/usr/sbin/mount\.ecryptfs, /usr/sbin/umount\.ecryptfs, /usr/sbin/mount\.ecryptfs_private, /usr/sbin/umount\.ecryptfs_private +.SH PROCESS TYPES 
@@ -49577,42 +86977,100 @@ index 0000000..47e1952 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mount_ecryptfs_t ++can be used to make the process type mount_ecryptfs_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux mount_ecryptfs policy is very flexible allowing users to setup their mount_ecryptfs processes in as secure a method as possible. -+.PP -+The following file types are defined for mount_ecryptfs: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mount_ecryptfs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mount_ecryptfs with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B mount_ecryptfs_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the mount_ecryptfs_exec_t type, if you want to transition an executable to the mount_ecryptfs_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B mount_ecryptfs_tmpfs_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the mount_ecryptfs_tmpfs_t type, if you want to store mount ecryptfs files on a tmpfs file system. 
++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mount_ecryptfs_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
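Review bot: the deny_ptrace entry in this BOOLEANS section contradicts itself: it says that to allow sysadm to debug or ptrace all processes you must turn deny_ptrace on, while the boolean's name and the `setsebool -P deny_ptrace 1` shown with it deny ptrace. The generated sentence should say that turning deny_ptrace on prevents any process from ptracing or debugging other processes; the same template text recurs in the mount_selinux.8, mozilla_plugin_config_selinux.8 and mozilla_plugin_selinux.8 hunks below. Also "rather then using a sssd server" should be "rather than", and the NSSWITCH DOMAIN section repeats authlogin_nsswitch_use_ldap and kerberos_enabled already listed under BOOLEANS on the same page, so one of the two listings could go.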
@@ -49630,21 +87088,56 @@ index 0000000..47e1952 + /dev/shm/pulse-shm.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux mount_ecryptfs policy is very flexible allowing users to setup their mount_ecryptfs processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mount_ecryptfs, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mount_ecryptfs_exec_t '/srv/mount_ecryptfs/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymount_ecryptfs_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mount_ecryptfs: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B mount_ecryptfs_exec_t +.EE + ++- Set files with the mount_ecryptfs_exec_t type, if you want to transition an executable to the mount_ecryptfs_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/mount\.ecryptfs, /usr/sbin/umount\.ecryptfs, /usr/sbin/mount\.ecryptfs_private, /usr/sbin/umount\.ecryptfs_private ++ ++.EX ++.PP ++.B mount_ecryptfs_tmpfs_t ++.EE ++ ++- Set files with the mount_ecryptfs_tmpfs_t type, if you want to store mount ecryptfs files on a tmpfs file system. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the mount_ecryptfs_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -49656,6 +87149,9 @@ index 0000000..47e1952 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -49667,15 +87163,15 @@ index 0000000..47e1952 + +.SH "SEE ALSO" +selinux(8), mount_ecryptfs(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, mount_selinux(8), mount_selinux(8) ++, setsebool(8), mount_selinux(8), mount_selinux(8) \ No newline at end of file diff --git a/man/man8/mount_selinux.8 b/man/man8/mount_selinux.8 new file mode 100644 -index 0000000..1f6de58 +index 0000000..e1e4f86 --- /dev/null +++ b/man/man8/mount_selinux.8 -@@ -0,0 +1,242 @@ -+.TH "mount_selinux" "8" "12-11-01" "mount" "SELinux Policy documentation for mount" +@@ -0,0 +1,357 @@ ++.TH "mount_selinux" "8" "13-01-16" "mount" "SELinux Policy documentation for mount" +.SH "NAME" +mount_selinux \- Security Enhanced Linux Policy for the mount processes +.SH "DESCRIPTION" 
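Review bot: the STANDARD FILE CONTEXT example in the mount_ecryptfs_selinux.8 FILE CONTEXTS hunk is inconsistent: `semanage fcontext -a -t mount_ecryptfs_exec_t '/srv/mount_ecryptfs/content(/.*)?'` is followed by `restorecon -R -v /srv/mymount_ecryptfs_content`, a path the registered regex does not match, so the relabel would change nothing; and an _exec_t entrypoint type is the wrong type to suggest for a content directory under /srv, since it marks everything placed there as an entrypoint executable for mount_ecryptfs_t. Use a non-entrypoint type in the example and make the restorecon path the same one passed to semanage. In the same hunk "diffent" and "sepecify" are typos, `\fBls\bP` should be `\fBls\fP` (`\b` is a different troff escape), and the SEE ALSO line lists mount_selinux(8) twice.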
@@ -49691,7 +87187,9 @@ index 0000000..1f6de58 + +.SH "ENTRYPOINTS" + -+The mount_t SELinux type can be entered via the "mount_exec_t,fusermount_exec_t" file types. The default entrypoint paths for the mount_t domain are the following:" ++The mount_t SELinux type can be entered via the \fBmount_exec_t, fusermount_exec_t\fP file types. ++ ++The default entrypoint paths for the mount_t domain are the following: + +/bin/mount.*, /bin/umount.*, /sbin/mount.*, /sbin/umount.*, /usr/bin/mount.*, /usr/bin/umount.*, /usr/sbin/mount.*, /usr/sbin/umount.*, /bin/fusermount, /usr/bin/fusermount +.SH PROCESS TYPES 
@@ -49709,107 +87207,142 @@ index 0000000..1f6de58 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mount_t ++can be used to make the process type mount_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mount policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mount with the tightest access possible. + + +.PP -+If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean. -+ -+.EX -+.B setsebool -P xguest_mount_media 1 -+.EE -+ -+.PP -+If you want to allow the mount command to mount any directory or file, you must turn on the mount_anyfile boolean. ++If you want to allow the mount command to mount any directory or file, you must turn on the mount_anyfile boolean. Enabled by default. + +.EX +.B setsebool -P mount_anyfile 1 ++ +.EE + +.PP -+If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P xguest_mount_media 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow the mount command to mount any directory or file, you must turn on the mount_anyfile boolean. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.B setsebool -P mount_anyfile 1 ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ +.PP -+Policy governs the access confined processes have to these files. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mount_t, mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mount_t, mount_ecryptfs_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. +SELinux mount policy is very flexible allowing users to setup their mount processes in as secure a method as possible. +.PP -+The following file types are defined for mount: -+ ++The following port types are defined for mount: + +.EX -+.PP -+.B mount_ecryptfs_exec_t ++.TP 5 ++.B mountd_port_t ++.TP 10 +.EE + -+- Set files with the mount_ecryptfs_exec_t type, if you want to transition an executable to the mount_ecryptfs_t domain. + -+ -+.EX -+.PP -+.B mount_ecryptfs_tmpfs_t ++Default Defined Ports: ++tcp 20048 +.EE -+ -+- Set files with the mount_ecryptfs_tmpfs_t type, if you want to store mount ecryptfs files on a tmpfs file system. -+ -+ -+.EX -+.PP -+.B mount_exec_t ++udp 20048 +.EE -+ -+- Set files with the mount_exec_t type, if you want to transition an executable to the mount_t domain. -+ -+ -+.EX -+.PP -+.B mount_loopback_t -+.EE -+ -+- Set files with the mount_loopback_t type, if you want to treat the files as mount loopback data. -+ -+ -+.EX -+.PP -+.B mount_tmp_t -+.EE -+ -+- Set files with the mount_tmp_t type, if you want to store mount temporary files in the /tmp directories. 
-+ -+ -+.EX -+.PP -+.B mount_var_run_t -+.EE -+ -+- Set files with the mount_var_run_t type, if you want to store the mount files under the /run directory. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH "MANAGED FILES" + +The SELinux process type mount_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. @@ -49835,10 +87368,10 @@ index 0000000..1f6de58 +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -49847,10 +87380,10 @@ index 0000000..1f6de58 +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE 
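Review bot: the PORT TYPES section in this mount_selinux.8 hunk has unbalanced .EX/.EE macros: `.EX` is followed by `.TP 5`, `.B mountd_port_t`, `.TP 10`, `.EE`, and then "Default Defined Ports:" with `tcp 20048` and `udp 20048` each followed by an `.EE` that closes nothing, so groff will not render the block cleanly. The port list should be a single .EX/.EE pair with both port lines inside it. In the MANAGED FILES hunk that follows, the only change is that `/\.autofsck` / `/forcefsck` and `/etc/killpower` / `/etc/nohotplug` swap places, which suggests the generator emits paths in hash order; sorting them before output would keep regenerated pages stable and shrink this patch.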
@@ -49876,21 +87409,96 @@ index 0000000..1f6de58 +.B non_security_file_type + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux mount policy is very flexible allowing users to setup their mount processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mount_t, mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mount, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mount_ecryptfs_exec_t '/srv/mount/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymount_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mount: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B mount_ecryptfs_exec_t +.EE + ++- Set files with the mount_ecryptfs_exec_t type, if you want to transition an executable to the mount_ecryptfs_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/mount\.ecryptfs, /usr/sbin/umount\.ecryptfs, /usr/sbin/mount\.ecryptfs_private, /usr/sbin/umount\.ecryptfs_private ++ ++.EX ++.PP ++.B mount_ecryptfs_tmpfs_t ++.EE ++ ++- Set files with the mount_ecryptfs_tmpfs_t type, if you want to store mount ecryptfs files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B mount_exec_t ++.EE ++ ++- Set files with the mount_exec_t type, if you want to transition an executable to the mount_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/bin/mount.*, /bin/umount.*, /sbin/mount.*, /sbin/umount.*, /usr/bin/mount.*, /usr/bin/umount.*, /usr/sbin/mount.*, /usr/sbin/umount.* ++ ++.EX ++.PP ++.B mount_loopback_t ++.EE ++ ++- Set files with the mount_loopback_t type, if you want to treat the files as mount loopback data. ++ ++ ++.EX ++.PP ++.B mount_tmp_t ++.EE ++ ++- Set files with the mount_tmp_t type, if you want to store mount temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B mount_var_run_t ++.EE ++ ++- Set files with the mount_var_run_t type, if you want to store the mount files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/run/mount(/.*)?, /dev/\.mount(/.*)?, /var/run/mount(/.*)?, /var/run/davfs2(/.*)?, /var/cache/davfs2(/.*)? ++ +.PP -+If you want to allow confined applications to run with kerberos for the mount_t, mount_ecryptfs_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -49902,6 +87510,9 @@ index 0000000..1f6de58 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage port ++can also be used to manipulate the port definitions ++ +.B semanage boolean +can also be used to manipulate the booleans + @@ -49920,11 +87531,11 @@ index 0000000..1f6de58 \ No newline at end of file diff --git a/man/man8/mozilla_plugin_config_selinux.8 b/man/man8/mozilla_plugin_config_selinux.8 new file mode 100644 -index 0000000..ad663f1 +index 0000000..6567f36 --- /dev/null 
+++ b/man/man8/mozilla_plugin_config_selinux.8 -@@ -0,0 +1,233 @@ -+.TH "mozilla_plugin_config_selinux" "8" "12-11-01" "mozilla_plugin_config" "SELinux Policy documentation for mozilla_plugin_config" +@@ -0,0 +1,379 @@ ++.TH "mozilla_plugin_config_selinux" "8" "13-01-16" "mozilla_plugin_config" "SELinux Policy documentation for mozilla_plugin_config" +.SH "NAME" +mozilla_plugin_config_selinux \- Security Enhanced Linux Policy for the mozilla_plugin_config processes +.SH "DESCRIPTION" @@ -49940,7 +87551,9 @@ index 0000000..ad663f1 + +.SH "ENTRYPOINTS" + -+The mozilla_plugin_config_t SELinux type can be entered via the "mozilla_plugin_config_exec_t" file type. The default entrypoint paths for the mozilla_plugin_config_t domain are the following:" ++The mozilla_plugin_config_t SELinux type can be entered via the \fBmozilla_plugin_config_exec_t\fP file type. ++ ++The default entrypoint paths for the mozilla_plugin_config_t domain are the following: + +/usr/lib/nspluginwrapper/plugin-config +.SH PROCESS TYPES 
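Review bot: the STANDARD FILE CONTEXT example in the mount_selinux.8 FILE CONTEXTS hunk above uses `mount_ecryptfs_exec_t` for `/srv/mount/content(/.*)?`, which looks like the alphabetically first file type on the page rather than a type suited to content, and the following `restorecon -R -v /srv/mymount_content` does not match that regex; pair the two paths and pick a non-entrypoint type. The new Paths entries under mount_exec_t and mount_var_run_t do agree with the ENTRYPOINTS list earlier in the page, so that part is fine.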
@@ -49958,34 +87571,108 @@ index 0000000..ad663f1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mozilla_plugin_config_t ++can be used to make the process type mozilla_plugin_config_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux mozilla_plugin_config policy is very flexible allowing users to setup their mozilla_plugin_config processes in as secure a method as possible. -+.PP -+The following file types are defined for mozilla_plugin_config: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mozilla_plugin_config policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla_plugin_config with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B mozilla_plugin_config_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the mozilla_plugin_config_exec_t type, if you want to transition an executable to the mozilla_plugin_config_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P unconfined_mozilla_plugin_transition 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mozilla_plugin_config_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -49994,6 +87681,8 @@ index 0000000..ad663f1 +.br +.B mozilla_home_t + ++ /home/[^/]*/\.lyx(/.*)? ++.br + /home/[^/]*/\.java(/.*)? +.br + /home/[^/]*/\.adobe(/.*)? @@ -50024,6 +87713,40 @@ index 0000000..ad663f1 +.br + /home/[^/]*/\.config/chromium(/.*)? +.br ++ /home/pwalsh/\.lyx(/.*)? ++.br ++ /home/pwalsh/\.java(/.*)? ++.br ++ /home/pwalsh/\.adobe(/.*)? ++.br ++ /home/pwalsh/\.gnash(/.*)? ++.br ++ /home/pwalsh/\.galeon(/.*)? ++.br ++ /home/pwalsh/\.spicec(/.*)? ++.br ++ /home/pwalsh/\.mozilla(/.*)? ++.br ++ /home/pwalsh/\.phoenix(/.*)? ++.br ++ /home/pwalsh/\.netscape(/.*)? ++.br ++ /home/pwalsh/\.ICAClient(/.*)? ++.br ++ /home/pwalsh/\.macromedia(/.*)? ++.br ++ /home/pwalsh/\.thunderbird(/.*)? ++.br ++ /home/pwalsh/\.gcjwebplugin(/.*)? ++.br ++ /home/pwalsh/\.icedteaplugin(/.*)? ++.br ++ /home/pwalsh/zimbrauserdata(/.*)? ++.br ++ /home/pwalsh/\.config/chromium(/.*)? ++.br ++ /home/dwalsh/\.lyx(/.*)? ++.br + /home/dwalsh/\.java(/.*)? +.br + /home/dwalsh/\.adobe(/.*)? @@ -50054,6 +87777,8 @@ index 0000000..ad663f1 +.br + /home/dwalsh/\.config/chromium(/.*)? +.br ++ /var/lib/xguest/home/xguest/\.lyx(/.*)? ++.br + /var/lib/xguest/home/xguest/\.java(/.*)? +.br + /var/lib/xguest/home/xguest/\.adobe(/.*)? 
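Review bot: the new mozilla_home_t entries `/home/pwalsh/\.lyx(/.*)?` through `/home/pwalsh/\.config/chromium(/.*)?` and the matching `/home/dwalsh/...` lines in this MANAGED FILES hunk are per-user home-directory paths from the build machine's local file-context customizations, not part of the shipped policy; they put developer account names into distributed documentation and will differ on every machine that regenerates the pages. The generator should read only the distributed file_contexts and homedir_template, which already produce the `/home/[^/]*/...` entries just above them; the same user-specific lines also appear in the font-cache hunk that follows.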
@@ -50106,6 +87831,12 @@ index 0000000..ad663f1 +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? 
@@ -50119,21 +87850,44 @@ index 0000000..ad663f1 + /var/lib/xguest/home/xguest/\.fonts\.cache-.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux mozilla_plugin_config policy is very flexible allowing users to setup their mozilla_plugin_config processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mozilla_plugin_config, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mozilla_plugin_config_exec_t '/srv/mozilla_plugin_config/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymozilla_plugin_config_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mozilla_plugin_config: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B mozilla_plugin_config_exec_t +.EE + ++- Set files with the mozilla_plugin_config_exec_t type, if you want to transition an executable to the mozilla_plugin_config_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -50145,6 +87899,9 @@ index 0000000..ad663f1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -50156,15 +87913,15 @@ index 0000000..ad663f1 + +.SH "SEE ALSO" +selinux(8), mozilla_plugin_config(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, mozilla_selinux(8), mozilla_selinux(8), mozilla_plugin_selinux(8), mozilla_plugin_selinux(8) ++, setsebool(8), mozilla_selinux(8), mozilla_selinux(8), mozilla_plugin_selinux(8), mozilla_plugin_selinux(8) \ No newline at end of file diff --git a/man/man8/mozilla_plugin_selinux.8 b/man/man8/mozilla_plugin_selinux.8 new file mode 100644 -index 0000000..a873bb4 +index 0000000..8fc3aea --- /dev/null +++ b/man/man8/mozilla_plugin_selinux.8 -@@ -0,0 +1,392 @@ -+.TH "mozilla_plugin_selinux" "8" "12-11-01" "mozilla_plugin" "SELinux Policy documentation for mozilla_plugin" +@@ -0,0 +1,605 @@ ++.TH "mozilla_plugin_selinux" "8" "13-01-16" "mozilla_plugin" "SELinux Policy documentation for mozilla_plugin" +.SH "NAME" +mozilla_plugin_selinux \- Security Enhanced Linux Policy for the mozilla_plugin processes +.SH "DESCRIPTION" 
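Review bot: the mozilla_plugin_config_selinux.8 FILE CONTEXTS hunk above has the same template defect as the mount pages: `semanage fcontext -a -t mozilla_plugin_config_exec_t '/srv/mozilla_plugin_config/content(/.*)?'` labels a content directory with the domain's entrypoint type, and `restorecon -R -v /srv/mymozilla_plugin_config_content` names a path that regex does not cover, alongside the "diffent" and "sepecify" typos and the `\fBls\bP` escape. Since this text is generated, fixing the template once fixes every page in the patch.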
@@ -50180,7 +87937,9 @@ index 0000000..a873bb4 + +.SH "ENTRYPOINTS" + -+The mozilla_plugin_t SELinux type can be entered via the "mozilla_plugin_exec_t" file type. The default entrypoint paths for the mozilla_plugin_t domain are the following:" ++The mozilla_plugin_t SELinux type can be entered via the \fBmozilla_plugin_exec_t\fP file type. ++ ++The default entrypoint paths for the mozilla_plugin_t domain are the following: + +/usr/lib/xulrunner[^/]*/plugin-container, /usr/lib/nspluginwrapper/npviewer.bin, /usr/bin/nspluginscan, /usr/bin/nspluginviewer +.SH PROCESS TYPES 
@@ -50198,118 +87957,198 @@ index 0000000..a873bb4 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mozilla_plugin_t ++can be used to make the process type mozilla_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mozilla_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla_plugin with the tightest access possible. + + +.PP -+If you want to allow mozilla plugin domain to connect to the network using TCP, you must turn on the mozilla_plugin_can_network_connect boolean. ++If you want to allow mozilla plugin domain to connect to the network using TCP, you must turn on the mozilla_plugin_can_network_connect boolean. Disabled by default. + +.EX +.B setsebool -P mozilla_plugin_can_network_connect 1 ++ +.EE + +.PP -+If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean. ++If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean. Disabled by default. + +.EX +.B setsebool -P mozilla_plugin_enable_homedirs 1 ++ +.EE + +.PP -+If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean. Enabled by default. + +.EX +.B setsebool -P unconfined_mozilla_plugin_transition 1 ++ +.EE + +.PP -+If you want to allow mozilla plugin domain to connect to the network using TCP, you must turn on the mozilla_plugin_can_network_connect boolean. ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. + +.EX -+.B setsebool -P mozilla_plugin_can_network_connect 1 ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ +.EE + +.PP -+If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean. ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. + +.EX -+.B setsebool -P mozilla_plugin_enable_homedirs 1 ++.B setsebool -P use_fusefs_home_dirs 1 ++ +.EE + +.PP -+If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean. ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. + +.EX -+.B setsebool -P unconfined_mozilla_plugin_transition 1 ++.B setsebool -P use_nfs_home_dirs 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux mozilla_plugin policy is very flexible allowing users to setup their mozilla_plugin processes in as secure a method as possible. 
-+.PP -+The following file types are defined for mozilla_plugin: -+ ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. + +.EX -+.PP -+.B mozilla_plugin_config_exec_t ++.B setsebool -P use_samba_home_dirs 1 ++ +.EE + -+- Set files with the mozilla_plugin_config_exec_t type, if you want to transition an executable to the mozilla_plugin_config_t domain. ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mozilla_plugin_config_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B mozilla_plugin_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the mozilla_plugin_exec_t type, if you want to transition an executable to the mozilla_plugin_t domain. -+ ++.PP ++If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_plugin_t, you must turn on the kerberos_enabled boolean. + +.EX -+.PP -+.B mozilla_plugin_rw_t ++.B setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the mozilla_plugin_rw_t type, if you want to treat the files as mozilla plugin read/write content. -+ -+ -+.EX -+.PP -+.B mozilla_plugin_tmp_t -+.EE -+ -+- Set files with the mozilla_plugin_tmp_t type, if you want to store mozilla plugin temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B mozilla_plugin_tmpfs_t -+.EE -+ -+- Set files with the mozilla_plugin_tmpfs_t type, if you want to store mozilla plugin files on a tmpfs file system. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
-+ +.SH "MANAGED FILES" + +The SELinux process type mozilla_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br +.B gnome_home_type + + @@ -50326,6 +88165,12 @@ index 0000000..a873bb4 +.br + /home/[^/]*/\.cert(/.*)? +.br ++ /home/pwalsh/.kde/share/apps/networkmanagement/certificates(/.*)? ++.br ++ /home/pwalsh/\.pki(/.*)? ++.br ++ /home/pwalsh/\.cert(/.*)? ++.br + /home/dwalsh/.kde/share/apps/networkmanagement/certificates(/.*)? +.br + /home/dwalsh/\.pki(/.*)? @@ -50342,6 +88187,8 @@ index 0000000..a873bb4 +.br +.B mozilla_home_t + ++ /home/[^/]*/\.lyx(/.*)? ++.br + /home/[^/]*/\.java(/.*)? +.br + /home/[^/]*/\.adobe(/.*)? 
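Review bot: the deny_ptrace paragraph added to the mozilla_plugin BOOLEANS section is inverted. "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" tells the reader to enable the boolean whose "on" state is the one that denies ptrace; the sentence should say "turn off", or the generator needs to special-case deny_* booleans whose enabled state is the restrictive one. Two smaller points in the same region: the MANAGED FILES lists for ecryptfs_t, gnome_home_type and mozilla_home_t now carry developer-specific paths (/home/pwalsh/..., /home/dwalsh/...) picked up from the generating host's home directory configuration, and those should be regenerated on a clean system rather than shipped in a man page; and "rather then using a sssd server" should read "rather than".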
@@ -50372,6 +88219,40 @@ index 0000000..a873bb4 +.br + /home/[^/]*/\.config/chromium(/.*)? +.br ++ /home/pwalsh/\.lyx(/.*)? ++.br ++ /home/pwalsh/\.java(/.*)? ++.br ++ /home/pwalsh/\.adobe(/.*)? ++.br ++ /home/pwalsh/\.gnash(/.*)? ++.br ++ /home/pwalsh/\.galeon(/.*)? ++.br ++ /home/pwalsh/\.spicec(/.*)? ++.br ++ /home/pwalsh/\.mozilla(/.*)? ++.br ++ /home/pwalsh/\.phoenix(/.*)? ++.br ++ /home/pwalsh/\.netscape(/.*)? ++.br ++ /home/pwalsh/\.ICAClient(/.*)? ++.br ++ /home/pwalsh/\.macromedia(/.*)? ++.br ++ /home/pwalsh/\.thunderbird(/.*)? ++.br ++ /home/pwalsh/\.gcjwebplugin(/.*)? ++.br ++ /home/pwalsh/\.icedteaplugin(/.*)? ++.br ++ /home/pwalsh/zimbrauserdata(/.*)? ++.br ++ /home/pwalsh/\.config/chromium(/.*)? ++.br ++ /home/dwalsh/\.lyx(/.*)? ++.br + /home/dwalsh/\.java(/.*)? +.br + /home/dwalsh/\.adobe(/.*)? @@ -50402,6 +88283,8 @@ index 0000000..a873bb4 +.br + /home/dwalsh/\.config/chromium(/.*)? +.br ++ /var/lib/xguest/home/xguest/\.lyx(/.*)? ++.br + /var/lib/xguest/home/xguest/\.java(/.*)? +.br + /var/lib/xguest/home/xguest/\.adobe(/.*)? 
@@ -50446,34 +88329,56 @@ index 0000000..a873bb4 + + /home/[^/]*/\.mplayer(/.*)? +.br ++ /home/pwalsh/\.mplayer(/.*)? ++.br + /home/dwalsh/\.mplayer(/.*)? +.br + /var/lib/xguest/home/xguest/\.mplayer(/.*)? +.br + +.br ++.B nfs_t ++ ++ ++.br +.B pulseaudio_home_t + + /root/\.pulse(/.*)? +.br ++ /root/\.config/pulse(/.*)? ++.br + /root/\.esd_auth +.br + /root/\.pulse-cookie +.br + /home/[^/]*/\.pulse(/.*)? +.br ++ /home/[^/]*/\.config/pulse(/.*)? ++.br + /home/[^/]*/\.esd_auth +.br + /home/[^/]*/\.pulse-cookie +.br ++ /home/pwalsh/\.pulse(/.*)? ++.br ++ /home/pwalsh/\.config/pulse(/.*)? ++.br ++ /home/pwalsh/\.esd_auth ++.br ++ /home/pwalsh/\.pulse-cookie ++.br + /home/dwalsh/\.pulse(/.*)? +.br ++ /home/dwalsh/\.config/pulse(/.*)? ++.br + /home/dwalsh/\.esd_auth +.br + /home/dwalsh/\.pulse-cookie +.br + /var/lib/xguest/home/xguest/\.pulse(/.*)? +.br ++ /var/lib/xguest/home/xguest/\.config/pulse(/.*)? ++.br + /var/lib/xguest/home/xguest/\.esd_auth +.br + /var/lib/xguest/home/xguest/\.pulse-cookie @@ -50494,6 +88399,12 @@ index 0000000..a873bb4 +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? 
@@ -50515,21 +88426,80 @@ index 0000000..a873bb4 + /dev/shm/pulse-shm.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux mozilla_plugin policy is very flexible allowing users to setup their mozilla_plugin processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mozilla_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mozilla_plugin_config_exec_t '/srv/mozilla_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymozilla_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mozilla_plugin: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B mozilla_plugin_config_exec_t +.EE + ++- Set files with the mozilla_plugin_config_exec_t type, if you want to transition an executable to the mozilla_plugin_config_t domain. ++ ++ ++.EX ++.PP ++.B mozilla_plugin_exec_t ++.EE ++ ++- Set files with the mozilla_plugin_exec_t type, if you want to transition an executable to the mozilla_plugin_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/lib/xulrunner[^/]*/plugin-container, /usr/lib/nspluginwrapper/npviewer.bin, /usr/bin/nspluginscan, /usr/bin/nspluginviewer ++ ++.EX ++.PP ++.B mozilla_plugin_rw_t ++.EE ++ ++- Set files with the mozilla_plugin_rw_t type, if you want to treat the files as mozilla plugin read/write content. ++ ++ ++.EX ++.PP ++.B mozilla_plugin_tmp_t ++.EE ++ ++- Set files with the mozilla_plugin_tmp_t type, if you want to store mozilla plugin temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B mozilla_plugin_tmpfs_t ++.EE ++ ++- Set files with the mozilla_plugin_tmpfs_t type, if you want to store mozilla plugin files on a tmpfs file system. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_plugin_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -50559,11 +88529,11 @@ index 0000000..a873bb4 \ No newline at end of file diff --git a/man/man8/mozilla_selinux.8 b/man/man8/mozilla_selinux.8 new file mode 100644 -index 0000000..5c7618a +index 0000000..ec6ab49 --- /dev/null +++ b/man/man8/mozilla_selinux.8 -@@ -0,0 +1,422 @@ -+.TH "mozilla_selinux" "8" "12-11-01" "mozilla" "SELinux Policy documentation for mozilla" +@@ -0,0 +1,645 @@ ++.TH "mozilla_selinux" "8" "13-01-16" "mozilla" "SELinux Policy documentation for mozilla" +.SH "NAME" +mozilla_selinux \- Security Enhanced Linux Policy for the mozilla processes +.SH "DESCRIPTION" 
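Review bot: the STANDARD FILE CONTEXT example in the new mozilla_plugin FILE CONTEXTS block labels one path and relabels another: `.B semanage fcontext -a -t mozilla_plugin_config_exec_t '/srv/mozilla_plugin/content(/.*)?'` is followed by `.B restorecon -R -v /srv/mymozilla_plugin_content`, so the restorecon never touches the directory the rule covers; make the two paths match. Using an *_exec_t type for a "content" directory is also a misleading example, since an exec type marks an entrypoint binary, not data; mozilla_plugin_rw_t, defined on the same page as read/write content, is the natural choice. Three text defects in the same block: `\fBls\bP` is not a valid troff font escape (`\b` is the bracket-building escape) and should be `\fBls\fP`, and "diffent paths" and "sepecify" should be "different paths" and "specify".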
@@ -50579,7 +88549,9 @@ index 0000000..5c7618a + +.SH "ENTRYPOINTS" + -+The mozilla_t SELinux type can be entered via the "mozilla_exec_t" file type. The default entrypoint paths for the mozilla_t domain are the following:" ++The mozilla_t SELinux type can be entered via the \fBmozilla_exec_t\fP file type. ++ ++The default entrypoint paths for the mozilla_t domain are the following: + +/usr/lib/[^/]*firefox[^/]*/firefox, /usr/lib/[^/]*firefox[^/]*/firefox-bin, /usr/lib/mozilla[^/]*/reg.+, /usr/lib/mozilla[^/]*/mozilla-.*, /usr/lib/firefox[^/]*/mozilla-.*, /usr/bin/mozilla-[0-9].*, /usr/lib/netscape/.+/communicator/communicator-smotif\.real, /usr/bin/mozilla-bin-[0-9].*, /usr/bin/mozilla, /usr/bin/netscape, /usr/bin/epiphany, /usr/bin/epiphany-bin, /usr/lib/galeon/galeon, /usr/bin/mozilla-snapshot, /usr/lib/netscape/base-4/wrapper +.SH PROCESS TYPES 
@@ -50597,69 +88569,467 @@ index 0000000..5c7618a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mozilla_t ++can be used to make the process type mozilla_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mozilla policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla with the tightest access possible. + + +.PP -+If you want to allow mozilla plugin domain to connect to the network using TCP, you must turn on the mozilla_plugin_can_network_connect boolean. -+ -+.EX -+.B setsebool -P mozilla_plugin_can_network_connect 1 -+.EE -+ -+.PP -+If you want to allow confined web browsers to read home directory content, you must turn on the mozilla_read_content boolean. ++If you want to allow confined web browsers to read home directory content, you must turn on the mozilla_read_content boolean. Disabled by default. + +.EX +.B setsebool -P mozilla_read_content 1 ++ +.EE + +.PP -+If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P mozilla_plugin_enable_homedirs 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean. 
++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. + +.EX -+.B setsebool -P unconfined_mozilla_plugin_transition 1 ++.B setsebool -P deny_execmem 1 ++ +.EE + +.PP -+If you want to allow mozilla plugin domain to connect to the network using TCP, you must turn on the mozilla_plugin_can_network_connect boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P mozilla_plugin_can_network_connect 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + +.PP -+If you want to allow confined web browsers to read home directory content, you must turn on the mozilla_read_content boolean. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.B setsebool -P mozilla_read_content 1 ++.B setsebool -P domain_fd_use 1 ++ +.EE + +.PP -+If you want to allow mozilla_plugins to create random content in the users home directory, you must turn on the mozilla_plugin_enable_homedirs boolean. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.B setsebool -P mozilla_plugin_enable_homedirs 1 ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + +.PP -+If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
+ +.EX -+.B setsebool -P unconfined_mozilla_plugin_transition 1 ++.B setsebool -P fips_mode 1 ++ +.EE + ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type mozilla_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B gconf_home_t ++ ++ /root/\.local.* ++.br ++ /root/\.gconf(d)?(/.*)? 
++.br ++ /home/[^/]*/\.local.* ++.br ++ /home/[^/]*/\.gconf(d)?(/.*)? ++.br ++ /home/pwalsh/\.local.* ++.br ++ /home/pwalsh/\.gconf(d)?(/.*)? ++.br ++ /home/dwalsh/\.local.* ++.br ++ /home/dwalsh/\.gconf(d)?(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.local.* ++.br ++ /var/lib/xguest/home/xguest/\.gconf(d)?(/.*)? ++.br ++ ++.br ++.B gnome_home_type ++ ++ ++.br ++.B mozilla_home_t ++ ++ /home/[^/]*/\.lyx(/.*)? ++.br ++ /home/[^/]*/\.java(/.*)? ++.br ++ /home/[^/]*/\.adobe(/.*)? ++.br ++ /home/[^/]*/\.gnash(/.*)? ++.br ++ /home/[^/]*/\.galeon(/.*)? ++.br ++ /home/[^/]*/\.spicec(/.*)? ++.br ++ /home/[^/]*/\.mozilla(/.*)? ++.br ++ /home/[^/]*/\.phoenix(/.*)? ++.br ++ /home/[^/]*/\.netscape(/.*)? ++.br ++ /home/[^/]*/\.ICAClient(/.*)? ++.br ++ /home/[^/]*/\.macromedia(/.*)? ++.br ++ /home/[^/]*/\.thunderbird(/.*)? ++.br ++ /home/[^/]*/\.gcjwebplugin(/.*)? ++.br ++ /home/[^/]*/\.icedteaplugin(/.*)? ++.br ++ /home/[^/]*/zimbrauserdata(/.*)? ++.br ++ /home/[^/]*/\.config/chromium(/.*)? ++.br ++ /home/pwalsh/\.lyx(/.*)? ++.br ++ /home/pwalsh/\.java(/.*)? ++.br ++ /home/pwalsh/\.adobe(/.*)? ++.br ++ /home/pwalsh/\.gnash(/.*)? ++.br ++ /home/pwalsh/\.galeon(/.*)? ++.br ++ /home/pwalsh/\.spicec(/.*)? ++.br ++ /home/pwalsh/\.mozilla(/.*)? ++.br ++ /home/pwalsh/\.phoenix(/.*)? ++.br ++ /home/pwalsh/\.netscape(/.*)? ++.br ++ /home/pwalsh/\.ICAClient(/.*)? ++.br ++ /home/pwalsh/\.macromedia(/.*)? ++.br ++ /home/pwalsh/\.thunderbird(/.*)? ++.br ++ /home/pwalsh/\.gcjwebplugin(/.*)? ++.br ++ /home/pwalsh/\.icedteaplugin(/.*)? ++.br ++ /home/pwalsh/zimbrauserdata(/.*)? ++.br ++ /home/pwalsh/\.config/chromium(/.*)? ++.br ++ /home/dwalsh/\.lyx(/.*)? ++.br ++ /home/dwalsh/\.java(/.*)? ++.br ++ /home/dwalsh/\.adobe(/.*)? ++.br ++ /home/dwalsh/\.gnash(/.*)? ++.br ++ /home/dwalsh/\.galeon(/.*)? ++.br ++ /home/dwalsh/\.spicec(/.*)? ++.br ++ /home/dwalsh/\.mozilla(/.*)? ++.br ++ /home/dwalsh/\.phoenix(/.*)? ++.br ++ /home/dwalsh/\.netscape(/.*)? ++.br ++ /home/dwalsh/\.ICAClient(/.*)? 
++.br ++ /home/dwalsh/\.macromedia(/.*)? ++.br ++ /home/dwalsh/\.thunderbird(/.*)? ++.br ++ /home/dwalsh/\.gcjwebplugin(/.*)? ++.br ++ /home/dwalsh/\.icedteaplugin(/.*)? ++.br ++ /home/dwalsh/zimbrauserdata(/.*)? ++.br ++ /home/dwalsh/\.config/chromium(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.lyx(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.java(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.adobe(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.gnash(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.galeon(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.spicec(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.mozilla(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.phoenix(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.netscape(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ICAClient(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.macromedia(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.thunderbird(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.icedteaplugin(/.*)? ++.br ++ /var/lib/xguest/home/xguest/zimbrauserdata(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config/chromium(/.*)? ++.br ++ ++.br ++.B mozilla_tmp_t ++ ++ ++.br ++.B mozilla_tmpfs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B pulseaudio_home_t ++ ++ /root/\.pulse(/.*)? ++.br ++ /root/\.config/pulse(/.*)? ++.br ++ /root/\.esd_auth ++.br ++ /root/\.pulse-cookie ++.br ++ /home/[^/]*/\.pulse(/.*)? ++.br ++ /home/[^/]*/\.config/pulse(/.*)? ++.br ++ /home/[^/]*/\.esd_auth ++.br ++ /home/[^/]*/\.pulse-cookie ++.br ++ /home/pwalsh/\.pulse(/.*)? ++.br ++ /home/pwalsh/\.config/pulse(/.*)? ++.br ++ /home/pwalsh/\.esd_auth ++.br ++ /home/pwalsh/\.pulse-cookie ++.br ++ /home/dwalsh/\.pulse(/.*)? ++.br ++ /home/dwalsh/\.config/pulse(/.*)? ++.br ++ /home/dwalsh/\.esd_auth ++.br ++ /home/dwalsh/\.pulse-cookie ++.br ++ /var/lib/xguest/home/xguest/\.pulse(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config/pulse(/.*)? 
++.br ++ /var/lib/xguest/home/xguest/\.esd_auth ++.br ++ /var/lib/xguest/home/xguest/\.pulse-cookie ++.br ++ ++.br ++.B user_fonts_cache_t ++ ++ /root/\.fontconfig(/.*)? ++.br ++ /root/\.fonts/auto(/.*)? ++.br ++ /root/\.fonts\.cache-.* ++.br ++ /home/[^/]*/\.fontconfig(/.*)? ++.br ++ /home/[^/]*/\.fonts/auto(/.*)? ++.br ++ /home/[^/]*/\.fonts\.cache-.* ++.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br ++ /home/dwalsh/\.fontconfig(/.*)? ++.br ++ /home/dwalsh/\.fonts/auto(/.*)? ++.br ++ /home/dwalsh/\.fonts\.cache-.* ++.br ++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts\.cache-.* ++.br ++ ++.br ++.B xserver_tmpfs_t ++ ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -50668,7 +89038,20 @@ index 0000000..5c7618a +Policy governs the access confined processes have to these files. +SELinux mozilla policy is very flexible allowing users to setup their mozilla processes in as secure a method as possible. +.PP -+The following file types are defined for mozilla: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mozilla, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mozilla_conf_t '/srv/mozilla/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymozilla_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mozilla: + + +.EX 
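Review bot: use_nfs_home_dirs is documented as "Disabled by default" in this mozilla_selinux.8 hunk but as "Enabled by default" in the mozilla_plugin_selinux.8 hunk earlier in the same patch; both pages are generated from one policy in one run, so one of them is wrong and the default the generator prints should be checked against the boolean's actual default (for example with getsebool). The same hunk repeats the inverted deny_ptrace wording ("to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean") and the mismatched example pair `semanage fcontext -a -t mozilla_conf_t '/srv/mozilla/content(/.*)?'` / `restorecon -R -v /srv/mymozilla_content`. The selinuxuser_execstack paragraph is a run-on produced by splicing a multi-sentence boolean description into the "If you want to ..., you must turn on" template ("... executable. This should never, ever be necessary. ... bugzilla, you must turn on the selinuxuser_execstack boolean"); descriptions fed to the generator need to be a single clause. Smaller items: "If you want to allows clients to write" should be "allow clients", and the MANAGED FILES list again ships /home/pwalsh and /home/dwalsh paths, while cifs_t, fusefs_t, nfs_t, gnome_home_type, mozilla_tmp_t, mozilla_tmpfs_t and xserver_tmpfs_t are printed as a bold type name followed by nothing, which reads like truncated output; the generator should emit an explicit "no default paths" line or skip those types.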
@@ -50686,6 +89069,10 @@ index 0000000..5c7618a + +- Set files with the mozilla_exec_t type, if you want to transition an executable to the mozilla_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/[^/]*firefox[^/]*/firefox, /usr/lib/[^/]*firefox[^/]*/firefox-bin, /usr/lib/mozilla[^/]*/reg.+, /usr/lib/mozilla[^/]*/mozilla-.*, /usr/lib/firefox[^/]*/mozilla-.*, /usr/bin/mozilla-[0-9].*, /usr/lib/netscape/.+/communicator/communicator-smotif\.real, /usr/bin/mozilla-bin-[0-9].*, /usr/bin/mozilla, /usr/bin/netscape, /usr/bin/epiphany, /usr/bin/epiphany-bin, /usr/lib/galeon/galeon, /usr/bin/mozilla-snapshot, /usr/lib/netscape/base-4/wrapper + +.EX +.PP 
@@ -50694,6 +89081,10 @@ index 0000000..5c7618a + +- Set files with the mozilla_home_t type, if you want to store mozilla files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.lyx(/.*)?, /home/[^/]*/\.java(/.*)?, /home/[^/]*/\.adobe(/.*)?, /home/[^/]*/\.gnash(/.*)?, /home/[^/]*/\.galeon(/.*)?, /home/[^/]*/\.spicec(/.*)?, /home/[^/]*/\.mozilla(/.*)?, /home/[^/]*/\.phoenix(/.*)?, /home/[^/]*/\.netscape(/.*)?, /home/[^/]*/\.ICAClient(/.*)?, /home/[^/]*/\.macromedia(/.*)?, /home/[^/]*/\.thunderbird(/.*)?, /home/[^/]*/\.gcjwebplugin(/.*)?, /home/[^/]*/\.icedteaplugin(/.*)?, /home/[^/]*/zimbrauserdata(/.*)?, /home/[^/]*/\.config/chromium(/.*)?, /home/pwalsh/\.lyx(/.*)?, /home/pwalsh/\.java(/.*)?, /home/pwalsh/\.adobe(/.*)?, /home/pwalsh/\.gnash(/.*)?, /home/pwalsh/\.galeon(/.*)?, /home/pwalsh/\.spicec(/.*)?, /home/pwalsh/\.mozilla(/.*)?, /home/pwalsh/\.phoenix(/.*)?, /home/pwalsh/\.netscape(/.*)?, /home/pwalsh/\.ICAClient(/.*)?, /home/pwalsh/\.macromedia(/.*)?, /home/pwalsh/\.thunderbird(/.*)?, /home/pwalsh/\.gcjwebplugin(/.*)?, /home/pwalsh/\.icedteaplugin(/.*)?, /home/pwalsh/zimbrauserdata(/.*)?, /home/pwalsh/\.config/chromium(/.*)?, /home/dwalsh/\.lyx(/.*)?, /home/dwalsh/\.java(/.*)?, /home/dwalsh/\.adobe(/.*)?, /home/dwalsh/\.gnash(/.*)?, /home/dwalsh/\.galeon(/.*)?, /home/dwalsh/\.spicec(/.*)?, /home/dwalsh/\.mozilla(/.*)?, /home/dwalsh/\.phoenix(/.*)?, /home/dwalsh/\.netscape(/.*)?, /home/dwalsh/\.ICAClient(/.*)?, /home/dwalsh/\.macromedia(/.*)?, /home/dwalsh/\.thunderbird(/.*)?, /home/dwalsh/\.gcjwebplugin(/.*)?, /home/dwalsh/\.icedteaplugin(/.*)?, /home/dwalsh/zimbrauserdata(/.*)?, /home/dwalsh/\.config/chromium(/.*)?, /var/lib/xguest/home/xguest/\.lyx(/.*)?, /var/lib/xguest/home/xguest/\.java(/.*)?, /var/lib/xguest/home/xguest/\.adobe(/.*)?, /var/lib/xguest/home/xguest/\.gnash(/.*)?, /var/lib/xguest/home/xguest/\.galeon(/.*)?, /var/lib/xguest/home/xguest/\.spicec(/.*)?, /var/lib/xguest/home/xguest/\.mozilla(/.*)?, 
/var/lib/xguest/home/xguest/\.phoenix(/.*)?, /var/lib/xguest/home/xguest/\.netscape(/.*)?, /var/lib/xguest/home/xguest/\.ICAClient(/.*)?, /var/lib/xguest/home/xguest/\.macromedia(/.*)?, /var/lib/xguest/home/xguest/\.thunderbird(/.*)?, /var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)?, /var/lib/xguest/home/xguest/\.icedteaplugin(/.*)?, /var/lib/xguest/home/xguest/zimbrauserdata(/.*)?, /var/lib/xguest/home/xguest/\.config/chromium(/.*)? + +.EX +.PP @@ -50710,6 +89101,10 @@ index 0000000..5c7618a + +- Set files with the mozilla_plugin_exec_t type, if you want to transition an executable to the mozilla_plugin_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/xulrunner[^/]*/plugin-container, /usr/lib/nspluginwrapper/npviewer.bin, /usr/bin/nspluginscan, /usr/bin/nspluginviewer + +.EX +.PP 
@@ -50758,208 +89153,6 @@ index 0000000..5c7618a +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type mozilla_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B gconf_home_t -+ -+ /root/\.local.* -+.br -+ /root/\.gconf(d)?(/.*)? -+.br -+ /home/[^/]*/\.local.* -+.br -+ /home/[^/]*/\.gconf(d)?(/.*)? -+.br -+ /home/dwalsh/\.local.* -+.br -+ /home/dwalsh/\.gconf(d)?(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.local.* -+.br -+ /var/lib/xguest/home/xguest/\.gconf(d)?(/.*)? -+.br -+ -+.br -+.B gnome_home_type -+ -+ -+.br -+.B mozilla_home_t -+ -+ /home/[^/]*/\.java(/.*)? -+.br -+ /home/[^/]*/\.adobe(/.*)? -+.br -+ /home/[^/]*/\.gnash(/.*)? -+.br -+ /home/[^/]*/\.galeon(/.*)? -+.br -+ /home/[^/]*/\.spicec(/.*)? -+.br -+ /home/[^/]*/\.mozilla(/.*)? -+.br -+ /home/[^/]*/\.phoenix(/.*)? -+.br -+ /home/[^/]*/\.netscape(/.*)? -+.br -+ /home/[^/]*/\.ICAClient(/.*)? -+.br -+ /home/[^/]*/\.macromedia(/.*)? -+.br -+ /home/[^/]*/\.thunderbird(/.*)? -+.br -+ /home/[^/]*/\.gcjwebplugin(/.*)? -+.br -+ /home/[^/]*/\.icedteaplugin(/.*)? -+.br -+ /home/[^/]*/zimbrauserdata(/.*)? -+.br -+ /home/[^/]*/\.config/chromium(/.*)? -+.br -+ /home/dwalsh/\.java(/.*)? -+.br -+ /home/dwalsh/\.adobe(/.*)? -+.br -+ /home/dwalsh/\.gnash(/.*)? -+.br -+ /home/dwalsh/\.galeon(/.*)? -+.br -+ /home/dwalsh/\.spicec(/.*)? -+.br -+ /home/dwalsh/\.mozilla(/.*)? -+.br -+ /home/dwalsh/\.phoenix(/.*)? -+.br -+ /home/dwalsh/\.netscape(/.*)? -+.br -+ /home/dwalsh/\.ICAClient(/.*)? -+.br -+ /home/dwalsh/\.macromedia(/.*)? -+.br -+ /home/dwalsh/\.thunderbird(/.*)? -+.br -+ /home/dwalsh/\.gcjwebplugin(/.*)? -+.br -+ /home/dwalsh/\.icedteaplugin(/.*)? -+.br -+ /home/dwalsh/zimbrauserdata(/.*)? -+.br -+ /home/dwalsh/\.config/chromium(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.java(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.adobe(/.*)? 
-+.br -+ /var/lib/xguest/home/xguest/\.gnash(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.galeon(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.spicec(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.mozilla(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.phoenix(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.netscape(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.ICAClient(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.macromedia(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.thunderbird(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.gcjwebplugin(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.icedteaplugin(/.*)? -+.br -+ /var/lib/xguest/home/xguest/zimbrauserdata(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.config/chromium(/.*)? -+.br -+ -+.br -+.B mozilla_tmp_t -+ -+ -+.br -+.B mozilla_tmpfs_t -+ -+ -+.br -+.B pulseaudio_home_t -+ -+ /root/\.pulse(/.*)? -+.br -+ /root/\.esd_auth -+.br -+ /root/\.pulse-cookie -+.br -+ /home/[^/]*/\.pulse(/.*)? -+.br -+ /home/[^/]*/\.esd_auth -+.br -+ /home/[^/]*/\.pulse-cookie -+.br -+ /home/dwalsh/\.pulse(/.*)? -+.br -+ /home/dwalsh/\.esd_auth -+.br -+ /home/dwalsh/\.pulse-cookie -+.br -+ /var/lib/xguest/home/xguest/\.pulse(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.esd_auth -+.br -+ /var/lib/xguest/home/xguest/\.pulse-cookie -+.br -+ -+.br -+.B user_fonts_cache_t -+ -+ /root/\.fontconfig(/.*)? -+.br -+ /root/\.fonts/auto(/.*)? -+.br -+ /root/\.fonts\.cache-.* -+.br -+ /home/[^/]*/\.fontconfig(/.*)? -+.br -+ /home/[^/]*/\.fonts/auto(/.*)? -+.br -+ /home/[^/]*/\.fonts\.cache-.* -+.br -+ /home/dwalsh/\.fontconfig(/.*)? -+.br -+ /home/dwalsh/\.fonts/auto(/.*)? -+.br -+ /home/dwalsh/\.fonts\.cache-.* -+.br -+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? 
-+.br -+ /var/lib/xguest/home/xguest/\.fonts\.cache-.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -50988,11 +89181,11 @@ index 0000000..5c7618a \ No newline at end of file diff --git a/man/man8/mpd_selinux.8 b/man/man8/mpd_selinux.8 new file mode 100644 -index 0000000..ee3fb08 +index 0000000..c577a3b --- /dev/null +++ b/man/man8/mpd_selinux.8 -@@ -0,0 +1,296 @@ -+.TH "mpd_selinux" "8" "12-11-01" "mpd" "SELinux Policy documentation for mpd" +@@ -0,0 +1,482 @@ ++.TH "mpd_selinux" "8" "13-01-16" "mpd" "SELinux Policy documentation for mpd" +.SH "NAME" +mpd_selinux \- Security Enhanced Linux Policy for the mpd processes +.SH "DESCRIPTION" @@ -51008,7 +89201,9 @@ index 0000000..ee3fb08 + +.SH "ENTRYPOINTS" + -+The mpd_t SELinux type can be entered via the "mpd_exec_t" file type. The default entrypoint paths for the mpd_t domain are the following:" ++The mpd_t SELinux type can be entered via the \fBmpd_exec_t\fP file type. ++ ++The default entrypoint paths for the mpd_t domain are the following: + +/usr/bin/mpd +.SH PROCESS TYPES 
@@ -51026,83 +89221,306 @@ index 0000000..ee3fb08 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mpd_t ++can be used to make the process type mpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mpd with the tightest access possible. + + +.PP -+If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean. ++If you want to determine whether mpd can traverse user home directories, you must turn on the mpd_enable_homedirs boolean. Disabled by default. + +.EX -+.B setsebool -P mplayer_execstack 1 ++.B setsebool -P mpd_enable_homedirs 1 ++ +.EE + +.PP -+If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. ++If you want to determine whether mpd can use cifs file systems, you must turn on the mpd_use_cifs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mpd_use_cifs 1 ++ ++.EE ++ ++.PP ++If you want to determine whether mpd can use nfs file systems, you must turn on the mpd_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mpd_use_nfs 1 ++ ++.EE ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. 
+ +.EX +.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.B setsebool -P gssd_read_tmp 1 ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + +.PP -+If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_tmp_exec 1 ++.B setsebool -P daemons_use_tty 1 ++ +.EE + +.PP -+If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P unconfined_mplayer 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + +.PP -+If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.B setsebool -P mplayer_execstack 1 ++.B setsebool -P domain_fd_use 1 ++ +.EE + +.PP -+If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.B setsebool -P daemons_dump_core 1 ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + +.PP -+If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. 
Enabled by default. + +.EX -+.B setsebool -P gssd_read_tmp 1 ++.B setsebool -P fips_mode 1 ++ +.EE + +.PP -+If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_tmp_exec 1 ++.B setsebool -P global_ssp 1 ++ +.EE + +.PP -+If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean. ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.B setsebool -P unconfined_mplayer 1 ++.B setsebool -P kerberos_enabled 1 ++ +.EE + ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mpd_t, mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mpd_t, mplayer_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible. ++.PP ++The following port types are defined for mpd: ++ ++.EX ++.TP 5 ++.B mpd_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 6600 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type mpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B mpd_data_t ++ ++ /var/lib/mpd/music(/.*)? ++.br ++ /var/lib/mpd/playlists(/.*)? ++.br ++ ++.br ++.B mpd_tmp_t ++ ++ ++.br ++.B mpd_tmpfs_t ++ ++ ++.br ++.B mpd_var_lib_t ++ ++ /var/lib/mpd(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B pulseaudio_home_t ++ ++ /root/\.pulse(/.*)? ++.br ++ /root/\.config/pulse(/.*)? ++.br ++ /root/\.esd_auth ++.br ++ /root/\.pulse-cookie ++.br ++ /home/[^/]*/\.pulse(/.*)? ++.br ++ /home/[^/]*/\.config/pulse(/.*)? ++.br ++ /home/[^/]*/\.esd_auth ++.br ++ /home/[^/]*/\.pulse-cookie ++.br ++ /home/pwalsh/\.pulse(/.*)? ++.br ++ /home/pwalsh/\.config/pulse(/.*)? 
++.br ++ /home/pwalsh/\.esd_auth ++.br ++ /home/pwalsh/\.pulse-cookie ++.br ++ /home/dwalsh/\.pulse(/.*)? ++.br ++ /home/dwalsh/\.config/pulse(/.*)? ++.br ++ /home/dwalsh/\.esd_auth ++.br ++ /home/dwalsh/\.pulse-cookie ++.br ++ /var/lib/xguest/home/xguest/\.pulse(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config/pulse(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.esd_auth ++.br ++ /var/lib/xguest/home/xguest/\.pulse-cookie ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -51111,7 +89529,31 @@ index 0000000..ee3fb08 +Policy governs the access confined processes have to these files. +SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible. +.PP -+The following file types are defined for mpd: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++mpd policy stores data with multiple different file context types under the /var/lib/mpd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/mpd /srv/mpd ++.br ++.B restorecon -R -v /srv/mpd ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mpd_data_t '/srv/mpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mympd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mpd: + + +.EX @@ -51121,6 +89563,10 @@ index 0000000..ee3fb08 + +- Set files with the mpd_data_t type, if you want to treat the files as mpd content. + ++.br ++.TP 5 ++Paths: ++/var/lib/mpd/music(/.*)?, /var/lib/mpd/playlists(/.*)? + +.EX +.PP @@ -51172,6 +89618,14 @@ index 0000000..ee3fb08 + +.EX +.PP ++.B mpd_user_data_t ++.EE ++ ++- Set files with the mpd_user_data_t type, if you want to treat the files as mpd user content. ++ ++ ++.EX ++.PP +.B mpd_var_lib_t +.EE + 
@@ -51185,81 +89639,6 @@ index 0000000..ee3fb08 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux mpd policy is very flexible allowing users to setup their mpd processes in as secure a method as possible. -+.PP -+The following port types are defined for mpd: -+ -+.EX -+.TP 5 -+.B mpd_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 6600 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type mpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B anon_inodefs_t -+ -+ -+.br -+.B mpd_data_t -+ -+ /var/lib/mpd/music(/.*)? -+.br -+ /var/lib/mpd/playlists(/.*)? -+.br -+ -+.br -+.B mpd_log_t -+ -+ /var/log/mpd(/.*)? -+.br -+ -+.br -+.B mpd_tmp_t -+ -+ -+.br -+.B mpd_tmpfs_t -+ -+ -+.br -+.B mpd_var_lib_t -+ -+ /var/lib/mpd(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mpd_t, mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the mpd_t, mplayer_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -51291,11 +89670,11 @@ index 0000000..ee3fb08 \ No newline at end of file diff --git a/man/man8/mplayer_selinux.8 b/man/man8/mplayer_selinux.8 new file mode 100644 -index 0000000..5be39fe +index 0000000..1aa03fd --- /dev/null 
+++ b/man/man8/mplayer_selinux.8 -@@ -0,0 +1,206 @@ -+.TH "mplayer_selinux" "8" "12-11-01" "mplayer" "SELinux Policy documentation for mplayer" +@@ -0,0 +1,427 @@ ++.TH "mplayer_selinux" "8" "13-01-16" "mplayer" "SELinux Policy documentation for mplayer" +.SH "NAME" +mplayer_selinux \- Security Enhanced Linux Policy for the mplayer processes +.SH "DESCRIPTION" @@ -51311,7 +89690,9 @@ index 0000000..5be39fe + +.SH "ENTRYPOINTS" + -+The mplayer_t SELinux type can be entered via the "mplayer_exec_t" file type. The default entrypoint paths for the mplayer_t domain are the following:" ++The mplayer_t SELinux type can be entered via the \fBmplayer_exec_t\fP file type. ++ ++The default entrypoint paths for the mplayer_t domain are the following: + +/usr/bin/vlc, /usr/bin/xine, /usr/bin/mplayer +.SH PROCESS TYPES 
@@ -51329,41 +89710,301 @@ index 0000000..5be39fe +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mplayer_t ++can be used to make the process type mplayer_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mplayer policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mplayer with the tightest access possible. + + +.PP -+If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean. ++If you want to determine whether mplayer can make its stack executable, you must turn on the mplayer_execstack boolean. Disabled by default. + +.EX +.B setsebool -P mplayer_execstack 1 ++ +.EE + +.PP -+If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P unconfined_mplayer 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow mplayer executable stack, you must turn on the mplayer_execstack boolean. ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. + +.EX -+.B setsebool -P mplayer_execstack 1 ++.B setsebool -P deny_execmem 1 ++ +.EE + +.PP -+If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean. 
++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P unconfined_mplayer 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mplayer_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type mplayer_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B mplayer_home_t ++ ++ /home/[^/]*/\.mplayer(/.*)? ++.br ++ /home/pwalsh/\.mplayer(/.*)? ++.br ++ /home/dwalsh/\.mplayer(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.mplayer(/.*)? ++.br ++ ++.br ++.B mplayer_tmpfs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B pulseaudio_home_t ++ ++ /root/\.pulse(/.*)? ++.br ++ /root/\.config/pulse(/.*)? 
++.br ++ /root/\.esd_auth ++.br ++ /root/\.pulse-cookie ++.br ++ /home/[^/]*/\.pulse(/.*)? ++.br ++ /home/[^/]*/\.config/pulse(/.*)? ++.br ++ /home/[^/]*/\.esd_auth ++.br ++ /home/[^/]*/\.pulse-cookie ++.br ++ /home/pwalsh/\.pulse(/.*)? ++.br ++ /home/pwalsh/\.config/pulse(/.*)? ++.br ++ /home/pwalsh/\.esd_auth ++.br ++ /home/pwalsh/\.pulse-cookie ++.br ++ /home/dwalsh/\.pulse(/.*)? ++.br ++ /home/dwalsh/\.config/pulse(/.*)? ++.br ++ /home/dwalsh/\.esd_auth ++.br ++ /home/dwalsh/\.pulse-cookie ++.br ++ /var/lib/xguest/home/xguest/\.pulse(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config/pulse(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.esd_auth ++.br ++ /var/lib/xguest/home/xguest/\.pulse-cookie ++.br ++ ++.br ++.B user_fonts_cache_t ++ ++ /root/\.fontconfig(/.*)? ++.br ++ /root/\.fonts/auto(/.*)? ++.br ++ /root/\.fonts\.cache-.* ++.br ++ /home/[^/]*/\.fontconfig(/.*)? ++.br ++ /home/[^/]*/\.fonts/auto(/.*)? ++.br ++ /home/[^/]*/\.fonts\.cache-.* ++.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br ++ /home/dwalsh/\.fontconfig(/.*)? ++.br ++ /home/dwalsh/\.fonts/auto(/.*)? ++.br ++ /home/dwalsh/\.fonts\.cache-.* ++.br ++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts\.cache-.* ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.br ++.B xserver_tmpfs_t ++ ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -51372,7 +90013,20 @@ index 0000000..5be39fe +Policy governs the access confined processes have to these files. +SELinux mplayer policy is very flexible allowing users to setup their mplayer processes in as secure a method as possible. +.PP -+The following file types are defined for mplayer: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mplayer, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mplayer_etc_t '/srv/mplayer/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymplayer_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mplayer: + + +.EX @@ -51390,6 +90044,10 @@ index 0000000..5be39fe + +- Set files with the mplayer_exec_t type, if you want to transition an executable to the mplayer_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/vlc, /usr/bin/xine, /usr/bin/mplayer + +.EX +.PP @@ -51398,6 +90056,10 @@ index 0000000..5be39fe + +- Set files with the mplayer_home_t type, if you want to store mplayer files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.mplayer(/.*)?, /home/pwalsh/\.mplayer(/.*)?, /home/dwalsh/\.mplayer(/.*)?, /var/lib/xguest/home/xguest/\.mplayer(/.*)? + +.EX +.PP 
@@ -51414,68 +90076,6 @@ index 0000000..5be39fe +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type mplayer_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B mplayer_home_t -+ -+ /home/[^/]*/\.mplayer(/.*)? -+.br -+ /home/dwalsh/\.mplayer(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.mplayer(/.*)? -+.br -+ -+.br -+.B mplayer_tmpfs_t -+ -+ -+.br -+.B user_fonts_cache_t -+ -+ /root/\.fontconfig(/.*)? -+.br -+ /root/\.fonts/auto(/.*)? -+.br -+ /root/\.fonts\.cache-.* -+.br -+ /home/[^/]*/\.fontconfig(/.*)? -+.br -+ /home/[^/]*/\.fonts/auto(/.*)? -+.br -+ /home/[^/]*/\.fonts\.cache-.* -+.br -+ /home/dwalsh/\.fontconfig(/.*)? -+.br -+ /home/dwalsh/\.fonts/auto(/.*)? -+.br -+ /home/dwalsh/\.fonts\.cache-.* -+.br -+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.fonts\.cache-.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the mplayer_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -51504,11 +90104,11 @@ index 0000000..5be39fe \ No newline at end of file diff --git a/man/man8/mrtg_selinux.8 b/man/man8/mrtg_selinux.8 new file mode 100644 -index 0000000..f49743b +index 0000000..85ec1e7 --- /dev/null 
+++ b/man/man8/mrtg_selinux.8 -@@ -0,0 +1,210 @@ -+.TH "mrtg_selinux" "8" "12-11-01" "mrtg" "SELinux Policy documentation for mrtg" +@@ -0,0 +1,332 @@ ++.TH "mrtg_selinux" "8" "13-01-16" "mrtg" "SELinux Policy documentation for mrtg" +.SH "NAME" +mrtg_selinux \- Security Enhanced Linux Policy for the mrtg processes +.SH "DESCRIPTION" @@ -51524,7 +90124,9 @@ index 0000000..f49743b + +.SH "ENTRYPOINTS" + -+The mrtg_t SELinux type can be entered via the "mrtg_exec_t" file type. The default entrypoint paths for the mrtg_t domain are the following:" ++The mrtg_t SELinux type can be entered via the \fBmrtg_exec_t\fP file type. ++ ++The default entrypoint paths for the mrtg_t domain are the following: + +/usr/bin/mrtg +.SH PROCESS TYPES 
@@ -51542,74 +90144,108 @@ index 0000000..f49743b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mrtg_t ++can be used to make the process type mrtg_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux mrtg policy is very flexible allowing users to setup their mrtg processes in as secure a method as possible. -+.PP -+The following file types are defined for mrtg: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mrtg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mrtg with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B mrtg_etc_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the mrtg_etc_t type, if you want to store mrtg files in the /etc directories. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B mrtg_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the mrtg_exec_t type, if you want to transition an executable to the mrtg_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
+ +.EX -+.PP -+.B mrtg_lock_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the mrtg_lock_t type, if you want to treat the files as mrtg lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B mrtg_log_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the mrtg_log_t type, if you want to treat the data as mrtg log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B mrtg_var_lib_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the mrtg_var_lib_t type, if you want to store the mrtg files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B mrtg_var_run_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the mrtg_var_run_t type, if you want to store the mrtg files under the /run directory. ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mrtg_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mrtg_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -51636,18 +90272,16 @@ index 0000000..f49743b +.br + /usr/share/drupal.* +.br ++ /usr/share/z-push(/.*)? ++.br + /var/www/svn/conf(/.*)? +.br + /usr/share/icecast(/.*)? +.br -+ /usr/share/mythweb(/.*)? -+.br + /var/lib/cacti/rra(/.*)? +.br + /usr/share/ntop/html(/.*)? +.br -+ /usr/share/mythtv/data(/.*)? -+.br + /usr/share/doc/ghc/html(/.*)? +.br + /usr/share/openca/htdocs(/.*)? @@ -51660,13 +90294,11 @@ index 0000000..f49743b + + /var/lock/mrtg(/.*)? +.br ++ /var/lock/mrtg-rrd(/.*)? ++.br + /etc/mrtg/mrtg\.ok +.br -+ -+.br -+.B mrtg_log_t -+ -+ /var/log/mrtg(/.*)? ++ /var/lock/subsys/mrtg +.br + +.br 
@@ -51681,22 +90313,108 @@ index 0000000..f49743b + /var/run/mrtg\.pid +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux mrtg policy is very flexible allowing users to setup their mrtg processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mrtg_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the mrtg_t, you must turn on the kerberos_enabled boolean. ++mrtg policy stores data with multiple different file context types under the /var/lock/mrtg directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lock/mrtg /srv/mrtg ++.br ++.B restorecon -R -v /srv/mrtg ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mrtg, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mrtg_etc_t '/srv/mrtg/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymrtg_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for mrtg: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B mrtg_etc_t +.EE + ++- Set files with the mrtg_etc_t type, if you want to store mrtg files in the /etc directories. ++ ++ ++.EX ++.PP ++.B mrtg_exec_t ++.EE ++ ++- Set files with the mrtg_exec_t type, if you want to transition an executable to the mrtg_t domain. ++ ++ ++.EX ++.PP ++.B mrtg_initrc_exec_t ++.EE ++ ++- Set files with the mrtg_initrc_exec_t type, if you want to transition an executable to the mrtg_initrc_t domain. ++ ++ ++.EX ++.PP ++.B mrtg_lock_t ++.EE ++ ++- Set files with the mrtg_lock_t type, if you want to treat the files as mrtg lock data, stored under the /var/lock directory ++ ++.br ++.TP 5 ++Paths: ++/var/lock/mrtg(/.*)?, /var/lock/mrtg-rrd(/.*)?, /etc/mrtg/mrtg\.ok, /var/lock/subsys/mrtg ++ ++.EX ++.PP ++.B mrtg_log_t ++.EE ++ ++- Set files with the mrtg_log_t type, if you want to treat the data as mrtg log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B mrtg_var_lib_t ++.EE ++ ++- Set files with the mrtg_var_lib_t type, if you want to store the mrtg files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B mrtg_var_run_t ++.EE ++ ++- Set files with the mrtg_var_run_t type, if you want to store the mrtg files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -51707,6 +90425,9 @@ index 0000000..f49743b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -51718,13 +90439,15 @@ index 0000000..f49743b + +.SH "SEE ALSO" +selinux(8), mrtg(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/mscan_selinux.8 b/man/man8/mscan_selinux.8 new file mode 100644 -index 0000000..3349daa +index 0000000..9a4e931 --- /dev/null +++ b/man/man8/mscan_selinux.8 -@@ -0,0 +1,204 @@ -+.TH "mscan_selinux" "8" "12-11-01" "mscan" "SELinux Policy documentation for mscan" +@@ -0,0 +1,311 @@ ++.TH "mscan_selinux" "8" "13-01-16" "mscan" "SELinux Policy documentation for mscan" +.SH "NAME" +mscan_selinux \- Security Enhanced Linux Policy for the mscan processes +.SH "DESCRIPTION" @@ -51740,7 +90463,9 @@ index 0000000..3349daa + +.SH "ENTRYPOINTS" + -+The mscan_t SELinux type can be entered via the "mscan_exec_t" file type. The default entrypoint paths for the mscan_t domain are the following:" ++The mscan_t SELinux type can be entered via the \fBmscan_exec_t\fP file type. ++ ++The default entrypoint paths for the mscan_t domain are the following: + +/usr/sbin/MailScanner +.SH PROCESS TYPES 
@@ -51758,41 +90483,173 @@ index 0000000..3349daa +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mscan_t ++can be used to make the process type mscan_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mscan with the tightest access possible. + + +.PP -+If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P clamscan_can_scan_system 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P clamscan_read_user_content 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow clamscan to non security files on a system, you must turn on the clamscan_can_scan_system boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.B setsebool -P clamscan_can_scan_system 1 ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + +.PP -+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean. 
++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.B setsebool -P clamscan_read_user_content 1 ++.B setsebool -P daemons_use_tty 1 ++ +.EE + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mscan_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mscan_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type mscan_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B clamd_var_run_t ++ ++ /var/run/clamd.* ++.br ++ /var/run/clamav.* ++.br ++ /var/run/amavis(d)?/clamd\.pid ++.br ++ /var/spool/amavisd/clamd\.sock ++.br ++ ++.br ++.B mqueue_spool_t ++ ++ /var/spool/(client)?mqueue(/.*)? ++.br ++ /var/spool/mqueue\.in(/.*)? ++.br ++ ++.br ++.B mscan_spool_t ++ ++ /var/spool/MailScanner(/.*)? ++.br ++ ++.br ++.B mscan_tmp_t ++ ++ ++.br ++.B mscan_var_run_t ++ ++ /var/run/MailScanner\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -51801,7 +90658,20 @@ index 0000000..3349daa +Policy governs the access confined processes have to these files. +SELinux mscan policy is very flexible allowing users to setup their mscan processes in as secure a method as possible. +.PP -+The following file types are defined for mscan: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mscan, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mscan_etc_t '/srv/mscan/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymscan_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mscan: + + +.EX 
@@ -51811,6 +90681,10 @@ index 0000000..3349daa + +- Set files with the mscan_etc_t type, if you want to store mscan files in the /etc directories. + ++.br ++.TP 5 ++Paths: ++/etc/MailScanner(/.*)?, /etc/sysconfig/MailScanner, /etc/sysconfig/update_spamassassin + +.EX +.PP @@ -51830,6 +90704,14 @@ index 0000000..3349daa + +.EX +.PP ++.B mscan_spool_t ++.EE ++ ++- Set files with the mscan_spool_t type, if you want to store the mscan files under the /var/spool directory. ++ ++ ++.EX ++.PP +.B mscan_tmp_t +.EE + @@ -51841,7 +90723,7 @@ index 0000000..3349daa +.B mscan_var_run_t +.EE + -+- Set files with the mscan_var_run_t type, if you want to store the mscan files under the /run directory. ++- Set files with the mscan_var_run_t type, if you want to store the mscan files under the /run or /var/run directory. + + +.PP 
@@ -51851,58 +90733,6 @@ index 0000000..3349daa +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type mscan_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B clamd_var_run_t -+ -+ /var/run/clamd.* -+.br -+ /var/run/clamav.* -+.br -+ /var/run/amavis(d)?/clamd\.pid -+.br -+ /var/spool/MailScanner(/.*)? -+.br -+ /var/spool/amavisd/clamd\.sock -+.br -+ -+.br -+.B mqueue_spool_t -+ -+ /var/spool/(client)?mqueue(/.*)? -+.br -+ /var/spool/mqueue\.in(/.*)? -+.br -+ -+.br -+.B mscan_tmp_t -+ -+ -+.br -+.B mscan_var_run_t -+ -+ /var/run/MailScanner\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mscan_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the mscan_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -51931,11 +90761,11 @@ index 0000000..3349daa \ No newline at end of file diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8 new file mode 100644 -index 0000000..4e6e830 +index 0000000..c1601b9 --- /dev/null +++ b/man/man8/munin_selinux.8 -@@ -0,0 +1,222 @@ -+.TH "munin_selinux" "8" "12-11-01" "munin" "SELinux Policy documentation for munin" +@@ -0,0 +1,358 @@ ++.TH "munin_selinux" "8" "13-01-16" "munin" "SELinux Policy documentation for munin" +.SH "NAME" +munin_selinux \- Security Enhanced Linux Policy for the munin processes +.SH "DESCRIPTION" 
@@ -51951,9 +90781,11 @@ index 0000000..4e6e830 + +.SH "ENTRYPOINTS" + -+The munin_t SELinux type can be entered via the "munin_exec_t" file type. The default entrypoint paths for the munin_t domain are the following:" ++The munin_t SELinux type can be entered via the \fBmunin_exec_t\fP file type. + -+/usr/bin/munin-.*, /usr/sbin/munin-.*, /usr/share/munin/munin-.*, /usr/share/munin/plugins/.* ++The default entrypoint paths for the munin_t domain are the following: ++ ++/usr/bin/munin-.*, /usr/sbin/munin-.*, /usr/share/munin/munin-.* +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -51969,8 +90801,189 @@ index 0000000..4e6e830 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a munin_t ++can be used to make the process type munin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. munin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run munin with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the munin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the munin_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. 
++SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible. ++.PP ++The following port types are defined for munin: ++ ++.EX ++.TP 5 ++.B munin_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 4949 ++.EE ++udp 4949 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type munin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B httpd_munin_content_t ++ ++ /var/www/html/munin(/.*)? ++.br ++ ++.br ++.B munin_plugin_state_t ++ ++ /var/lib/munin/plugin-state(/.*)? ++.br ++ ++.br ++.B munin_tmp_t ++ ++ ++.br ++.B munin_var_lib_t ++ ++ /var/lib/munin(/.*)? ++.br ++ ++.br ++.B munin_var_run_t ++ ++ /var/run/munin(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -51980,7 +90993,31 @@ index 0000000..4e6e830 +Policy governs the access confined processes have to these files. +SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible. +.PP -+The following file types are defined for munin: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++munin policy stores data with multiple different file context types under the /var/lib/munin directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/munin /srv/munin ++.br ++.B restorecon -R -v /srv/munin ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the munin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t munin_etc_t '/srv/munin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymunin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for munin: + + +.EX @@ -51998,6 +91035,10 @@ index 0000000..4e6e830 + +- Set files with the munin_exec_t type, if you want to transition an executable to the munin_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/munin-.*, /usr/sbin/munin-.*, /usr/share/munin/munin-.* + +.EX +.PP @@ -52044,7 +91085,7 @@ index 0000000..4e6e830 +.B munin_var_run_t +.EE + -+- Set files with the munin_var_run_t type, if you want to store the munin files under the /run directory. ++- Set files with the munin_var_run_t type, if you want to store the munin files under the /run or /var/run directory. + + +.PP 
@@ -52054,85 +91095,6 @@ index 0000000..4e6e830 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux munin policy is very flexible allowing users to setup their munin processes in as secure a method as possible. -+.PP -+The following port types are defined for munin: -+ -+.EX -+.TP 5 -+.B munin_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 4949 -+.EE -+udp 4949 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type munin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B httpd_munin_content_t -+ -+ /var/www/html/munin(/.*)? -+.br -+ -+.br -+.B munin_log_t -+ -+ /var/log/munin.* -+.br -+ -+.br -+.B munin_plugin_state_t -+ -+ /var/lib/munin/plugin-state(/.*)? -+.br -+ -+.br -+.B munin_tmp_t -+ -+ -+.br -+.B munin_var_lib_t -+ -+ /var/lib/munin(/.*)? -+.br -+ -+.br -+.B munin_var_run_t -+ -+ /var/run/munin(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the munin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the munin_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -52146,6 +91108,9 @@ index 0000000..4e6e830 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -52157,13 +91122,15 @@ index 0000000..4e6e830 + +.SH "SEE ALSO" +selinux(8), munin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/mysqld_safe_selinux.8 b/man/man8/mysqld_safe_selinux.8 new file mode 100644 -index 0000000..33c4086 +index 0000000..3ff5cca --- /dev/null +++ b/man/man8/mysqld_safe_selinux.8 -@@ -0,0 +1,111 @@ -+.TH "mysqld_safe_selinux" "8" "12-11-01" "mysqld_safe" "SELinux Policy documentation for mysqld_safe" +@@ -0,0 +1,203 @@ ++.TH "mysqld_safe_selinux" "8" "13-01-16" "mysqld_safe" "SELinux Policy documentation for mysqld_safe" +.SH "NAME" +mysqld_safe_selinux \- Security Enhanced Linux Policy for the mysqld_safe processes +.SH "DESCRIPTION" @@ -52179,7 +91146,9 @@ index 0000000..33c4086 + +.SH "ENTRYPOINTS" + -+The mysqld_safe_t SELinux type can be entered via the "mysqld_safe_exec_t" file type. The default entrypoint paths for the mysqld_safe_t domain are the following:" ++The mysqld_safe_t SELinux type can be entered via the \fBmysqld_safe_exec_t\fP file type. ++ ++The default entrypoint paths for the mysqld_safe_t domain are the following: + +/usr/bin/mysqld_safe +.SH PROCESS TYPES 
@@ -52197,34 +91166,76 @@ index 0000000..33c4086 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mysqld_safe_t ++can be used to make the process type mysqld_safe_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux mysqld_safe policy is very flexible allowing users to setup their mysqld_safe processes in as secure a method as possible. -+.PP -+The following file types are defined for mysqld_safe: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mysqld_safe policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mysqld_safe with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B mysqld_safe_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the mysqld_safe_exec_t type, if you want to transition an executable to the mysqld_safe_t domain. ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -52250,7 +91261,52 @@ index 0000000..33c4086 + /var/lib/mysql/mysql\.sock +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux mysqld_safe policy is very flexible allowing users to setup their mysqld_safe processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mysqld_safe, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mysqld_safe_exec_t '/srv/mysqld_safe/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymysqld_safe_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mysqld_safe: ++ ++ ++.EX ++.PP ++.B mysqld_safe_exec_t ++.EE ++ ++- Set files with the mysqld_safe_exec_t type, if you want to transition an executable to the mysqld_safe_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -52262,6 +91318,9 @@ index 0000000..33c4086 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -52273,15 +91332,15 @@ index 0000000..33c4086 + +.SH "SEE ALSO" +selinux(8), mysqld_safe(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, mysqld_selinux(8), mysqld_selinux(8) ++, setsebool(8), mysqld_selinux(8), mysqld_selinux(8) \ No newline at end of file diff --git a/man/man8/mysqld_selinux.8 b/man/man8/mysqld_selinux.8 new file mode 100644 -index 0000000..4a21c03 +index 0000000..d91c68f --- /dev/null +++ b/man/man8/mysqld_selinux.8 -@@ -0,0 +1,283 @@ -+.TH "mysqld_selinux" "8" "12-11-01" "mysqld" "SELinux Policy documentation for mysqld" +@@ -0,0 +1,433 @@ ++.TH "mysqld_selinux" "8" "13-01-16" "mysqld" "SELinux Policy documentation for mysqld" +.SH "NAME" +mysqld_selinux \- Security Enhanced Linux Policy for the mysqld processes +.SH "DESCRIPTION" @@ -52297,7 +91356,9 @@ index 0000000..4a21c03 + +.SH "ENTRYPOINTS" + -+The mysqld_t SELinux type can be entered via the "mysqld_exec_t" file type. The default entrypoint paths for the mysqld_t domain are the following:" ++The mysqld_t SELinux type can be entered via the \fBmysqld_exec_t\fP file type. ++ ++The default entrypoint paths for the mysqld_t domain are the following: + +/usr/sbin/mysqld(-max)?, /usr/sbin/ndbd, /usr/libexec/mysqld, /usr/bin/mysql_upgrade +.SH PROCESS TYPES 
@@ -52315,139 +91376,157 @@ index 0000000..4a21c03 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mysqld_t ++can be used to make the process type mysqld_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mysqld policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mysqld with the tightest access possible. + + +.PP -+If you want to allow mysqld to connect to all ports, you must turn on the mysql_connect_any boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to determine whether exim can connect to databases, you must turn on the exim_can_connect_db boolean. Disabled by default. ++ ++.EX ++.B setsebool -P exim_can_connect_db 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether ftpd can connect to databases over the TCP network, you must turn on the ftpd_connect_db boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ftpd_connect_db 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_network_connect_db 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow mysqld to connect to all ports, you must turn on the mysql_connect_any boolean. Disabled by default. + +.EX +.B setsebool -P mysql_connect_any 1 ++ +.EE + +.PP -+If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
+ +.EX -+.B setsebool -P selinuxuser_mysql_connect_enabled 1 ++.B setsebool -P nis_enabled 1 ++ +.EE + +.PP -+If you want to allow mysqld to connect to all ports, you must turn on the mysql_connect_any boolean. ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + +.EX -+.B setsebool -P mysql_connect_any 1 ++.B setsebool -P nscd_use_shm 1 ++ +.EE + ++.SH NSSWITCH DOMAIN ++ +.PP -+If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the mysqld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.B setsebool -P selinuxuser_mysql_connect_enabled 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux mysqld policy is very flexible allowing users to setup their mysqld processes in as secure a method as possible. -+.PP -+The following file types are defined for mysqld: -+ ++If you want to allow confined applications to run with kerberos for the mysqld_t, you must turn on the kerberos_enabled boolean. + +.EX -+.PP -+.B mysqld_db_t ++.B setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the mysqld_db_t type, if you want to treat the files as mysqld database content. -+ -+ -+.EX -+.PP -+.B mysqld_etc_t -+.EE -+ -+- Set files with the mysqld_etc_t type, if you want to store mysqld files in the /etc directories. -+ -+ -+.EX -+.PP -+.B mysqld_exec_t -+.EE -+ -+- Set files with the mysqld_exec_t type, if you want to transition an executable to the mysqld_t domain. 
-+ -+ -+.EX -+.PP -+.B mysqld_home_t -+.EE -+ -+- Set files with the mysqld_home_t type, if you want to store mysqld files in the users home directory. -+ -+ -+.EX -+.PP -+.B mysqld_initrc_exec_t -+.EE -+ -+- Set files with the mysqld_initrc_exec_t type, if you want to transition an executable to the mysqld_initrc_t domain. -+ -+ -+.EX -+.PP -+.B mysqld_log_t -+.EE -+ -+- Set files with the mysqld_log_t type, if you want to treat the data as mysqld log data, usually stored under the /var/log directory. -+ -+ -+.EX -+.PP -+.B mysqld_safe_exec_t -+.EE -+ -+- Set files with the mysqld_safe_exec_t type, if you want to transition an executable to the mysqld_safe_t domain. -+ -+ -+.EX -+.PP -+.B mysqld_tmp_t -+.EE -+ -+- Set files with the mysqld_tmp_t type, if you want to store mysqld temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B mysqld_unit_file_t -+.EE -+ -+- Set files with the mysqld_unit_file_t type, if you want to treat the files as mysqld unit content. -+ -+ -+.EX -+.PP -+.B mysqld_var_run_t -+.EE -+ -+- Set files with the mysqld_var_run_t type, if you want to store the mysqld files under the /run directory. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP 
@@ -52520,22 +91599,152 @@ index 0000000..4a21c03 + /var/lib/mysql/mysql\.sock +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux mysqld policy is very flexible allowing users to setup their mysqld processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mysqld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the mysqld_t, you must turn on the kerberos_enabled boolean. ++mysqld policy stores data with multiple different file context types under the /var/lib/mysql directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/mysql /srv/mysql ++.br ++.B restorecon -R -v /srv/mysql ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mysqld, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mysqld_db_t '/srv/mysqld/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymysqld_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for mysqld: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B mysqld_db_t +.EE + ++- Set files with the mysqld_db_t type, if you want to treat the files as mysqld database content. ++ ++ ++.EX ++.PP ++.B mysqld_etc_t ++.EE ++ ++- Set files with the mysqld_etc_t type, if you want to store mysqld files in the /etc directories. ++ ++.br ++.TP 5 ++Paths: ++/etc/mysql(/.*)?, /etc/my\.cnf ++ ++.EX ++.PP ++.B mysqld_exec_t ++.EE ++ ++- Set files with the mysqld_exec_t type, if you want to transition an executable to the mysqld_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/mysqld(-max)?, /usr/sbin/ndbd, /usr/libexec/mysqld, /usr/bin/mysql_upgrade ++ ++.EX ++.PP ++.B mysqld_home_t ++.EE ++ ++- Set files with the mysqld_home_t type, if you want to store mysqld files in the users home directory. ++ ++.br ++.TP 5 ++Paths: ++/root/\.my\.cnf, /home/[^/]*/\.my\.cnf, /home/pwalsh/\.my\.cnf, /home/dwalsh/\.my\.cnf, /var/lib/xguest/home/xguest/\.my\.cnf ++ ++.EX ++.PP ++.B mysqld_initrc_exec_t ++.EE ++ ++- Set files with the mysqld_initrc_exec_t type, if you want to transition an executable to the mysqld_initrc_t domain. ++ ++ ++.EX ++.PP ++.B mysqld_log_t ++.EE ++ ++- Set files with the mysqld_log_t type, if you want to treat the data as mysqld log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B mysqld_safe_exec_t ++.EE ++ ++- Set files with the mysqld_safe_exec_t type, if you want to transition an executable to the mysqld_safe_t domain. ++ ++ ++.EX ++.PP ++.B mysqld_tmp_t ++.EE ++ ++- Set files with the mysqld_tmp_t type, if you want to store mysqld temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B mysqld_unit_file_t ++.EE ++ ++- Set files with the mysqld_unit_file_t type, if you want to treat the files as mysqld unit content. 
++ ++ ++.EX ++.PP ++.B mysqld_var_run_t ++.EE ++ ++- Set files with the mysqld_var_run_t type, if you want to store the mysqld files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/mysqld(/.*)?, /var/lib/mysql/mysql\.sock ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -52567,11 +91776,11 @@ index 0000000..4a21c03 \ No newline at end of file diff --git a/man/man8/mysqlmanagerd_selinux.8 b/man/man8/mysqlmanagerd_selinux.8 new file mode 100644 -index 0000000..1634a0c +index 0000000..918b0f7 --- /dev/null +++ b/man/man8/mysqlmanagerd_selinux.8 -@@ -0,0 +1,138 @@ -+.TH "mysqlmanagerd_selinux" "8" "12-11-01" "mysqlmanagerd" "SELinux Policy documentation for mysqlmanagerd" +@@ -0,0 +1,231 @@ ++.TH "mysqlmanagerd_selinux" "8" "13-01-16" "mysqlmanagerd" "SELinux Policy documentation for mysqlmanagerd" +.SH "NAME" +mysqlmanagerd_selinux \- Security Enhanced Linux Policy for the mysqlmanagerd processes +.SH "DESCRIPTION" @@ -52587,7 +91796,9 @@ index 0000000..1634a0c + +.SH "ENTRYPOINTS" + -+The mysqlmanagerd_t SELinux type can be entered via the "mysqlmanagerd_exec_t" file type. The default entrypoint paths for the mysqlmanagerd_t domain are the following:" ++The mysqlmanagerd_t SELinux type can be entered via the \fBmysqlmanagerd_exec_t\fP file type. ++ ++The default entrypoint paths for the mysqlmanagerd_t domain are the following: + +/usr/sbin/mysqlmanager +.SH PROCESS TYPES 
@@ -52605,50 +91816,76 @@ index 0000000..1634a0c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a mysqlmanagerd_t ++can be used to make the process type mysqlmanagerd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux mysqlmanagerd policy is very flexible allowing users to setup their mysqlmanagerd processes in as secure a method as possible. -+.PP -+The following file types are defined for mysqlmanagerd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. mysqlmanagerd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mysqlmanagerd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B mysqlmanagerd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the mysqlmanagerd_exec_t type, if you want to transition an executable to the mysqlmanagerd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B mysqlmanagerd_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the mysqlmanagerd_initrc_exec_t type, if you want to transition an executable to the mysqlmanagerd_initrc_t domain. 
-+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B mysqlmanagerd_var_run_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the mysqlmanagerd_var_run_t type, if you want to store the mysqlmanagerd files under the /run directory. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -52683,7 +91920,68 @@ index 0000000..1634a0c + /var/run/mysqld/mysqlmanager.* +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux mysqlmanagerd policy is very flexible allowing users to setup their mysqlmanagerd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the mysqlmanagerd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t mysqlmanagerd_exec_t '/srv/mysqlmanagerd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mymysqlmanagerd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for mysqlmanagerd: ++ ++ ++.EX ++.PP ++.B mysqlmanagerd_exec_t ++.EE ++ ++- Set files with the mysqlmanagerd_exec_t type, if you want to transition an executable to the mysqlmanagerd_t domain. ++ ++ ++.EX ++.PP ++.B mysqlmanagerd_initrc_exec_t ++.EE ++ ++- Set files with the mysqlmanagerd_initrc_exec_t type, if you want to transition an executable to the mysqlmanagerd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B mysqlmanagerd_var_run_t ++.EE ++ ++- Set files with the mysqlmanagerd_var_run_t type, if you want to store the mysqlmanagerd files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. 
You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -52698,6 +91996,9 @@ index 0000000..1634a0c +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -52709,13 +92010,15 @@ index 0000000..1634a0c + +.SH "SEE ALSO" +selinux(8), mysqlmanagerd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/nagios_admin_plugin_selinux.8 b/man/man8/nagios_admin_plugin_selinux.8 new file mode 100644 -index 0000000..505d3a1 +index 0000000..569908b --- /dev/null +++ b/man/man8/nagios_admin_plugin_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "nagios_admin_plugin_selinux" "8" "12-11-01" "nagios_admin_plugin" "SELinux Policy documentation for nagios_admin_plugin" +@@ -0,0 +1,147 @@ ++.TH "nagios_admin_plugin_selinux" "8" "13-01-16" "nagios_admin_plugin" "SELinux Policy documentation for nagios_admin_plugin" +.SH "NAME" +nagios_admin_plugin_selinux \- Security Enhanced Linux Policy for the nagios_admin_plugin processes +.SH "DESCRIPTION" @@ -52731,7 +92034,9 @@ index 0000000..505d3a1 + +.SH "ENTRYPOINTS" + -+The nagios_admin_plugin_t SELinux type can be entered via the "nagios_admin_plugin_exec_t" file type. The default entrypoint paths for the nagios_admin_plugin_t domain are the following:" ++The nagios_admin_plugin_t SELinux type can be entered via the \fBnagios_admin_plugin_exec_t\fP file type. ++ ++The default entrypoint paths for the nagios_admin_plugin_t domain are the following: + +/usr/lib/nagios/plugins/check_file_age +.SH PROCESS TYPES 
@@ -52749,8 +92054,52 @@ index 0000000..505d3a1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nagios_admin_plugin_t ++can be used to make the process type nagios_admin_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nagios_admin_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nagios_admin_plugin with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -52760,7 +92109,20 @@ index 0000000..505d3a1 +Policy governs the access confined processes have to these files. +SELinux nagios_admin_plugin policy is very flexible allowing users to setup their nagios_admin_plugin processes in as secure a method as possible. +.PP -+The following file types are defined for nagios_admin_plugin: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nagios_admin_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nagios_admin_plugin_exec_t '/srv/nagios_admin_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynagios_admin_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nagios_admin_plugin: + + +.EX @@ -52778,8 +92140,6 @@ index 0000000..505d3a1 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -52790,6 +92150,9 @@ index 0000000..505d3a1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -52801,15 +92164,15 @@ index 0000000..505d3a1 + +.SH "SEE ALSO" +selinux(8), nagios_admin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nagios_selinux(8), nagios_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) ++, setsebool(8), nagios_selinux(8), nagios_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) \ No newline at end of file diff --git a/man/man8/nagios_checkdisk_plugin_selinux.8 b/man/man8/nagios_checkdisk_plugin_selinux.8 new file mode 100644 -index 0000000..9ccef93 +index 0000000..449ca4f --- /dev/null +++ b/man/man8/nagios_checkdisk_plugin_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "nagios_checkdisk_plugin_selinux" "8" "12-11-01" "nagios_checkdisk_plugin" "SELinux Policy documentation for nagios_checkdisk_plugin" +@@ -0,0 +1,151 @@ ++.TH "nagios_checkdisk_plugin_selinux" "8" "13-01-16" "nagios_checkdisk_plugin" "SELinux Policy documentation for nagios_checkdisk_plugin" +.SH "NAME" +nagios_checkdisk_plugin_selinux \- Security Enhanced Linux Policy for the nagios_checkdisk_plugin processes +.SH "DESCRIPTION" 
@@ -52825,7 +92188,9 @@ index 0000000..9ccef93 + +.SH "ENTRYPOINTS" + -+The nagios_checkdisk_plugin_t SELinux type can be entered via the "nagios_checkdisk_plugin_exec_t" file type. The default entrypoint paths for the nagios_checkdisk_plugin_t domain are the following:" ++The nagios_checkdisk_plugin_t SELinux type can be entered via the \fBnagios_checkdisk_plugin_exec_t\fP file type. ++ ++The default entrypoint paths for the nagios_checkdisk_plugin_t domain are the following: + +/usr/lib/nagios/plugins/check_disk, /usr/lib/nagios/plugins/check_disk_smb, /usr/lib/nagios/plugins/check_ide_smart, /usr/lib/nagios/plugins/check_linux_raid +.SH PROCESS TYPES 
@@ -52843,8 +92208,52 @@ index 0000000..9ccef93 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nagios_checkdisk_plugin_t ++can be used to make the process type nagios_checkdisk_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nagios_checkdisk_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nagios_checkdisk_plugin with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -52854,7 +92263,20 @@ index 0000000..9ccef93 +Policy governs the access confined processes have to these files. +SELinux nagios_checkdisk_plugin policy is very flexible allowing users to setup their nagios_checkdisk_plugin processes in as secure a method as possible. +.PP -+The following file types are defined for nagios_checkdisk_plugin: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nagios_checkdisk_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nagios_checkdisk_plugin_exec_t '/srv/nagios_checkdisk_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynagios_checkdisk_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nagios_checkdisk_plugin: + + +.EX @@ -52864,6 +92286,10 @@ index 0000000..9ccef93 + +- Set files with the nagios_checkdisk_plugin_exec_t type, if you want to transition an executable to the nagios_checkdisk_plugin_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/nagios/plugins/check_disk, /usr/lib/nagios/plugins/check_disk_smb, /usr/lib/nagios/plugins/check_ide_smart, /usr/lib/nagios/plugins/check_linux_raid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -52872,8 +92298,6 @@ index 0000000..9ccef93 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -52884,6 +92308,9 @@ index 0000000..9ccef93 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -52895,15 +92322,15 @@ index 0000000..9ccef93 + +.SH "SEE ALSO" +selinux(8), nagios_checkdisk_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) ++, setsebool(8), nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) \ No newline at end of file diff --git a/man/man8/nagios_eventhandler_plugin_selinux.8 b/man/man8/nagios_eventhandler_plugin_selinux.8 new file mode 100644 -index 0000000..507c175 +index 0000000..19ab6cc --- /dev/null +++ b/man/man8/nagios_eventhandler_plugin_selinux.8 -@@ -0,0 +1,111 @@ -+.TH "nagios_eventhandler_plugin_selinux" "8" "12-11-01" "nagios_eventhandler_plugin" "SELinux Policy documentation for nagios_eventhandler_plugin" +@@ -0,0 +1,171 @@ ++.TH "nagios_eventhandler_plugin_selinux" "8" "13-01-16" "nagios_eventhandler_plugin" "SELinux Policy documentation for nagios_eventhandler_plugin" +.SH "NAME" +nagios_eventhandler_plugin_selinux \- Security Enhanced Linux Policy for the nagios_eventhandler_plugin processes +.SH "DESCRIPTION" 
@@ -52919,7 +92346,9 @@ index 0000000..507c175 + +.SH "ENTRYPOINTS" + -+The nagios_eventhandler_plugin_t SELinux type can be entered via the "nagios_eventhandler_plugin_exec_t" file type. The default entrypoint paths for the nagios_eventhandler_plugin_t domain are the following:" ++The nagios_eventhandler_plugin_t SELinux type can be entered via the \fBnagios_eventhandler_plugin_exec_t\fP file type. ++ ++The default entrypoint paths for the nagios_eventhandler_plugin_t domain are the following: + +/usr/lib/nagios/plugins/eventhandlers(/.*) +.SH PROCESS TYPES 
@@ -52937,8 +92366,68 @@ index 0000000..507c175 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nagios_eventhandler_plugin_t ++can be used to make the process type nagios_eventhandler_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nagios_eventhandler_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nagios_eventhandler_plugin with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nagios_eventhandler_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. 
Note the processes UID still need to have DAC permissions. ++ ++.br ++.B nagios_eventhandler_plugin_tmp_t ++ ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52948,7 +92437,20 @@ index 0000000..507c175 +Policy governs the access confined processes have to these files. +SELinux nagios_eventhandler_plugin policy is very flexible allowing users to setup their nagios_eventhandler_plugin processes in as secure a method as possible. +.PP -+The following file types are defined for nagios_eventhandler_plugin: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nagios_eventhandler_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nagios_eventhandler_plugin_exec_t '/srv/nagios_eventhandler_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynagios_eventhandler_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nagios_eventhandler_plugin: + + +.EX 
@@ -52974,24 +92476,6 @@ index 0000000..507c175 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nagios_eventhandler_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nagios_eventhandler_plugin_tmp_t -+ -+ -+.br -+.B systemd_passwd_var_run_t -+ -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -53002,6 +92486,9 @@ index 0000000..507c175 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -53013,15 +92500,15 @@ index 0000000..507c175 + +.SH "SEE ALSO" +selinux(8), nagios_eventhandler_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) ++, setsebool(8), nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) \ No newline at end of file diff --git a/man/man8/nagios_mail_plugin_selinux.8 b/man/man8/nagios_mail_plugin_selinux.8 new file mode 100644 -index 0000000..0140264 +index 0000000..57fec33 --- /dev/null 
+++ b/man/man8/nagios_mail_plugin_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "nagios_mail_plugin_selinux" "8" "12-11-01" "nagios_mail_plugin" "SELinux Policy documentation for nagios_mail_plugin" +@@ -0,0 +1,155 @@ ++.TH "nagios_mail_plugin_selinux" "8" "13-01-16" "nagios_mail_plugin" "SELinux Policy documentation for nagios_mail_plugin" +.SH "NAME" +nagios_mail_plugin_selinux \- Security Enhanced Linux Policy for the nagios_mail_plugin processes +.SH "DESCRIPTION" @@ -53037,7 +92524,9 @@ index 0000000..0140264 + +.SH "ENTRYPOINTS" + -+The nagios_mail_plugin_t SELinux type can be entered via the "nagios_mail_plugin_exec_t" file type. The default entrypoint paths for the nagios_mail_plugin_t domain are the following:" ++The nagios_mail_plugin_t SELinux type can be entered via the \fBnagios_mail_plugin_exec_t\fP file type. ++ ++The default entrypoint paths for the nagios_mail_plugin_t domain are the following: + +/usr/lib/nagios/plugins/check_mailq +.SH PROCESS TYPES 
@@ -53055,8 +92544,60 @@ index 0000000..0140264 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nagios_mail_plugin_t ++can be used to make the process type nagios_mail_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nagios_mail_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nagios_mail_plugin with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -53066,7 +92607,20 @@ index 0000000..0140264 +Policy governs the access confined processes have to these files. +SELinux nagios_mail_plugin policy is very flexible allowing users to setup their nagios_mail_plugin processes in as secure a method as possible. +.PP -+The following file types are defined for nagios_mail_plugin: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nagios_mail_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nagios_mail_plugin_exec_t '/srv/nagios_mail_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynagios_mail_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nagios_mail_plugin: + + +.EX @@ -53084,8 +92638,6 @@ index 0000000..0140264 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -53096,6 +92648,9 @@ index 0000000..0140264 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -53107,15 +92662,15 @@ index 0000000..0140264 + +.SH "SEE ALSO" +selinux(8), nagios_mail_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) ++, setsebool(8), nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) \ No newline at end of file diff --git a/man/man8/nagios_selinux.8 b/man/man8/nagios_selinux.8 new file mode 100644 -index 0000000..2208671 +index 0000000..b01c31c --- /dev/null +++ b/man/man8/nagios_selinux.8 -@@ -0,0 +1,257 @@ -+.TH "nagios_selinux" "8" "12-11-01" "nagios" "SELinux Policy documentation for nagios" +@@ -0,0 +1,395 @@ ++.TH "nagios_selinux" "8" "13-01-16" "nagios" "SELinux Policy documentation for nagios" +.SH "NAME" +nagios_selinux \- Security Enhanced Linux Policy for the nagios processes +.SH "DESCRIPTION" @@ -53131,7 +92686,9 @@ index 0000000..2208671 + +.SH "ENTRYPOINTS" + -+The nagios_t SELinux type can be entered via the "nagios_exec_t" file type. The default entrypoint paths for the nagios_t domain are the following:" ++The nagios_t SELinux type can be entered via the \fBnagios_exec_t\fP file type. ++ ++The default entrypoint paths for the nagios_t domain are the following: + +/usr/s?bin/nagios +.SH PROCESS TYPES 
@@ -53149,8 +92706,152 @@ index 0000000..2208671 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nagios_t ++can be used to make the process type nagios_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nagios policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nagios with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the nagios_services_plugin_t, nagios_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nagios_services_plugin_t, nagios_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nagios_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B nagios_tmp_t ++ ++ ++.br ++.B nagios_var_lib_t ++ ++ /usr/lib/pnp4nagios(/.*)? ++.br ++ ++.br ++.B nagios_var_run_t ++ ++ /var/run/nagios.* ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -53160,7 +92861,20 @@ index 0000000..2208671 +Policy governs the access confined processes have to these files. +SELinux nagios policy is very flexible allowing users to setup their nagios processes in as secure a method as possible. +.PP -+The following file types are defined for nagios: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nagios, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nagios_admin_plugin_exec_t '/srv/nagios/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynagios_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nagios: + + +.EX @@ -53178,6 +92892,10 @@ index 0000000..2208671 + +- Set files with the nagios_checkdisk_plugin_exec_t type, if you want to transition an executable to the nagios_checkdisk_plugin_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/nagios/plugins/check_disk, /usr/lib/nagios/plugins/check_disk_smb, /usr/lib/nagios/plugins/check_ide_smart, /usr/lib/nagios/plugins/check_linux_raid + +.EX +.PP @@ -53218,6 +92936,10 @@ index 0000000..2208671 + +- Set files with the nagios_initrc_exec_t type, if you want to transition an executable to the nagios_initrc_t domain. + ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/nrpe, /etc/rc\.d/init\.d/nagios + +.EX +.PP 
@@ -53226,6 +92948,10 @@ index 0000000..2208671 + +- Set files with the nagios_log_t type, if you want to treat the data as nagios log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/nagios(/.*)?, /var/log/netsaint(/.*)? + +.EX +.PP @@ -53242,6 +92968,10 @@ index 0000000..2208671 + +- Set files with the nagios_services_plugin_exec_t type, if you want to transition an executable to the nagios_services_plugin_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_dns, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_http, /usr/lib/nagios/plugins/check_icmp, /usr/lib/nagios/plugins/check_ircd, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_mysql_query + +.EX +.PP 
@@ -53258,6 +92988,10 @@ index 0000000..2208671 + +- Set files with the nagios_system_plugin_exec_t type, if you want to transition an executable to the nagios_system_plugin_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/nagios/plugins/check_log, /usr/lib/nagios/plugins/check_load, /usr/lib/nagios/plugins/check_mrtg, /usr/lib/nagios/plugins/check_swap, /usr/lib/nagios/plugins/check_wave, /usr/lib/nagios/plugins/check_procs, /usr/lib/nagios/plugins/check_users, /usr/lib/nagios/plugins/check_flexlm, /usr/lib/nagios/plugins/check_nagios, /usr/lib/nagios/plugins/check_nwstat, /usr/lib/nagios/plugins/check_overcr, /usr/lib/nagios/plugins/check_sensors, /usr/lib/nagios/plugins/check_ifstatus, /usr/lib/nagios/plugins/check_mrtgtraf, /usr/lib/nagios/plugins/check_ifoperstatus + +.EX +.PP @@ -53296,7 +93030,7 @@ index 0000000..2208671 +.B nagios_var_run_t +.EE + -+- Set files with the nagios_var_run_t type, if you want to store the nagios files under the /run directory. ++- Set files with the nagios_var_run_t type, if you want to store the nagios files under the /run or /var/run directory. + + +.PP 
@@ -53306,50 +93040,6 @@ index 0000000..2208671 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nagios_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nagios_log_t -+ -+ /var/log/nagios(/.*)? -+.br -+ /var/log/netsaint(/.*)? -+.br -+ -+.br -+.B nagios_tmp_t -+ -+ -+.br -+.B nagios_var_lib_t -+ -+ /usr/lib/pnp4nagios(/.*)? -+.br -+ -+.br -+.B nagios_var_run_t -+ -+ /var/run/nagios.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nagios_services_plugin_t, nagios_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the nagios_services_plugin_t, nagios_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -53360,6 +93050,9 @@ index 0000000..2208671 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -53371,15 +93064,15 @@ index 0000000..2208671 + +.SH "SEE ALSO" +selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) ++, setsebool(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) \ No newline at end of file diff --git a/man/man8/nagios_services_plugin_selinux.8 b/man/man8/nagios_services_plugin_selinux.8 new file mode 100644 -index 0000000..4b2f93e +index 0000000..d74af09 --- /dev/null +++ b/man/man8/nagios_services_plugin_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "nagios_services_plugin_selinux" "8" "12-11-01" "nagios_services_plugin" "SELinux Policy documentation for nagios_services_plugin" +@@ -0,0 +1,199 @@ ++.TH "nagios_services_plugin_selinux" "8" "13-01-16" "nagios_services_plugin" "SELinux Policy documentation for nagios_services_plugin" +.SH "NAME" +nagios_services_plugin_selinux \- Security Enhanced Linux Policy for the nagios_services_plugin processes +.SH "DESCRIPTION" 
@@ -53395,7 +93088,9 @@ index 0000000..4b2f93e + +.SH "ENTRYPOINTS" + -+The nagios_services_plugin_t SELinux type can be entered via the "nagios_services_plugin_exec_t" file type. The default entrypoint paths for the nagios_services_plugin_t domain are the following:" ++The nagios_services_plugin_t SELinux type can be entered via the \fBnagios_services_plugin_exec_t\fP file type. ++ ++The default entrypoint paths for the nagios_services_plugin_t domain are the following: + +/usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_dns, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_http, /usr/lib/nagios/plugins/check_icmp, /usr/lib/nagios/plugins/check_ircd, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_mysql_query +.SH PROCESS TYPES 
@@ -53413,39 +93108,89 @@ index 0000000..4b2f93e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nagios_services_plugin_t ++can be used to make the process type nagios_services_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux nagios_services_plugin policy is very flexible allowing users to setup their nagios_services_plugin processes in as secure a method as possible. -+.PP -+The following file types are defined for nagios_services_plugin: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nagios_services_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nagios_services_plugin with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B nagios_services_plugin_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the nagios_services_plugin_exec_t type, if you want to transition an executable to the nagios_services_plugin_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nagios_services_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the nagios_services_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
+ +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 
@@ -53458,6 +93203,49 @@ index 0000000..4b2f93e +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux nagios_services_plugin policy is very flexible allowing users to setup their nagios_services_plugin processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nagios_services_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nagios_services_plugin_exec_t '/srv/nagios_services_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynagios_services_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nagios_services_plugin: ++ ++ ++.EX ++.PP ++.B nagios_services_plugin_exec_t ++.EE ++ ++- Set files with the nagios_services_plugin_exec_t type, if you want to transition an executable to the nagios_services_plugin_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_dns, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_http, /usr/lib/nagios/plugins/check_icmp, /usr/lib/nagios/plugins/check_ircd, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_mysql_query ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -53468,6 +93256,9 @@ index 0000000..4b2f93e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -53479,15 +93270,15 @@ index 0000000..4b2f93e + +.SH "SEE ALSO" +selinux(8), nagios_services_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) ++, setsebool(8), nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_system_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) \ No newline at end of file diff --git a/man/man8/nagios_system_plugin_selinux.8 b/man/man8/nagios_system_plugin_selinux.8 new file mode 100644 -index 0000000..0005f14 +index 0000000..fd126da --- /dev/null +++ b/man/man8/nagios_system_plugin_selinux.8 -@@ -0,0 +1,103 @@ -+.TH "nagios_system_plugin_selinux" "8" "12-11-01" "nagios_system_plugin" "SELinux Policy documentation for nagios_system_plugin" +@@ -0,0 +1,167 @@ ++.TH "nagios_system_plugin_selinux" "8" "13-01-16" "nagios_system_plugin" "SELinux Policy documentation for nagios_system_plugin" +.SH "NAME" +nagios_system_plugin_selinux \- Security Enhanced Linux Policy for the nagios_system_plugin processes +.SH "DESCRIPTION" 
@@ -53503,7 +93294,9 @@ index 0000000..0005f14 + +.SH "ENTRYPOINTS" + -+The nagios_system_plugin_t SELinux type can be entered via the "nagios_system_plugin_exec_t" file type. The default entrypoint paths for the nagios_system_plugin_t domain are the following:" ++The nagios_system_plugin_t SELinux type can be entered via the \fBnagios_system_plugin_exec_t\fP file type. ++ ++The default entrypoint paths for the nagios_system_plugin_t domain are the following: + +/usr/lib/nagios/plugins/check_log, /usr/lib/nagios/plugins/check_load, /usr/lib/nagios/plugins/check_mrtg, /usr/lib/nagios/plugins/check_swap, /usr/lib/nagios/plugins/check_wave, /usr/lib/nagios/plugins/check_procs, /usr/lib/nagios/plugins/check_users, /usr/lib/nagios/plugins/check_flexlm, /usr/lib/nagios/plugins/check_nagios, /usr/lib/nagios/plugins/check_nwstat, /usr/lib/nagios/plugins/check_overcr, /usr/lib/nagios/plugins/check_sensors, /usr/lib/nagios/plugins/check_ifstatus, /usr/lib/nagios/plugins/check_mrtgtraf, /usr/lib/nagios/plugins/check_ifoperstatus +.SH PROCESS TYPES 
@@ -53521,8 +93314,60 @@ index 0000000..0005f14 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nagios_system_plugin_t ++can be used to make the process type nagios_system_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nagios_system_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nagios_system_plugin with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nagios_system_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B nagios_system_plugin_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -53532,7 +93377,20 @@ index 0000000..0005f14 +Policy governs the access confined processes have to these files. +SELinux nagios_system_plugin policy is very flexible allowing users to setup their nagios_system_plugin processes in as secure a method as possible. +.PP -+The following file types are defined for nagios_system_plugin: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nagios_system_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nagios_system_plugin_exec_t '/srv/nagios_system_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynagios_system_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nagios_system_plugin: + + +.EX @@ -53542,6 +93400,10 @@ index 0000000..0005f14 + +- Set files with the nagios_system_plugin_exec_t type, if you want to transition an executable to the nagios_system_plugin_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/nagios/plugins/check_log, /usr/lib/nagios/plugins/check_load, /usr/lib/nagios/plugins/check_mrtg, /usr/lib/nagios/plugins/check_swap, /usr/lib/nagios/plugins/check_wave, /usr/lib/nagios/plugins/check_procs, /usr/lib/nagios/plugins/check_users, /usr/lib/nagios/plugins/check_flexlm, /usr/lib/nagios/plugins/check_nagios, /usr/lib/nagios/plugins/check_nwstat, /usr/lib/nagios/plugins/check_overcr, /usr/lib/nagios/plugins/check_sensors, /usr/lib/nagios/plugins/check_ifstatus, /usr/lib/nagios/plugins/check_mrtgtraf, /usr/lib/nagios/plugins/check_ifoperstatus + +.EX +.PP 
@@ -53558,16 +93420,6 @@ index 0000000..0005f14 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nagios_system_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nagios_system_plugin_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -53578,6 +93430,9 @@ index 0000000..0005f14 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -53589,15 +93444,15 @@ index 0000000..0005f14 + +.SH "SEE ALSO" +selinux(8), nagios_system_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) ++, setsebool(8), nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_unconfined_plugin_selinux(8) \ No newline at end of file diff --git a/man/man8/nagios_unconfined_plugin_selinux.8 b/man/man8/nagios_unconfined_plugin_selinux.8 new file mode 100644 -index 0000000..ccf2eed +index 0000000..eccefc3 --- /dev/null 
+++ b/man/man8/nagios_unconfined_plugin_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "nagios_unconfined_plugin_selinux" "8" "12-11-01" "nagios_unconfined_plugin" "SELinux Policy documentation for nagios_unconfined_plugin" +@@ -0,0 +1,147 @@ ++.TH "nagios_unconfined_plugin_selinux" "8" "13-01-16" "nagios_unconfined_plugin" "SELinux Policy documentation for nagios_unconfined_plugin" +.SH "NAME" +nagios_unconfined_plugin_selinux \- Security Enhanced Linux Policy for the nagios_unconfined_plugin processes +.SH "DESCRIPTION" @@ -53613,7 +93468,9 @@ index 0000000..ccf2eed + +.SH "ENTRYPOINTS" + -+The nagios_unconfined_plugin_t SELinux type can be entered via the "nagios_unconfined_plugin_exec_t" file type. The default entrypoint paths for the nagios_unconfined_plugin_t domain are the following:" ++The nagios_unconfined_plugin_t SELinux type can be entered via the \fBnagios_unconfined_plugin_exec_t\fP file type. ++ ++The default entrypoint paths for the nagios_unconfined_plugin_t domain are the following: + +/usr/lib/nagios/plugins/check_by_ssh +.SH PROCESS TYPES 
@@ -53631,8 +93488,52 @@ index 0000000..ccf2eed +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nagios_unconfined_plugin_t ++can be used to make the process type nagios_unconfined_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nagios_unconfined_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nagios_unconfined_plugin with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -53642,7 +93543,20 @@ index 0000000..ccf2eed +Policy governs the access confined processes have to these files. +SELinux nagios_unconfined_plugin policy is very flexible allowing users to setup their nagios_unconfined_plugin processes in as secure a method as possible. +.PP -+The following file types are defined for nagios_unconfined_plugin: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nagios_unconfined_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nagios_unconfined_plugin_exec_t '/srv/nagios_unconfined_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynagios_unconfined_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nagios_unconfined_plugin: + + +.EX @@ -53660,8 +93574,6 @@ index 0000000..ccf2eed +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -53672,6 +93584,9 @@ index 0000000..ccf2eed +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -53683,13 +93598,13 @@ index 0000000..ccf2eed + +.SH "SEE ALSO" +selinux(8), nagios_unconfined_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8) ++, setsebool(8), nagios_selinux(8), nagios_selinux(8), nagios_admin_plugin_selinux(8), nagios_checkdisk_plugin_selinux(8), nagios_eventhandler_plugin_selinux(8), nagios_mail_plugin_selinux(8), nagios_services_plugin_selinux(8), nagios_system_plugin_selinux(8) \ No newline at end of file diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8 -index fce0b48..8d2debb 100644 +index fce0b48..d1180f7 100644 --- a/man/man8/named_selinux.8 +++ b/man/man8/named_selinux.8 -@@ -1,30 +1,288 @@ +@@ -1,30 +1,440 @@ -.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation" -.de EX -.nf @@ -53699,7 +93614,7 @@ index fce0b48..8d2debb 100644 -.ft R -.fi -.. -+.TH "named_selinux" "8" "12-11-01" "named" "SELinux Policy documentation for named" ++.TH "named_selinux" "8" "13-01-16" "named" "SELinux Policy documentation for named" .SH "NAME" -named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon +named_selinux \- Security Enhanced Linux Policy for the named processes 
@@ -53718,9 +93633,11 @@ index fce0b48..8d2debb 100644 + +.SH "ENTRYPOINTS" + -+The named_t SELinux type can be entered via the "named_exec_t,named_checkconf_exec_t" file types. The default entrypoint paths for the named_t domain are the following:" ++The named_t SELinux type can be entered via the \fBnamed_exec_t, named_checkconf_exec_t\fP file types. + -+/usr/sbin/named, /usr/sbin/lwresd, /usr/sbin/unbound, /usr/sbin/named-checkconf ++The default entrypoint paths for the named_t domain are the following: ++ ++/usr/sbin/named, /usr/sbin/lwresd, /usr/sbin/unbound, /usr/sbin/unbound-anchor, /usr/sbin/unbound-chkconf, /usr/sbin/named-checkconf +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP @@ -53736,8 +93653,8 @@ index fce0b48..8d2debb 100644 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a named_t ++can be used to make the process type named_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + .SH BOOLEANS -SELinux policy is customizable based on least access required. So by 
@@ -53746,145 +93663,139 @@ index fce0b48..8d2debb 100644 + + +.PP -+If you want to allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers, you must turn on the named_write_master_zones boolean. ++If you want to determine whether Bind can bind tcp socket to http ports, you must turn on the named_tcp_bind_http_port boolean. Disabled by default. + .EX -setsebool -P named_write_master_zones 1 -+.B setsebool -P named_write_master_zones 1 ++.B setsebool -P named_tcp_bind_http_port 1 ++ .EE + .PP -system-config-selinux is a GUI tool available to customize SELinux policy settings. -.SH AUTHOR -This manual page was written by Dan Walsh . -+If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean. -+ -+.EX -+.B setsebool -P named_bind_http_port 1 -+.EE -+ -+.PP -+If you want to allow BIND to write the master zone files. Generally this is used for dynamic DNS or zone transfers, you must turn on the named_write_master_zones boolean. -+ -+.EX -+.B setsebool -P named_write_master_zones 1 -+.EE -+ -+.PP -+If you want to allow BIND to bind apache port, you must turn on the named_bind_http_port boolean. -+ -+.EX -+.B setsebool -P named_bind_http_port 1 -+.EE -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux named policy is very flexible allowing users to setup their named processes in as secure a method as possible. -+.PP -+The following file types are defined for named: -+ -+ -+.EX -+.PP -+.B named_cache_t -+.EE -+ -+- Set files with the named_cache_t type, if you want to store the files under the /var/cache directory. 
-+ -+ -+.EX -+.PP -+.B named_checkconf_exec_t -+.EE -+ -+- Set files with the named_checkconf_exec_t type, if you want to transition an executable to the named_checkconf_t domain. -+ -+ -+.EX -+.PP -+.B named_conf_t -+.EE -+ -+- Set files with the named_conf_t type, if you want to treat the files as named configuration data, usually stored under the /etc directory. -+ -+ -+.EX -+.PP -+.B named_exec_t -+.EE -+ -+- Set files with the named_exec_t type, if you want to transition an executable to the named_t domain. -+ -+ -+.EX -+.PP -+.B named_initrc_exec_t -+.EE -+ -+- Set files with the named_initrc_exec_t type, if you want to transition an executable to the named_initrc_t domain. ++If you want to determine whether Bind can write to master zone files. Generally this is used for dynamic DNS or zone transfers, you must turn on the named_write_master_zones boolean. Disabled by default. -.SH "SEE ALSO" -selinux(8), named(8), chcon(1), setsebool(8) ++.EX ++.B setsebool -P named_write_master_zones 1 ++ ++.EE ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 -+.EX -+.PP -+.B named_keytab_t +.EE + -+- Set files with the named_keytab_t type, if you want to treat the files as kerberos keytab files. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B named_log_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the named_log_t type, if you want to treat the data as named log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B named_tmp_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the named_tmp_t type, if you want to store named temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B named_unit_file_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the named_unit_file_t type, if you want to treat the files as named unit content. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B named_var_run_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the named_var_run_t type, if you want to store the named files under the /run directory. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B named_zone_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the named_zone_t type, if you want to treat the files as named zone data. ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the namespace_init_t, named_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the namespace_init_t, named_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH "MANAGED FILES" + +The SELinux process type named_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. @@ -53918,6 +93829,8 @@ index fce0b48..8d2debb 100644 + + /var/named/data(/.*)? +.br ++ /var/lib/unbound(/.*)? ++.br + /var/named/slaves(/.*)? +.br + /var/named/dynamic(/.*)? @@ -53932,14 +93845,6 @@ index fce0b48..8d2debb 100644 +.br + +.br -+.B named_log_t -+ -+ /var/log/named.* -+.br -+ /var/named/chroot/var/log/named.* -+.br -+ -+.br +.B named_tmp_t + + 
@@ -53957,22 +93862,184 @@ index fce0b48..8d2debb 100644 + /var/run/ndc +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B named_zone_t ++ ++ /var/named(/.*)? ++.br ++ /var/named/chroot/var/named(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux named policy is very flexible allowing users to setup their named processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the namespace_init_t, named_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the namespace_init_t, named_t, you must turn on the kerberos_enabled boolean. ++named policy stores data with multiple different file context types under the /var/named directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/named /srv/named ++.br ++.B restorecon -R -v /srv/named ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the named, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t named_cache_t '/srv/named/content(/.*)?' 
++.br ++.B restorecon -R -v /srv/mynamed_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for named: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B named_cache_t +.EE + ++- Set files with the named_cache_t type, if you want to store the files under the /var/cache directory. ++ ++.br ++.TP 5 ++Paths: ++/var/named/data(/.*)?, /var/lib/unbound(/.*)?, /var/named/slaves(/.*)?, /var/named/dynamic(/.*)?, /var/named/chroot/var/tmp(/.*)?, /var/named/chroot/var/named/data(/.*)?, /var/named/chroot/var/named/slaves(/.*)?, /var/named/chroot/var/named/dynamic(/.*)? ++ ++.EX ++.PP ++.B named_checkconf_exec_t ++.EE ++ ++- Set files with the named_checkconf_exec_t type, if you want to transition an executable to the named_checkconf_t domain. ++ ++ ++.EX ++.PP ++.B named_conf_t ++.EE ++ ++- Set files with the named_conf_t type, if you want to treat the files as named configuration data, usually stored under the /etc directory. ++ ++.br ++.TP 5 ++Paths: ++/etc/rndc.*, /etc/unbound(/.*)?, /var/named/chroot(/.*)?, /etc/named\.rfc1912.zones, /var/named/chroot/etc/named\.rfc1912.zones, /etc/named\.conf, /var/named/named\.ca, /etc/named\.root\.hints, /var/named/chroot/etc/named\.conf, /etc/named\.caching-nameserver\.conf, /var/named/chroot/var/named/named\.ca, /var/named/chroot/etc/named\.root\.hints, /var/named/chroot/etc/named\.caching-nameserver\.conf ++ ++.EX ++.PP ++.B named_exec_t ++.EE ++ ++- Set files with the named_exec_t type, if you want to transition an executable to the named_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/named, /usr/sbin/lwresd, /usr/sbin/unbound, /usr/sbin/unbound-anchor, /usr/sbin/unbound-chkconf ++ ++.EX ++.PP ++.B named_initrc_exec_t ++.EE ++ ++- Set files with the named_initrc_exec_t type, if you want to transition an executable to the named_initrc_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/named, /etc/rc\.d/init\.d/unbound ++ ++.EX ++.PP ++.B named_keytab_t ++.EE ++ ++- Set files with the named_keytab_t type, if you want to treat the files as kerberos keytab files. ++ ++ ++.EX ++.PP ++.B named_log_t ++.EE ++ ++- Set files with the named_log_t type, if you want to treat the data as named log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/named.*, /var/named/chroot/var/log/named.* ++ ++.EX ++.PP ++.B named_tmp_t ++.EE ++ ++- Set files with the named_tmp_t type, if you want to store named temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B named_unit_file_t ++.EE ++ ++- Set files with the named_unit_file_t type, if you want to treat the files as named unit content. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/systemd/system/named.*, /usr/lib/systemd/system/unbound.* ++ ++.EX ++.PP ++.B named_var_run_t ++.EE ++ ++- Set files with the named_var_run_t type, if you want to store the named files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/bind(/.*)?, /var/run/named(/.*)?, /var/run/unbound(/.*)?, /var/named/chroot/var/run/named.*, /var/run/ndc ++ ++.EX ++.PP ++.B named_zone_t ++.EE ++ ++- Set files with the named_zone_t type, if you want to treat the files as named zone data. ++ ++.br ++.TP 5 ++Paths: ++/var/named(/.*)?, /var/named/chroot/var/named(/.*)? ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -54001,11 +94068,11 @@ index fce0b48..8d2debb 100644 \ No newline at end of file 
diff --git a/man/man8/namespace_init_selinux.8 b/man/man8/namespace_init_selinux.8 new file mode 100644 -index 0000000..9d3197d +index 0000000..82b2934 --- /dev/null +++ b/man/man8/namespace_init_selinux.8 -@@ -0,0 +1,120 @@ -+.TH "namespace_init_selinux" "8" "12-11-01" "namespace_init" "SELinux Policy documentation for namespace_init" +@@ -0,0 +1,233 @@ ++.TH "namespace_init_selinux" "8" "13-01-16" "namespace_init" "SELinux Policy documentation for namespace_init" +.SH "NAME" +namespace_init_selinux \- Security Enhanced Linux Policy for the namespace_init processes +.SH "DESCRIPTION" @@ -54021,7 +94088,9 @@ index 0000000..9d3197d + +.SH "ENTRYPOINTS" + -+The namespace_init_t SELinux type can be entered via the "namespace_init_exec_t" file type. The default entrypoint paths for the namespace_init_t domain are the following:" ++The namespace_init_t SELinux type can be entered via the \fBnamespace_init_exec_t\fP file type. ++ ++The default entrypoint paths for the namespace_init_t domain are the following: + +/etc/security/namespace.init +.SH PROCESS TYPES 
@@ -54039,8 +94108,138 @@ index 0000000..9d3197d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a namespace_init_t ++can be used to make the process type namespace_init_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. namespace_init policy is extremely flexible and has several booleans that allow you to manipulate the policy and run namespace_init with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to enable polyinstantiated directory support, you must turn on the polyinstantiation_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P polyinstantiation_enabled 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the namespace_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the namespace_init_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type namespace_init_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -54050,7 +94249,20 @@ index 0000000..9d3197d +Policy governs the access confined processes have to these files. +SELinux namespace_init policy is very flexible allowing users to setup their namespace_init processes in as secure a method as possible. +.PP -+The following file types are defined for namespace_init: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the namespace_init, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t namespace_init_exec_t '/srv/namespace_init/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynamespace_init_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for namespace_init: + + +.EX 
@@ -54068,42 +94280,6 @@ index 0000000..9d3197d +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type namespace_init_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B security_t -+ -+ /selinux -+.br -+ -+.br -+.B user_home_t -+ -+ /home/[^/]*/.+ -+.br -+ /home/dwalsh/.+ -+.br -+ /var/lib/xguest/home/xguest/.+ -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the namespace_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the namespace_init_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -54114,6 +94290,9 @@ index 0000000..9d3197d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -54125,13 +94304,15 @@ index 0000000..9d3197d + +.SH "SEE ALSO" +selinux(8), namespace_init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ncftool_selinux.8 b/man/man8/ncftool_selinux.8 new file mode 100644 -index 0000000..2b164c1 +index 0000000..83dd172 --- /dev/null 
+++ b/man/man8/ncftool_selinux.8 -@@ -0,0 +1,138 @@ -+.TH "ncftool_selinux" "8" "12-11-01" "ncftool" "SELinux Policy documentation for ncftool" +@@ -0,0 +1,195 @@ ++.TH "ncftool_selinux" "8" "13-01-16" "ncftool" "SELinux Policy documentation for ncftool" +.SH "NAME" +ncftool_selinux \- Security Enhanced Linux Policy for the ncftool processes +.SH "DESCRIPTION" @@ -54147,7 +94328,9 @@ index 0000000..2b164c1 + +.SH "ENTRYPOINTS" + -+The ncftool_t SELinux type can be entered via the "ncftool_exec_t" file type. The default entrypoint paths for the ncftool_t domain are the following:" ++The ncftool_t SELinux type can be entered via the \fBncftool_exec_t\fP file type. ++ ++The default entrypoint paths for the ncftool_t domain are the following: + +/usr/bin/ncftool +.SH PROCESS TYPES 
@@ -54165,34 +94348,52 @@ index 0000000..2b164c1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ncftool_t ++can be used to make the process type ncftool_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux ncftool policy is very flexible allowing users to setup their ncftool processes in as secure a method as possible. -+.PP -+The following file types are defined for ncftool: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ncftool policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ncftool with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B ncftool_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the ncftool_exec_t type, if you want to transition an executable to the ncftool_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -54201,8 +94402,6 @@ index 0000000..2b164c1 +.br +.B net_conf_t + -+ /etc/ntpd?\.conf.* -+.br + /etc/hosts[^/]* +.br + /etc/yp\.conf.* @@ -54213,8 +94412,6 @@ index 0000000..2b164c1 +.br + /etc/resolv\.conf.* +.br -+ /etc/ntp/step-tickers.* -+.br + /etc/sysconfig/networking(/.*)? +.br + /etc/sysconfig/network-scripts(/.*)? 
@@ -54246,7 +94443,44 @@ index 0000000..2b164c1 + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux ncftool policy is very flexible allowing users to setup their ncftool processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ncftool, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ncftool_exec_t '/srv/ncftool/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myncftool_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ncftool: ++ ++ ++.EX ++.PP ++.B ncftool_exec_t ++.EE ++ ++- Set files with the ncftool_exec_t type, if you want to transition an executable to the ncftool_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -54258,6 +94492,9 @@ index 0000000..2b164c1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
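Review bot: The two commands in the new STANDARD FILE CONTEXT paragraph of this hunk do not refer to the same path, and the type used in the example is the wrong kind: `semanage fcontext -a -t ncftool_exec_t '/srv/ncftool/content(/.*)?'` registers a label for /srv/ncftool/content, but the following `restorecon -R -v /srv/myncftool_content` relabels a different directory, so a reader copying the pair sees no effect. More importantly, ncftool_exec_t is the entrypoint type for ncftool_t (the page's own ENTRYPOINTS section says so), so the example teaches admins to label an arbitrary content tree as an executable entrypoint; any binary dropped there and run from a role allowed the transition would enter the confined domain. The template should pick a data type the domain actually owns or, for domains like this one that define only an _exec_t, omit the example. In the same hunk, `\fBls\bP` is a malformed troff escape (`\b` is the bracket-building escape, not a font change) and should read `\fBls\fP`; also "diffent" -> "different" and "sepecify" -> "specify". The identical template text recurs in the ndc, netlabel_mgmt, netlogond and netutils pages below, so the fix belongs in the man page generator, not in these files one by one.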
@@ -54269,13 +94506,15 @@ index 0000000..2b164c1 + +.SH "SEE ALSO" +selinux(8), ncftool(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ndc_selinux.8 b/man/man8/ndc_selinux.8 new file mode 100644 -index 0000000..3fbc319 +index 0000000..0466b21 --- /dev/null +++ b/man/man8/ndc_selinux.8 -@@ -0,0 +1,100 @@ -+.TH "ndc_selinux" "8" "12-11-01" "ndc" "SELinux Policy documentation for ndc" +@@ -0,0 +1,203 @@ ++.TH "ndc_selinux" "8" "13-01-16" "ndc" "SELinux Policy documentation for ndc" +.SH "NAME" +ndc_selinux \- Security Enhanced Linux Policy for the ndc processes +.SH "DESCRIPTION" @@ -54291,7 +94530,9 @@ index 0000000..3fbc319 + +.SH "ENTRYPOINTS" + -+The ndc_t SELinux type can be entered via the "ndc_exec_t" file type. The default entrypoint paths for the ndc_t domain are the following:" ++The ndc_t SELinux type can be entered via the \fBndc_exec_t\fP file type. ++ ++The default entrypoint paths for the ndc_t domain are the following: + +/usr/sbin/r?ndc +.SH PROCESS TYPES 
@@ -54309,8 +94550,108 @@ index 0000000..3fbc319 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ndc_t ++can be used to make the process type ndc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ndc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ndc with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ndc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ndc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
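Review bot: The deny_ptrace paragraph in this hunk is inverted relative to the boolean's name: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" tells an admin to enable a deny_* tunable in order to allow something, and an admin who wants to forbid ptrace will read it and switch the boolean off, loosening the system instead of hardening it. The description should state what the boolean does when it is on (deny processes from ptracing or debugging other processes) and drop the "allow" wording; since these pages are generated, fix the description string at its source so this page, ncftool above and netlabel_mgmt, netlogond, netutils and newrole below all pick it up. Minor, same hunk: "rather then using a sssd server" should be "rather than", and authlogin_nsswitch_use_ldap and kerberos_enabled now appear twice on the page (BOOLEANS and NSSWITCH DOMAIN) with slightly different wording; one of the two should cross-reference the other rather than restate it.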
@@ -54320,7 +94661,20 @@ index 0000000..3fbc319 +Policy governs the access confined processes have to these files. +SELinux ndc policy is very flexible allowing users to setup their ndc processes in as secure a method as possible. +.PP -+The following file types are defined for ndc: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ndc, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ndc_exec_t '/srv/ndc/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myndc_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ndc: + + +.EX @@ -54338,22 +94692,6 @@ index 0000000..3fbc319 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ndc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the ndc_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -54364,6 +94702,9 @@ index 0000000..3fbc319 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -54375,13 +94716,15 @@ index 0000000..3fbc319 + +.SH "SEE ALSO" +selinux(8), ndc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
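Review bot: In the SEE ALSO hunk the new cross-reference is emitted as its own line beginning with a comma, `++, setsebool(8)`, after the unchanged `sepolicy(8)` line; troff fills the two lines into one, so the rendered text reads "sepolicy(8) , setsebool(8)" with a stray space before the comma. Append `, setsebool(8)` to the existing line instead. The `\ No newline at end of file` marker also shows the generator still ends every page without a trailing newline. The same pattern appears in the ncftool, netlabel_mgmt, netlogond and netutils pages.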
diff --git a/man/man8/netlabel_mgmt_selinux.8 b/man/man8/netlabel_mgmt_selinux.8 new file mode 100644 -index 0000000..9ee6f73 +index 0000000..ac2fa89 --- /dev/null +++ b/man/man8/netlabel_mgmt_selinux.8 -@@ -0,0 +1,86 @@ -+.TH "netlabel_mgmt_selinux" "8" "12-11-01" "netlabel_mgmt" "SELinux Policy documentation for netlabel_mgmt" +@@ -0,0 +1,151 @@ ++.TH "netlabel_mgmt_selinux" "8" "13-01-16" "netlabel_mgmt" "SELinux Policy documentation for netlabel_mgmt" +.SH "NAME" +netlabel_mgmt_selinux \- Security Enhanced Linux Policy for the netlabel_mgmt processes +.SH "DESCRIPTION" @@ -54397,7 +94740,9 @@ index 0000000..9ee6f73 + +.SH "ENTRYPOINTS" + -+The netlabel_mgmt_t SELinux type can be entered via the "netlabel_mgmt_exec_t" file type. The default entrypoint paths for the netlabel_mgmt_t domain are the following:" ++The netlabel_mgmt_t SELinux type can be entered via the \fBnetlabel_mgmt_exec_t\fP file type. ++ ++The default entrypoint paths for the netlabel_mgmt_t domain are the following: + +/sbin/netlabelctl, /usr/sbin/netlabelctl +.SH PROCESS TYPES 
@@ -54415,8 +94760,52 @@ index 0000000..9ee6f73 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a netlabel_mgmt_t ++can be used to make the process type netlabel_mgmt_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. netlabel_mgmt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run netlabel_mgmt with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -54426,7 +94815,20 @@ index 0000000..9ee6f73 +Policy governs the access confined processes have to these files. +SELinux netlabel_mgmt policy is very flexible allowing users to setup their netlabel_mgmt processes in as secure a method as possible. +.PP -+The following file types are defined for netlabel_mgmt: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the netlabel_mgmt, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t netlabel_mgmt_exec_t '/srv/netlabel_mgmt/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynetlabel_mgmt_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for netlabel_mgmt: + + +.EX @@ -54436,6 +94838,10 @@ index 0000000..9ee6f73 + +- Set files with the netlabel_mgmt_exec_t type, if you want to transition an executable to the netlabel_mgmt_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/netlabelctl, /usr/sbin/netlabelctl + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -54444,8 +94850,6 @@ index 0000000..9ee6f73 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -54456,6 +94860,9 @@ index 0000000..9ee6f73 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -54467,13 +94874,15 @@ index 0000000..9ee6f73 + +.SH "SEE ALSO" +selinux(8), netlabel_mgmt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/netlogond_selinux.8 b/man/man8/netlogond_selinux.8 new file mode 100644 -index 0000000..56dbd55 +index 0000000..901558e --- /dev/null +++ b/man/man8/netlogond_selinux.8 -@@ -0,0 +1,134 @@ -+.TH "netlogond_selinux" "8" "12-11-01" "netlogond" "SELinux Policy documentation for netlogond" +@@ -0,0 +1,251 @@ ++.TH "netlogond_selinux" "8" "13-01-16" "netlogond" "SELinux Policy documentation for netlogond" +.SH "NAME" +netlogond_selinux \- Security Enhanced Linux Policy for the netlogond processes +.SH "DESCRIPTION" @@ -54489,9 +94898,11 @@ index 0000000..56dbd55 + +.SH "ENTRYPOINTS" + -+The netlogond_t SELinux type can be entered via the "netlogond_exec_t" file type. The default entrypoint paths for the netlogond_t domain are the following:" ++The netlogond_t SELinux type can be entered via the \fBnetlogond_exec_t\fP file type. + -+/usr/sbin/netlogond ++The default entrypoint paths for the netlogond_t domain are the following: ++ ++/usr/sbin/netlogond, /opt/likewise/sbin/netlogond +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -54507,58 +94918,84 @@ index 0000000..56dbd55 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a netlogond_t ++can be used to make the process type netlogond_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux netlogond policy is very flexible allowing users to setup their netlogond processes in as secure a method as possible. -+.PP -+The following file types are defined for netlogond: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. netlogond policy is extremely flexible and has several booleans that allow you to manipulate the policy and run netlogond with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B netlogond_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the netlogond_exec_t type, if you want to transition an executable to the netlogond_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B netlogond_var_lib_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the netlogond_var_lib_t type, if you want to store the netlogond files under the /var/lib directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B netlogond_var_run_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the netlogond_var_run_t type, if you want to store the netlogond files under the /run directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B netlogond_var_socket_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the netlogond_var_socket_t type, if you want to treat the files as netlogond var socket data. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
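Review bot: The nscd_use_shm paragraph at the end of this hunk says "Enabled by default", but the same boolean is documented as "Disabled by default" in the ndc page above and in the netutils and newrole pages below. A policy-wide tunable has exactly one default, so the generator appears to be recording the runtime value on the build host rather than the policy default, or the pages were generated from different states. The "by default" text should come from the policy's declared default so that all pages agree. The newrole page's "Enabled by default" for polyinstantiation_enabled and secure_mode deserves the same check: secure_mode on by default would forbid the very transition to administrative domains that page documents newrole for.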
@@ -54573,18 +95010,103 @@ index 0000000..56dbd55 +.br +.B netlogond_var_lib_t + -+ /var/lib/likewise-open/krb5-affinity.conf ++ /var/lib/likewise/LWNetsd\.err +.br + /var/lib/likewise-open/LWNetsd\.err +.br ++ /var/lib/likewise/krb5-affinity\.conf ++.br ++ /var/lib/likewise-open/krb5-affinity\.conf ++.br + +.br +.B netlogond_var_run_t + -+ /var/run/netlogond.pid ++ /var/run/netlogond\.pid +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux netlogond policy is very flexible allowing users to setup their netlogond processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the netlogond, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t netlogond_exec_t '/srv/netlogond/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynetlogond_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for netlogond: ++ ++ ++.EX ++.PP ++.B netlogond_exec_t ++.EE ++ ++- Set files with the netlogond_exec_t type, if you want to transition an executable to the netlogond_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/netlogond, /opt/likewise/sbin/netlogond ++ ++.EX ++.PP ++.B netlogond_var_lib_t ++.EE ++ ++- Set files with the netlogond_var_lib_t type, if you want to store the netlogond files under the /var/lib directory. 
++ ++.br ++.TP 5 ++Paths: ++/var/lib/likewise/LWNetsd\.err, /var/lib/likewise-open/LWNetsd\.err, /var/lib/likewise/krb5-affinity\.conf, /var/lib/likewise-open/krb5-affinity\.conf ++ ++.EX ++.PP ++.B netlogond_var_run_t ++.EE ++ ++- Set files with the netlogond_var_run_t type, if you want to store the netlogond files under the /run or /var/run directory. ++ ++ ++.EX ++.PP ++.B netlogond_var_socket_t ++.EE ++ ++- Set files with the netlogond_var_socket_t type, if you want to treat the files as netlogond var socket data. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/likewise/\.netlogond, /var/lib/likewise-open/\.netlogond ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -54596,6 +95118,9 @@ index 0000000..56dbd55 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -54607,13 +95132,15 @@ index 0000000..56dbd55 + +.SH "SEE ALSO" +selinux(8), netlogond(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/netutils_selinux.8 b/man/man8/netutils_selinux.8 new file mode 100644 -index 0000000..0c0688f +index 0000000..2724da4 --- /dev/null +++ b/man/man8/netutils_selinux.8 -@@ -0,0 +1,116 @@ -+.TH "netutils_selinux" "8" "12-11-01" "netutils" "SELinux Policy documentation for netutils" +@@ -0,0 +1,223 @@ ++.TH "netutils_selinux" "8" "13-01-16" "netutils" "SELinux Policy documentation for netutils" +.SH "NAME" +netutils_selinux \- Security Enhanced Linux Policy for the netutils processes +.SH "DESCRIPTION" 
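Review bot: The MANAGED FILES list in this hunk now shows netlogond_t managing root_t, with `/` and `/initrd` as the paths, which documents the daemon as able to create and write files in the root directory. If that access exists only when daemons_dump_core is on (documented above as "allow all daemons to write corefiles to /"), the entry should say it is conditional on that boolean; listed unconditionally it reads as a real widening of the daemon's footprint and will alarm anyone auditing the domain. Two smaller points in the same hunk: netlogond_var_run_t gets no `Paths:` block even though `/var/run/netlogond\.pid` is listed for it under MANAGED FILES, while the other types in this hunk do; and the regular expressions in the var_lib paths are now properly escaped (`LWNetsd\.err`, `krb5-affinity\.conf`) where the old text had an unescaped `krb5-affinity.conf`, which is a correct fix and not a rename.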
@@ -54629,7 +95156,9 @@ index 0000000..0c0688f + +.SH "ENTRYPOINTS" + -+The netutils_t SELinux type can be entered via the "netutils_exec_t" file type. The default entrypoint paths for the netutils_t domain are the following:" ++The netutils_t SELinux type can be entered via the \fBnetutils_exec_t\fP file type. ++ ++The default entrypoint paths for the netutils_t domain are the following: + +/sbin/arping, /usr/sbin/arping, /usr/sbin/tcpdump +.SH PROCESS TYPES 
@@ -54647,8 +95176,116 @@ index 0000000..0c0688f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a netutils_t ++can be used to make the process type netutils_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. netutils policy is extremely flexible and has several booleans that allow you to manipulate the policy and run netutils with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the netutils_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the netutils_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type netutils_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B netutils_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
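Review bot: The new MANAGED FILES section at the end of this hunk lists netutils_tmp_t with nothing under it, right after the sentence "The paths listed are the default paths for these file types", so the entry reads as truncated. Temporary-file types are assigned by type transition in /tmp rather than by a file-context path, and the generator should say so for path-less types (for example "no fixed paths; assigned by type transition") instead of emitting an empty block. Grammar in the same sentence: "Note the processes UID still need to have DAC permissions" should be "Note that the process's UID still needs DAC permissions"; the same wording is used in the ncftool and netlogond pages.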
@@ -54658,7 +95295,20 @@ index 0000000..0c0688f +Policy governs the access confined processes have to these files. +SELinux netutils policy is very flexible allowing users to setup their netutils processes in as secure a method as possible. +.PP -+The following file types are defined for netutils: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the netutils, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t netutils_exec_t '/srv/netutils/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynetutils_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for netutils: + + +.EX @@ -54668,6 +95318,10 @@ index 0000000..0c0688f + +- Set files with the netutils_exec_t type, if you want to transition an executable to the netutils_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/arping, /usr/sbin/arping, /usr/sbin/tcpdump + +.EX +.PP 
@@ -54684,30 +95338,6 @@ index 0000000..0c0688f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type netutils_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B netutils_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the netutils_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the netutils_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -54718,6 +95348,9 @@ index 0000000..0c0688f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -54729,13 +95362,15 @@ index 0000000..0c0688f + +.SH "SEE ALSO" +selinux(8), netutils(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/newrole_selinux.8 b/man/man8/newrole_selinux.8 new file mode 100644 -index 0000000..fc68433 +index 0000000..00859e3 --- /dev/null +++ b/man/man8/newrole_selinux.8 -@@ -0,0 +1,178 @@ -+.TH "newrole_selinux" "8" "12-11-01" "newrole" "SELinux Policy documentation for newrole" +@@ -0,0 +1,275 @@ ++.TH "newrole_selinux" "8" "13-01-16" "newrole" "SELinux Policy documentation for newrole" +.SH "NAME" +newrole_selinux \- Security Enhanced Linux Policy for the newrole processes +.SH "DESCRIPTION" 
@@ -54751,7 +95386,9 @@ index 0000000..fc68433 + +.SH "ENTRYPOINTS" + -+The newrole_t SELinux type can be entered via the "newrole_exec_t" file type. The default entrypoint paths for the newrole_t domain are the following:" ++The newrole_t SELinux type can be entered via the \fBnewrole_exec_t\fP file type. ++ ++The default entrypoint paths for the newrole_t domain are the following: + +/usr/bin/newrole +.SH PROCESS TYPES 
@@ -54769,34 +95406,116 @@ index 0000000..fc68433 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a newrole_t ++can be used to make the process type newrole_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux newrole policy is very flexible allowing users to setup their newrole processes in as secure a method as possible. -+.PP -+The following file types are defined for newrole: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. newrole policy is extremely flexible and has several booleans that allow you to manipulate the policy and run newrole with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B newrole_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the newrole_exec_t type, if you want to transition an executable to the newrole_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to enable polyinstantiated directory support, you must turn on the polyinstantiation_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P polyinstantiation_enabled 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the newrole_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the newrole_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -54807,12 +95526,12 @@ index 0000000..fc68433 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B initrc_var_run_t @@ -54853,21 +95572,7 @@ index 0000000..fc68433 +.br +.B lastlog_t + -+ /var/log/lastlog -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm ++ /var/log/lastlog.* +.br + +.br 
@@ -54876,21 +95581,44 @@ index 0000000..fc68433 + /selinux +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux newrole policy is very flexible allowing users to setup their newrole processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the newrole_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the newrole, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t newrole_exec_t '/srv/newrole/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynewrole_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for newrole: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B newrole_exec_t +.EE + ++- Set files with the newrole_exec_t type, if you want to transition an executable to the newrole_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the newrole_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -54902,6 +95630,9 @@ index 0000000..fc68433 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -54913,6 +95644,8 @@ index 0000000..fc68433 + +.SH "SEE ALSO" +selinux(8), newrole(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8 deleted file mode 100644 index 8e30c4c..0000000 @@ -54952,11 +95685,11 @@ index 8e30c4c..0000000 -selinux(8), chcon(1), setsebool(8) diff --git a/man/man8/nfsd_selinux.8 b/man/man8/nfsd_selinux.8 new file mode 100644 -index 0000000..72cf8db +index 0000000..4af9239 --- /dev/null +++ b/man/man8/nfsd_selinux.8 -@@ -0,0 +1,447 @@ -+.TH "nfsd_selinux" "8" "12-11-01" "nfsd" "SELinux Policy documentation for nfsd" +@@ -0,0 +1,375 @@ ++.TH "nfsd_selinux" "8" "13-01-16" "nfsd" "SELinux Policy documentation for nfsd" +.SH "NAME" +nfsd_selinux \- Security Enhanced Linux Policy for the nfsd processes +.SH "DESCRIPTION" @@ -54972,7 +95705,9 @@ index 0000000..72cf8db + +.SH "ENTRYPOINTS" + -+The nfsd_t SELinux type can be entered via the "nfsd_exec_t" file type. The default entrypoint paths for the nfsd_t domain are the following:" ++The nfsd_t SELinux type can be entered via the \fBnfsd_exec_t\fP file type. ++ ++The default entrypoint paths for the nfsd_t domain are the following: + +/usr/sbin/rpc\.nfsd, /usr/sbin/rpc\.mountd +.SH PROCESS TYPES 
@@ -54990,314 +95725,141 @@ index 0000000..72cf8db +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nfsd_t ++can be used to make the process type nfsd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. nfsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nfsd with the tightest access possible. + + +.PP -+If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P ftpd_use_nfs 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_use_nfs 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow any files/directories to be exported read/only via NFS, you must turn on the nfs_export_all_ro boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow any files/directories to be exported read/only via NFS, you must turn on the nfs_export_all_ro boolean. Enabled by default. + +.EX +.B setsebool -P nfs_export_all_ro 1 ++ +.EE + +.PP -+If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean. -+ -+.EX -+.B setsebool -P virt_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean. -+ -+.EX -+.B setsebool -P sge_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean. 
-+ -+.EX -+.B setsebool -P cobbler_use_nfs 1 -+.EE -+ -+.PP -+If you want to determine whether Git system daemon can access nfs file systems, you must turn on the git_system_use_nfs boolean. -+ -+.EX -+.B setsebool -P git_system_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean. -+ -+.EX -+.B setsebool -P rsync_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean. -+ -+.EX -+.B setsebool -P samba_share_nfs 1 -+.EE -+ -+.PP -+If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean. -+ -+.EX -+.B setsebool -P xen_use_nfs 1 -+.EE -+ -+.PP -+If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean. -+ -+.EX -+.B setsebool -P polipo_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow any files/directories to be exported read/write via NFS, you must turn on the nfs_export_all_rw boolean. ++If you want to allow any files/directories to be exported read/write via NFS, you must turn on the nfs_export_all_rw boolean. Enabled by default. + +.EX +.B setsebool -P nfs_export_all_rw 1 ++ +.EE + +.PP -+If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.B setsebool -P sanlock_use_nfs 1 ++.B setsebool -P nis_enabled 1 ++ +.EE + +.PP -+If you want to determine whether Git CGI can access nfs file systems, you must turn on the git_cgi_use_nfs boolean. ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + +.EX -+.B setsebool -P git_cgi_use_nfs 1 ++.B setsebool -P nscd_use_shm 1 ++ +.EE + ++.SH NSSWITCH DOMAIN ++ +.PP -+If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. 
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the nfsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.B setsebool -P use_nfs_home_dirs 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + +.PP -+If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean. ++If you want to allow confined applications to run with kerberos for the nfsd_t, you must turn on the kerberos_enabled boolean. + +.EX -+.B setsebool -P ftpd_use_nfs 1 ++.B setsebool -P kerberos_enabled 1 +.EE + -+.PP -+If you want to allow httpd to access nfs file systems, you must turn on the httpd_use_nfs boolean. -+ -+.EX -+.B setsebool -P httpd_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow any files/directories to be exported read/only via NFS, you must turn on the nfs_export_all_ro boolean. -+ -+.EX -+.B setsebool -P nfs_export_all_ro 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean. -+ -+.EX -+.B setsebool -P virt_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean. -+ -+.EX -+.B setsebool -P sge_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean. -+ -+.EX -+.B setsebool -P cobbler_use_nfs 1 -+.EE -+ -+.PP -+If you want to determine whether Git system daemon can access nfs file systems, you must turn on the git_system_use_nfs boolean. -+ -+.EX -+.B setsebool -P git_system_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean. -+ -+.EX -+.B setsebool -P rsync_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean. 
-+ -+.EX -+.B setsebool -P samba_share_nfs 1 -+.EE -+ -+.PP -+If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean. -+ -+.EX -+.B setsebool -P xen_use_nfs 1 -+.EE -+ -+.PP -+If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean. -+ -+.EX -+.B setsebool -P polipo_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow any files/directories to be exported read/write via NFS, you must turn on the nfs_export_all_rw boolean. -+ -+.EX -+.B setsebool -P nfs_export_all_rw 1 -+.EE -+ -+.PP -+If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean. -+ -+.EX -+.B setsebool -P sanlock_use_nfs 1 -+.EE -+ -+.PP -+If you want to determine whether Git CGI can access nfs file systems, you must turn on the git_cgi_use_nfs boolean. -+ -+.EX -+.B setsebool -P git_cgi_use_nfs 1 -+.EE -+ -+.PP -+If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. -+ -+.EX -+.B setsebool -P use_nfs_home_dirs 1 -+.EE -+ -+.SH SHARING FILES -+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. -+.TP -+Allow nfsd servers to read the /var/nfsd directory by adding the public_content_t file type to the directory and by restoring the file type. -+.PP -+.B -+semanage fcontext -a -t public_content_t "/var/nfsd(/.*)?" -+.br -+.B restorecon -F -R -v /var/nfsd -+.pp -+.TP -+Allow nfsd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_nfsdd_anon_write boolean to be set. -+.PP -+.B -+semanage fcontext -a -t public_content_rw_t "/var/nfsd/incoming(/.*)?" 
-+.br -+.B restorecon -F -R -v /var/nfsd/incoming -+ -+ -+.PP -+If you want to allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the nfsd_anon_write boolean. -+ -+.EX -+.B setsebool -P nfsd_anon_write 1 -+.EE -+ -+.PP -+If you want to allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the nfsd_anon_write boolean. -+ -+.EX -+.B setsebool -P nfsd_anon_write 1 -+.EE -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux nfsd policy is very flexible allowing users to setup their nfsd processes in as secure a method as possible. -+.PP -+The following file types are defined for nfsd: -+ -+ -+.EX -+.PP -+.B nfsd_exec_t -+.EE -+ -+- Set files with the nfsd_exec_t type, if you want to transition an executable to the nfsd_t domain. -+ -+ -+.EX -+.PP -+.B nfsd_initrc_exec_t -+.EE -+ -+- Set files with the nfsd_initrc_exec_t type, if you want to transition an executable to the nfsd_initrc_t domain. -+ -+ -+.EX -+.PP -+.B nfsd_ro_t -+.EE -+ -+- Set files with the nfsd_ro_t type, if you want to treat the files as nfsd read/only content. -+ -+ -+.EX -+.PP -+.B nfsd_rw_t -+.EE -+ -+- Set files with the nfsd_rw_t type, if you want to treat the files as nfsd read/write content. -+ -+ -+.EX -+.PP -+.B nfsd_unit_file_t -+.EE -+ -+- Set files with the nfsd_unit_file_t type, if you want to treat the files as nfsd unit content. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. -+ +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP @@ -55346,6 +95908,20 @@ index 0000000..72cf8db + + +.br ++.B public_content_rw_t ++ ++ /var/spool/abrt-upload(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B var_lib_nfs_t + + /var/lib/nfs(/.*)? 
@@ -55359,20 +95935,105 @@ index 0000000..72cf8db + /var/lib(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux nfsd policy is very flexible allowing users to setup their nfsd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nfsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nfsd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nfsd_exec_t '/srv/nfsd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynfsd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nfsd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B nfsd_exec_t +.EE + -+.PP -+If you want to allow confined applications to run with kerberos for the nfsd_t, you must turn on the kerberos_enabled boolean. ++- Set files with the nfsd_exec_t type, if you want to transition an executable to the nfsd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/rpc\.nfsd, /usr/sbin/rpc\.mountd + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B nfsd_initrc_exec_t ++.EE ++ ++- Set files with the nfsd_initrc_exec_t type, if you want to transition an executable to the nfsd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B nfsd_ro_t ++.EE ++ ++- Set files with the nfsd_ro_t type, if you want to treat the files as nfsd read/only content. 
++ ++ ++.EX ++.PP ++.B nfsd_rw_t ++.EE ++ ++- Set files with the nfsd_rw_t type, if you want to treat the files as nfsd read/write content. ++ ++ ++.EX ++.PP ++.B nfsd_unit_file_t ++.EE ++ ++- Set files with the nfsd_unit_file_t type, if you want to treat the files as nfsd unit content. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH SHARING FILES ++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. ++.TP ++Allow nfsd servers to read the /var/nfsd directory by adding the public_content_t file type to the directory and by restoring the file type. ++.PP ++.B ++semanage fcontext -a -t public_content_t "/var/nfsd(/.*)?" ++.br ++.B restorecon -F -R -v /var/nfsd ++.pp ++.TP ++Allow nfsd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_nfsdd_anon_write boolean to be set. ++.PP ++.B ++semanage fcontext -a -t public_content_rw_t "/var/nfsd/incoming(/.*)?" ++.br ++.B restorecon -F -R -v /var/nfsd/incoming ++ ++ ++.PP ++If you want to allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the nfsd_anon_write boolean. ++ ++.EX ++.B setsebool -P nfsd_anon_write 1 +.EE + +.SH "COMMANDS" @@ -55413,11 +96074,11 @@ index 6271c95..0000000 -.so man8/ypbind_selinux.8 
diff --git a/man/man8/nmbd_selinux.8 b/man/man8/nmbd_selinux.8 new file mode 100644 -index 0000000..d15f44d +index 0000000..27dd2f3 --- /dev/null +++ b/man/man8/nmbd_selinux.8 -@@ -0,0 +1,170 @@ -+.TH "nmbd_selinux" "8" "12-11-01" "nmbd" "SELinux Policy documentation for nmbd" +@@ -0,0 +1,292 @@ ++.TH "nmbd_selinux" "8" "13-01-16" "nmbd" "SELinux Policy documentation for nmbd" +.SH "NAME" +nmbd_selinux \- Security Enhanced Linux Policy for the nmbd processes +.SH "DESCRIPTION" @@ -55433,7 +96094,9 @@ index 0000000..d15f44d + +.SH "ENTRYPOINTS" + -+The nmbd_t SELinux type can be entered via the "nmbd_exec_t" file type. The default entrypoint paths for the nmbd_t domain are the following:" ++The nmbd_t SELinux type can be entered via the \fBnmbd_exec_t\fP file type. ++ ++The default entrypoint paths for the nmbd_t domain are the following: + +/usr/sbin/nmbd +.SH PROCESS TYPES 
@@ -55451,42 +96114,140 @@ index 0000000..d15f44d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nmbd_t ++can be used to make the process type nmbd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux nmbd policy is very flexible allowing users to setup their nmbd processes in as secure a method as possible. -+.PP -+The following file types are defined for nmbd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nmbd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nmbd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B nmbd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the nmbd_exec_t type, if you want to transition an executable to the nmbd_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B nmbd_var_run_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the nmbd_var_run_t type, if you want to store the nmbd files under the /run directory. ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow samba to share any file/directory read only, you must turn on the samba_export_all_ro boolean. Disabled by default. ++ ++.EX ++.B setsebool -P samba_export_all_ro 1 ++ ++.EE ++ ++.PP ++If you want to allow samba to share any file/directory read/write, you must turn on the samba_export_all_rw boolean. Disabled by default. ++ ++.EX ++.B setsebool -P samba_export_all_rw 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the nmbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nmbd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -55516,52 +96277,70 @@ index 0000000..d15f44d +The SELinux process type nmbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B non_security_file_type ++ ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux nmbd policy is very flexible allowing users to setup their nmbd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++nmbd policy stores data with multiple different file context types under the /var/run/samba/nmbd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/samba/nmbd /srv/nmbd ++.br ++.B restorecon -R -v /srv/nmbd ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nmbd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nmbd_exec_t '/srv/nmbd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynmbd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nmbd: ++ ++ ++.EX ++.PP ++.B nmbd_exec_t ++.EE ++ ++- Set files with the nmbd_exec_t type, if you want to transition an executable to the nmbd_t domain. ++ ++ ++.EX ++.PP +.B nmbd_var_run_t -+ -+ /var/run/nmbd(/.*)? -+.br -+ /var/run/samba/nmbd(/.*)? 
-+.br -+ /var/run/samba/nmbd\.pid -+.br -+ /var/run/samba/messages\.tdb -+.br -+ /var/run/samba/namelist\.debug -+.br -+ /var/run/samba/unexpected\.tdb -+.br -+ -+.br -+.B samba_log_t -+ -+ /var/log/samba(/.*)? -+.br -+ -+.br -+.B samba_var_t -+ -+ /var/lib/samba(/.*)? -+.br -+ /var/cache/samba(/.*)? -+.br -+ /var/spool/samba(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nmbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+.PP -+If you want to allow confined applications to run with kerberos for the nmbd_t, you must turn on the kerberos_enabled boolean. ++- Set files with the nmbd_var_run_t type, if you want to store the nmbd files under the /run or /var/run directory. + -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++.br ++.TP 5 ++Paths: ++/var/run/nmbd(/.*)?, /var/run/samba/nmbd(/.*)?, /var/run/samba/nmbd\.pid, /var/run/samba/messages\.tdb, /var/run/samba/namelist\.debug, /var/run/samba/unexpected\.tdb ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -55576,6 +96355,9 @@ index 0000000..d15f44d +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -55587,13 +96369,15 @@ index 0000000..d15f44d + +.SH "SEE ALSO" +selinux(8), nmbd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
diff --git a/man/man8/nova_ajax_selinux.8 b/man/man8/nova_ajax_selinux.8 new file mode 100644 -index 0000000..f57b656 +index 0000000..ba8fc77 --- /dev/null +++ b/man/man8/nova_ajax_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "nova_ajax_selinux" "8" "12-11-01" "nova_ajax" "SELinux Policy documentation for nova_ajax" +@@ -0,0 +1,221 @@ ++.TH "nova_ajax_selinux" "8" "13-01-16" "nova_ajax" "SELinux Policy documentation for nova_ajax" +.SH "NAME" +nova_ajax_selinux \- Security Enhanced Linux Policy for the nova_ajax processes +.SH "DESCRIPTION" @@ -55609,7 +96393,9 @@ index 0000000..f57b656 + +.SH "ENTRYPOINTS" + -+The nova_ajax_t SELinux type can be entered via the "nova_ajax_exec_t" file type. The default entrypoint paths for the nova_ajax_t domain are the following:" ++The nova_ajax_t SELinux type can be entered via the \fBnova_ajax_exec_t\fP file type. ++ ++The default entrypoint paths for the nova_ajax_t domain are the following: + +/usr/bin/nova-ajax-console-proxy +.SH PROCESS TYPES 
@@ -55627,8 +96413,110 @@ index 0000000..f57b656 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nova_ajax_t ++can be used to make the process type nova_ajax_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nova_ajax policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nova_ajax with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nova_ajax_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B nova_ajax_tmp_t ++ ++ ++.br ++.B nova_log_t ++ ++ /var/log/nova(/.*)? ++.br ++ ++.br ++.B nova_var_lib_t ++ ++ /var/lib/nova(/.*)? ++.br ++ ++.br ++.B nova_var_run_t ++ ++ /var/run/nova(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -55638,7 +96526,20 @@ index 0000000..f57b656 +Policy governs the access confined processes have to these files. +SELinux nova_ajax policy is very flexible allowing users to setup their nova_ajax processes in as secure a method as possible. +.PP -+The following file types are defined for nova_ajax: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nova_ajax, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nova_ajax_exec_t '/srv/nova_ajax/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynova_ajax_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nova_ajax: + + +.EX 
@@ -55672,34 +96573,6 @@ index 0000000..f57b656 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nova_ajax_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nova_ajax_tmp_t -+ -+ -+.br -+.B nova_log_t -+ -+ /var/log/nova(/.*)? -+.br -+ -+.br -+.B nova_var_lib_t -+ -+ /var/lib/nova(/.*)? -+.br -+ -+.br -+.B nova_var_run_t -+ -+ /var/run/nova(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -55710,6 +96583,9 @@ index 0000000..f57b656 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -55721,15 +96597,15 @@ index 0000000..f57b656 + +.SH "SEE ALSO" +selinux(8), nova_ajax(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) ++, setsebool(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) \ No newline at end of file diff --git a/man/man8/nova_api_selinux.8 b/man/man8/nova_api_selinux.8 new file mode 100644 -index 0000000..094a9ae +index 0000000..bfea06c --- /dev/null 
+++ b/man/man8/nova_api_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "nova_api_selinux" "8" "12-11-01" "nova_api" "SELinux Policy documentation for nova_api" +@@ -0,0 +1,229 @@ ++.TH "nova_api_selinux" "8" "13-01-16" "nova_api" "SELinux Policy documentation for nova_api" +.SH "NAME" +nova_api_selinux \- Security Enhanced Linux Policy for the nova_api processes +.SH "DESCRIPTION" @@ -55745,7 +96621,9 @@ index 0000000..094a9ae + +.SH "ENTRYPOINTS" + -+The nova_api_t SELinux type can be entered via the "nova_api_exec_t" file type. The default entrypoint paths for the nova_api_t domain are the following:" ++The nova_api_t SELinux type can be entered via the \fBnova_api_exec_t\fP file type. ++ ++The default entrypoint paths for the nova_api_t domain are the following: + +/usr/bin/nova-api, /usr//bin/nova-api-metadata +.SH PROCESS TYPES 
@@ -55763,50 +96641,76 @@ index 0000000..094a9ae +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nova_api_t ++can be used to make the process type nova_api_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux nova_api policy is very flexible allowing users to setup their nova_api processes in as secure a method as possible. -+.PP -+The following file types are defined for nova_api: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nova_api policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nova_api with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B nova_api_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the nova_api_exec_t type, if you want to transition an executable to the nova_api_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B nova_api_tmp_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the nova_api_tmp_t type, if you want to store nova api temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B nova_api_unit_file_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the nova_api_unit_file_t type, if you want to treat the files as nova api unit content. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -55834,7 +96738,76 @@ index 0000000..094a9ae + /var/run/nova(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux nova_api policy is very flexible allowing users to setup their nova_api processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nova_api, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nova_api_exec_t '/srv/nova_api/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynova_api_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nova_api: ++ ++ ++.EX ++.PP ++.B nova_api_exec_t ++.EE ++ ++- Set files with the nova_api_exec_t type, if you want to transition an executable to the nova_api_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/nova-api, /usr//bin/nova-api-metadata ++ ++.EX ++.PP ++.B nova_api_tmp_t ++.EE ++ ++- Set files with the nova_api_tmp_t type, if you want to store nova api temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B nova_api_unit_file_t ++.EE ++ ++- Set files with the nova_api_unit_file_t type, if you want to treat the files as nova api unit content. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/systemd/system/openstack-nova-api.*, /usr/lib/systemd/system/openstack-nova-metadata-api.service.* ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. 
This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -55846,6 +96819,9 @@ index 0000000..094a9ae +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -55857,15 +96833,15 @@ index 0000000..094a9ae + +.SH "SEE ALSO" +selinux(8), nova_api(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nova_ajax_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) ++, setsebool(8), nova_ajax_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) \ No newline at end of file diff --git a/man/man8/nova_cert_selinux.8 b/man/man8/nova_cert_selinux.8 new file mode 100644 -index 0000000..252fa7f +index 0000000..98857cb --- /dev/null +++ b/man/man8/nova_cert_selinux.8 -@@ -0,0 +1,143 @@ -+.TH "nova_cert_selinux" "8" "12-11-01" "nova_cert" "SELinux Policy documentation for nova_cert" +@@ -0,0 +1,269 @@ ++.TH "nova_cert_selinux" "8" "13-01-16" "nova_cert" "SELinux Policy documentation for nova_cert" +.SH "NAME" +nova_cert_selinux \- Security Enhanced Linux Policy for the nova_cert processes +.SH "DESCRIPTION" 
@@ -55881,7 +96857,9 @@ index 0000000..252fa7f + +.SH "ENTRYPOINTS" + -+The nova_cert_t SELinux type can be entered via the "nova_cert_exec_t" file type. The default entrypoint paths for the nova_cert_t domain are the following:" ++The nova_cert_t SELinux type can be entered via the \fBnova_cert_exec_t\fP file type. ++ ++The default entrypoint paths for the nova_cert_t domain are the following: + +/usr/bin/nova-cert +.SH PROCESS TYPES 
@@ -55899,8 +96877,158 @@ index 0000000..252fa7f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nova_cert_t ++can be used to make the process type nova_cert_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nova_cert policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nova_cert with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the nova_cert_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nova_cert_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nova_cert_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B nova_cert_tmp_t ++ ++ ++.br ++.B nova_log_t ++ ++ /var/log/nova(/.*)? ++.br ++ ++.br ++.B nova_var_lib_t ++ ++ /var/lib/nova(/.*)? ++.br ++ ++.br ++.B nova_var_run_t ++ ++ /var/run/nova(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -55910,7 +97038,20 @@ index 0000000..252fa7f +Policy governs the access confined processes have to these files. +SELinux nova_cert policy is very flexible allowing users to setup their nova_cert processes in as secure a method as possible. +.PP -+The following file types are defined for nova_cert: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nova_cert, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nova_cert_exec_t '/srv/nova_cert/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynova_cert_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nova_cert: + + +.EX 
@@ -55944,48 +97085,6 @@ index 0000000..252fa7f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nova_cert_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nova_cert_tmp_t -+ -+ -+.br -+.B nova_log_t -+ -+ /var/log/nova(/.*)? -+.br -+ -+.br -+.B nova_var_lib_t -+ -+ /var/lib/nova(/.*)? -+.br -+ -+.br -+.B nova_var_run_t -+ -+ /var/run/nova(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nova_cert_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the nova_cert_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -55996,6 +97095,9 @@ index 0000000..252fa7f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -56007,15 +97109,15 @@ index 0000000..252fa7f + +.SH "SEE ALSO" +selinux(8), nova_cert(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nova_ajax_selinux(8), nova_api_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) ++, setsebool(8), nova_ajax_selinux(8), nova_api_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) \ No newline at end of file diff --git a/man/man8/nova_compute_selinux.8 b/man/man8/nova_compute_selinux.8 new file mode 100644 -index 0000000..cd73723 +index 0000000..b8bf0cc --- /dev/null +++ b/man/man8/nova_compute_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "nova_compute_selinux" "8" "12-11-01" "nova_compute" "SELinux Policy documentation for nova_compute" +@@ -0,0 +1,166 @@ ++.TH "nova_compute_selinux" "8" "13-01-16" "nova_compute" "SELinux Policy documentation for nova_compute" +.SH "NAME" +nova_compute_selinux \- Security Enhanced Linux Policy for the nova_compute processes +.SH "DESCRIPTION" @@ -56031,7 +97133,9 @@ index 0000000..cd73723 + +.SH "ENTRYPOINTS" + -+The nova_compute_t SELinux type can be entered via the "nova_compute_exec_t" file type. The default entrypoint paths for the nova_compute_t domain are the following:" ++The nova_compute_t SELinux type can be entered via the \fBnova_compute_exec_t\fP file type. ++ ++The default entrypoint paths for the nova_compute_t domain are the following: + + +.SH PROCESS TYPES 
@@ -56049,50 +97153,76 @@ index 0000000..cd73723 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nova_compute_t ++can be used to make the process type nova_compute_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux nova_compute policy is very flexible allowing users to setup their nova_compute processes in as secure a method as possible. -+.PP -+The following file types are defined for nova_compute: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nova_compute policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nova_compute with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B nova_compute_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the nova_compute_exec_t type, if you want to transition an executable to the nova_compute_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B nova_compute_tmp_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the nova_compute_tmp_t type, if you want to store nova compute temporary files in the /tmp directories. 
-+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B nova_compute_unit_file_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the nova_compute_unit_file_t type, if you want to treat the files as nova compute unit content. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -56120,7 +97250,13 @@ index 0000000..cd73723 + /var/run/nova(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH "COMMANDS" +.B semanage fcontext 
@@ -56132,6 +97268,9 @@ index 0000000..cd73723 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -56143,15 +97282,15 @@ index 0000000..cd73723 + +.SH "SEE ALSO" +selinux(8), nova_compute(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) ++, setsebool(8), nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) \ No newline at end of file diff --git a/man/man8/nova_console_selinux.8 b/man/man8/nova_console_selinux.8 new file mode 100644 -index 0000000..3ac720b +index 0000000..d2efda1 --- /dev/null +++ b/man/man8/nova_console_selinux.8 -@@ -0,0 +1,143 @@ -+.TH "nova_console_selinux" "8" "12-11-01" "nova_console" "SELinux Policy documentation for nova_console" +@@ -0,0 +1,269 @@ ++.TH "nova_console_selinux" "8" "13-01-16" "nova_console" "SELinux Policy documentation for nova_console" +.SH "NAME" +nova_console_selinux \- Security Enhanced Linux Policy for the nova_console processes +.SH "DESCRIPTION" 
@@ -56167,7 +97306,9 @@ index 0000000..3ac720b + +.SH "ENTRYPOINTS" + -+The nova_console_t SELinux type can be entered via the "nova_console_exec_t" file type. The default entrypoint paths for the nova_console_t domain are the following:" ++The nova_console_t SELinux type can be entered via the \fBnova_console_exec_t\fP file type. ++ ++The default entrypoint paths for the nova_console_t domain are the following: + +/usr/bin/nova-console.* +.SH PROCESS TYPES 
@@ -56185,8 +97326,158 @@ index 0000000..3ac720b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nova_console_t ++can be used to make the process type nova_console_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nova_console policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nova_console with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the nova_console_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nova_console_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nova_console_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B nova_console_tmp_t ++ ++ ++.br ++.B nova_log_t ++ ++ /var/log/nova(/.*)? ++.br ++ ++.br ++.B nova_var_lib_t ++ ++ /var/lib/nova(/.*)? ++.br ++ ++.br ++.B nova_var_run_t ++ ++ /var/run/nova(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -56196,7 +97487,20 @@ index 0000000..3ac720b +Policy governs the access confined processes have to these files. +SELinux nova_console policy is very flexible allowing users to setup their nova_console processes in as secure a method as possible. +.PP -+The following file types are defined for nova_console: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nova_console, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nova_console_exec_t '/srv/nova_console/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynova_console_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nova_console: + + +.EX 
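Review bot: root_t is now listed among the file types nova_console_t can manage, with default paths "/" and "/initrd"; that is a broad grant for a console service, and from the BOOLEANS section the likely source is the daemons_dump_core rule ("allow all daemons to write corefiles to /", disabled by default). If the access is in fact conditional, the MANAGED FILES list should say so instead of presenting write access to / as unconditional. In the new STANDARD FILE CONTEXT block the two commands disagree: `semanage fcontext` registers `/srv/nova_console/content(/.*)?` while `restorecon` is run on `/srv/mynova_console_content`, so the second command never touches the path the first one labelled. The example also labels a content directory with nova_console_exec_t, the entrypoint type, so any file placed there would become an entrypoint into nova_console_t; a data type from the MANAGED FILES list (nova_var_lib_t, for instance) is the right example for a content tree. Typos in the same block: "in a diffent paths" and "sepecify".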
@@ -56230,12 +97534,151 @@ index 0000000..3ac720b +.B restorecon +to apply the labels. + ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), nova_console(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) +\ No newline at end of file +diff --git a/man/man8/nova_direct_selinux.8 b/man/man8/nova_direct_selinux.8 +new file mode 100644 +index 0000000..12e3b94 +--- /dev/null ++++ b/man/man8/nova_direct_selinux.8 +@@ -0,0 +1,221 @@ ++.TH "nova_direct_selinux" "8" "13-01-16" "nova_direct" "SELinux Policy documentation for nova_direct" ++.SH "NAME" ++nova_direct_selinux \- Security Enhanced Linux Policy for the nova_direct processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the nova_direct processes via flexible mandatory access control. ++ ++The nova_direct processes execute with the nova_direct_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep nova_direct_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The nova_direct_t SELinux type can be entered via the \fBnova_direct_exec_t\fP file type. 
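Review bot: In the COMMANDS section the new `.B semanage boolean` entry is the only one without a preceding `.PP`, so it renders run together with the `semanage module` paragraph, and its sentence has no terminating period. The SEE ALSO list now starts a line with ", setsebool(8)"; the comma should be joined onto the previous line. The generated file also ends without a trailing newline ("\ No newline at end of file"), which `sepolicy manpage` should emit for every page it writes.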
++ ++The default entrypoint paths for the nova_direct_t domain are the following: ++ ++/usr/bin/nova-direct-api ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux nova_direct policy is very flexible allowing users to setup their nova_direct processes in as secure a method as possible. ++.PP ++The following process types are defined for nova_direct: ++ ++.EX ++.B nova_direct_t ++.EE ++.PP ++Note: ++.B semanage permissive -a nova_direct_t ++can be used to make the process type nova_direct_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nova_direct policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nova_direct with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. 
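Review bot: `\fBps\bP` in the PROCESS TYPES paragraph of nova_direct_selinux.8 should be `\fBps\fP`; `\b` is not the font-restore escape, so the rest of that line renders wrong. The deny_ptrace entry in this file's BOOLEANS section has the same inverted wording and no-op `setsebool -P deny_ptrace 1` as in nova_console_selinux.8 earlier in this patch.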
Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ +.SH "MANAGED FILES" + -+The SELinux process type nova_console_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++The SELinux process type nova_direct_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B nova_console_tmp_t ++.B nova_direct_tmp_t + + +.br 
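Review bot: The MANAGED FILES hunk fixes a real defect in the previous nova_direct_selinux.8, which described nova_console_t and nova_console_tmp_t instead of nova_direct_t and nova_direct_tmp_t. Since the old text shows the generator once emitted a neighbouring domain's name, it is worth confirming that every other page in this patch was regenerated in the same run rather than copied.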
@@ -56256,87 +97699,13 @@ index 0000000..3ac720b + /var/run/nova(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t + -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nova_console_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the nova_console_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. -+ -+.SH "SEE ALSO" -+selinux(8), nova_console(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) -\ No newline at end of file -diff --git a/man/man8/nova_direct_selinux.8 b/man/man8/nova_direct_selinux.8 -new file mode 100644 -index 0000000..7739204 ---- /dev/null -+++ b/man/man8/nova_direct_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "nova_direct_selinux" "8" "12-11-01" "nova_direct" "SELinux Policy documentation for nova_direct" -+.SH "NAME" -+nova_direct_selinux \- Security Enhanced Linux Policy for the nova_direct processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the nova_direct processes via flexible mandatory access control. 
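Review bot: Dropping the NSSWITCH DOMAIN section from nova_direct_selinux.8 is right, since the removed text referred to "the nova_console_t" and nova_direct's own BOOLEANS section lists no nsswitch booleans (the removed text also carried the typo "sssd serve"). The root_t entry added here for nova_direct_t ("/" and "/initrd") raises the same question as for nova_console_t: name the boolean it depends on (daemons_dump_core, going by the wording "write corefiles to /") rather than listing / as unconditionally managed.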
-+ -+The nova_direct processes execute with the nova_direct_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. -+ -+For example: -+ -+.B ps -eZ | grep nova_direct_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The nova_direct_t SELinux type can be entered via the "nova_direct_exec_t" file type. The default entrypoint paths for the nova_direct_t domain are the following:" -+ -+/usr/bin/nova-direct-api -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux nova_direct policy is very flexible allowing users to setup their nova_direct processes in as secure a method as possible. -+.PP -+The following process types are defined for nova_direct: -+ -+.EX -+.B nova_direct_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -56346,7 +97715,20 @@ index 0000000..7739204 +Policy governs the access confined processes have to these files. +SELinux nova_direct policy is very flexible allowing users to setup their nova_direct processes in as secure a method as possible. +.PP -+The following file types are defined for nova_direct: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nova_direct, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nova_direct_exec_t '/srv/nova_direct/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynova_direct_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nova_direct: + + +.EX @@ -56380,34 +97762,6 @@ index 0000000..7739204 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nova_direct_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nova_direct_tmp_t -+ -+ -+.br -+.B nova_log_t -+ -+ /var/log/nova(/.*)? -+.br -+ -+.br -+.B nova_var_lib_t -+ -+ /var/lib/nova(/.*)? -+.br -+ -+.br -+.B nova_var_run_t -+ -+ /var/run/nova(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -56418,6 +97772,9 @@ index 0000000..7739204 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
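Review bot: The STANDARD FILE CONTEXT block added to nova_direct_selinux.8 repeats the mismatch from the nova_console page: `semanage fcontext` registers `/srv/nova_direct/content(/.*)?` but `restorecon` is run on `/srv/mynova_direct_content`, and the example type nova_direct_exec_t is the domain entrypoint, not a content type. The `.B semanage boolean` entry again lacks the `.PP` its neighbours have, and "diffent" and "sepecify" recur.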
@@ -56429,15 +97786,15 @@ index 0000000..7739204 + +.SH "SEE ALSO" +selinux(8), nova_direct(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) ++, setsebool(8), nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) \ No newline at end of file diff --git a/man/man8/nova_network_selinux.8 b/man/man8/nova_network_selinux.8 new file mode 100644 -index 0000000..953274d +index 0000000..fe18f6d --- /dev/null +++ b/man/man8/nova_network_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "nova_network_selinux" "8" "12-11-01" "nova_network" "SELinux Policy documentation for nova_network" +@@ -0,0 +1,221 @@ ++.TH "nova_network_selinux" "8" "13-01-16" "nova_network" "SELinux Policy documentation for nova_network" +.SH "NAME" +nova_network_selinux \- Security Enhanced Linux Policy for the nova_network processes +.SH "DESCRIPTION" @@ -56453,7 +97810,9 @@ index 0000000..953274d + +.SH "ENTRYPOINTS" + -+The nova_network_t SELinux type can be entered via the "nova_network_exec_t" file type. The default entrypoint paths for the nova_network_t domain are the following:" ++The nova_network_t SELinux type can be entered via the \fBnova_network_exec_t\fP file type. ++ ++The default entrypoint paths for the nova_network_t domain are the following: + +/usr/bin/nova-network +.SH PROCESS TYPES 
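Review bot: SEE ALSO in nova_direct_selinux.8 now starts a line with ", setsebool(8)"; join the comma onto the previous line so the list reads as one sentence.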
@@ -56471,8 +97830,110 @@ index 0000000..953274d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nova_network_t ++can be used to make the process type nova_network_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nova_network policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nova_network with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
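Review bot: nova_network_selinux.8 carries the same inverted deny_ptrace entry (allowing ptrace requires `setsebool -P deny_ptrace 0`, not 1) and the same no-op `... 1` examples for booleans already "Enabled by default" (deny_ptrace, domain_fd_use) as the nova_console page in this patch.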
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nova_network_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B nova_log_t ++ ++ /var/log/nova(/.*)? ++.br ++ ++.br ++.B nova_network_tmp_t ++ ++ ++.br ++.B nova_var_lib_t ++ ++ /var/lib/nova(/.*)? ++.br ++ ++.br ++.B nova_var_run_t ++ ++ /var/run/nova(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -56482,7 +97943,20 @@ index 0000000..953274d +Policy governs the access confined processes have to these files. +SELinux nova_network policy is very flexible allowing users to setup their nova_network processes in as secure a method as possible. +.PP -+The following file types are defined for nova_network: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nova_network, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nova_network_exec_t '/srv/nova_network/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynova_network_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nova_network: + + +.EX 
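Review bot: Same two issues as the nova_console and nova_direct pages: root_t ("/", "/initrd") is listed as managed by nova_network_t without saying which boolean grants it, and the STANDARD FILE CONTEXT example labels `/srv/nova_network/content(/.*)?` with the entrypoint type nova_network_exec_t and then runs `restorecon` on the unrelated path `/srv/mynova_network_content`.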
@@ -56516,34 +97990,6 @@ index 0000000..953274d +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nova_network_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nova_log_t -+ -+ /var/log/nova(/.*)? -+.br -+ -+.br -+.B nova_network_tmp_t -+ -+ -+.br -+.B nova_var_lib_t -+ -+ /var/lib/nova(/.*)? -+.br -+ -+.br -+.B nova_var_run_t -+ -+ /var/run/nova(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -56554,6 +98000,9 @@ index 0000000..953274d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -56565,15 +98014,15 @@ index 0000000..953274d + +.SH "SEE ALSO" +selinux(8), nova_network(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) ++, setsebool(8), nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) \ No newline at end of file diff --git a/man/man8/nova_objectstore_selinux.8 b/man/man8/nova_objectstore_selinux.8 new file mode 100644 -index 0000000..449bba7 +index 0000000..3134f10 --- /dev/null 
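Review bot: The "NSSWITCH DOMAIN" heading removed from nova_network_selinux.8 had no body, so dropping it is correct. The added `.B semanage boolean` entry needs a `.PP` before it and a terminating period, and the SEE ALSO line for nova_network again begins with ", setsebool(8)".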
+++ b/man/man8/nova_objectstore_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "nova_objectstore_selinux" "8" "12-11-01" "nova_objectstore" "SELinux Policy documentation for nova_objectstore" +@@ -0,0 +1,221 @@ ++.TH "nova_objectstore_selinux" "8" "13-01-16" "nova_objectstore" "SELinux Policy documentation for nova_objectstore" +.SH "NAME" +nova_objectstore_selinux \- Security Enhanced Linux Policy for the nova_objectstore processes +.SH "DESCRIPTION" @@ -56589,7 +98038,9 @@ index 0000000..449bba7 + +.SH "ENTRYPOINTS" + -+The nova_objectstore_t SELinux type can be entered via the "nova_objectstore_exec_t" file type. The default entrypoint paths for the nova_objectstore_t domain are the following:" ++The nova_objectstore_t SELinux type can be entered via the \fBnova_objectstore_exec_t\fP file type. ++ ++The default entrypoint paths for the nova_objectstore_t domain are the following: + +/usr/bin/nova-objectstore +.SH PROCESS TYPES 
@@ -56607,8 +98058,110 @@ index 0000000..449bba7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nova_objectstore_t ++can be used to make the process type nova_objectstore_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nova_objectstore policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nova_objectstore with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
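Review bot: nova_objectstore_selinux.8 repeats the inverted deny_ptrace wording and the `setsebool -P ... 1` examples for booleans that are already "Enabled by default"; the fix belongs in the generator templates so all nova pages change together.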
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nova_objectstore_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B nova_log_t ++ ++ /var/log/nova(/.*)? ++.br ++ ++.br ++.B nova_objectstore_tmp_t ++ ++ ++.br ++.B nova_var_lib_t ++ ++ /var/lib/nova(/.*)? ++.br ++ ++.br ++.B nova_var_run_t ++ ++ /var/run/nova(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -56618,7 +98171,20 @@ index 0000000..449bba7 +Policy governs the access confined processes have to these files. +SELinux nova_objectstore policy is very flexible allowing users to setup their nova_objectstore processes in as secure a method as possible. +.PP -+The following file types are defined for nova_objectstore: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nova_objectstore, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nova_objectstore_exec_t '/srv/nova_objectstore/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynova_objectstore_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nova_objectstore: + + +.EX 
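Review bot: For nova_objectstore_t the MANAGED FILES list again includes root_t ("/", "/initrd") without naming the boolean behind it, and the STANDARD FILE CONTEXT example again pairs a `semanage fcontext` pattern (`/srv/nova_objectstore/content(/.*)?`, labelled with the entrypoint type nova_objectstore_exec_t) with a `restorecon` path (`/srv/mynova_objectstore_content`) that it does not match.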
@@ -56652,34 +98218,6 @@ index 0000000..449bba7 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nova_objectstore_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nova_log_t -+ -+ /var/log/nova(/.*)? -+.br -+ -+.br -+.B nova_objectstore_tmp_t -+ -+ -+.br -+.B nova_var_lib_t -+ -+ /var/lib/nova(/.*)? -+.br -+ -+.br -+.B nova_var_run_t -+ -+ /var/run/nova(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -56690,6 +98228,9 @@ index 0000000..449bba7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -56701,15 +98242,15 @@ index 0000000..449bba7 + +.SH "SEE ALSO" +selinux(8), nova_objectstore(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) ++, setsebool(8), nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) \ No newline at end of file diff --git a/man/man8/nova_scheduler_selinux.8 b/man/man8/nova_scheduler_selinux.8 new file mode 100644 -index 0000000..ef40436 +index 0000000..a9e26dd --- /dev/null 
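Review bot: Same COMMANDS and SEE ALSO formatting as the other nova pages: `.B semanage boolean` has no `.PP` and no period, and the SEE ALSO continuation line starts with ", setsebool(8)". Removing the empty "NSSWITCH DOMAIN" heading is correct.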
+++ b/man/man8/nova_scheduler_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "nova_scheduler_selinux" "8" "12-11-01" "nova_scheduler" "SELinux Policy documentation for nova_scheduler" +@@ -0,0 +1,221 @@ ++.TH "nova_scheduler_selinux" "8" "13-01-16" "nova_scheduler" "SELinux Policy documentation for nova_scheduler" +.SH "NAME" +nova_scheduler_selinux \- Security Enhanced Linux Policy for the nova_scheduler processes +.SH "DESCRIPTION" @@ -56725,7 +98266,9 @@ index 0000000..ef40436 + +.SH "ENTRYPOINTS" + -+The nova_scheduler_t SELinux type can be entered via the "nova_scheduler_exec_t" file type. The default entrypoint paths for the nova_scheduler_t domain are the following:" ++The nova_scheduler_t SELinux type can be entered via the \fBnova_scheduler_exec_t\fP file type. ++ ++The default entrypoint paths for the nova_scheduler_t domain are the following: + +/usr/bin/nova-scheduler +.SH PROCESS TYPES 
@@ -56743,8 +98286,110 @@ index 0000000..ef40436 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nova_scheduler_t ++can be used to make the process type nova_scheduler_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nova_scheduler policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nova_scheduler with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
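Review bot: nova_scheduler_selinux.8 has the same inverted deny_ptrace entry (`setsebool -P deny_ptrace 1` does not allow debugging, 0 does) and the same no-op examples for booleans "Enabled by default".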
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nova_scheduler_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B nova_log_t ++ ++ /var/log/nova(/.*)? ++.br ++ ++.br ++.B nova_scheduler_tmp_t ++ ++ ++.br ++.B nova_var_lib_t ++ ++ /var/lib/nova(/.*)? ++.br ++ ++.br ++.B nova_var_run_t ++ ++ /var/run/nova(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -56754,7 +98399,20 @@ index 0000000..ef40436 +Policy governs the access confined processes have to these files. +SELinux nova_scheduler policy is very flexible allowing users to setup their nova_scheduler processes in as secure a method as possible. +.PP -+The following file types are defined for nova_scheduler: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nova_scheduler, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nova_scheduler_exec_t '/srv/nova_scheduler/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynova_scheduler_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nova_scheduler: + + +.EX 
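Review bot: For nova_scheduler_t, root_t ("/", "/initrd") is again listed as managed with no mention of the boolean that grants it, and the STANDARD FILE CONTEXT commands again disagree (`/srv/nova_scheduler/content(/.*)?` labelled nova_scheduler_exec_t versus `restorecon -R -v /srv/mynova_scheduler_content`), with "diffent" and "sepecify" repeated.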
@@ -56788,34 +98446,6 @@ index 0000000..ef40436 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nova_scheduler_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nova_log_t -+ -+ /var/log/nova(/.*)? -+.br -+ -+.br -+.B nova_scheduler_tmp_t -+ -+ -+.br -+.B nova_var_lib_t -+ -+ /var/lib/nova(/.*)? -+.br -+ -+.br -+.B nova_var_run_t -+ -+ /var/run/nova(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -56826,6 +98456,9 @@ index 0000000..ef40436 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -56837,15 +98470,15 @@ index 0000000..ef40436 + +.SH "SEE ALSO" +selinux(8), nova_scheduler(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) ++, setsebool(8), nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_vncproxy_selinux(8), nova_volume_selinux(8) \ No newline at end of file diff --git a/man/man8/nova_vncproxy_selinux.8 b/man/man8/nova_vncproxy_selinux.8 new file mode 100644 -index 0000000..452fe26 +index 0000000..31d45b8 --- /dev/null 
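Review bot: nova_scheduler_selinux.8 needs the same two formatting fixes as its siblings: a `.PP` and a period for the `.B semanage boolean` entry, and the ", setsebool(8)" comma joined to the previous SEE ALSO line.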
+++ b/man/man8/nova_vncproxy_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "nova_vncproxy_selinux" "8" "12-11-01" "nova_vncproxy" "SELinux Policy documentation for nova_vncproxy" +@@ -0,0 +1,229 @@ ++.TH "nova_vncproxy_selinux" "8" "13-01-16" "nova_vncproxy" "SELinux Policy documentation for nova_vncproxy" +.SH "NAME" +nova_vncproxy_selinux \- Security Enhanced Linux Policy for the nova_vncproxy processes +.SH "DESCRIPTION" @@ -56861,7 +98494,9 @@ index 0000000..452fe26 + +.SH "ENTRYPOINTS" + -+The nova_vncproxy_t SELinux type can be entered via the "nova_vncproxy_exec_t" file type. The default entrypoint paths for the nova_vncproxy_t domain are the following:" ++The nova_vncproxy_t SELinux type can be entered via the \fBnova_vncproxy_exec_t\fP file type. ++ ++The default entrypoint paths for the nova_vncproxy_t domain are the following: + +/usr/bin/nova-vncproxy, /usr/bin/nova-xvpvncproxy +.SH PROCESS TYPES 
@@ -56879,50 +98514,76 @@ index 0000000..452fe26 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nova_vncproxy_t ++can be used to make the process type nova_vncproxy_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux nova_vncproxy policy is very flexible allowing users to setup their nova_vncproxy processes in as secure a method as possible. -+.PP -+The following file types are defined for nova_vncproxy: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nova_vncproxy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nova_vncproxy with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B nova_vncproxy_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the nova_vncproxy_exec_t type, if you want to transition an executable to the nova_vncproxy_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B nova_vncproxy_tmp_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the nova_vncproxy_tmp_t type, if you want to store nova vncproxy temporary files in the /tmp directories. 
-+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B nova_vncproxy_unit_file_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the nova_vncproxy_unit_file_t type, if you want to treat the files as nova vncproxy unit content. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -56950,7 +98611,76 @@ index 0000000..452fe26 +.B nova_vncproxy_tmp_t + + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux nova_vncproxy policy is very flexible allowing users to setup their nova_vncproxy processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nova_vncproxy, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nova_vncproxy_exec_t '/srv/nova_vncproxy/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynova_vncproxy_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nova_vncproxy: ++ ++ ++.EX ++.PP ++.B nova_vncproxy_exec_t ++.EE ++ ++- Set files with the nova_vncproxy_exec_t type, if you want to transition an executable to the nova_vncproxy_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/nova-vncproxy, /usr/bin/nova-xvpvncproxy ++ ++.EX ++.PP ++.B nova_vncproxy_tmp_t ++.EE ++ ++- Set files with the nova_vncproxy_tmp_t type, if you want to store nova vncproxy temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B nova_vncproxy_unit_file_t ++.EE ++ ++- Set files with the nova_vncproxy_unit_file_t type, if you want to treat the files as nova vncproxy unit content. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/systemd/system/openstack-nova-vncproxy.*, /usr/lib/systemd/system/openstack-nova-xvpvncproxy.* ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -56962,6 +98692,9 @@ index 0000000..452fe26 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -56973,15 +98706,15 @@ index 0000000..452fe26 + +.SH "SEE ALSO" +selinux(8), nova_vncproxy(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_volume_selinux(8) ++, setsebool(8), nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_volume_selinux(8) \ No newline at end of file diff --git a/man/man8/nova_volume_selinux.8 b/man/man8/nova_volume_selinux.8 new file mode 100644 -index 0000000..b39d068 +index 0000000..40f586a --- /dev/null +++ b/man/man8/nova_volume_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "nova_volume_selinux" "8" "12-11-01" "nova_volume" "SELinux Policy documentation for nova_volume" +@@ -0,0 +1,221 @@ ++.TH "nova_volume_selinux" "8" "13-01-16" "nova_volume" "SELinux Policy documentation for nova_volume" +.SH "NAME" +nova_volume_selinux \- Security Enhanced Linux Policy for the nova_volume processes +.SH "DESCRIPTION" 
@@ -56997,7 +98730,9 @@ index 0000000..b39d068 + +.SH "ENTRYPOINTS" + -+The nova_volume_t SELinux type can be entered via the "nova_volume_exec_t" file type. The default entrypoint paths for the nova_volume_t domain are the following:" ++The nova_volume_t SELinux type can be entered via the \fBnova_volume_exec_t\fP file type. ++ ++The default entrypoint paths for the nova_volume_t domain are the following: + +/usr/bin/nova-volume +.SH PROCESS TYPES 
@@ -57015,8 +98750,110 @@ index 0000000..b39d068 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nova_volume_t ++can be used to make the process type nova_volume_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nova_volume policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nova_volume with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nova_volume_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B nova_log_t ++ ++ /var/log/nova(/.*)? ++.br ++ ++.br ++.B nova_var_lib_t ++ ++ /var/lib/nova(/.*)? ++.br ++ ++.br ++.B nova_var_run_t ++ ++ /var/run/nova(/.*)? ++.br ++ ++.br ++.B nova_volume_tmp_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -57026,7 +98863,20 @@ index 0000000..b39d068 +Policy governs the access confined processes have to these files. +SELinux nova_volume policy is very flexible allowing users to setup their nova_volume processes in as secure a method as possible. +.PP -+The following file types are defined for nova_volume: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nova_volume, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nova_volume_exec_t '/srv/nova_volume/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynova_volume_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nova_volume: + + +.EX 
@@ -57060,34 +98910,6 @@ index 0000000..b39d068 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nova_volume_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nova_log_t -+ -+ /var/log/nova(/.*)? -+.br -+ -+.br -+.B nova_var_lib_t -+ -+ /var/lib/nova(/.*)? -+.br -+ -+.br -+.B nova_var_run_t -+ -+ /var/run/nova(/.*)? -+.br -+ -+.br -+.B nova_volume_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -57098,6 +98920,9 @@ index 0000000..b39d068 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -57109,15 +98934,15 @@ index 0000000..b39d068 + +.SH "SEE ALSO" +selinux(8), nova_volume(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8) ++, setsebool(8), nova_ajax_selinux(8), nova_api_selinux(8), nova_cert_selinux(8), nova_compute_selinux(8), nova_console_selinux(8), nova_direct_selinux(8), nova_network_selinux(8), nova_objectstore_selinux(8), nova_scheduler_selinux(8), nova_vncproxy_selinux(8) \ No newline at end of file diff --git a/man/man8/nrpe_selinux.8 b/man/man8/nrpe_selinux.8 new file mode 100644 -index 0000000..f91aa56 +index 0000000..a751f49 --- /dev/null 
+++ b/man/man8/nrpe_selinux.8 -@@ -0,0 +1,124 @@ -+.TH "nrpe_selinux" "8" "12-11-01" "nrpe" "SELinux Policy documentation for nrpe" +@@ -0,0 +1,251 @@ ++.TH "nrpe_selinux" "8" "13-01-16" "nrpe" "SELinux Policy documentation for nrpe" +.SH "NAME" +nrpe_selinux \- Security Enhanced Linux Policy for the nrpe processes +.SH "DESCRIPTION" @@ -57133,7 +98958,9 @@ index 0000000..f91aa56 + +.SH "ENTRYPOINTS" + -+The nrpe_t SELinux type can be entered via the "nrpe_exec_t" file type. The default entrypoint paths for the nrpe_t domain are the following:" ++The nrpe_t SELinux type can be entered via the \fBnrpe_exec_t\fP file type. ++ ++The default entrypoint paths for the nrpe_t domain are the following: + +/usr/s?bin/nrpe +.SH PROCESS TYPES 
@@ -57151,8 +98978,140 @@ index 0000000..f91aa56 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nrpe_t ++can be used to make the process type nrpe_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nrpe policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nrpe with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the nrpe_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nrpe_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nrpe_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B nrpe_var_run_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -57162,7 +99121,20 @@ index 0000000..f91aa56 +Policy governs the access confined processes have to these files. +SELinux nrpe policy is very flexible allowing users to setup their nrpe processes in as secure a method as possible. +.PP -+The following file types are defined for nrpe: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nrpe, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nrpe_etc_t '/srv/nrpe/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynrpe_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nrpe: + + +.EX @@ -57186,7 +99158,7 @@ index 0000000..f91aa56 +.B nrpe_var_run_t +.EE + -+- Set files with the nrpe_var_run_t type, if you want to store the nrpe files under the /run directory. ++- Set files with the nrpe_var_run_t type, if you want to store the nrpe files under the /run or /var/run directory. + + +.PP 
@@ -57196,30 +99168,6 @@ index 0000000..f91aa56 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nrpe_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nrpe_var_run_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nrpe_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the nrpe_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -57230,6 +99178,9 @@ index 0000000..f91aa56 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -57241,13 +99192,15 @@ index 0000000..f91aa56 + +.SH "SEE ALSO" +selinux(8), nrpe(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/nscd_selinux.8 b/man/man8/nscd_selinux.8 new file mode 100644 -index 0000000..2d79417 +index 0000000..d6200f6 --- /dev/null +++ b/man/man8/nscd_selinux.8 -@@ -0,0 +1,184 @@ -+.TH "nscd_selinux" "8" "12-11-01" "nscd" "SELinux Policy documentation for nscd" +@@ -0,0 +1,312 @@ ++.TH "nscd_selinux" "8" "13-01-16" "nscd" "SELinux Policy documentation for nscd" +.SH "NAME" +nscd_selinux \- Security Enhanced Linux Policy for the nscd processes +.SH "DESCRIPTION" 
@@ -57263,7 +99216,9 @@ index 0000000..2d79417 + +.SH "ENTRYPOINTS" + -+The nscd_t SELinux type can be entered via the "nscd_exec_t" file type. The default entrypoint paths for the nscd_t domain are the following:" ++The nscd_t SELinux type can be entered via the \fBnscd_exec_t\fP file type. ++ ++The default entrypoint paths for the nscd_t domain are the following: + +/usr/sbin/nscd +.SH PROCESS TYPES 
@@ -57281,27 +99236,171 @@ index 0000000..2d79417 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nscd_t ++can be used to make the process type nscd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. nscd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nscd with the tightest access possible. + + +.PP -+If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + +.EX +.B setsebool -P nscd_use_shm 1 ++ +.EE + +.PP -+If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P nscd_use_shm 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow samba to act as the domain controller, add users, groups and change passwords, you must turn on the samba_domain_controller boolean. Disabled by default. ++ ++.EX ++.B setsebool -P samba_domain_controller 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the nscd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nscd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nscd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B nscd_log_t ++ ++ /var/log/nscd\.log.* ++.br ++ ++.br ++.B nscd_var_run_t ++ ++ /var/db/nscd(/.*)? ++.br ++ /var/run/nscd(/.*)? ++.br ++ /var/cache/nscd(/.*)? ++.br ++ /var/run/nscd\.pid ++.br ++ /var/run/\.nscd_socket ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -57310,7 +99409,31 @@ index 0000000..2d79417 +Policy governs the access confined processes have to these files. +SELinux nscd policy is very flexible allowing users to setup their nscd processes in as secure a method as possible. +.PP -+The following file types are defined for nscd: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++nscd policy stores data with multiple different file context types under the /var/run/nscd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/nscd /srv/nscd ++.br ++.B restorecon -R -v /srv/nscd ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nscd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nscd_exec_t '/srv/nscd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynscd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nscd: + + +.EX @@ -57350,8 +99473,12 @@ index 0000000..2d79417 +.B nscd_var_run_t +.EE + -+- Set files with the nscd_var_run_t type, if you want to store the nscd files under the /run directory. ++- Set files with the nscd_var_run_t type, if you want to store the nscd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/db/nscd(/.*)?, /var/run/nscd(/.*)?, /var/cache/nscd(/.*)?, /var/run/nscd\.pid, /var/run/\.nscd_socket + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -57360,52 +99487,6 @@ index 0000000..2d79417 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nscd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nscd_log_t -+ -+ /var/log/nscd\.log.* -+.br -+ -+.br -+.B nscd_var_run_t -+ -+ /var/db/nscd(/.*)? -+.br -+ /var/run/nscd(/.*)? -+.br -+ /var/cache/nscd(/.*)? -+.br -+ /var/run/nscd\.pid -+.br -+ /var/run/\.nscd_socket -+.br -+ -+.br -+.B security_t -+ -+ /selinux -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nscd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the nscd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -57434,11 +99515,11 @@ index 0000000..2d79417 \ No newline at end of file diff --git a/man/man8/nslcd_selinux.8 b/man/man8/nslcd_selinux.8 new file mode 100644 -index 0000000..a01b48c +index 0000000..675c5e4 --- /dev/null +++ b/man/man8/nslcd_selinux.8 -@@ -0,0 +1,134 @@ -+.TH "nslcd_selinux" "8" "12-11-01" "nslcd" "SELinux Policy documentation for nslcd" +@@ -0,0 +1,261 @@ ++.TH "nslcd_selinux" "8" "13-01-16" "nslcd" "SELinux Policy documentation for nslcd" +.SH "NAME" +nslcd_selinux \- Security Enhanced Linux Policy for the nslcd processes +.SH "DESCRIPTION" 
@@ -57454,7 +99535,9 @@ index 0000000..a01b48c + +.SH "ENTRYPOINTS" + -+The nslcd_t SELinux type can be entered via the "nslcd_exec_t" file type. The default entrypoint paths for the nslcd_t domain are the following:" ++The nslcd_t SELinux type can be entered via the \fBnslcd_exec_t\fP file type. ++ ++The default entrypoint paths for the nslcd_t domain are the following: + +/usr/sbin/nslcd +.SH PROCESS TYPES 
@@ -57472,8 +99555,142 @@ index 0000000..a01b48c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nslcd_t ++can be used to make the process type nslcd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nslcd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nslcd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the nslcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nslcd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nslcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B nslcd_var_run_t ++ ++ /var/run/nslcd(/.*)? 
++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -57483,7 +99700,20 @@ index 0000000..a01b48c +Policy governs the access confined processes have to these files. +SELinux nslcd policy is very flexible allowing users to setup their nslcd processes in as secure a method as possible. +.PP -+The following file types are defined for nslcd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nslcd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nslcd_conf_t '/srv/nslcd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynslcd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nslcd: + + +.EX @@ -57515,7 +99745,7 @@ index 0000000..a01b48c +.B nslcd_var_run_t +.EE + -+- Set files with the nslcd_var_run_t type, if you want to store the nslcd files under the /run directory. ++- Set files with the nslcd_var_run_t type, if you want to store the nslcd files under the /run or /var/run directory. + + +.PP 
@@ -57525,32 +99755,6 @@ index 0000000..a01b48c +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nslcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nslcd_var_run_t -+ -+ /var/run/nslcd(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nslcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the nslcd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -57561,6 +99765,9 @@ index 0000000..a01b48c +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -57572,13 +99779,15 @@ index 0000000..a01b48c + +.SH "SEE ALSO" +selinux(8), nslcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ntop_selinux.8 b/man/man8/ntop_selinux.8 new file mode 100644 -index 0000000..ea60031 +index 0000000..e9e32b1 --- /dev/null +++ b/man/man8/ntop_selinux.8 -@@ -0,0 +1,188 @@ -+.TH "ntop_selinux" "8" "12-11-01" "ntop" "SELinux Policy documentation for ntop" +@@ -0,0 +1,315 @@ ++.TH "ntop_selinux" "8" "13-01-16" "ntop" "SELinux Policy documentation for ntop" +.SH "NAME" +ntop_selinux \- Security Enhanced Linux Policy for the ntop processes +.SH "DESCRIPTION" 
@@ -57594,9 +99803,11 @@ index 0000000..ea60031 + +.SH "ENTRYPOINTS" + -+The ntop_t SELinux type can be entered via the "ntop_exec_t" file type. The default entrypoint paths for the ntop_t domain are the following:" ++The ntop_t SELinux type can be entered via the \fBntop_exec_t\fP file type. + -+/usr/bin/ntop ++The default entrypoint paths for the ntop_t domain are the following: ++ ++/usr/sbin/ntop +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -57612,8 +99823,177 @@ index 0000000..ea60031 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ntop_t ++can be used to make the process type ntop_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ntop policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ntop with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ntop_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ntop_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. 
++SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible. ++.PP ++The following port types are defined for ntop: ++ ++.EX ++.TP 5 ++.B ntop_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 3000-3001 ++.EE ++udp 3000-3001 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type ntop_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B ntop_tmp_t ++ ++ ++.br ++.B ntop_var_lib_t ++ ++ /var/lib/ntop(/.*)? ++.br ++ ++.br ++.B ntop_var_run_t ++ ++ /var/run/ntop\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -57623,7 +100003,20 @@ index 0000000..ea60031 +Policy governs the access confined processes have to these files. +SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible. +.PP -+The following file types are defined for ntop: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ntop, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ntop_etc_t '/srv/ntop/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myntop_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ntop: + + +.EX @@ -57671,7 +100064,7 @@ index 0000000..ea60031 +.B ntop_var_run_t +.EE + -+- Set files with the ntop_var_run_t type, if you want to store the ntop files under the /run directory. ++- Set files with the ntop_var_run_t type, if you want to store the ntop files under the /run or /var/run directory. + + +.PP 
@@ -57681,67 +100074,6 @@ index 0000000..ea60031 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux ntop policy is very flexible allowing users to setup their ntop processes in as secure a method as possible. -+.PP -+The following port types are defined for ntop: -+ -+.EX -+.TP 5 -+.B ntop_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 3000-3001 -+.EE -+udp 3000-3001 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type ntop_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B ntop_tmp_t -+ -+ -+.br -+.B ntop_var_lib_t -+ -+ /var/lib/ntop(/.*)? -+.br -+ -+.br -+.B ntop_var_run_t -+ -+ /var/run/ntop\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ntop_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the ntop_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -57755,6 +100087,9 @@ index 0000000..ea60031 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -57766,13 +100101,15 @@ index 0000000..ea60031 + +.SH "SEE ALSO" +selinux(8), ntop(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ntpd_selinux.8 b/man/man8/ntpd_selinux.8 new file mode 100644 -index 0000000..d93b729 +index 0000000..befb363 --- /dev/null +++ b/man/man8/ntpd_selinux.8 -@@ -0,0 +1,240 @@ -+.TH "ntpd_selinux" "8" "12-11-01" "ntpd" "SELinux Policy documentation for ntpd" +@@ -0,0 +1,391 @@ ++.TH "ntpd_selinux" "8" "13-01-16" "ntpd" "SELinux Policy documentation for ntpd" +.SH "NAME" +ntpd_selinux \- Security Enhanced Linux Policy for the ntpd processes +.SH "DESCRIPTION" @@ -57788,9 +100125,11 @@ index 0000000..d93b729 + +.SH "ENTRYPOINTS" + -+The ntpd_t SELinux type can be entered via the "ntpd_exec_t,ntpdate_exec_t" file types. The default entrypoint paths for the ntpd_t domain are the following:" ++The ntpd_t SELinux type can be entered via the \fBntpdate_exec_t, ntpd_exec_t\fP file types. + -+/etc/cron\.(daily|weekly)/ntp-simple, /etc/cron\.(daily|weekly)/ntp-server, /usr/sbin/ntpd, /usr/sbin/ntpdate ++The default entrypoint paths for the ntpd_t domain are the following: ++ ++/usr/sbin/sntp, /usr/sbin/ntpdate, /etc/cron\.(daily|weekly)/ntp-simple, /etc/cron\.(daily|weekly)/ntp-server, /usr/sbin/ntpd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -57806,98 +100145,140 @@ index 0000000..d93b729 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ntpd_t ++can be used to make the process type ntpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux ntpd policy is very flexible allowing users to setup their ntpd processes in as secure a method as possible. -+.PP -+The following file types are defined for ntpd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ntpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ntpd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B ntpd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the ntpd_exec_t type, if you want to transition an executable to the ntpd_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B ntpd_initrc_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the ntpd_initrc_exec_t type, if you want to transition an executable to the ntpd_initrc_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ +.EX -+.PP -+.B ntpd_key_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the ntpd_key_t type, if you want to treat the files as ntpd key data. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B ntpd_log_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the ntpd_log_t type, if you want to treat the data as ntpd log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B ntpd_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the ntpd_tmp_t type, if you want to store ntpd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B ntpd_tmpfs_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the ntpd_tmpfs_t type, if you want to store ntpd files on a tmpfs file system. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B ntpd_unit_file_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the ntpd_unit_file_t type, if you want to treat the files as ntpd unit content. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B ntpd_var_run_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the ntpd_var_run_t type, if you want to store the ntpd files under the /run directory. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
+ +.EX -+.PP -+.B ntpdate_exec_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the ntpdate_exec_t type, if you want to transition an executable to the ntpdate_t domain. ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ntpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ntpd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -57937,15 +100318,7 @@ index 0000000..d93b729 +.br + /etc/ntp/data(/.*)? +.br -+ -+.br -+.B ntpd_log_t -+ -+ /var/log/ntp.* -+.br -+ /var/log/xntpd.* -+.br -+ /var/log/ntpstats(/.*)? ++ /var/lib/sntp-kod(/.*)? +.br + +.br @@ -57963,6 +100336,14 @@ index 0000000..d93b729 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B tmpfs_t + + /dev/shm 
@@ -57972,21 +100353,124 @@ index 0000000..d93b729 + /usr/lib/udev/devices/shm +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux ntpd policy is very flexible allowing users to setup their ntpd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ntpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ntpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ntpd_exec_t '/srv/ntpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myntpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ntpd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B ntpd_exec_t +.EE + ++- Set files with the ntpd_exec_t type, if you want to transition an executable to the ntpd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/cron\.(daily|weekly)/ntp-simple, /etc/cron\.(daily|weekly)/ntp-server, /usr/sbin/ntpd ++ ++.EX ++.PP ++.B ntpd_initrc_exec_t ++.EE ++ ++- Set files with the ntpd_initrc_exec_t type, if you want to transition an executable to the ntpd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B ntpd_key_t ++.EE ++ ++- Set files with the ntpd_key_t type, if you want to treat the files as ntpd key data. 
++ ++.br ++.TP 5 ++Paths: ++/etc/ntp/crypto(/.*)?, /etc/ntp/keys ++ ++.EX ++.PP ++.B ntpd_log_t ++.EE ++ ++- Set files with the ntpd_log_t type, if you want to treat the data as ntpd log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/ntp.*, /var/log/xntpd.*, /var/log/ntpstats(/.*)? ++ ++.EX ++.PP ++.B ntpd_tmp_t ++.EE ++ ++- Set files with the ntpd_tmp_t type, if you want to store ntpd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B ntpd_tmpfs_t ++.EE ++ ++- Set files with the ntpd_tmpfs_t type, if you want to store ntpd files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B ntpd_unit_file_t ++.EE ++ ++- Set files with the ntpd_unit_file_t type, if you want to treat the files as ntpd unit content. ++ ++ ++.EX ++.PP ++.B ntpd_var_run_t ++.EE ++ ++- Set files with the ntpd_var_run_t type, if you want to store the ntpd files under the /run or /var/run directory. ++ ++ ++.EX ++.PP ++.B ntpdate_exec_t ++.EE ++ ++- Set files with the ntpdate_exec_t type, if you want to transition an executable to the ntpdate_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/sntp, /usr/sbin/ntpdate ++ +.PP -+If you want to allow confined applications to run with kerberos for the ntpd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -58001,6 +100485,9 @@ index 0000000..d93b729 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -58012,13 +100499,15 @@ index 0000000..d93b729 + +.SH "SEE ALSO" +selinux(8), ntpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/numad_selinux.8 b/man/man8/numad_selinux.8 new file mode 100644 -index 0000000..4602514 +index 0000000..c93e6df --- /dev/null +++ b/man/man8/numad_selinux.8 -@@ -0,0 +1,126 @@ -+.TH "numad_selinux" "8" "12-11-01" "numad" "SELinux Policy documentation for numad" +@@ -0,0 +1,227 @@ ++.TH "numad_selinux" "8" "13-01-16" "numad" "SELinux Policy documentation for numad" +.SH "NAME" +numad_selinux \- Security Enhanced Linux Policy for the numad processes +.SH "DESCRIPTION" @@ -58034,7 +100523,9 @@ index 0000000..4602514 + +.SH "ENTRYPOINTS" + -+The numad_t SELinux type can be entered via the "numad_exec_t" file type. The default entrypoint paths for the numad_t domain are the following:" ++The numad_t SELinux type can be entered via the \fBnumad_exec_t\fP file type. ++ ++The default entrypoint paths for the numad_t domain are the following: + +/usr/bin/numad +.SH PROCESS TYPES 
@@ -58052,8 +100543,108 @@ index 0000000..4602514 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a numad_t ++can be used to make the process type numad_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. numad policy is extremely flexible and has several booleans that allow you to manipulate the policy and run numad with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type numad_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B numad_var_log_t ++ ++ /var/log/numad\.log.* ++.br ++ ++.br ++.B numad_var_run_t ++ ++ /var/run/numad\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -58063,7 +100654,20 @@ index 0000000..4602514 +Policy governs the access confined processes have to these files. +SELinux numad policy is very flexible allowing users to setup their numad processes in as secure a method as possible. +.PP -+The following file types are defined for numad: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the numad, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t numad_exec_t '/srv/numad/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynumad_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for numad: + + +.EX 
@@ -58095,7 +100699,7 @@ index 0000000..4602514 +.B numad_var_run_t +.EE + -+- Set files with the numad_var_run_t type, if you want to store the numad files under the /run directory. ++- Set files with the numad_var_run_t type, if you want to store the numad files under the /run or /var/run directory. + + +.PP @@ -58105,24 +100709,6 @@ index 0000000..4602514 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type numad_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B numad_var_log_t -+ -+ /var/log/numad\.log.* -+.br -+ -+.br -+.B numad_var_run_t -+ -+ /var/run/numad\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -58133,6 +100719,9 @@ index 0000000..4602514 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -58144,13 +100733,15 @@ index 0000000..4602514 + +.SH "SEE ALSO" +selinux(8), numad(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/nut_upsd_selinux.8 b/man/man8/nut_upsd_selinux.8 new file mode 100644 -index 0000000..f9abfb2 +index 0000000..a145ea6 --- /dev/null +++ b/man/man8/nut_upsd_selinux.8 -@@ -0,0 +1,119 @@ -+.TH "nut_upsd_selinux" "8" "12-11-01" "nut_upsd" "SELinux Policy documentation for nut_upsd" +@@ -0,0 +1,249 @@ ++.TH "nut_upsd_selinux" "8" "13-01-16" "nut_upsd" "SELinux Policy documentation for nut_upsd" +.SH "NAME" +nut_upsd_selinux \- Security Enhanced Linux Policy for the nut_upsd processes +.SH "DESCRIPTION" 
@@ -58166,7 +100757,9 @@ index 0000000..f9abfb2 + +.SH "ENTRYPOINTS" + -+The nut_upsd_t SELinux type can be entered via the "nut_upsd_exec_t" file type. The default entrypoint paths for the nut_upsd_t domain are the following:" ++The nut_upsd_t SELinux type can be entered via the \fBnut_upsd_exec_t\fP file type. ++ ++The default entrypoint paths for the nut_upsd_t domain are the following: + +/usr/sbin/upsd +.SH PROCESS TYPES 
@@ -58184,8 +100777,142 @@ index 0000000..f9abfb2 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nut_upsd_t ++can be used to make the process type nut_upsd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nut_upsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nut_upsd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nut_upsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B nut_var_run_t ++ ++ /var/run/nut(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -58195,7 +100922,20 @@ index 0000000..f9abfb2 +Policy governs the access confined processes have to these files. +SELinux nut_upsd policy is very flexible allowing users to setup their nut_upsd processes in as secure a method as possible. +.PP -+The following file types are defined for nut_upsd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nut_upsd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nut_upsd_exec_t '/srv/nut_upsd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynut_upsd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nut_upsd: + + +.EX @@ -58213,6 +100953,10 @@ index 0000000..f9abfb2 + +- Set files with the nut_upsdrvctl_exec_t type, if you want to transition an executable to the nut_upsdrvctl_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/upsdrvctl, /usr/sbin/upsdrvctl + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -58221,32 +100965,6 @@ index 0000000..f9abfb2 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type nut_upsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B nut_var_run_t -+ -+ /var/run/nut(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -58257,6 +100975,9 @@ index 0000000..f9abfb2 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -58268,15 +100989,15 @@ index 0000000..f9abfb2 + +.SH "SEE ALSO" +selinux(8), nut_upsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nut_upsdrvctl_selinux(8), nut_upsmon_selinux(8) ++, setsebool(8), nut_upsdrvctl_selinux(8), nut_upsmon_selinux(8) \ No newline at end of file diff --git a/man/man8/nut_upsdrvctl_selinux.8 b/man/man8/nut_upsdrvctl_selinux.8 new file mode 100644 -index 0000000..fbe671e +index 0000000..7421976 --- /dev/null 
+++ b/man/man8/nut_upsdrvctl_selinux.8 -@@ -0,0 +1,111 @@ -+.TH "nut_upsdrvctl_selinux" "8" "12-11-01" "nut_upsdrvctl" "SELinux Policy documentation for nut_upsdrvctl" +@@ -0,0 +1,241 @@ ++.TH "nut_upsdrvctl_selinux" "8" "13-01-16" "nut_upsdrvctl" "SELinux Policy documentation for nut_upsdrvctl" +.SH "NAME" +nut_upsdrvctl_selinux \- Security Enhanced Linux Policy for the nut_upsdrvctl processes +.SH "DESCRIPTION" @@ -58292,7 +101013,9 @@ index 0000000..fbe671e + +.SH "ENTRYPOINTS" + -+The nut_upsdrvctl_t SELinux type can be entered via the "nut_upsdrvctl_exec_t" file type. The default entrypoint paths for the nut_upsdrvctl_t domain are the following:" ++The nut_upsdrvctl_t SELinux type can be entered via the \fBnut_upsdrvctl_exec_t\fP file type. ++ ++The default entrypoint paths for the nut_upsdrvctl_t domain are the following: + +/sbin/upsdrvctl, /usr/sbin/upsdrvctl +.SH PROCESS TYPES 
@@ -58310,49 +101033,113 @@ index 0000000..fbe671e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nut_upsdrvctl_t ++can be used to make the process type nut_upsdrvctl_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux nut_upsdrvctl policy is very flexible allowing users to setup their nut_upsdrvctl processes in as secure a method as possible. -+.PP -+The following file types are defined for nut_upsdrvctl: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nut_upsdrvctl policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nut_upsdrvctl with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B nut_upsdrvctl_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the nut_upsdrvctl_exec_t type, if you want to transition an executable to the nut_upsdrvctl_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + -+.SH "MANAGED FILES" ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 + -+The SELinux process type nut_upsdrvctl_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++.EE + -+.br -+.B nut_var_run_t ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + -+ /var/run/nut(/.*)? -+.br ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsdrvctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the nut_upsdrvctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 
@@ -58365,6 +101152,67 @@ index 0000000..fbe671e +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH "MANAGED FILES" ++ ++The SELinux process type nut_upsdrvctl_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B nut_var_run_t ++ ++ /var/run/nut(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux nut_upsdrvctl policy is very flexible allowing users to setup their nut_upsdrvctl processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nut_upsdrvctl, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nut_upsdrvctl_exec_t '/srv/nut_upsdrvctl/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynut_upsdrvctl_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nut_upsdrvctl: ++ ++ ++.EX ++.PP ++.B nut_upsdrvctl_exec_t ++.EE ++ ++- Set files with the nut_upsdrvctl_exec_t type, if you want to transition an executable to the nut_upsdrvctl_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/upsdrvctl, /usr/sbin/upsdrvctl ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -58375,6 +101223,9 @@ index 0000000..fbe671e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -58386,15 +101237,15 @@ index 0000000..fbe671e + +.SH "SEE ALSO" +selinux(8), nut_upsdrvctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nut_upsd_selinux(8), nut_upsd_selinux(8), nut_upsmon_selinux(8) ++, setsebool(8), nut_upsd_selinux(8), nut_upsd_selinux(8), nut_upsmon_selinux(8) \ No newline at end of file diff --git a/man/man8/nut_upsmon_selinux.8 b/man/man8/nut_upsmon_selinux.8 new file mode 100644 -index 0000000..8abe28c +index 0000000..17e3d6f --- /dev/null +++ b/man/man8/nut_upsmon_selinux.8 -@@ -0,0 +1,185 @@ -+.TH "nut_upsmon_selinux" "8" "12-11-01" "nut_upsmon" "SELinux Policy documentation for nut_upsmon" +@@ -0,0 +1,311 @@ ++.TH "nut_upsmon_selinux" "8" "13-01-16" "nut_upsmon" "SELinux Policy documentation for nut_upsmon" +.SH "NAME" +nut_upsmon_selinux \- Security Enhanced Linux Policy for the nut_upsmon processes +.SH "DESCRIPTION" @@ -58410,7 +101261,9 @@ index 0000000..8abe28c + +.SH "ENTRYPOINTS" + -+The nut_upsmon_t SELinux type can be entered via the "nut_upsmon_exec_t" file type. The default entrypoint paths for the nut_upsmon_t domain are the following:" ++The nut_upsmon_t SELinux type can be entered via the \fBnut_upsmon_exec_t\fP file type. ++ ++The default entrypoint paths for the nut_upsmon_t domain are the following: + +/usr/sbin/upsmon +.SH PROCESS TYPES 
@@ -58428,34 +101281,124 @@ index 0000000..8abe28c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a nut_upsmon_t ++can be used to make the process type nut_upsmon_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux nut_upsmon policy is very flexible allowing users to setup their nut_upsmon processes in as secure a method as possible. -+.PP -+The following file types are defined for nut_upsmon: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nut_upsmon policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nut_upsmon with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B nut_upsmon_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the nut_upsmon_exec_t type, if you want to transition an executable to the nut_upsmon_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the nut_upsmon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nut_upsmon_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -58482,10 +101425,10 @@ index 0000000..8abe28c +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -58494,10 +101437,10 @@ index 0000000..8abe28c +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE @@ -58534,6 +101477,14 @@ index 0000000..8abe28c +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B systemd_passwd_var_run_t + + /var/run/systemd/ask-password(/.*)? 
@@ -58541,21 +101492,44 @@ index 0000000..8abe28c + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux nut_upsmon policy is very flexible allowing users to setup their nut_upsmon processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsmon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the nut_upsmon, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t nut_upsmon_exec_t '/srv/nut_upsmon/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mynut_upsmon_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for nut_upsmon: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B nut_upsmon_exec_t +.EE + ++- Set files with the nut_upsmon_exec_t type, if you want to transition an executable to the nut_upsmon_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the nut_upsmon_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
+ +.SH "COMMANDS" +.B semanage fcontext @@ -58567,6 +101541,9 @@ index 0000000..8abe28c +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -58578,14 +101555,14 @@ index 0000000..8abe28c + +.SH "SEE ALSO" +selinux(8), nut_upsmon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, nut_upsd_selinux(8), nut_upsdrvctl_selinux(8) ++, setsebool(8), nut_upsd_selinux(8), nut_upsdrvctl_selinux(8) \ No newline at end of file diff --git a/man/man8/nx_server_selinux.8 b/man/man8/nx_server_selinux.8 new file mode 100644 -index 0000000..e551b42 +index 0000000..f696a38 --- /dev/null +++ b/man/man8/nx_server_selinux.8 -@@ -0,0 +1,129 @@ +@@ -0,0 +1,183 @@ +.TH "nx_server_selinux" "8" "nx_server" "mgrepl@redhat.com" "nx_server SELinux Policy documentation" +.SH "NAME" +nx_server_r \- \fBnx_server user role\fP - Security Enhanced Linux Policy 
@@ -58628,6 +101605,50 @@ index 0000000..e551b42 +.B $ semanage user -m -R 'staff_r system_r nx_server_r' staff_u + + ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nx_server policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nx_server with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ +.SH "MANAGED FILES" + +The SELinux process type nx_server_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. @@ -58667,6 +101688,8 @@ index 0000000..e551b42 + + /root/\.ssh(/.*)? +.br ++ /var/lib/pgsql/\.ssh(/.*)? ++.br + /var/lib/openshift/[^/]+/\.ssh(/.*)? +.br + /var/lib/amanda/\.ssh(/.*)? @@ -58685,6 +101708,10 @@ index 0000000..e551b42 +.br + /home/[^/]*/\.shosts +.br ++ /home/pwalsh/\.ssh(/.*)? ++.br ++ /home/pwalsh/\.shosts ++.br + /home/dwalsh/\.ssh(/.*)? +.br + /home/dwalsh/\.shosts 
@@ -58704,6 +101731,9 @@ index 0000000..e551b42 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -58715,13 +101745,234 @@ index 0000000..e551b42 + +.SH "SEE ALSO" +selinux(8), nx_server(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), nx_server_ssh_selinux(8) +\ No newline at end of file +diff --git a/man/man8/nx_server_ssh_selinux.8 b/man/man8/nx_server_ssh_selinux.8 +new file mode 100644 +index 0000000..b75b2cd +--- /dev/null ++++ b/man/man8/nx_server_ssh_selinux.8 +@@ -0,0 +1,212 @@ ++.TH "nx_server_ssh_selinux" "8" "13-01-16" "nx_server_ssh" "SELinux Policy documentation for nx_server_ssh" ++.SH "NAME" ++nx_server_ssh_selinux \- Security Enhanced Linux Policy for the nx_server_ssh processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the nx_server_ssh processes via flexible mandatory access control. ++ ++The nx_server_ssh processes execute with the nx_server_ssh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep nx_server_ssh_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The nx_server_ssh_t SELinux type can be entered via the \fBssh_exec_t\fP file type. ++ ++The default entrypoint paths for the nx_server_ssh_t domain are the following: ++ ++/usr/bin/ssh ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux nx_server_ssh policy is very flexible allowing users to setup their nx_server_ssh processes in as secure a method as possible. ++.PP ++The following process types are defined for nx_server_ssh: ++ ++.EX ++.B nx_server_ssh_t ++.EE ++.PP ++Note: ++.B semanage permissive -a nx_server_ssh_t ++can be used to make the process type nx_server_ssh_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. 
++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nx_server_ssh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nx_server_ssh with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the nx_server_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nx_server_ssh_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type nx_server_ssh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B ssh_home_t ++ ++ /root/\.ssh(/.*)? ++.br ++ /var/lib/pgsql/\.ssh(/.*)? ++.br ++ /var/lib/openshift/[^/]+/\.ssh(/.*)? ++.br ++ /var/lib/amanda/\.ssh(/.*)? ++.br ++ /var/lib/stickshift/[^/]+/\.ssh(/.*)? ++.br ++ /var/lib/gitolite/\.ssh(/.*)? ++.br ++ /var/lib/nocpulse/\.ssh(/.*)? ++.br ++ /var/lib/gitolite3/\.ssh(/.*)? ++.br ++ /root/\.shosts ++.br ++ /home/[^/]*/\.ssh(/.*)? ++.br ++ /home/[^/]*/\.shosts ++.br ++ /home/pwalsh/\.ssh(/.*)? ++.br ++ /home/pwalsh/\.shosts ++.br ++ /home/dwalsh/\.ssh(/.*)? ++.br ++ /home/dwalsh/\.shosts ++.br ++ /var/lib/xguest/home/xguest/\.ssh(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.shosts ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. 
++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), nx_server_ssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), nx_server_selinux(8), nx_server_selinux(8) +\ No newline at end of file diff --git a/man/man8/obex_selinux.8 b/man/man8/obex_selinux.8 new file mode 100644 -index 0000000..516eea1 +index 0000000..6e37908 --- /dev/null +++ b/man/man8/obex_selinux.8 -@@ -0,0 +1,86 @@ -+.TH "obex_selinux" "8" "12-11-01" "obex" "SELinux Policy documentation for obex" +@@ -0,0 +1,147 @@ ++.TH "obex_selinux" "8" "13-01-16" "obex" "SELinux Policy documentation for obex" +.SH "NAME" +obex_selinux \- Security Enhanced Linux Policy for the obex processes +.SH "DESCRIPTION" @@ -58737,7 +101988,9 @@ index 0000000..516eea1 + +.SH "ENTRYPOINTS" + -+The obex_t SELinux type can be entered via the "obex_exec_t" file type. The default entrypoint paths for the obex_t domain are the following:" ++The obex_t SELinux type can be entered via the \fBobex_exec_t\fP file type. ++ ++The default entrypoint paths for the obex_t domain are the following: + +/usr/bin/obex-data-server +.SH PROCESS TYPES 
@@ -58755,8 +102008,52 @@ index 0000000..516eea1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a obex_t ++can be used to make the process type obex_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. obex policy is extremely flexible and has several booleans that allow you to manipulate the policy and run obex with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -58766,7 +102063,20 @@ index 0000000..516eea1 +Policy governs the access confined processes have to these files. +SELinux obex policy is very flexible allowing users to setup their obex processes in as secure a method as possible. +.PP -+The following file types are defined for obex: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the obex, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t obex_exec_t '/srv/obex/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myobex_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for obex: + + +.EX @@ -58784,8 +102094,6 @@ index 0000000..516eea1 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -58796,6 +102104,9 @@ index 0000000..516eea1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -58807,13 +102118,15 @@ index 0000000..516eea1 + +.SH "SEE ALSO" +selinux(8), obex(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/oddjob_mkhomedir_selinux.8 b/man/man8/oddjob_mkhomedir_selinux.8 new file mode 100644 -index 0000000..a049201 +index 0000000..5ebd904 --- /dev/null 
+++ b/man/man8/oddjob_mkhomedir_selinux.8 -@@ -0,0 +1,117 @@ -+.TH "oddjob_mkhomedir_selinux" "8" "12-11-01" "oddjob_mkhomedir" "SELinux Policy documentation for oddjob_mkhomedir" +@@ -0,0 +1,287 @@ ++.TH "oddjob_mkhomedir_selinux" "8" "13-01-16" "oddjob_mkhomedir" "SELinux Policy documentation for oddjob_mkhomedir" +.SH "NAME" +oddjob_mkhomedir_selinux \- Security Enhanced Linux Policy for the oddjob_mkhomedir processes +.SH "DESCRIPTION" @@ -58829,7 +102142,9 @@ index 0000000..a049201 + +.SH "ENTRYPOINTS" + -+The oddjob_mkhomedir_t SELinux type can be entered via the "oddjob_mkhomedir_exec_t" file type. The default entrypoint paths for the oddjob_mkhomedir_t domain are the following:" ++The oddjob_mkhomedir_t SELinux type can be entered via the \fBoddjob_mkhomedir_exec_t\fP file type. ++ ++The default entrypoint paths for the oddjob_mkhomedir_t domain are the following: + +/usr/lib/oddjob/mkhomedir, /usr/sbin/mkhomedir_helper, /usr/libexec/oddjob/mkhomedir +.SH PROCESS TYPES 
@@ -58847,40 +102162,178 @@ index 0000000..a049201 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a oddjob_mkhomedir_t ++can be used to make the process type oddjob_mkhomedir_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux oddjob_mkhomedir policy is very flexible allowing users to setup their oddjob_mkhomedir processes in as secure a method as possible. -+.PP -+The following file types are defined for oddjob_mkhomedir: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. oddjob_mkhomedir policy is extremely flexible and has several booleans that allow you to manipulate the policy and run oddjob_mkhomedir with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B oddjob_mkhomedir_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the oddjob_mkhomedir_exec_t type, if you want to transition an executable to the oddjob_mkhomedir_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the oddjob_mkhomedir_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type oddjob_mkhomedir_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br +.B security_t + + /selinux 
@@ -58892,21 +102345,48 @@ index 0000000..a049201 + all user home files +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux oddjob_mkhomedir policy is very flexible allowing users to setup their oddjob_mkhomedir processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the oddjob_mkhomedir_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the oddjob_mkhomedir, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t oddjob_mkhomedir_exec_t '/srv/oddjob_mkhomedir/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myoddjob_mkhomedir_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for oddjob_mkhomedir: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B oddjob_mkhomedir_exec_t +.EE + ++- Set files with the oddjob_mkhomedir_exec_t type, if you want to transition an executable to the oddjob_mkhomedir_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/oddjob/mkhomedir, /usr/sbin/mkhomedir_helper, /usr/libexec/oddjob/mkhomedir ++ +.PP -+If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -58918,6 +102398,9 @@ index 0000000..a049201 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -58929,15 +102412,15 @@ index 0000000..a049201 + +.SH "SEE ALSO" +selinux(8), oddjob_mkhomedir(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, oddjob_selinux(8), oddjob_selinux(8) ++, setsebool(8), oddjob_selinux(8), oddjob_selinux(8) \ No newline at end of file diff --git a/man/man8/oddjob_selinux.8 b/man/man8/oddjob_selinux.8 new file mode 100644 -index 0000000..da2bce8 +index 0000000..14f89f8 --- /dev/null +++ b/man/man8/oddjob_selinux.8 -@@ -0,0 +1,154 @@ -+.TH "oddjob_selinux" "8" "12-11-01" "oddjob" "SELinux Policy documentation for oddjob" +@@ -0,0 +1,271 @@ ++.TH "oddjob_selinux" "8" "13-01-16" "oddjob" "SELinux Policy documentation for oddjob" +.SH "NAME" +oddjob_selinux \- Security Enhanced Linux Policy for the oddjob processes +.SH "DESCRIPTION" @@ -58953,7 +102436,9 @@ index 0000000..da2bce8 + +.SH "ENTRYPOINTS" + -+The oddjob_t SELinux type can be entered via the "oddjob_exec_t" file type. The default entrypoint paths for the oddjob_t domain are the following:" ++The oddjob_t SELinux type can be entered via the \fBoddjob_exec_t\fP file type. ++ ++The default entrypoint paths for the oddjob_t domain are the following: + +/usr/sbin/oddjobd +.SH PROCESS TYPES 
@@ -58971,27 +102456,157 @@ index 0000000..da2bce8 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a oddjob_t ++can be used to make the process type oddjob_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. oddjob policy is extremely flexible and has several booleans that allow you to manipulate the policy and run oddjob with the tightest access possible. + + +.PP -+If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_use_oddjob 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow httpd to communicate with oddjob to start up a service, you must turn on the httpd_use_oddjob boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_use_oddjob 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow Apache to run in stickshift mode, not transition to passenger, you must turn on the httpd_run_stickshift boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_run_stickshift 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the oddjob_mkhomedir_t, oddjob_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, oddjob_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type oddjob_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B oddjob_var_run_t ++ ++ /var/run/oddjobd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -59000,7 +102615,20 @@ index 0000000..da2bce8 +Policy governs the access confined processes have to these files. +SELinux oddjob policy is very flexible allowing users to setup their oddjob processes in as secure a method as possible. +.PP -+The following file types are defined for oddjob: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the oddjob, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t oddjob_exec_t '/srv/oddjob/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myoddjob_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for oddjob: + + +.EX 
@@ -59018,13 +102646,17 @@ index 0000000..da2bce8 + +- Set files with the oddjob_mkhomedir_exec_t type, if you want to transition an executable to the oddjob_mkhomedir_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/oddjob/mkhomedir, /usr/sbin/mkhomedir_helper, /usr/libexec/oddjob/mkhomedir + +.EX +.PP +.B oddjob_var_run_t +.EE + -+- Set files with the oddjob_var_run_t type, if you want to store the oddjob files under the /run directory. ++- Set files with the oddjob_var_run_t type, if you want to store the oddjob files under the /run or /var/run directory. + + +.PP @@ -59034,38 +102666,6 @@ index 0000000..da2bce8 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type oddjob_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B oddjob_var_run_t -+ -+ /var/run/oddjobd\.pid -+.br -+ -+.br -+.B security_t -+ -+ /selinux -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the oddjob_mkhomedir_t, oddjob_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, oddjob_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -59094,11 +102694,11 @@ index 0000000..da2bce8 \ No newline at end of file diff --git a/man/man8/openct_selinux.8 b/man/man8/openct_selinux.8 new file mode 100644 -index 0000000..7a5ded1 +index 0000000..33a25cd --- /dev/null 
+++ b/man/man8/openct_selinux.8 -@@ -0,0 +1,108 @@ -+.TH "openct_selinux" "8" "12-11-01" "openct" "SELinux Policy documentation for openct" +@@ -0,0 +1,213 @@ ++.TH "openct_selinux" "8" "13-01-16" "openct" "SELinux Policy documentation for openct" +.SH "NAME" +openct_selinux \- Security Enhanced Linux Policy for the openct processes +.SH "DESCRIPTION" @@ -59114,7 +102714,9 @@ index 0000000..7a5ded1 + +.SH "ENTRYPOINTS" + -+The openct_t SELinux type can be entered via the "openct_exec_t" file type. The default entrypoint paths for the openct_t domain are the following:" ++The openct_t SELinux type can be entered via the \fBopenct_exec_t\fP file type. ++ ++The default entrypoint paths for the openct_t domain are the following: + +/usr/sbin/ifdhandler, /usr/sbin/openct-control +.SH PROCESS TYPES 
@@ -59132,42 +102734,76 @@ index 0000000..7a5ded1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a openct_t ++can be used to make the process type openct_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux openct policy is very flexible allowing users to setup their openct processes in as secure a method as possible. -+.PP -+The following file types are defined for openct: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. openct policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openct with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B openct_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the openct_exec_t type, if you want to transition an executable to the openct_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B openct_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the openct_var_run_t type, if you want to store the openct files under the /run directory. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -59180,10 +102816,75 @@ index 0000000..7a5ded1 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B usbfs_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux openct policy is very flexible allowing users to setup their openct processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the openct, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t openct_exec_t '/srv/openct/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myopenct_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for openct: ++ ++ ++.EX ++.PP ++.B openct_exec_t ++.EE ++ ++- Set files with the openct_exec_t type, if you want to transition an executable to the openct_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/ifdhandler, /usr/sbin/openct-control ++ ++.EX ++.PP ++.B openct_initrc_exec_t ++.EE ++ ++- Set files with the openct_initrc_exec_t type, if you want to transition an executable to the openct_initrc_t domain. ++ ++ ++.EX ++.PP ++.B openct_var_run_t ++.EE ++ ++- Set files with the openct_var_run_t type, if you want to store the openct files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
+ +.SH "COMMANDS" +.B semanage fcontext @@ -59195,6 +102896,9 @@ index 0000000..7a5ded1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -59206,13 +102910,179 @@ index 0000000..7a5ded1 + +.SH "SEE ALSO" +selinux(8), openct(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/openshift_app_selinux.8 b/man/man8/openshift_app_selinux.8 +new file mode 100644 +index 0000000..32a7599 +--- /dev/null ++++ b/man/man8/openshift_app_selinux.8 +@@ -0,0 +1,157 @@ ++.TH "openshift_app_selinux" "8" "13-01-16" "openshift_app" "SELinux Policy documentation for openshift_app" ++.SH "NAME" ++openshift_app_selinux \- Security Enhanced Linux Policy for the openshift_app processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the openshift_app processes via flexible mandatory access control. ++ ++The openshift_app processes execute with the openshift_app_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep openshift_app_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The openshift_app_t SELinux type can be entered via the \fBopenshift_file_type, shell_exec_t, httpd_exec_t, user_cron_spool_t, gpg_exec_t, bin_t\fP file types. ++ ++The default entrypoint paths for the openshift_app_t domain are the following: ++ ++All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin. 
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails, /var/spool/at(/.*)?, /var/spool/cron, /usr/bin/gpg(2)?, /usr/lib/gnupg/.*, /usr/bin/gpgsm ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux openshift_app policy is very flexible allowing users to setup their openshift_app processes in as secure a method as possible. ++.PP ++The following process types are defined for openshift_app: ++ ++.EX ++.B openshift_app_t ++.EE ++.PP ++Note: ++.B semanage permissive -a openshift_app_t ++can be used to make the process type openshift_app_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. openshift_app policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openshift_app with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type openshift_app_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B hugetlbfs_t ++ ++ /dev/hugepages ++.br ++ /lib/udev/devices/hugepages ++.br ++ /usr/lib/udev/devices/hugepages ++.br ++ ++.br ++.B openshift_rw_file_t ++ ++ /var/lib/openshift/.*/data(/.*)? ++.br ++ /var/lib/stickshift/.*/data(/.*)? ++.br ++ ++.br ++.B openshift_tmp_t ++ ++ /var/lib/openshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/openshift/.*/\.sandbox(/.*)? ++.br ++ /var/lib/stickshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/stickshift/.*/\.sandbox(/.*)? ++.br ++ ++.br ++.B openshift_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. 
++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), openshift_app(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), openshift_selinux(8), openshift_selinux(8), openshift_cgroup_read_selinux(8), openshift_initrc_selinux(8), openshift_mail_selinux(8), openshift_min_selinux(8), openshift_min_app_selinux(8), openshift_net_selinux(8), openshift_net_app_selinux(8) +\ No newline at end of file diff --git a/man/man8/openshift_cgroup_read_selinux.8 b/man/man8/openshift_cgroup_read_selinux.8 new file mode 100644 -index 0000000..535b556 +index 0000000..dc1f351 --- /dev/null +++ b/man/man8/openshift_cgroup_read_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "openshift_cgroup_read_selinux" "8" "12-11-01" "openshift_cgroup_read" "SELinux Policy documentation for openshift_cgroup_read" +@@ -0,0 +1,147 @@ ++.TH "openshift_cgroup_read_selinux" "8" "13-01-16" "openshift_cgroup_read" "SELinux Policy documentation for openshift_cgroup_read" +.SH "NAME" +openshift_cgroup_read_selinux \- Security Enhanced Linux Policy for the openshift_cgroup_read processes +.SH "DESCRIPTION" @@ -59228,9 +103098,11 @@ index 0000000..535b556 + +.SH "ENTRYPOINTS" + -+The openshift_cgroup_read_t SELinux type can be entered via the "openshift_cgroup_read_exec_t" file type. The default entrypoint paths for the openshift_cgroup_read_t domain are the following:" ++The openshift_cgroup_read_t SELinux type can be entered via the \fBopenshift_cgroup_read_exec_t\fP file type. + -+/usr/bin/(oo|rhc)-cgroup-read ++The default entrypoint paths for the openshift_cgroup_read_t domain are the following: ++ ++/usr/s?bin/(oo|rhc)-cgroup-read +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -59246,8 +103118,52 @@ index 0000000..535b556 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a openshift_cgroup_read_t ++can be used to make the process type openshift_cgroup_read_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. openshift_cgroup_read policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openshift_cgroup_read with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -59257,7 +103173,20 @@ index 0000000..535b556 +Policy governs the access confined processes have to these files. +SELinux openshift_cgroup_read policy is very flexible allowing users to setup their openshift_cgroup_read processes in as secure a method as possible. +.PP -+The following file types are defined for openshift_cgroup_read: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the openshift_cgroup_read, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t openshift_cgroup_read_exec_t '/srv/openshift_cgroup_read/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myopenshift_cgroup_read_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for openshift_cgroup_read: + + +.EX @@ -59275,8 +103204,6 @@ index 0000000..535b556 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -59287,6 +103214,9 @@ index 0000000..535b556 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -59298,15 +103228,15 @@ index 0000000..535b556 + +.SH "SEE ALSO" +selinux(8), openshift_cgroup_read(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, openshift_initrc_selinux(8) ++, setsebool(8), openshift_selinux(8), openshift_selinux(8), openshift_app_selinux(8), openshift_initrc_selinux(8), openshift_mail_selinux(8), openshift_min_selinux(8), openshift_min_app_selinux(8), openshift_net_selinux(8), openshift_net_app_selinux(8) \ No newline at end of file 
diff --git a/man/man8/openshift_initrc_selinux.8 b/man/man8/openshift_initrc_selinux.8 new file mode 100644 -index 0000000..43101f1 +index 0000000..c393e68 --- /dev/null +++ b/man/man8/openshift_initrc_selinux.8 -@@ -0,0 +1,105 @@ -+.TH "openshift_initrc_selinux" "8" "12-11-01" "openshift_initrc" "SELinux Policy documentation for openshift_initrc" +@@ -0,0 +1,257 @@ ++.TH "openshift_initrc_selinux" "8" "13-01-16" "openshift_initrc" "SELinux Policy documentation for openshift_initrc" +.SH "NAME" +openshift_initrc_selinux \- Security Enhanced Linux Policy for the openshift_initrc processes +.SH "DESCRIPTION" @@ -59322,9 +103252,11 @@ index 0000000..43101f1 + +.SH "ENTRYPOINTS" + -+The openshift_initrc_t SELinux type can be entered via the "filesystem_type,openshift_initrc_exec_t,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type" file types. The default entrypoint paths for the openshift_initrc_t domain are the following:" ++The openshift_initrc_t SELinux type can be entered via the \fBsysctl_type, filesystem_type, mtrr_device_t, unlabeled_t, proc_type, file_type, openshift_initrc_exec_t\fP file types. + -+/usr/bin/(oo|rhc)-restorer, /etc/rc\.d/init\.d/libra, /usr/sbin/mcollectived, /usr/bin/oo-admin-ctl-gears, /etc/rc\.d/init\.d/mcollective, /dev/cpu/mtrr, all files on the system ++The default entrypoint paths for the openshift_initrc_t domain are the following: ++ ++/dev/cpu/mtrr, all files on the system, /usr/s?bin/mcollectived, /usr/s?bin/(oo|rhc)-restorer, /usr/s?bin/oo-admin-ctl-gears, /etc/rc\.d/init\.d/libra, /etc/rc\.d/init\.d/mcollective +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -59340,8 +103272,150 @@ index 0000000..43101f1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a openshift_initrc_t ++can be used to make the process type openshift_initrc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. openshift_initrc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openshift_initrc with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.PP ++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_insmod 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execheap 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type openshift_initrc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B file_type ++ ++ all files on the system ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -59351,7 +103425,20 @@ index 0000000..43101f1 +Policy governs the access confined processes have to these files. +SELinux openshift_initrc policy is very flexible allowing users to setup their openshift_initrc processes in as secure a method as possible. +.PP -+The following file types are defined for openshift_initrc: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the openshift_initrc, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t openshift_initrc_exec_t '/srv/openshift_initrc/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myopenshift_initrc_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for openshift_initrc: + + +.EX 
@@ -59361,6 +103448,10 @@ index 0000000..43101f1 + +- Set files with the openshift_initrc_exec_t type, if you want to transition an executable to the openshift_initrc_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/s?bin/mcollectived, /usr/s?bin/(oo|rhc)-restorer, /usr/s?bin/oo-admin-ctl-gears, /etc/rc\.d/init\.d/libra, /etc/rc\.d/init\.d/mcollective + +.EX +.PP @@ -59377,18 +103468,6 @@ index 0000000..43101f1 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type openshift_initrc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B file_type -+ -+ all files on the system -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -59399,6 +103478,9 @@ index 0000000..43101f1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -59410,15 +103492,1412 @@ index 0000000..43101f1 + +.SH "SEE ALSO" +selinux(8), openshift_initrc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, openshift_cgroup_read_selinux(8) ++, setsebool(8), openshift_selinux(8), openshift_selinux(8), openshift_app_selinux(8), openshift_cgroup_read_selinux(8), openshift_mail_selinux(8), openshift_min_selinux(8), openshift_min_app_selinux(8), openshift_net_selinux(8), openshift_net_app_selinux(8) +\ No newline at end of file +diff --git a/man/man8/openshift_mail_selinux.8 b/man/man8/openshift_mail_selinux.8 +new file mode 100644 +index 0000000..7f44b7f +--- /dev/null ++++ b/man/man8/openshift_mail_selinux.8 +@@ -0,0 +1,256 @@ ++.TH "openshift_mail_selinux" "8" "13-01-16" "openshift_mail" "SELinux Policy documentation for openshift_mail" ++.SH "NAME" ++openshift_mail_selinux \- Security Enhanced Linux Policy for the openshift_mail processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the openshift_mail processes via flexible mandatory access control. ++ ++The openshift_mail processes execute with the openshift_mail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep openshift_mail_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The openshift_mail_t SELinux type can be entered via the \fBmta_exec_type, mta_exec_type, sendmail_exec_t\fP file types. ++ ++The default entrypoint paths for the openshift_mail_t domain are the following: ++ ++/bin/mail(x)?, /usr/bin/mail(x)?, /usr/sbin/sendmail(\.sendmail)?, /usr/bin/esmtp, /usr/sbin/rmail, /usr/sbin/ssmtp, /usr/lib/sendmail, /var/qmail/bin/sendmail, /usr/sbin/sendmail\.postfix, /usr/lib/courier/bin/sendmail ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. 
++SELinux openshift_mail policy is very flexible allowing users to setup their openshift_mail processes in as secure a method as possible. ++.PP ++The following process types are defined for openshift_mail: ++ ++.EX ++.B openshift_mail_t ++.EE ++.PP ++Note: ++.B semanage permissive -a openshift_mail_t ++can be used to make the process type openshift_mail_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. openshift_mail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openshift_mail with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the openshift_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the openshift_mail_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type openshift_mail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B courier_spool_t ++ ++ /var/spool/courier(/.*)? ++.br ++ /var/spool/authdaemon(/.*)? ++.br ++ ++.br ++.B exim_log_t ++ ++ /var/log/exim[0-9]?(/.*)? ++.br ++ ++.br ++.B exim_spool_t ++ ++ /var/spool/exim[0-9]?(/.*)? ++.br ++ ++.br ++.B mail_home_rw_t ++ ++ /root/Maildir(/.*)? ++.br ++ /home/[^/]*/.maildir(/.*)? ++.br ++ /home/[^/]*/Maildir(/.*)? ++.br ++ /home/pwalsh/.maildir(/.*)? ++.br ++ /home/pwalsh/Maildir(/.*)? ++.br ++ /home/dwalsh/.maildir(/.*)? ++.br ++ /home/dwalsh/Maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/.maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/Maildir(/.*)? 
++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? ++.br ++ ++.br ++.B mqueue_spool_t ++ ++ /var/spool/(client)?mqueue(/.*)? ++.br ++ /var/spool/mqueue\.in(/.*)? ++.br ++ ++.br ++.B openshift_file_type ++ ++ ++.br ++.B openshift_mail_tmp_t ++ ++ ++.br ++.B openshift_tmp_t ++ ++ /var/lib/openshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/openshift/.*/\.sandbox(/.*)? ++.br ++ /var/lib/stickshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/stickshift/.*/\.sandbox(/.*)? ++.br ++ ++.br ++.B sendmail_log_t ++ ++ /var/log/mail(/.*)? ++.br ++ /var/log/sendmail\.st.* ++.br ++ ++.br ++.B uucpd_spool_t ++ ++ /var/spool/uucp(/.*)? ++.br ++ /var/spool/uucppublic(/.*)? ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), openshift_mail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), openshift_selinux(8), openshift_selinux(8), openshift_app_selinux(8), openshift_cgroup_read_selinux(8), openshift_initrc_selinux(8), openshift_min_selinux(8), openshift_min_app_selinux(8), openshift_net_selinux(8), openshift_net_app_selinux(8) +\ No newline at end of file +diff --git a/man/man8/openshift_min_app_selinux.8 b/man/man8/openshift_min_app_selinux.8 +new file mode 100644 +index 0000000..4e3f17a +--- /dev/null ++++ b/man/man8/openshift_min_app_selinux.8 +@@ -0,0 +1,157 @@ ++.TH "openshift_min_app_selinux" "8" "13-01-16" "openshift_min_app" "SELinux Policy documentation for openshift_min_app" ++.SH "NAME" ++openshift_min_app_selinux \- Security Enhanced Linux Policy for the openshift_min_app processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the openshift_min_app processes via flexible mandatory access control. ++ ++The openshift_min_app processes execute with the openshift_min_app_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep openshift_min_app_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The openshift_min_app_t SELinux type can be entered via the \fBopenshift_file_type, shell_exec_t, httpd_exec_t, user_cron_spool_t, gpg_exec_t, bin_t\fP file types. ++ ++The default entrypoint paths for the openshift_min_app_t domain are the following: ++ ++All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin. 
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails, /var/spool/at(/.*)?, /var/spool/cron, /usr/bin/gpg(2)?, /usr/lib/gnupg/.*, /usr/bin/gpgsm ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux openshift_min_app policy is very flexible allowing users to setup their openshift_min_app processes in as secure a method as possible. ++.PP ++The following process types are defined for openshift_min_app: ++ ++.EX ++.B openshift_min_app_t ++.EE ++.PP ++Note: ++.B semanage permissive -a openshift_min_app_t ++can be used to make the process type openshift_min_app_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. openshift_min_app policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openshift_min_app with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type openshift_min_app_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B hugetlbfs_t ++ ++ /dev/hugepages ++.br ++ /lib/udev/devices/hugepages ++.br ++ /usr/lib/udev/devices/hugepages ++.br ++ ++.br ++.B openshift_rw_file_t ++ ++ /var/lib/openshift/.*/data(/.*)? ++.br ++ /var/lib/stickshift/.*/data(/.*)? ++.br ++ ++.br ++.B openshift_tmp_t ++ ++ /var/lib/openshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/openshift/.*/\.sandbox(/.*)? ++.br ++ /var/lib/stickshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/stickshift/.*/\.sandbox(/.*)? ++.br ++ ++.br ++.B openshift_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. 
++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), openshift_min_app(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), openshift_selinux(8), openshift_selinux(8), openshift_app_selinux(8), openshift_cgroup_read_selinux(8), openshift_initrc_selinux(8), openshift_mail_selinux(8), openshift_min_selinux(8), openshift_min_selinux(8), openshift_net_selinux(8), openshift_net_app_selinux(8) +\ No newline at end of file +diff --git a/man/man8/openshift_min_selinux.8 b/man/man8/openshift_min_selinux.8 +new file mode 100644 +index 0000000..969ff84 +--- /dev/null ++++ b/man/man8/openshift_min_selinux.8 +@@ -0,0 +1,201 @@ ++.TH "openshift_min_selinux" "8" "13-01-16" "openshift_min" "SELinux Policy documentation for openshift_min" ++.SH "NAME" ++openshift_min_selinux \- Security Enhanced Linux Policy for the openshift_min processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the openshift_min processes via flexible mandatory access control. ++ ++The openshift_min processes execute with the openshift_min_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep openshift_min_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The openshift_min_t SELinux type can be entered via the \fBopenshift_file_type, shell_exec_t, httpd_exec_t, user_cron_spool_t, gpg_exec_t, bin_t\fP file types. ++ ++The default entrypoint paths for the openshift_min_t domain are the following: ++ ++All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin. 
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails, /var/spool/at(/.*)?, /var/spool/cron, /usr/bin/gpg(2)?, /usr/lib/gnupg/.*, /usr/bin/gpgsm ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux openshift_min policy is very flexible allowing users to setup their openshift_min processes in as secure a method as possible. ++.PP ++The following process types are defined for openshift_min: ++ ++.EX ++.B openshift_min_t, openshift_min_app_t ++.EE ++.PP ++Note: ++.B semanage permissive -a openshift_min_t ++can be used to make the process type openshift_min_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. openshift_min policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openshift_min with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the openshift_min_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the openshift_min_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type openshift_min_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B hugetlbfs_t ++ ++ /dev/hugepages ++.br ++ /lib/udev/devices/hugepages ++.br ++ /usr/lib/udev/devices/hugepages ++.br ++ ++.br ++.B openshift_file_type ++ ++ ++.br ++.B openshift_tmp_t ++ ++ /var/lib/openshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/openshift/.*/\.sandbox(/.*)? ++.br ++ /var/lib/stickshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/stickshift/.*/\.sandbox(/.*)? ++.br ++ ++.br ++.B openshift_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), openshift_min(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), openshift_selinux(8), openshift_selinux(8), openshift_app_selinux(8), openshift_cgroup_read_selinux(8), openshift_initrc_selinux(8), openshift_mail_selinux(8), openshift_min_app_selinux(8), openshift_net_selinux(8), openshift_net_app_selinux(8) +\ No newline at end of file +diff --git a/man/man8/openshift_net_app_selinux.8 b/man/man8/openshift_net_app_selinux.8 +new file mode 100644 +index 0000000..2563e11 +--- /dev/null ++++ b/man/man8/openshift_net_app_selinux.8 +@@ -0,0 +1,157 @@ ++.TH "openshift_net_app_selinux" "8" "13-01-16" "openshift_net_app" "SELinux Policy documentation for openshift_net_app" ++.SH "NAME" ++openshift_net_app_selinux \- Security Enhanced Linux Policy for the openshift_net_app processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the openshift_net_app processes via flexible mandatory access control. ++ ++The openshift_net_app processes execute with the openshift_net_app_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep openshift_net_app_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The openshift_net_app_t SELinux type can be entered via the \fBopenshift_file_type, shell_exec_t, httpd_exec_t, user_cron_spool_t, gpg_exec_t, bin_t\fP file types. ++ ++The default entrypoint paths for the openshift_net_app_t domain are the following: ++ ++All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin. 
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails, /var/spool/at(/.*)?, /var/spool/cron, /usr/bin/gpg(2)?, /usr/lib/gnupg/.*, /usr/bin/gpgsm ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux openshift_net_app policy is very flexible allowing users to setup their openshift_net_app processes in as secure a method as possible. ++.PP ++The following process types are defined for openshift_net_app: ++ ++.EX ++.B openshift_net_app_t ++.EE ++.PP ++Note: ++.B semanage permissive -a openshift_net_app_t ++can be used to make the process type openshift_net_app_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. openshift_net_app policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openshift_net_app with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type openshift_net_app_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B hugetlbfs_t ++ ++ /dev/hugepages ++.br ++ /lib/udev/devices/hugepages ++.br ++ /usr/lib/udev/devices/hugepages ++.br ++ ++.br ++.B openshift_rw_file_t ++ ++ /var/lib/openshift/.*/data(/.*)? ++.br ++ /var/lib/stickshift/.*/data(/.*)? ++.br ++ ++.br ++.B openshift_tmp_t ++ ++ /var/lib/openshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/openshift/.*/\.sandbox(/.*)? ++.br ++ /var/lib/stickshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/stickshift/.*/\.sandbox(/.*)? ++.br ++ ++.br ++.B openshift_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. 
++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), openshift_net_app(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), openshift_selinux(8), openshift_selinux(8), openshift_app_selinux(8), openshift_cgroup_read_selinux(8), openshift_initrc_selinux(8), openshift_mail_selinux(8), openshift_min_selinux(8), openshift_min_app_selinux(8), openshift_net_selinux(8), openshift_net_selinux(8) +\ No newline at end of file +diff --git a/man/man8/openshift_net_selinux.8 b/man/man8/openshift_net_selinux.8 +new file mode 100644 +index 0000000..9b376a5 +--- /dev/null ++++ b/man/man8/openshift_net_selinux.8 +@@ -0,0 +1,201 @@ ++.TH "openshift_net_selinux" "8" "13-01-16" "openshift_net" "SELinux Policy documentation for openshift_net" ++.SH "NAME" ++openshift_net_selinux \- Security Enhanced Linux Policy for the openshift_net processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the openshift_net processes via flexible mandatory access control. ++ ++The openshift_net processes execute with the openshift_net_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep openshift_net_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The openshift_net_t SELinux type can be entered via the \fBopenshift_file_type, shell_exec_t, httpd_exec_t, user_cron_spool_t, gpg_exec_t, bin_t\fP file types. ++ ++The default entrypoint paths for the openshift_net_t domain are the following: ++ ++All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin. 
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails, /var/spool/at(/.*)?, /var/spool/cron, /usr/bin/gpg(2)?, /usr/lib/gnupg/.*, /usr/bin/gpgsm ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux openshift_net policy is very flexible allowing users to setup their openshift_net processes in as secure a method as possible. ++.PP ++The following process types are defined for openshift_net: ++ ++.EX ++.B openshift_net_t, openshift_net_app_t ++.EE ++.PP ++Note: ++.B semanage permissive -a openshift_net_t ++can be used to make the process type openshift_net_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. openshift_net policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openshift_net with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the openshift_net_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the openshift_net_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type openshift_net_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B hugetlbfs_t ++ ++ /dev/hugepages ++.br ++ /lib/udev/devices/hugepages ++.br ++ /usr/lib/udev/devices/hugepages ++.br ++ ++.br ++.B openshift_file_type ++ ++ ++.br ++.B openshift_tmp_t ++ ++ /var/lib/openshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/openshift/.*/\.sandbox(/.*)? ++.br ++ /var/lib/stickshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/stickshift/.*/\.sandbox(/.*)? ++.br ++ ++.br ++.B openshift_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), openshift_net(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), openshift_selinux(8), openshift_selinux(8), openshift_app_selinux(8), openshift_cgroup_read_selinux(8), openshift_initrc_selinux(8), openshift_mail_selinux(8), openshift_min_selinux(8), openshift_min_app_selinux(8), openshift_net_app_selinux(8) +\ No newline at end of file +diff --git a/man/man8/openshift_selinux.8 b/man/man8/openshift_selinux.8 +new file mode 100644 +index 0000000..f6ba7e5 +--- /dev/null ++++ b/man/man8/openshift_selinux.8 +@@ -0,0 +1,383 @@ ++.TH "openshift_selinux" "8" "13-01-16" "openshift" "SELinux Policy documentation for openshift" ++.SH "NAME" ++openshift_selinux \- Security Enhanced Linux Policy for the openshift processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the openshift processes via flexible mandatory access control. ++ ++The openshift processes execute with the openshift_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep openshift_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The openshift_t SELinux type can be entered via the \fBopenshift_file_type, shell_exec_t, httpd_exec_t, user_cron_spool_t, gpg_exec_t, bin_t\fP file types. ++ ++The default entrypoint paths for the openshift_t domain are the following: ++ ++All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin. 
++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails, /var/spool/at(/.*)?, /var/spool/cron, /usr/bin/gpg(2)?, /usr/lib/gnupg/.*, /usr/bin/gpgsm ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux openshift policy is very flexible allowing users to setup their openshift processes in as secure a method as possible. ++.PP ++The following process types are defined for openshift: ++ ++.EX ++.B openshift_app_t, openshift_min_t, openshift_net_t, openshift_min_app_t, openshift_net_app_t, openshift_cgroup_read_t, openshift_initrc_t, openshift_mail_t, openshift_t ++.EE ++.PP ++Note: ++.B semanage permissive -a openshift_t ++can be used to make the process type openshift_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. openshift policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openshift with the tightest access possible. 
++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the openshift_net_t, openshift_mail_t, openshift_min_t, openshift_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the openshift_net_t, openshift_mail_t, openshift_min_t, openshift_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux openshift policy is very flexible allowing users to setup their openshift processes in as secure a method as possible. ++.PP ++The following port types are defined for openshift: ++ ++.EX ++.TP 5 ++.B openshift_port_t ++.TP 10 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type openshift_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B hugetlbfs_t ++ ++ /dev/hugepages ++.br ++ /lib/udev/devices/hugepages ++.br ++ /usr/lib/udev/devices/hugepages ++.br ++ ++.br ++.B openshift_file_type ++ ++ ++.br ++.B openshift_tmp_t ++ ++ /var/lib/openshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/openshift/.*/\.sandbox(/.*)? ++.br ++ /var/lib/stickshift/.*/\.tmp(/.*)? ++.br ++ /var/lib/stickshift/.*/\.sandbox(/.*)? ++.br ++ ++.br ++.B openshift_tmpfs_t ++ ++ ++.br ++.B postfix_spool_maildrop_t ++ ++ /var/spool/postfix/defer(/.*)? ++.br ++ /var/spool/postfix/deferred(/.*)? 
++.br ++ /var/spool/postfix/maildrop(/.*)? ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux openshift policy is very flexible allowing users to setup their openshift processes in as secure a method as possible. ++.PP ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++openshift policy stores data with multiple different file context types under the /var/lib/openshift directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/openshift /srv/openshift ++.br ++.B restorecon -R -v /srv/openshift ++.PP ++ ++.PP ++openshift policy stores data with multiple different file context types under the /var/lib/stickshift directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/stickshift /srv/stickshift ++.br ++.B restorecon -R -v /srv/stickshift ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the openshift, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t openshift_cgroup_read_exec_t '/srv/openshift/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myopenshift_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for openshift: ++ ++ ++.EX ++.PP ++.B openshift_cgroup_read_exec_t ++.EE ++ ++- Set files with the openshift_cgroup_read_exec_t type, if you want to transition an executable to the openshift_cgroup_read_t domain. ++ ++ ++.EX ++.PP ++.B openshift_initrc_exec_t ++.EE ++ ++- Set files with the openshift_initrc_exec_t type, if you want to transition an executable to the openshift_initrc_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/s?bin/mcollectived, /usr/s?bin/(oo|rhc)-restorer, /usr/s?bin/oo-admin-ctl-gears, /etc/rc\.d/init\.d/libra, /etc/rc\.d/init\.d/mcollective ++ ++.EX ++.PP ++.B openshift_initrc_tmp_t ++.EE ++ ++- Set files with the openshift_initrc_tmp_t type, if you want to store openshift initrc temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B openshift_log_t ++.EE ++ ++- Set files with the openshift_log_t type, if you want to treat the data as openshift log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B openshift_mail_tmp_t ++.EE ++ ++- Set files with the openshift_mail_tmp_t type, if you want to store openshift mail temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B openshift_rw_file_t ++.EE ++ ++- Set files with the openshift_rw_file_t type, if you want to treat the files as openshift rw content. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/openshift/.*/data(/.*)?, /var/lib/stickshift/.*/data(/.*)? ++ ++.EX ++.PP ++.B openshift_tmp_t ++.EE ++ ++- Set files with the openshift_tmp_t type, if you want to store openshift temporary files in the /tmp directories. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/openshift/.*/\.tmp(/.*)?, /var/lib/openshift/.*/\.sandbox(/.*)?, /var/lib/stickshift/.*/\.tmp(/.*)?, /var/lib/stickshift/.*/\.sandbox(/.*)? ++ ++.EX ++.PP ++.B openshift_tmpfs_t ++.EE ++ ++- Set files with the openshift_tmpfs_t type, if you want to store openshift files on a tmpfs file system. 
++ ++ ++.EX ++.PP ++.B openshift_var_lib_t ++.EE ++ ++- Set files with the openshift_var_lib_t type, if you want to store the openshift files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/openshift(/.*)?, /var/lib/stickshift(/.*)? ++ ++.EX ++.PP ++.B openshift_var_run_t ++.EE ++ ++- Set files with the openshift_var_run_t type, if you want to store the openshift files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/openshift(/.*)?, /var/run/stickshift(/.*)? ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage port ++can also be used to manipulate the port definitions ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), openshift(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), openshift_app_selinux(8), openshift_cgroup_read_selinux(8), openshift_initrc_selinux(8), openshift_mail_selinux(8), openshift_min_selinux(8), openshift_min_app_selinux(8), openshift_net_selinux(8), openshift_net_app_selinux(8) \ No newline at end of file diff --git a/man/man8/openvpn_selinux.8 b/man/man8/openvpn_selinux.8 new file mode 100644 -index 0000000..266266d +index 0000000..af0be13 --- /dev/null 
+++ b/man/man8/openvpn_selinux.8 -@@ -0,0 +1,314 @@ -+.TH "openvpn_selinux" "8" "12-11-01" "openvpn" "SELinux Policy documentation for openvpn" +@@ -0,0 +1,448 @@ ++.TH "openvpn_selinux" "8" "13-01-16" "openvpn" "SELinux Policy documentation for openvpn" +.SH "NAME" +openvpn_selinux \- Security Enhanced Linux Policy for the openvpn processes +.SH "DESCRIPTION" @@ -59434,7 +104913,9 @@ index 0000000..266266d + +.SH "ENTRYPOINTS" + -+The openvpn_t SELinux type can be entered via the "openvpn_exec_t" file type. The default entrypoint paths for the openvpn_t domain are the following:" ++The openvpn_t SELinux type can be entered via the \fBopenvpn_exec_t\fP file type. ++ ++The default entrypoint paths for the openvpn_t domain are the following: + +/usr/sbin/openvpn +.SH PROCESS TYPES 
@@ -59452,27 +104933,280 @@ index 0000000..266266d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a openvpn_t ++can be used to make the process type openvpn_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. openvpn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openvpn with the tightest access possible. + + +.PP -+If you want to allow openvpn to read home directories, you must turn on the openvpn_enable_homedirs boolean. ++If you want to determine whether openvpn can read generic user home content files, you must turn on the openvpn_enable_homedirs boolean. Enabled by default. + +.EX +.B setsebool -P openvpn_enable_homedirs 1 ++ +.EE + +.PP -+If you want to allow openvpn to read home directories, you must turn on the openvpn_enable_homedirs boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P openvpn_enable_homedirs 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the openvpn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the openvpn_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible. ++.PP ++The following port types are defined for openvpn: ++ ++.EX ++.TP 5 ++.B openvpn_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 1194 ++.EE ++udp 1194 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type openvpn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? 
++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B lastlog_t ++ ++ /var/log/lastlog.* ++.br ++ ++.br ++.B net_conf_t ++ ++ /etc/hosts[^/]* ++.br ++ /etc/yp\.conf.* ++.br ++ /etc/denyhosts.* ++.br ++ /etc/hosts\.deny.* ++.br ++ /etc/resolv\.conf.* ++.br ++ /etc/sysconfig/networking(/.*)? ++.br ++ /etc/sysconfig/network-scripts(/.*)? ++.br ++ /etc/sysconfig/network-scripts/.*resolv\.conf ++.br ++ /etc/ethers ++.br ++ ++.br ++.B openvpn_etc_rw_t ++ ++ /etc/openvpn/ipp\.txt ++.br ++ ++.br ++.B openvpn_status_t ++ ++ /var/log/openvpn-status\.log.* ++.br ++ ++.br ++.B openvpn_tmp_t ++ ++ ++.br ++.B openvpn_var_run_t ++ ++ /var/run/openvpn(/.*)? ++.br ++ /var/run/openvpn\.client.* ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -59481,7 +105215,31 @@ index 0000000..266266d +Policy governs the access confined processes have to these files. +SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible. +.PP -+The following file types are defined for openvpn: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++openvpn policy stores data with multiple different file context types under the /var/run/openvpn directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/openvpn /srv/openvpn ++.br ++.B restorecon -R -v /srv/openvpn ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the openvpn, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t openvpn_etc_rw_t '/srv/openvpn/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myopenvpn_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for openvpn: + + +.EX @@ -59518,6 +105276,14 @@ index 0000000..266266d + +.EX +.PP ++.B openvpn_status_t ++.EE ++ ++- Set files with the openvpn_status_t type, if you want to treat the files as openvpn status data. ++ ++ ++.EX ++.PP +.B openvpn_tmp_t +.EE + 
@@ -59537,8 +105303,12 @@ index 0000000..266266d +.B openvpn_var_run_t +.EE + -+- Set files with the openvpn_var_run_t type, if you want to store the openvpn files under the /run directory. ++- Set files with the openvpn_var_run_t type, if you want to store the openvpn files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/openvpn(/.*)?, /var/run/openvpn\.client.* + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -59547,163 +105317,6 @@ index 0000000..266266d +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux openvpn policy is very flexible allowing users to setup their openvpn processes in as secure a method as possible. -+.PP -+The following port types are defined for openvpn: -+ -+.EX -+.TP 5 -+.B openvpn_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 1194 -+.EE -+udp 1194 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type openvpn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B faillog_t -+ -+ /var/log/btmp.* -+.br -+ /var/run/faillock(/.*)? -+.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B krb5_host_rcache_t -+ -+ /var/cache/krb5rcache(/.*)? -+.br -+ /var/tmp/nfs_0 -+.br -+ /var/tmp/DNS_25 -+.br -+ /var/tmp/host_0 -+.br -+ /var/tmp/imap_0 -+.br -+ /var/tmp/HTTP_23 -+.br -+ /var/tmp/HTTP_48 -+.br -+ /var/tmp/ldap_55 -+.br -+ /var/tmp/ldap_487 -+.br -+ /var/tmp/ldapmap1_0 -+.br -+ -+.br -+.B lastlog_t -+ -+ /var/log/lastlog -+.br -+ -+.br -+.B net_conf_t -+ -+ /etc/ntpd?\.conf.* -+.br -+ /etc/hosts[^/]* -+.br -+ /etc/yp\.conf.* -+.br -+ /etc/denyhosts.* -+.br -+ /etc/hosts\.deny.* -+.br -+ /etc/resolv\.conf.* -+.br -+ /etc/ntp/step-tickers.* -+.br -+ /etc/sysconfig/networking(/.*)? -+.br -+ /etc/sysconfig/network-scripts(/.*)? -+.br -+ /etc/sysconfig/network-scripts/.*resolv\.conf -+.br -+ /etc/ethers -+.br -+ -+.br -+.B openvpn_etc_rw_t -+ -+ /etc/openvpn/ipp.txt -+.br -+ -+.br -+.B openvpn_tmp_t -+ -+ -+.br -+.B openvpn_var_log_t -+ -+ /var/log/openvpn.* -+.br -+ -+.br -+.B openvpn_var_run_t -+ -+ /var/run/openvpn(/.*)? 
-+.br -+ /var/run/openvpn\.client.* -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br -+.B security_t -+ -+ /selinux -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the openvpn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the openvpn_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -59733,13 +105346,279 @@ index 0000000..266266d +selinux(8), openvpn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) +, setsebool(8) \ No newline at end of file +diff --git a/man/man8/openvswitch_selinux.8 b/man/man8/openvswitch_selinux.8 +new file mode 100644 +index 0000000..ce8ee2c +--- /dev/null ++++ b/man/man8/openvswitch_selinux.8 +@@ -0,0 +1,259 @@ ++.TH "openvswitch_selinux" "8" "13-01-16" "openvswitch" "SELinux Policy documentation for openvswitch" ++.SH "NAME" ++openvswitch_selinux \- Security Enhanced Linux Policy for the openvswitch processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the openvswitch processes via flexible mandatory access control. ++ ++The openvswitch processes execute with the openvswitch_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep openvswitch_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The openvswitch_t SELinux type can be entered via the \fBopenvswitch_exec_t\fP file type. ++ ++The default entrypoint paths for the openvswitch_t domain are the following: ++ ++/usr/bin/ovs-vsctl, /usr/sbin/ovsdb-ctl, /usr/sbin/ovsdb-server, /usr/sbin/ovs-vswitchd, /usr/share/openvswitch/scripts/ovs-ctl ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux openvswitch policy is very flexible allowing users to setup their openvswitch processes in as secure a method as possible. ++.PP ++The following process types are defined for openvswitch: ++ ++.EX ++.B openvswitch_t ++.EE ++.PP ++Note: ++.B semanage permissive -a openvswitch_t ++can be used to make the process type openvswitch_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. 
++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. openvswitch policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openvswitch with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type openvswitch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B openvswitch_log_t ++ ++ /var/log/openvswitch(/.*)? ++.br ++ ++.br ++.B openvswitch_rw_t ++ ++ /etc/openvswitch(/.*)? ++.br ++ ++.br ++.B openvswitch_var_lib_t ++ ++ /var/lib/openvswitch(/.*)? ++.br ++ ++.br ++.B openvswitch_var_run_t ++ ++ /var/run/openvswitch(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux openvswitch policy is very flexible allowing users to setup their openvswitch processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the openvswitch, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t openvswitch_exec_t '/srv/openvswitch/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myopenvswitch_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for openvswitch: ++ ++ ++.EX ++.PP ++.B openvswitch_exec_t ++.EE ++ ++- Set files with the openvswitch_exec_t type, if you want to transition an executable to the openvswitch_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/bin/ovs-vsctl, /usr/sbin/ovsdb-ctl, /usr/sbin/ovsdb-server, /usr/sbin/ovs-vswitchd, /usr/share/openvswitch/scripts/ovs-ctl ++ ++.EX ++.PP ++.B openvswitch_log_t ++.EE ++ ++- Set files with the openvswitch_log_t type, if you want to treat the data as openvswitch log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B openvswitch_rw_t ++.EE ++ ++- Set files with the openvswitch_rw_t type, if you want to treat the files as openvswitch read/write content. ++ ++ ++.EX ++.PP ++.B openvswitch_unit_file_t ++.EE ++ ++- Set files with the openvswitch_unit_file_t type, if you want to treat the files as openvswitch unit content. ++ ++ ++.EX ++.PP ++.B openvswitch_var_lib_t ++.EE ++ ++- Set files with the openvswitch_var_lib_t type, if you want to store the openvswitch files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B openvswitch_var_run_t ++.EE ++ ++- Set files with the openvswitch_var_run_t type, if you want to store the openvswitch files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), openvswitch(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/pacemaker_selinux.8 b/man/man8/pacemaker_selinux.8 new file mode 100644 -index 0000000..30da0ee +index 0000000..c04ae01 --- /dev/null +++ b/man/man8/pacemaker_selinux.8 -@@ -0,0 +1,150 @@ -+.TH "pacemaker_selinux" "8" "12-11-01" "pacemaker" "SELinux Policy documentation for pacemaker" +@@ -0,0 +1,311 @@ ++.TH "pacemaker_selinux" "8" "13-01-16" "pacemaker" "SELinux Policy documentation for pacemaker" +.SH "NAME" +pacemaker_selinux \- Security Enhanced Linux Policy for the pacemaker processes +.SH "DESCRIPTION" @@ -59755,7 +105634,9 @@ index 0000000..30da0ee + +.SH "ENTRYPOINTS" + -+The pacemaker_t SELinux type can be entered via the "pacemaker_exec_t" file type. The default entrypoint paths for the pacemaker_t domain are the following:" ++The pacemaker_t SELinux type can be entered via the \fBpacemaker_exec_t\fP file type. ++ ++The default entrypoint paths for the pacemaker_t domain are the following: + +/usr/sbin/pacemakerd +.SH PROCESS TYPES 
@@ -59773,8 +105654,164 @@ index 0000000..30da0ee +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pacemaker_t ++can be used to make the process type pacemaker_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pacemaker policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pacemaker with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the pacemaker_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pacemaker_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type pacemaker_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B corosync_tmpfs_t ++ ++ ++.br ++.B pacemaker_tmp_t ++ ++ ++.br ++.B pacemaker_tmpfs_t ++ ++ ++.br ++.B pacemaker_var_lib_t ++ ++ /var/lib/pengine(/.*)? ++.br ++ /var/lib/pacemaker(/.*)? ++.br ++ /var/lib/heartbeat/crm(/.*)? ++.br ++ ++.br ++.B pacemaker_var_run_t ++ ++ /var/run/crm(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -59784,7 +105821,20 @@ index 0000000..30da0ee +Policy governs the access confined processes have to these files. +SELinux pacemaker policy is very flexible allowing users to setup their pacemaker processes in as secure a method as possible. +.PP -+The following file types are defined for pacemaker: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pacemaker, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pacemaker_exec_t '/srv/pacemaker/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypacemaker_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for pacemaker: + + +.EX @@ -59805,6 +105855,22 @@ index 0000000..30da0ee + +.EX +.PP ++.B pacemaker_tmp_t ++.EE ++ ++- Set files with the pacemaker_tmp_t type, if you want to store pacemaker temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B pacemaker_tmpfs_t ++.EE ++ ++- Set files with the pacemaker_tmpfs_t type, if you want to store pacemaker files on a tmpfs file system. ++ ++ ++.EX ++.PP +.B pacemaker_unit_file_t +.EE + 
@@ -59818,13 +105884,17 @@ index 0000000..30da0ee + +- Set files with the pacemaker_var_lib_t type, if you want to store the pacemaker files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/pengine(/.*)?, /var/lib/pacemaker(/.*)?, /var/lib/heartbeat/crm(/.*)? + +.EX +.PP +.B pacemaker_var_run_t +.EE + -+- Set files with the pacemaker_var_run_t type, if you want to store the pacemaker files under the /run directory. ++- Set files with the pacemaker_var_run_t type, if you want to store the pacemaker files under the /run or /var/run directory. + + +.PP @@ -59834,40 +105904,6 @@ index 0000000..30da0ee +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type pacemaker_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B pacemaker_var_lib_t -+ -+ /var/lib/pengine(/.*)? -+.br -+ /var/lib/heartbeat/crm(/.*)? -+.br -+ -+.br -+.B pacemaker_var_run_t -+ -+ /var/run/crm(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pacemaker_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the pacemaker_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -59878,6 +105914,9 @@ index 0000000..30da0ee +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -59889,13 +105928,15 @@ index 0000000..30da0ee + +.SH "SEE ALSO" +selinux(8), pacemaker(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/pads_selinux.8 b/man/man8/pads_selinux.8 new file mode 100644 -index 0000000..4402702 +index 0000000..bec5fbe --- /dev/null +++ b/man/man8/pads_selinux.8 -@@ -0,0 +1,140 @@ -+.TH "pads_selinux" "8" "12-11-01" "pads" "SELinux Policy documentation for pads" +@@ -0,0 +1,245 @@ ++.TH "pads_selinux" "8" "13-01-16" "pads" "SELinux Policy documentation for pads" +.SH "NAME" +pads_selinux \- Security Enhanced Linux Policy for the pads processes +.SH "DESCRIPTION" @@ -59911,7 +105952,9 @@ index 0000000..4402702 + +.SH "ENTRYPOINTS" + -+The pads_t SELinux type can be entered via the "pads_exec_t" file type. The default entrypoint paths for the pads_t domain are the following:" ++The pads_t SELinux type can be entered via the \fBpads_exec_t\fP file type. ++ ++The default entrypoint paths for the pads_t domain are the following: + +/usr/bin/pads +.SH PROCESS TYPES 
@@ -59929,8 +105972,122 @@ index 0000000..4402702 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pads_t ++can be used to make the process type pads_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pads policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pads with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type pads_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B pads_config_t ++ ++ /etc/pads\.conf ++.br ++ /etc/pads-assets\.csv ++.br ++ /etc/pads-ether-codes ++.br ++ /etc/pads-signature-list ++.br ++ ++.br ++.B pads_var_run_t ++ ++ /var/run/pads\.pid ++.br ++ ++.br ++.B prelude_spool_t ++ ++ /var/spool/prelude(/.*)? ++.br ++ /var/spool/prelude-manager(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -59940,7 +106097,20 @@ index 0000000..4402702 +Policy governs the access confined processes have to these files. +SELinux pads policy is very flexible allowing users to setup their pads processes in as secure a method as possible. +.PP -+The following file types are defined for pads: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pads, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pads_config_t '/srv/pads/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypads_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for pads: + + +.EX @@ -59950,6 +106120,10 @@ index 0000000..4402702 + +- Set files with the pads_config_t type, if you want to treat the files as pads configuration data, usually stored under the /etc directory. + ++.br ++.TP 5 ++Paths: ++/etc/pads\.conf, /etc/pads-assets\.csv, /etc/pads-ether-codes, /etc/pads-signature-list + +.EX +.PP @@ -59972,7 +106146,7 @@ index 0000000..4402702 +.B pads_var_run_t +.EE + -+- Set files with the pads_var_run_t type, if you want to store the pads files under the /run directory. ++- Set files with the pads_var_run_t type, if you want to store the pads files under the /run or /var/run directory. + + +.PP 
@@ -59982,38 +106156,6 @@ index 0000000..4402702 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type pads_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B pads_config_t -+ -+ /etc/pads-assets.csv -+.br -+ /etc/pads\.conf -+.br -+ /etc/pads-ether-codes -+.br -+ /etc/pads-signature-list -+.br -+ -+.br -+.B pads_var_run_t -+ -+ /var/run/pads\.pid -+.br -+ -+.br -+.B prelude_spool_t -+ -+ /var/spool/prelude(/.*)? -+.br -+ /var/spool/prelude-manager(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -60024,6 +106166,9 @@ index 0000000..4402702 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -60035,13 +106180,15 @@ index 0000000..4402702 + +.SH "SEE ALSO" +selinux(8), pads(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/pam_console_selinux.8 b/man/man8/pam_console_selinux.8 new file mode 100644 -index 0000000..efb2cc6 +index 0000000..7d751ec --- /dev/null +++ b/man/man8/pam_console_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "pam_console_selinux" "8" "12-11-01" "pam_console" "SELinux Policy documentation for pam_console" +@@ -0,0 +1,207 @@ ++.TH "pam_console_selinux" "8" "13-01-16" "pam_console" "SELinux Policy documentation for pam_console" +.SH "NAME" +pam_console_selinux \- Security Enhanced Linux Policy for the pam_console processes +.SH "DESCRIPTION" 
@@ -60057,7 +106204,9 @@ index 0000000..efb2cc6 + +.SH "ENTRYPOINTS" + -+The pam_console_t SELinux type can be entered via the "pam_console_exec_t" file type. The default entrypoint paths for the pam_console_t domain are the following:" ++The pam_console_t SELinux type can be entered via the \fBpam_console_exec_t\fP file type. ++ ++The default entrypoint paths for the pam_console_t domain are the following: + +/sbin/pam_console_apply, /usr/sbin/pam_console_apply +.SH PROCESS TYPES 
@@ -60075,39 +106224,97 @@ index 0000000..efb2cc6 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pam_console_t ++can be used to make the process type pam_console_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux pam_console policy is very flexible allowing users to setup their pam_console processes in as secure a method as possible. -+.PP -+The following file types are defined for pam_console: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pam_console policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pam_console with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B pam_console_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the pam_console_exec_t type, if you want to transition an executable to the pam_console_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pam_console_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the pam_console_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 @@ -60120,6 +106327,49 @@ index 0000000..efb2cc6 +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux pam_console policy is very flexible allowing users to setup their pam_console processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pam_console, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pam_console_exec_t '/srv/pam_console/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypam_console_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for pam_console: ++ ++ ++.EX ++.PP ++.B pam_console_exec_t ++.EE ++ ++- Set files with the pam_console_exec_t type, if you want to transition an executable to the pam_console_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/pam_console_apply, /usr/sbin/pam_console_apply ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -60130,6 +106380,9 @@ index 0000000..efb2cc6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -60141,15 +106394,15 @@ index 0000000..efb2cc6 + +.SH "SEE ALSO" +selinux(8), pam_console(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, pam_timestamp_selinux(8) ++, setsebool(8), pam_timestamp_selinux(8) \ No newline at end of file diff --git a/man/man8/pam_timestamp_selinux.8 b/man/man8/pam_timestamp_selinux.8 new file mode 100644 -index 0000000..b2e35ab +index 0000000..8baf127 --- /dev/null +++ b/man/man8/pam_timestamp_selinux.8 -@@ -0,0 +1,117 @@ -+.TH "pam_timestamp_selinux" "8" "12-11-01" "pam_timestamp" "SELinux Policy documentation for pam_timestamp" +@@ -0,0 +1,215 @@ ++.TH "pam_timestamp_selinux" "8" "13-01-16" "pam_timestamp" "SELinux Policy documentation for pam_timestamp" +.SH "NAME" +pam_timestamp_selinux \- Security Enhanced Linux Policy for the pam_timestamp processes +.SH "DESCRIPTION" @@ -60165,7 +106418,9 @@ index 0000000..b2e35ab + +.SH "ENTRYPOINTS" + -+The pam_timestamp_t SELinux type can be entered via the "pam_timestamp_exec_t" file type. The default entrypoint paths for the pam_timestamp_t domain are the following:" ++The pam_timestamp_t SELinux type can be entered via the \fBpam_timestamp_exec_t\fP file type. ++ ++The default entrypoint paths for the pam_timestamp_t domain are the following: + +/sbin/pam_timestamp_check, /usr/sbin/pam_timestamp_check +.SH PROCESS TYPES 
@@ -60183,8 +106438,108 @@ index 0000000..b2e35ab +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pam_timestamp_t ++can be used to make the process type pam_timestamp_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pam_timestamp policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pam_timestamp with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the pam_timestamp_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pam_timestamp_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type pam_timestamp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B pam_timestamp_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -60194,7 +106549,20 @@ index 0000000..b2e35ab +Policy governs the access confined processes have to these files. +SELinux pam_timestamp policy is very flexible allowing users to setup their pam_timestamp processes in as secure a method as possible. +.PP -+The following file types are defined for pam_timestamp: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pam_timestamp, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pam_timestamp_exec_t '/srv/pam_timestamp/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypam_timestamp_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for pam_timestamp: + + +.EX @@ -60204,6 +106572,10 @@ index 0000000..b2e35ab + +- Set files with the pam_timestamp_exec_t type, if you want to transition an executable to the pam_timestamp_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/pam_timestamp_check, /usr/sbin/pam_timestamp_check + +.EX +.PP 
@@ -60220,30 +106592,6 @@ index 0000000..b2e35ab +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type pam_timestamp_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B pam_timestamp_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pam_timestamp_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the pam_timestamp_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -60254,6 +106602,9 @@ index 0000000..b2e35ab +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -60265,15 +106616,15 @@ index 0000000..b2e35ab + +.SH "SEE ALSO" +selinux(8), pam_timestamp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, pam_console_selinux(8) ++, setsebool(8), pam_console_selinux(8) \ No newline at end of file diff --git a/man/man8/passenger_selinux.8 b/man/man8/passenger_selinux.8 new file mode 100644 -index 0000000..c07e89a +index 0000000..5c2dfea --- /dev/null 
+++ b/man/man8/passenger_selinux.8 -@@ -0,0 +1,166 @@ -+.TH "passenger_selinux" "8" "12-11-01" "passenger" "SELinux Policy documentation for passenger" +@@ -0,0 +1,271 @@ ++.TH "passenger_selinux" "8" "13-01-16" "passenger" "SELinux Policy documentation for passenger" +.SH "NAME" +passenger_selinux \- Security Enhanced Linux Policy for the passenger processes +.SH "DESCRIPTION" @@ -60289,9 +106640,11 @@ index 0000000..c07e89a + +.SH "ENTRYPOINTS" + -+The passenger_t SELinux type can be entered via the "passenger_exec_t" file type. The default entrypoint paths for the passenger_t domain are the following:" ++The passenger_t SELinux type can be entered via the \fBpassenger_exec_t\fP file type. + -+/usr/lib/gems/.*/Passenger.*, /usr/lib/gems/.*/ApplicationPoolServerExecutable, /usr/share/gems/.*/Passenger.*, /usr/share/gems/.*/ApplicationPoolServerExecutable ++The default entrypoint paths for the passenger_t domain are the following: ++ ++/usr/share/.*/gems/.*/helper-scripts/prespawn, /usr/lib/gems/.*/Passenger.*, /usr/lib/gems/.*/ApplicationPoolServerExecutable, /usr/share/gems/.*/Passenger.*, /usr/share/gems/.*/ApplicationPoolServerExecutable +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -60307,8 +106660,140 @@ index 0000000..c07e89a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a passenger_t ++can be used to make the process type passenger_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. passenger policy is extremely flexible and has several booleans that allow you to manipulate the policy and run passenger with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow Apache to run in stickshift mode, not transition to passenger, you must turn on the httpd_run_stickshift boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_run_stickshift 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the passenger_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the passenger_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type passenger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B passenger_log_t ++ ++ /var/log/passenger.* ++.br ++ ++.br ++.B passenger_tmp_t ++ ++ ++.br ++.B passenger_var_lib_t ++ ++ /var/lib/passenger(/.*)? ++.br ++ ++.br ++.B passenger_var_run_t ++ ++ /var/run/passenger(/.*)? ++.br ++ ++.br ++.B puppet_var_lib_t ++ ++ /var/lib/puppet(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -60318,7 +106803,20 @@ index 0000000..c07e89a +Policy governs the access confined processes have to these files. +SELinux passenger policy is very flexible allowing users to setup their passenger processes in as secure a method as possible. +.PP -+The following file types are defined for passenger: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the passenger, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t passenger_exec_t '/srv/passenger/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypassenger_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for passenger: + + +.EX @@ -60328,6 +106826,10 @@ index 0000000..c07e89a + +- Set files with the passenger_exec_t type, if you want to transition an executable to the passenger_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/share/.*/gems/.*/helper-scripts/prespawn, /usr/lib/gems/.*/Passenger.*, /usr/lib/gems/.*/ApplicationPoolServerExecutable, /usr/share/gems/.*/Passenger.*, /usr/share/gems/.*/ApplicationPoolServerExecutable + +.EX +.PP @@ -60358,7 +106860,7 @@ index 0000000..c07e89a +.B passenger_var_run_t +.EE + -+- Set files with the passenger_var_run_t type, if you want to store the passenger files under the /run directory. ++- Set files with the passenger_var_run_t type, if you want to store the passenger files under the /run or /var/run directory. + + +.PP 
@@ -60368,56 +106870,6 @@ index 0000000..c07e89a +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type passenger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B passenger_log_t -+ -+ /var/log/passenger.* -+.br -+ /var/log/passenger(/.*)? -+.br -+ -+.br -+.B passenger_tmp_t -+ -+ -+.br -+.B passenger_var_lib_t -+ -+ /var/lib/passenger(/.*)? -+.br -+ -+.br -+.B passenger_var_run_t -+ -+ /var/run/passenger(/.*)? -+.br -+ -+.br -+.B puppet_var_lib_t -+ -+ /var/lib/puppet(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the passenger_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the passenger_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -60428,6 +106880,9 @@ index 0000000..c07e89a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -60439,13 +106894,15 @@ index 0000000..c07e89a + +.SH "SEE ALSO" +selinux(8), passenger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/passwd_selinux.8 b/man/man8/passwd_selinux.8 new file mode 100644 -index 0000000..af4b9b1 +index 0000000..c5e4d49 --- /dev/null 
+++ b/man/man8/passwd_selinux.8 -@@ -0,0 +1,208 @@ -+.TH "passwd_selinux" "8" "12-11-01" "passwd" "SELinux Policy documentation for passwd" +@@ -0,0 +1,307 @@ ++.TH "passwd_selinux" "8" "13-01-16" "passwd" "SELinux Policy documentation for passwd" +.SH "NAME" +passwd_selinux \- Security Enhanced Linux Policy for the passwd processes +.SH "DESCRIPTION" @@ -60461,7 +106918,9 @@ index 0000000..af4b9b1 + +.SH "ENTRYPOINTS" + -+The passwd_t SELinux type can be entered via the "passwd_exec_t" file type. The default entrypoint paths for the passwd_t domain are the following:" ++The passwd_t SELinux type can be entered via the \fBpasswd_exec_t\fP file type. ++ ++The default entrypoint paths for the passwd_t domain are the following: + +/usr/bin/chage, /usr/bin/passwd +.SH PROCESS TYPES 
@@ -60479,42 +106938,108 @@ index 0000000..af4b9b1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a passwd_t ++can be used to make the process type passwd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux passwd policy is very flexible allowing users to setup their passwd processes in as secure a method as possible. -+.PP -+The following file types are defined for passwd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. passwd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run passwd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B passwd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the passwd_exec_t type, if you want to transition an executable to the passwd_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B passwd_file_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the passwd_file_t type, if you want to treat the files as passwd content. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow samba to act as the domain controller, add users, groups and change passwords, you must turn on the samba_domain_controller boolean. Disabled by default. ++ ++.EX ++.B setsebool -P samba_domain_controller 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the passwd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -60525,12 +107050,12 @@ index 0000000..af4b9b1 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B krb5_host_rcache_t @@ -60559,7 +107084,7 @@ index 0000000..af4b9b1 +.br +.B lastlog_t + -+ /var/log/lastlog ++ /var/log/lastlog.* +.br + +.br @@ -60583,20 +107108,6 @@ index 0000000..af4b9b1 +.br + +.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br +.B security_t + + /selinux @@ -60609,6 +107120,8 @@ index 0000000..af4b9b1 +.br + /etc/gshadow.* +.br ++ /etc/nshadow.* ++.br + /var/db/shadow.* +.br + /etc/security/opasswd 
@@ -60616,21 +107129,60 @@ index 0000000..af4b9b1 + /etc/security/opasswd\.old +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux passwd policy is very flexible allowing users to setup their passwd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the passwd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t passwd_exec_t '/srv/passwd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypasswd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for passwd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B passwd_exec_t +.EE + ++- Set files with the passwd_exec_t type, if you want to transition an executable to the passwd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/chage, /usr/bin/passwd ++ ++.EX ++.PP ++.B passwd_file_t ++.EE ++ ++- Set files with the passwd_file_t type, if you want to treat the files as passwd content. ++ ++.br ++.TP 5 ++Paths: ++/etc/group[-\+]?, /etc/passwd[-\+]?, /etc/passwd\.adjunct.*, /etc/ptmptmp, /etc/\.pwd\.lock, /etc/group\.lock, /etc/passwd\.OLD, /etc/passwd\.lock ++ +.PP -+If you want to allow confined applications to run with kerberos for the passwd_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -60642,6 +107194,9 @@ index 0000000..af4b9b1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -60653,13 +107208,15 @@ index 0000000..af4b9b1 + +.SH "SEE ALSO" +selinux(8), passwd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/pcscd_selinux.8 b/man/man8/pcscd_selinux.8 new file mode 100644 -index 0000000..41e4f5f +index 0000000..02a80fe --- /dev/null +++ b/man/man8/pcscd_selinux.8 -@@ -0,0 +1,116 @@ -+.TH "pcscd_selinux" "8" "12-11-01" "pcscd" "SELinux Policy documentation for pcscd" +@@ -0,0 +1,240 @@ ++.TH "pcscd_selinux" "8" "13-01-16" "pcscd" "SELinux Policy documentation for pcscd" +.SH "NAME" +pcscd_selinux \- Security Enhanced Linux Policy for the pcscd processes +.SH "DESCRIPTION" @@ -60675,7 +107232,9 @@ index 0000000..41e4f5f + +.SH "ENTRYPOINTS" + -+The pcscd_t SELinux type can be entered via the "pcscd_exec_t" file type. The default entrypoint paths for the pcscd_t domain are the following:" ++The pcscd_t SELinux type can be entered via the \fBpcscd_exec_t\fP file type. ++ ++The default entrypoint paths for the pcscd_t domain are the following: + +/usr/sbin/pcscd +.SH PROCESS TYPES 
@@ -60693,42 +107252,84 @@ index 0000000..41e4f5f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pcscd_t ++can be used to make the process type pcscd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux pcscd policy is very flexible allowing users to setup their pcscd processes in as secure a method as possible. -+.PP -+The following file types are defined for pcscd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pcscd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pcscd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B pcscd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the pcscd_exec_t type, if you want to transition an executable to the pcscd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B pcscd_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the pcscd_var_run_t type, if you want to store the pcscd files under the /run directory. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
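Review bot: the deny_ptrace entry in this pcscd BOOLEANS hunk says the opposite of what the boolean does: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" is followed by `setsebool -P deny_ptrace 1`. Turning deny_ptrace on is what removes ptrace access; an admin who wants to attach a debugger to a confined daemon needs `setsebool -P deny_ptrace 0`. The generator applies a fixed "you must turn on" template to a boolean whose description negates access, so either special-case negatively named booleans or reword the description so that "turn on" is correct. The identical inverted text is emitted for pegasus, ping and pingd further down this patch, so one fix in the template covers all of them.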
@@ -60749,10 +107350,86 @@ index 0000000..41e4f5f +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B usbfs_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux pcscd policy is very flexible allowing users to setup their pcscd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++pcscd policy stores data with multiple different file context types under the /var/run/pcscd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/pcscd /srv/pcscd ++.br ++.B restorecon -R -v /srv/pcscd ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pcscd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pcscd_exec_t '/srv/pcscd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypcscd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for pcscd: ++ ++ ++.EX ++.PP ++.B pcscd_exec_t ++.EE ++ ++- Set files with the pcscd_exec_t type, if you want to transition an executable to the pcscd_t domain. ++ ++ ++.EX ++.PP ++.B pcscd_initrc_exec_t ++.EE ++ ++- Set files with the pcscd_initrc_exec_t type, if you want to transition an executable to the pcscd_initrc_t domain. 
++ ++ ++.EX ++.PP ++.B pcscd_var_run_t ++.EE ++ ++- Set files with the pcscd_var_run_t type, if you want to store the pcscd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/pcscd(/.*)?, /var/run/pcscd\.events(/.*)?, /var/run/pcscd\.pid, /var/run/pcscd\.pub, /var/run/pcscd\.comm ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -60764,6 +107441,9 @@ index 0000000..41e4f5f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -60775,13 +107455,15 @@ index 0000000..41e4f5f + +.SH "SEE ALSO" +selinux(8), pcscd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/pegasus_selinux.8 b/man/man8/pegasus_selinux.8 new file mode 100644 -index 0000000..39479f4 +index 0000000..a0e38f2 --- /dev/null +++ b/man/man8/pegasus_selinux.8 -@@ -0,0 +1,279 @@ -+.TH "pegasus_selinux" "8" "12-11-01" "pegasus" "SELinux Policy documentation for pegasus" +@@ -0,0 +1,406 @@ ++.TH "pegasus_selinux" "8" "13-01-16" "pegasus" "SELinux Policy documentation for pegasus" +.SH "NAME" +pegasus_selinux \- Security Enhanced Linux Policy for the pegasus processes +.SH "DESCRIPTION" 
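Review bot: in the pcscd MANAGED FILES hunk above, root_t with paths / and /initrd now appears among the types pcscd_t "can manage", with no hint that the access is boolean-gated; read on its own it says a smart-card daemon can create files in the root directory. The only visible candidate for that rule is the daemons_dump_core boolean the preceding hunk documents as "allow all daemons to write corefiles to /"; confirm that is the source and have the listing mark conditional types (for example "root_t (when daemons_dump_core is on)") or list them apart from unconditional access. In the same hunk, the EQUIVALENCE DIRECTORIES text claims pcscd "stores data with multiple different file context types under the /var/run/pcscd directory", yet the only type the hunk lists for that tree is pcscd_var_run_t; either name the other types or drop the equivalence example, since `semanage fcontext -a -e` adds nothing over a plain `-t` rule when there is a single type.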
@@ -60797,7 +107479,9 @@ index 0000000..39479f4 + +.SH "ENTRYPOINTS" + -+The pegasus_t SELinux type can be entered via the "pegasus_exec_t" file type. The default entrypoint paths for the pegasus_t domain are the following:" ++The pegasus_t SELinux type can be entered via the \fBpegasus_exec_t\fP file type. ++ ++The default entrypoint paths for the pegasus_t domain are the following: + +/usr/sbin/cimserver, /usr/sbin/init_repository +.SH PROCESS TYPES 
@@ -60815,82 +107499,124 @@ index 0000000..39479f4 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pegasus_t ++can be used to make the process type pegasus_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux pegasus policy is very flexible allowing users to setup their pegasus processes in as secure a method as possible. -+.PP -+The following file types are defined for pegasus: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pegasus policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pegasus with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B pegasus_cache_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the pegasus_cache_t type, if you want to store the files under the /var/cache directory. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B pegasus_conf_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the pegasus_conf_t type, if you want to treat the files as pegasus configuration data, usually stored under the /etc directory. 
-+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B pegasus_data_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the pegasus_data_t type, if you want to treat the files as pegasus content. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B pegasus_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the pegasus_exec_t type, if you want to transition an executable to the pegasus_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B pegasus_mof_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the pegasus_mof_t type, if you want to treat the files as pegasus mof data. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B pegasus_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the pegasus_tmp_t type, if you want to store pegasus temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B pegasus_var_run_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the pegasus_var_run_t type, if you want to store the pegasus files under the /run directory. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the pegasus_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pegasus_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -60935,12 +107661,12 @@ index 0000000..39479f4 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B initrc_var_run_t 
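Review bot: the pegasus BOOLEANS hunk documents authlogin_nsswitch_use_ldap and kerberos_enabled, and the new NSSWITCH DOMAIN section directly after it repeats both with the same `setsebool -P ... 1` commands, only with "for the pegasus_t" appended; the reader gets each boolean twice and learns nothing new the second time. Either omit them from BOOLEANS when the domain is an nsswitch domain or fold the NSSWITCH DOMAIN wording into the BOOLEANS entries. Minor, same hunk: the faillog and tallylog paths in MANAGED FILES change from `/var/log/faillog` to `/var/log/faillog.*` (and likewise for tallylog). If the broader regex is intended, the page should note that it now also covers rotated copies; if it is not, the file_contexts change behind it should be reverted rather than documented.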
@@ -60955,20 +107681,6 @@ index 0000000..39479f4 +.br + +.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br +.B pegasus_cache_t + + @@ -60991,12 +107703,26 @@ index 0000000..39479f4 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B samba_etc_t + + /etc/samba(/.*)? +.br + +.br ++.B sysfs_t ++ ++ /sys(/.*)? ++.br ++ ++.br +.B virt_etc_rw_t + + /etc/xen/.*/.* 
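Review bot: this pegasus MANAGED FILES hunk drops pcscd_var_run_t (the /var/run/pcscd tree) from what pegasus_t can manage and adds root_t (/, /initrd) and sysfs_t (/sys(/.*)?). These are policy changes surfacing through regenerated documentation and none is explained anywhere in the patch. The sysfs_t entry in particular means the CIM server is now advertised as able to write anywhere under /sys, which is a wide grant for a management daemon; confirm that manage access (rather than read) is really required, and confirm the pcscd removal is intentional rather than a side effect of a changed interface, before the regenerated page ships.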
@@ -61020,21 +107746,100 @@ index 0000000..39479f4 + /etc/libvirt +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux pegasus policy is very flexible allowing users to setup their pegasus processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pegasus_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pegasus, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pegasus_cache_t '/srv/pegasus/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypegasus_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for pegasus: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B pegasus_cache_t +.EE + ++- Set files with the pegasus_cache_t type, if you want to store the files under the /var/cache directory. ++ ++ ++.EX ++.PP ++.B pegasus_conf_t ++.EE ++ ++- Set files with the pegasus_conf_t type, if you want to treat the files as pegasus configuration data, usually stored under the /etc directory. ++ ++ ++.EX ++.PP ++.B pegasus_data_t ++.EE ++ ++- Set files with the pegasus_data_t type, if you want to treat the files as pegasus content. 
++ ++.br ++.TP 5 ++Paths: ++/var/lib/Pegasus(/.*)?, /etc/Pegasus/pegasus_current\.conf ++ ++.EX ++.PP ++.B pegasus_exec_t ++.EE ++ ++- Set files with the pegasus_exec_t type, if you want to transition an executable to the pegasus_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/cimserver, /usr/sbin/init_repository ++ ++.EX ++.PP ++.B pegasus_mof_t ++.EE ++ ++- Set files with the pegasus_mof_t type, if you want to treat the files as pegasus mof data. ++ ++ ++.EX ++.PP ++.B pegasus_tmp_t ++.EE ++ ++- Set files with the pegasus_tmp_t type, if you want to store pegasus temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B pegasus_var_run_t ++.EE ++ ++- Set files with the pegasus_var_run_t type, if you want to store the pegasus files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the pegasus_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -61049,6 +107854,9 @@ index 0000000..39479f4 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
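Review bot: in the pegasus FILE CONTEXTS hunk above, pegasus_data_t is described as "pegasus content" yet its listed paths are `/var/lib/Pegasus(/.*)?` and `/etc/Pegasus/pegasus_current\.conf`, while pegasus_conf_t is described as "configuration data, usually stored under the /etc directory" with no Paths block at all. An admin looking at a file under /etc/Pegasus will reach for pegasus_conf_t and then wonder why restorecon relabels pegasus_current.conf to the data type. If the reason is that cimserver rewrites that file at runtime and it therefore has to be daemon-writable, say so in the pegasus_data_t description; and either list the pegasus_conf_t paths or explain why there are none. Same hunk: the STANDARD FILE CONTEXT example again labels `/srv/pegasus/content(/.*)?` but runs restorecon on `/srv/mypegasus_content`, so the two commands should agree on one path.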
@@ -61060,159 +107868,15 @@ index 0000000..39479f4 + +.SH "SEE ALSO" +selinux(8), pegasus(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -diff --git a/man/man8/phpfpm_selinux.8 b/man/man8/phpfpm_selinux.8 -new file mode 100644 -index 0000000..ae94dbd ---- /dev/null -+++ b/man/man8/phpfpm_selinux.8 -@@ -0,0 +1,140 @@ -+.TH "phpfpm_selinux" "8" "12-11-01" "phpfpm" "SELinux Policy documentation for phpfpm" -+.SH "NAME" -+phpfpm_selinux \- Security Enhanced Linux Policy for the phpfpm processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the phpfpm processes via flexible mandatory access control. -+ -+The phpfpm processes execute with the phpfpm_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. -+ -+For example: -+ -+.B ps -eZ | grep phpfpm_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The phpfpm_t SELinux type can be entered via the "phpfpm_exec_t" file type. The default entrypoint paths for the phpfpm_t domain are the following:" -+ -+/usr/sbin/php-fpm -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux phpfpm policy is very flexible allowing users to setup their phpfpm processes in as secure a method as possible. -+.PP -+The following process types are defined for phpfpm: -+ -+.EX -+.B phpfpm_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. 
-+SELinux phpfpm policy is very flexible allowing users to setup their phpfpm processes in as secure a method as possible. -+.PP -+The following file types are defined for phpfpm: -+ -+ -+.EX -+.PP -+.B phpfpm_exec_t -+.EE -+ -+- Set files with the phpfpm_exec_t type, if you want to transition an executable to the phpfpm_t domain. -+ -+ -+.EX -+.PP -+.B phpfpm_log_t -+.EE -+ -+- Set files with the phpfpm_log_t type, if you want to treat the data as phpfpm log data, usually stored under the /var/log directory. -+ -+ -+.EX -+.PP -+.B phpfpm_unit_file_t -+.EE -+ -+- Set files with the phpfpm_unit_file_t type, if you want to treat the files as phpfpm unit content. -+ -+ -+.EX -+.PP -+.B phpfpm_var_run_t -+.EE -+ -+- Set files with the phpfpm_var_run_t type, if you want to store the phpfpm files under the /run directory. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ -+.SH "MANAGED FILES" -+ -+The SELinux process type phpfpm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B phpfpm_log_t -+ -+ /var/log/php-fpm(/.*)? -+.br -+ -+.br -+.B phpfpm_var_run_t -+ -+ /var/run/php-fpm(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the phpfpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the phpfpm_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. -+ -+.SH "SEE ALSO" -+selinux(8), phpfpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ping_selinux.8 b/man/man8/ping_selinux.8 new file mode 100644 -index 0000000..7210530 +index 0000000..f207b9b --- /dev/null +++ b/man/man8/ping_selinux.8 -@@ -0,0 +1,180 @@ -+.TH "ping_selinux" "8" "12-11-01" "ping" "SELinux Policy documentation for ping" +@@ -0,0 +1,273 @@ ++.TH "ping_selinux" "8" "13-01-16" "ping" "SELinux Policy documentation for ping" +.SH "NAME" +ping_selinux \- Security Enhanced Linux Policy for the ping processes +.SH "DESCRIPTION" @@ -61228,9 +107892,11 @@ index 0000000..7210530 + +.SH "ENTRYPOINTS" + -+The ping_t SELinux type can be entered via the "ping_exec_t" file type. The default entrypoint paths for the ping_t domain are the following:" ++The ping_t SELinux type can be entered via the \fBping_exec_t\fP file type. + -+/bin/ping.*, /usr/bin/ping.*, /usr/sbin/fping.*, /usr/sbin/hping2, /usr/sbin/send_arp ++The default entrypoint paths for the ping_t domain are the following: ++ ++/bin/ping.*, /usr/bin/ping.*, /usr/sbin/fping.*, /usr/sbin/hping2, /usr/sbin/send_arp, /usr/lib/heartbeat/send_arp +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
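Review bot: this hunk deletes man/man8/phpfpm_selinux.8 outright (the whole page, from the .TH line through SEE ALSO) and nothing in the patch says why. If the phpfpm module has been dropped from the base policy or moved elsewhere, the changelog should say so and the matching policy change should be in the same commit; if the page simply failed to regenerate, this is a regression in the shipped documentation. Also in this hunk, the regenerated SEE ALSO now ends with `+selinux(8), pegasus(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)` followed by `++, setsebool(8)` on a line of its own; troff joins input lines with a space, so this renders as "sepolicy(8) , setsebool(8)". Have the generator append ", setsebool(8)" to the existing line, and add the trailing newline while there, since every regenerated page in this patch still ends with "No newline at end of file".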
@@ -61246,27 +107912,140 @@ index 0000000..7210530 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ping_t ++can be used to make the process type ping_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. ping policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ping with the tightest access possible. + + +.PP -+If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P selinuxuser_ping 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean. Enabled by default. + +.EX +.B setsebool -P selinuxuser_ping 1 ++ +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. 
++SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible. ++.PP ++The following port types are defined for ping: ++ ++.EX ++.TP 5 ++.B pingd_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 9125 ++.EE +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -61275,7 +108054,20 @@ index 0000000..7210530 +Policy governs the access confined processes have to these files. +SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible. +.PP -+The following file types are defined for ping: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ping, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ping_exec_t '/srv/ping/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myping_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ping: + + +.EX @@ -61285,6 +108077,10 @@ index 0000000..7210530 + +- Set files with the ping_exec_t type, if you want to transition an executable to the ping_t domain. + ++.br ++.TP 5 ++Paths: ++/bin/ping.*, /usr/bin/ping.*, /usr/sbin/fping.*, /usr/sbin/hping2, /usr/sbin/send_arp, /usr/lib/heartbeat/send_arp + +.EX +.PP 
@@ -61325,45 +108121,6 @@ index 0000000..7210530 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux ping policy is very flexible allowing users to setup their ping processes in as secure a method as possible. -+.PP -+The following port types are defined for ping: -+ -+.EX -+.TP 5 -+.B pingd_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 9125 -+.EE -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -61395,11 +108152,11 @@ index 0000000..7210530 \ No newline at end of file diff --git a/man/man8/pingd_selinux.8 b/man/man8/pingd_selinux.8 new file mode 100644 -index 0000000..4fc7233 +index 0000000..0a7f6a1 --- /dev/null +++ b/man/man8/pingd_selinux.8 -@@ -0,0 +1,172 @@ -+.TH "pingd_selinux" "8" "12-11-01" "pingd" "SELinux Policy documentation for pingd" +@@ -0,0 +1,281 @@ ++.TH "pingd_selinux" "8" "13-01-16" "pingd" "SELinux Policy documentation for pingd" +.SH "NAME" +pingd_selinux \- Security Enhanced Linux Policy for the pingd processes +.SH "DESCRIPTION" 
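Review bot: the PORT TYPES block the ping hunk moves up is not well-formed troff: `.EX` / `.TP 5` / `.B pingd_port_t` / `.TP 10` / `.EE` is followed by "Default Defined Ports: tcp 9125" and then a second `.EE` with no matching `.EX`, and a `.TP` tagged paragraph inside an example block is odd at best. Make it one `.EX` ... `.EE` pair wrapping the type and its port list, or plain `.TP` paragraphs with no `.EX` at all. Content-wise, the ping page now carries the same duplicated boolean text as pegasus (authlogin_nsswitch_use_ldap and kerberos_enabled in BOOLEANS and again under NSSWITCH DOMAIN "for the pingd_t, ping_t"), and its STANDARD FILE CONTEXT example tells readers to label `/srv/ping/content(/.*)?` as ping_exec_t, which the same hunk defines as the entrypoint type for ping_t; a page about ping should not be suggesting new ping_t entrypoints.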
@@ -61415,7 +108172,9 @@ index 0000000..4fc7233 + +.SH "ENTRYPOINTS" + -+The pingd_t SELinux type can be entered via the "pingd_exec_t" file type. The default entrypoint paths for the pingd_t domain are the following:" ++The pingd_t SELinux type can be entered via the \fBpingd_exec_t\fP file type. ++ ++The default entrypoint paths for the pingd_t domain are the following: + +/usr/sbin/pingd +.SH PROCESS TYPES 
@@ -61433,27 +108192,160 @@ index 0000000..4fc7233 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pingd_t ++can be used to make the process type pingd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. pingd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pingd with the tightest access possible. + + +.PP -+If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P selinuxuser_ping 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P selinuxuser_ping 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible. ++.PP ++The following port types are defined for pingd: ++ ++.EX ++.TP 5 ++.B pingd_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 9125 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type pingd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -61462,7 +108354,20 @@ index 0000000..4fc7233 +Policy governs the access confined processes have to these files. +SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible. +.PP -+The following file types are defined for pingd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pingd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pingd_etc_t '/srv/pingd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypingd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for pingd: + + +.EX 
@@ -61504,45 +108409,6 @@ index 0000000..4fc7233 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux pingd policy is very flexible allowing users to setup their pingd processes in as secure a method as possible. -+.PP -+The following port types are defined for pingd: -+ -+.EX -+.TP 5 -+.B pingd_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 9125 -+.EE -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -61574,11 +108440,11 @@ index 0000000..4fc7233 \ No newline at end of file diff --git a/man/man8/piranha_fos_selinux.8 b/man/man8/piranha_fos_selinux.8 new file mode 100644 -index 0000000..99093e6 +index 0000000..5253845 --- /dev/null +++ b/man/man8/piranha_fos_selinux.8 -@@ -0,0 +1,119 @@ -+.TH "piranha_fos_selinux" "8" "12-11-01" "piranha_fos" "SELinux Policy documentation for piranha_fos" +@@ -0,0 +1,245 @@ ++.TH "piranha_fos_selinux" "8" "13-01-16" "piranha_fos" "SELinux Policy documentation for piranha_fos" +.SH "NAME" +piranha_fos_selinux \- Security Enhanced Linux Policy for the piranha_fos processes +.SH "DESCRIPTION" 
@@ -61594,7 +108460,9 @@ index 0000000..99093e6 + +.SH "ENTRYPOINTS" + -+The piranha_fos_t SELinux type can be entered via the "piranha_fos_exec_t" file type. The default entrypoint paths for the piranha_fos_t domain are the following:" ++The piranha_fos_t SELinux type can be entered via the \fBpiranha_fos_exec_t\fP file type. ++ ++The default entrypoint paths for the piranha_fos_t domain are the following: + +/usr/sbin/fos +.SH PROCESS TYPES 
@@ -61612,8 +108480,142 @@ index 0000000..99093e6 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a piranha_fos_t ++can be used to make the process type piranha_fos_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. piranha_fos policy is extremely flexible and has several booleans that allow you to manipulate the policy and run piranha_fos with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the piranha_fos_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the piranha_fos_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type piranha_fos_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B piranha_fos_var_run_t ++ ++ /var/run/fos\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -61623,7 +108625,20 @@ index 0000000..99093e6 +Policy governs the access confined processes have to these files. +SELinux piranha_fos policy is very flexible allowing users to setup their piranha_fos processes in as secure a method as possible. +.PP -+The following file types are defined for piranha_fos: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the piranha_fos, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t piranha_fos_exec_t '/srv/piranha_fos/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypiranha_fos_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for piranha_fos: + + +.EX @@ -61639,7 +108654,7 @@ index 0000000..99093e6 +.B piranha_fos_var_run_t +.EE + -+- Set files with the piranha_fos_var_run_t type, if you want to store the piranha fos files under the /run directory. ++- Set files with the piranha_fos_var_run_t type, if you want to store the piranha fos files under the /run or /var/run directory. + + +.PP 
@@ -61649,32 +108664,6 @@ index 0000000..99093e6 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type piranha_fos_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B piranha_fos_var_run_t -+ -+ /var/run/fos\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_fos_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the piranha_fos_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -61685,6 +108674,9 @@ index 0000000..99093e6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -61696,15 +108688,15 @@ index 0000000..99093e6 + +.SH "SEE ALSO" +selinux(8), piranha_fos(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, piranha_lvs_selinux(8), piranha_pulse_selinux(8), piranha_web_selinux(8) ++, setsebool(8), piranha_lvs_selinux(8), piranha_pulse_selinux(8), piranha_web_selinux(8) \ No newline at end of file diff --git a/man/man8/piranha_lvs_selinux.8 b/man/man8/piranha_lvs_selinux.8 new file mode 100644 -index 0000000..4792eec +index 0000000..5d8bb06 --- /dev/null 
+++ b/man/man8/piranha_lvs_selinux.8 -@@ -0,0 +1,140 @@ -+.TH "piranha_lvs_selinux" "8" "12-11-01" "piranha_lvs" "SELinux Policy documentation for piranha_lvs" +@@ -0,0 +1,253 @@ ++.TH "piranha_lvs_selinux" "8" "13-01-16" "piranha_lvs" "SELinux Policy documentation for piranha_lvs" +.SH "NAME" +piranha_lvs_selinux \- Security Enhanced Linux Policy for the piranha_lvs processes +.SH "DESCRIPTION" @@ -61720,7 +108712,9 @@ index 0000000..4792eec + +.SH "ENTRYPOINTS" + -+The piranha_lvs_t SELinux type can be entered via the "piranha_lvs_exec_t" file type. The default entrypoint paths for the piranha_lvs_t domain are the following:" ++The piranha_lvs_t SELinux type can be entered via the \fBpiranha_lvs_exec_t\fP file type. ++ ++The default entrypoint paths for the piranha_lvs_t domain are the following: + +/usr/sbin/lvsd +.SH PROCESS TYPES 
@@ -61738,27 +108732,151 @@ index 0000000..4792eec +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a piranha_lvs_t ++can be used to make the process type piranha_lvs_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. piranha_lvs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run piranha_lvs with the tightest access possible. + + +.PP -+If you want to allow piranha-lvs domain to connect to the network using TCP, you must turn on the piranha_lvs_can_network_connect boolean. ++If you want to allow piranha-lvs domain to connect to the network using TCP, you must turn on the piranha_lvs_can_network_connect boolean. Disabled by default. + +.EX +.B setsebool -P piranha_lvs_can_network_connect 1 ++ +.EE + +.PP -+If you want to allow piranha-lvs domain to connect to the network using TCP, you must turn on the piranha_lvs_can_network_connect boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P piranha_lvs_can_network_connect 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the piranha_lvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the piranha_lvs_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type piranha_lvs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B piranha_lvs_var_run_t ++ ++ /var/run/lvs\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -61767,7 +108885,20 @@ index 0000000..4792eec +Policy governs the access confined processes have to these files. +SELinux piranha_lvs policy is very flexible allowing users to setup their piranha_lvs processes in as secure a method as possible. +.PP -+The following file types are defined for piranha_lvs: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the piranha_lvs, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t piranha_lvs_exec_t '/srv/piranha_lvs/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypiranha_lvs_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for piranha_lvs: + + +.EX 
@@ -61783,7 +108914,7 @@ index 0000000..4792eec +.B piranha_lvs_var_run_t +.EE + -+- Set files with the piranha_lvs_var_run_t type, if you want to store the piranha lvs files under the /run directory. ++- Set files with the piranha_lvs_var_run_t type, if you want to store the piranha lvs files under the /run or /var/run directory. + + +.PP @@ -61793,32 +108924,6 @@ index 0000000..4792eec +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type piranha_lvs_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B piranha_lvs_var_run_t -+ -+ /var/run/lvs\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_lvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the piranha_lvs_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -61847,11 +108952,11 @@ index 0000000..4792eec \ No newline at end of file diff --git a/man/man8/piranha_pulse_selinux.8 b/man/man8/piranha_pulse_selinux.8 new file mode 100644 -index 0000000..2c470f5 +index 0000000..1fbd0f5 --- /dev/null +++ b/man/man8/piranha_pulse_selinux.8 -@@ -0,0 +1,151 @@ -+.TH "piranha_pulse_selinux" "8" "12-11-01" "piranha_pulse" "SELinux Policy documentation for piranha_pulse" +@@ -0,0 +1,279 @@ ++.TH "piranha_pulse_selinux" "8" "13-01-16" "piranha_pulse" "SELinux Policy documentation for piranha_pulse" +.SH "NAME" +piranha_pulse_selinux \- Security Enhanced Linux Policy for the piranha_pulse processes +.SH "DESCRIPTION" 
@@ -61867,7 +108972,9 @@ index 0000000..2c470f5 + +.SH "ENTRYPOINTS" + -+The piranha_pulse_t SELinux type can be entered via the "piranha_pulse_exec_t" file type. The default entrypoint paths for the piranha_pulse_t domain are the following:" ++The piranha_pulse_t SELinux type can be entered via the \fBpiranha_pulse_exec_t\fP file type. ++ ++The default entrypoint paths for the piranha_pulse_t domain are the following: + +/usr/sbin/pulse +.SH PROCESS TYPES 
@@ -61885,8 +108992,168 @@ index 0000000..2c470f5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a piranha_pulse_t ++can be used to make the process type piranha_pulse_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. piranha_pulse policy is extremely flexible and has several booleans that allow you to manipulate the policy and run piranha_pulse with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the piranha_pulse_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the piranha_pulse_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type piranha_pulse_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B piranha_pulse_var_run_t ++ ++ /var/run/pulse\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B samba_etc_t ++ ++ /etc/samba(/.*)? ++.br ++ ++.br ++.B samba_var_t ++ ++ /var/nmbd(/.*)? ++.br ++ /var/lib/samba(/.*)? ++.br ++ /var/cache/samba(/.*)? ++.br ++ /var/spool/samba(/.*)? ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -61896,7 +109163,20 @@ index 0000000..2c470f5 +Policy governs the access confined processes have to these files. +SELinux piranha_pulse policy is very flexible allowing users to setup their piranha_pulse processes in as secure a method as possible. +.PP -+The following file types are defined for piranha_pulse: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the piranha_pulse, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t piranha_pulse_exec_t '/srv/piranha_pulse/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypiranha_pulse_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for piranha_pulse: + + +.EX @@ -61920,7 +109200,7 @@ index 0000000..2c470f5 +.B piranha_pulse_var_run_t +.EE + -+- Set files with the piranha_pulse_var_run_t type, if you want to store the piranha pulse files under the /run directory. ++- Set files with the piranha_pulse_var_run_t type, if you want to store the piranha pulse files under the /run or /var/run directory. + + +.PP 
@@ -61930,56 +109210,6 @@ index 0000000..2c470f5 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type piranha_pulse_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B piranha_pulse_var_run_t -+ -+ /var/run/pulse\.pid -+.br -+ -+.br -+.B samba_etc_t -+ -+ /etc/samba(/.*)? -+.br -+ -+.br -+.B samba_var_t -+ -+ /var/lib/samba(/.*)? -+.br -+ /var/cache/samba(/.*)? -+.br -+ /var/spool/samba(/.*)? -+.br -+ -+.br -+.B systemd_passwd_var_run_t -+ -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_pulse_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the piranha_pulse_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -61990,6 +109220,9 @@ index 0000000..2c470f5 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -62001,15 +109234,15 @@ index 0000000..2c470f5 + +.SH "SEE ALSO" +selinux(8), piranha_pulse(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, piranha_fos_selinux(8), piranha_lvs_selinux(8), piranha_web_selinux(8) ++, setsebool(8), piranha_fos_selinux(8), piranha_lvs_selinux(8), piranha_web_selinux(8) \ No newline at end of file 
diff --git a/man/man8/piranha_web_selinux.8 b/man/man8/piranha_web_selinux.8 new file mode 100644 -index 0000000..c0ce2c7 +index 0000000..6b0c5b6 --- /dev/null +++ b/man/man8/piranha_web_selinux.8 -@@ -0,0 +1,177 @@ -+.TH "piranha_web_selinux" "8" "12-11-01" "piranha_web" "SELinux Policy documentation for piranha_web" +@@ -0,0 +1,318 @@ ++.TH "piranha_web_selinux" "8" "13-01-16" "piranha_web" "SELinux Policy documentation for piranha_web" +.SH "NAME" +piranha_web_selinux \- Security Enhanced Linux Policy for the piranha_web processes +.SH "DESCRIPTION" @@ -62025,7 +109258,9 @@ index 0000000..c0ce2c7 + +.SH "ENTRYPOINTS" + -+The piranha_web_t SELinux type can be entered via the "piranha_web_exec_t" file type. The default entrypoint paths for the piranha_web_t domain are the following:" ++The piranha_web_t SELinux type can be entered via the \fBpiranha_web_exec_t\fP file type. ++ ++The default entrypoint paths for the piranha_web_t domain are the following: + +/usr/sbin/piranha_gui +.SH PROCESS TYPES 
@@ -62043,8 +109278,168 @@ index 0000000..c0ce2c7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a piranha_web_t ++can be used to make the process type piranha_web_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. piranha_web policy is extremely flexible and has several booleans that allow you to manipulate the policy and run piranha_web with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the piranha_web_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the piranha_web_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type piranha_web_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B piranha_etc_rw_t ++ ++ /etc/piranha/lvs\.cf ++.br ++ ++.br ++.B piranha_log_t ++ ++ /var/log/piranha(/.*)? ++.br ++ ++.br ++.B piranha_web_data_t ++ ++ /var/lib/luci(/.*)? ++.br ++ ++.br ++.B piranha_web_tmp_t ++ ++ ++.br ++.B piranha_web_tmpfs_t ++ ++ ++.br ++.B piranha_web_var_run_t ++ ++ /var/run/piranha-httpd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -62054,7 +109449,31 @@ index 0000000..c0ce2c7 +Policy governs the access confined processes have to these files. +SELinux piranha_web policy is very flexible allowing users to setup their piranha_web processes in as secure a method as possible. +.PP -+The following file types are defined for piranha_web: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++piranha_web policy stores data with multiple different file context types under the /var/lib/luci directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/luci /srv/luci ++.br ++.B restorecon -R -v /srv/luci ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the piranha_web, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t piranha_web_conf_t '/srv/piranha_web/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypiranha_web_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for piranha_web: + + +.EX 
@@ -62064,6 +109483,10 @@ index 0000000..c0ce2c7 + +- Set files with the piranha_web_conf_t type, if you want to treat the files as piranha web configuration data, usually stored under the /etc directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/luci/etc(/.*)?, /var/lib/luci/cert(/.*)? + +.EX +.PP @@ -62102,7 +109525,7 @@ index 0000000..c0ce2c7 +.B piranha_web_var_run_t +.EE + -+- Set files with the piranha_web_var_run_t type, if you want to store the piranha web files under the /run directory. ++- Set files with the piranha_web_var_run_t type, if you want to store the piranha web files under the /run or /var/run directory. + + +.PP @@ -62112,58 +109535,6 @@ index 0000000..c0ce2c7 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type piranha_web_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B piranha_etc_rw_t -+ -+ /etc/piranha/lvs\.cf -+.br -+ -+.br -+.B piranha_log_t -+ -+ /var/log/piranha(/.*)? -+.br -+ -+.br -+.B piranha_web_data_t -+ -+ /var/lib/luci(/.*)? -+.br -+ -+.br -+.B piranha_web_tmp_t -+ -+ -+.br -+.B piranha_web_tmpfs_t -+ -+ -+.br -+.B piranha_web_var_run_t -+ -+ /var/run/piranha-httpd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_web_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the piranha_web_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -62174,6 +109545,9 @@ index 0000000..c0ce2c7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -62185,15 +109559,15 @@ index 0000000..c0ce2c7 + +.SH "SEE ALSO" +selinux(8), piranha_web(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, piranha_fos_selinux(8), piranha_lvs_selinux(8), piranha_pulse_selinux(8) ++, setsebool(8), piranha_fos_selinux(8), piranha_lvs_selinux(8), piranha_pulse_selinux(8) \ No newline at end of file diff --git a/man/man8/pkcsslotd_selinux.8 b/man/man8/pkcsslotd_selinux.8 new file mode 100644 -index 0000000..a7bf1c6 +index 0000000..ded07f3 --- /dev/null +++ b/man/man8/pkcsslotd_selinux.8 -@@ -0,0 +1,148 @@ -+.TH "pkcsslotd_selinux" "8" "12-11-01" "pkcsslotd" "SELinux Policy documentation for pkcsslotd" +@@ -0,0 +1,241 @@ ++.TH "pkcsslotd_selinux" "8" "13-01-16" "pkcsslotd" "SELinux Policy documentation for pkcsslotd" +.SH "NAME" +pkcsslotd_selinux \- Security Enhanced Linux Policy for the pkcsslotd processes +.SH "DESCRIPTION" @@ -62209,7 +109583,9 @@ index 0000000..a7bf1c6 + +.SH "ENTRYPOINTS" + -+The pkcsslotd_t SELinux type can be entered via the "pkcsslotd_exec_t" file type. The default entrypoint paths for the pkcsslotd_t domain are the following:" ++The pkcsslotd_t SELinux type can be entered via the \fBpkcsslotd_exec_t\fP file type. ++ ++The default entrypoint paths for the pkcsslotd_t domain are the following: + +/usr/sbin/pkcsslotd +.SH PROCESS TYPES 
@@ -62227,8 +109603,106 @@ index 0000000..a7bf1c6 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pkcsslotd_t ++can be used to make the process type pkcsslotd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pkcsslotd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pkcsslotd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type pkcsslotd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B pkcsslotd_tmp_t ++ ++ ++.br ++.B pkcsslotd_tmpfs_t ++ ++ ++.br ++.B pkcsslotd_var_lib_t ++ ++ /var/lib/opencryptoki(/.*)? ++.br ++ ++.br ++.B pkcsslotd_var_run_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -62238,7 +109712,20 @@ index 0000000..a7bf1c6 +Policy governs the access confined processes have to these files. +SELinux pkcsslotd policy is very flexible allowing users to setup their pkcsslotd processes in as secure a method as possible. +.PP -+The following file types are defined for pkcsslotd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pkcsslotd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pkcsslotd_exec_t '/srv/pkcsslotd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypkcsslotd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for pkcsslotd: + + +.EX 
@@ -62286,7 +109773,7 @@ index 0000000..a7bf1c6 +.B pkcsslotd_var_run_t +.EE + -+- Set files with the pkcsslotd_var_run_t type, if you want to store the pkcsslotd files under the /run directory. ++- Set files with the pkcsslotd_var_run_t type, if you want to store the pkcsslotd files under the /run or /var/run directory. + + +.PP @@ -62296,30 +109783,6 @@ index 0000000..a7bf1c6 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type pkcsslotd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B pkcsslotd_tmp_t -+ -+ -+.br -+.B pkcsslotd_tmpfs_t -+ -+ -+.br -+.B pkcsslotd_var_lib_t -+ -+ /var/lib/opencryptoki(/.*)? -+.br -+ -+.br -+.B pkcsslotd_var_run_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -62330,6 +109793,9 @@ index 0000000..a7bf1c6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -62341,13 +109807,15 @@ index 0000000..a7bf1c6 + +.SH "SEE ALSO" +selinux(8), pkcsslotd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/pki_ra_selinux.8 b/man/man8/pki_ra_selinux.8 new file mode 100644 -index 0000000..565c3d5 +index 0000000..b96098a --- /dev/null +++ b/man/man8/pki_ra_selinux.8 -@@ -0,0 +1,241 @@ -+.TH "pki_ra_selinux" "8" "12-11-01" "pki_ra" "SELinux Policy documentation for pki_ra" +@@ -0,0 +1,382 @@ ++.TH "pki_ra_selinux" "8" "13-01-16" "pki_ra" "SELinux Policy documentation for pki_ra" +.SH "NAME" +pki_ra_selinux \- Security Enhanced Linux Policy for the pki_ra processes +.SH "DESCRIPTION" 
@@ -62363,9 +109831,11 @@ index 0000000..565c3d5 + +.SH "ENTRYPOINTS" + -+The pki_ra_t SELinux type can be entered via the "httpd_exec_t,pki_ra_exec_t" file types. The default entrypoint paths for the pki_ra_t domain are the following:" ++The pki_ra_t SELinux type can be entered via the \fBpki_ra_exec_t, httpd_exec_t\fP file types. + -+/usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails, /var/lib/pki-ra/pki-ra ++The default entrypoint paths for the pki_ra_t domain are the following: ++ ++/var/lib/pki-ra/pki-ra, /usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -62381,90 +109851,124 @@ index 0000000..565c3d5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pki_ra_t ++can be used to make the process type pki_ra_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux pki_ra policy is very flexible allowing users to setup their pki_ra processes in as secure a method as possible. -+.PP -+The following file types are defined for pki_ra: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pki_ra policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pki_ra with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B pki_ra_etc_rw_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the pki_ra_etc_rw_t type, if you want to treat the files as pki ra etc read/write content. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B pki_ra_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the pki_ra_exec_t type, if you want to transition an executable to the pki_ra_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. 
Disabled by default. + +.EX -+.PP -+.B pki_ra_lock_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the pki_ra_lock_t type, if you want to treat the files as pki ra lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B pki_ra_log_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the pki_ra_log_t type, if you want to treat the data as pki ra log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B pki_ra_script_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the pki_ra_script_exec_t type, if you want to transition an executable to the pki_ra_script_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B pki_ra_tomcat_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the pki_ra_tomcat_exec_t type, if you want to transition an executable to the pki_ra_tomcat_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B pki_ra_var_lib_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the pki_ra_var_lib_t type, if you want to store the pki ra files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B pki_ra_var_run_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the pki_ra_var_run_t type, if you want to store the pki ra files under the /run directory. 
++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the pki_ra_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pki_ra_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -62547,22 +110051,124 @@ index 0000000..565c3d5 + /var/run/pki/ra(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux pki_ra policy is very flexible allowing users to setup their pki_ra processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pki_ra_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the pki_ra_t, you must turn on the kerberos_enabled boolean. ++pki_ra policy stores data with multiple different file context types under the /var/lib/pki-ra directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/pki-ra /srv/pki-ra ++.br ++.B restorecon -R -v /srv/pki-ra ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pki_ra, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pki_ra_etc_rw_t '/srv/pki_ra/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypki_ra_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for pki_ra: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B pki_ra_etc_rw_t +.EE + ++- Set files with the pki_ra_etc_rw_t type, if you want to treat the files as pki ra etc read/write content. ++ ++.br ++.TP 5 ++Paths: ++/etc/pki-ra(/.*)?, /etc/sysconfig/pki/ra(/.*)? ++ ++.EX ++.PP ++.B pki_ra_exec_t ++.EE ++ ++- Set files with the pki_ra_exec_t type, if you want to transition an executable to the pki_ra_t domain. ++ ++ ++.EX ++.PP ++.B pki_ra_lock_t ++.EE ++ ++- Set files with the pki_ra_lock_t type, if you want to treat the files as pki ra lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B pki_ra_log_t ++.EE ++ ++- Set files with the pki_ra_log_t type, if you want to treat the data as pki ra log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B pki_ra_script_exec_t ++.EE ++ ++- Set files with the pki_ra_script_exec_t type, if you want to transition an executable to the pki_ra_script_t domain. ++ ++ ++.EX ++.PP ++.B pki_ra_tomcat_exec_t ++.EE ++ ++- Set files with the pki_ra_tomcat_exec_t type, if you want to transition an executable to the pki_ra_tomcat_t domain. ++ ++ ++.EX ++.PP ++.B pki_ra_var_lib_t ++.EE ++ ++- Set files with the pki_ra_var_lib_t type, if you want to store the pki ra files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B pki_ra_var_run_t ++.EE ++ ++- Set files with the pki_ra_var_run_t type, if you want to store the pki ra files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -62576,6 +110182,9 @@ index 0000000..565c3d5 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -62587,15 +110196,123 @@ index 0000000..565c3d5 + +.SH "SEE ALSO" +selinux(8), pki_ra(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, pki_tomcat_selinux(8), pki_tps_selinux(8) ++, setsebool(8), pki_tomcat_selinux(8), pki_tomcat_script_selinux(8), pki_tps_selinux(8) +\ No newline at end of file +diff --git a/man/man8/pki_tomcat_script_selinux.8 b/man/man8/pki_tomcat_script_selinux.8 +new file mode 100644 +index 0000000..ed9dd29 +--- /dev/null ++++ b/man/man8/pki_tomcat_script_selinux.8 +@@ -0,0 +1,101 @@ ++.TH "pki_tomcat_script_selinux" "8" "13-01-16" "pki_tomcat_script" "SELinux Policy documentation for pki_tomcat_script" ++.SH "NAME" ++pki_tomcat_script_selinux \- Security Enhanced Linux Policy for the pki_tomcat_script processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the pki_tomcat_script processes via flexible mandatory access control. ++ ++The pki_tomcat_script processes execute with the pki_tomcat_script_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep pki_tomcat_script_t ++ ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux pki_tomcat_script policy is very flexible allowing users to setup their pki_tomcat_script processes in as secure a method as possible. ++.PP ++The following process types are defined for pki_tomcat_script: ++ ++.EX ++.B pki_tomcat_script_t ++.EE ++.PP ++Note: ++.B semanage permissive -a pki_tomcat_script_t ++can be used to make the process type pki_tomcat_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
pki_tomcat_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pki_tomcat_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), pki_tomcat_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), pki_ra_selinux(8), pki_tomcat_selinux(8), pki_tomcat_selinux(8), pki_tps_selinux(8) \ No newline at end of file 
diff --git a/man/man8/pki_tomcat_selinux.8 b/man/man8/pki_tomcat_selinux.8 new file mode 100644 -index 0000000..47e7c89 +index 0000000..dd903a3 --- /dev/null +++ b/man/man8/pki_tomcat_selinux.8 -@@ -0,0 +1,273 @@ -+.TH "pki_tomcat_selinux" "8" "12-11-01" "pki_tomcat" "SELinux Policy documentation for pki_tomcat" +@@ -0,0 +1,430 @@ ++.TH "pki_tomcat_selinux" "8" "13-01-16" "pki_tomcat" "SELinux Policy documentation for pki_tomcat" +.SH "NAME" +pki_tomcat_selinux \- Security Enhanced Linux Policy for the pki_tomcat processes +.SH "DESCRIPTION" @@ -62611,7 +110328,9 @@ index 0000000..47e7c89 + +.SH "ENTRYPOINTS" + -+The pki_tomcat_t SELinux type can be entered via the "pki_tomcat_exec_t" file type. The default entrypoint paths for the pki_tomcat_t domain are the following:" ++The pki_tomcat_t SELinux type can be entered via the \fBpki_tomcat_exec_t\fP file type. ++ ++The default entrypoint paths for the pki_tomcat_t domain are the following: + +/usr/bin/pkidaemon +.SH PROCESS TYPES 
@@ -62629,107 +110348,85 @@ index 0000000..47e7c89 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pki_tomcat_t ++can be used to make the process type pki_tomcat_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux pki_tomcat policy is very flexible allowing users to setup their pki_tomcat processes in as secure a method as possible. -+.PP -+The following file types are defined for pki_tomcat: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pki_tomcat policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pki_tomcat with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B pki_tomcat_cache_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the pki_tomcat_cache_t type, if you want to store the files under the /var/cache directory. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B pki_tomcat_cert_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the pki_tomcat_cert_t type, if you want to treat the files as pki tomcat certificate data. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B pki_tomcat_etc_rw_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the pki_tomcat_etc_rw_t type, if you want to treat the files as pki tomcat etc read/write content. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B pki_tomcat_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the pki_tomcat_exec_t type, if you want to transition an executable to the pki_tomcat_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B pki_tomcat_lock_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the pki_tomcat_lock_t type, if you want to treat the files as pki tomcat lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B pki_tomcat_log_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the pki_tomcat_log_t type, if you want to treat the data as pki tomcat log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B pki_tomcat_tmp_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the pki_tomcat_tmp_t type, if you want to store pki tomcat temporary files in the /tmp directories. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B pki_tomcat_unit_file_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the pki_tomcat_unit_file_t type, if you want to treat the files as pki tomcat unit content. 
-+ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. + +.EX -+.PP -+.B pki_tomcat_var_lib_t ++.B setsebool -P nscd_use_shm 1 ++ +.EE + -+- Set files with the pki_tomcat_var_lib_t type, if you want to store the pki tomcat files under the /var/lib directory. -+ -+ -+.EX -+.PP -+.B pki_tomcat_var_run_t -+.EE -+ -+- Set files with the pki_tomcat_var_run_t type, if you want to store the pki tomcat files under the /run directory. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH "MANAGED FILES" + +The SELinux process type pki_tomcat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
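Review bot: the deny_ptrace entry in the new BOOLEANS section of pki_tomcat_selinux.8 has its sense inverted. The text reads `If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean` and the command given is `setsebool -P deny_ptrace 1`, but setting deny_ptrace to 1 is what blocks ptrace; to allow debugging an admin sets it to 0. The identical paragraph is emitted in every other *_selinux.8 page this patch adds (pki_tps, plymouth, plymouthd, podsleuth), so the fix belongs in the tunable description that `sepolicy manpage` reads rather than in the generated pages, and the `Enabled by default` claim for this boolean should be re-checked against the shipped default for the same reason.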
@@ -62833,18 +110530,192 @@ index 0000000..47e7c89 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B user_tmp_t + + /var/run/user(/.*)? +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux pki_tomcat policy is very flexible allowing users to setup their pki_tomcat processes in as secure a method as possible. ++.PP ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++pki_tomcat policy stores data with multiple different file context types under the /var/lib/pki-ca directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/pki-ca /srv/pki-ca ++.br ++.B restorecon -R -v /srv/pki-ca ++.PP ++ ++.PP ++pki_tomcat policy stores data with multiple different file context types under the /var/lib/pki-kra directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/pki-kra /srv/pki-kra ++.br ++.B restorecon -R -v /srv/pki-kra ++.PP ++ ++.PP ++pki_tomcat policy stores data with multiple different file context types under the /var/lib/pki-ocsp directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. 
If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/pki-ocsp /srv/pki-ocsp ++.br ++.B restorecon -R -v /srv/pki-ocsp ++.PP ++ ++.PP ++pki_tomcat policy stores data with multiple different file context types under the /var/lib/pki-tks directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/pki-tks /srv/pki-tks ++.br ++.B restorecon -R -v /srv/pki-tks ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pki_tomcat, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pki_tomcat_cache_t '/srv/pki_tomcat/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypki_tomcat_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for pki_tomcat: ++ ++ ++.EX ++.PP ++.B pki_tomcat_cache_t ++.EE ++ ++- Set files with the pki_tomcat_cache_t type, if you want to store the files under the /var/cache directory. ++ ++ ++.EX ++.PP ++.B pki_tomcat_cert_t ++.EE ++ ++- Set files with the pki_tomcat_cert_t type, if you want to treat the files as pki tomcat certificate data. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/pki-ca/alias(/.*)?, /var/lib/pki-kra/alias(/.*)?, /var/lib/pki-tks/alias(/.*)?, /var/lib/pki-ocsp/alias(/.*)?, /etc/pki/pki-tomcat/alias(/.*)? ++ ++.EX ++.PP ++.B pki_tomcat_etc_rw_t ++.EE ++ ++- Set files with the pki_tomcat_etc_rw_t type, if you want to treat the files as pki tomcat etc read/write content. 
++ ++.br ++.TP 5 ++Paths: ++/etc/pki-ca(/.*)?, /etc/pki-kra(/.*)?, /etc/pki-tks(/.*)?, /etc/pki-ocsp(/.*)?, /etc/pki/pki-tomcat(/.*)?, /etc/sysconfig/pki/tomcat(/.*)? ++ ++.EX ++.PP ++.B pki_tomcat_exec_t ++.EE ++ ++- Set files with the pki_tomcat_exec_t type, if you want to transition an executable to the pki_tomcat_t domain. ++ ++ ++.EX ++.PP ++.B pki_tomcat_lock_t ++.EE ++ ++- Set files with the pki_tomcat_lock_t type, if you want to treat the files as pki tomcat lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B pki_tomcat_log_t ++.EE ++ ++- Set files with the pki_tomcat_log_t type, if you want to treat the data as pki tomcat log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/pki-ca(/.*)?, /var/log/pki-kra(/.*)?, /var/log/pki-tks(/.*)?, /var/log/pki-ocsp(/.*)?, /var/log/pki/pki-tomcat(/.*)? ++ ++.EX ++.PP ++.B pki_tomcat_tmp_t ++.EE ++ ++- Set files with the pki_tomcat_tmp_t type, if you want to store pki tomcat temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B pki_tomcat_unit_file_t ++.EE ++ ++- Set files with the pki_tomcat_unit_file_t type, if you want to treat the files as pki tomcat unit content. ++ ++ ++.EX ++.PP ++.B pki_tomcat_var_lib_t ++.EE ++ ++- Set files with the pki_tomcat_var_lib_t type, if you want to store the pki tomcat files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/pki-ca(/.*)?, /var/lib/pki-kra(/.*)?, /var/lib/pki-tks(/.*)?, /var/lib/pki-ocsp(/.*)?, /var/lib/pki/pki-tomcat(/.*)? ++ ++.EX ++.PP ++.B pki_tomcat_var_run_t ++.EE ++ ++- Set files with the pki_tomcat_var_run_t type, if you want to store the pki tomcat files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/pki-ca.pid, /var/run/pki-kra.pid, /var/run/pki-tks.pid, /var/run/pki-ocsp.pid, /var/run/pki/tomcat(/.*)? ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -62856,6 +110727,9 @@ index 0000000..47e7c89 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -62867,15 +110741,15 @@ index 0000000..47e7c89 + +.SH "SEE ALSO" +selinux(8), pki_tomcat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, pki_ra_selinux(8), pki_tps_selinux(8) ++, setsebool(8), pki_ra_selinux(8), pki_tomcat_script_selinux(8), pki_tps_selinux(8) \ No newline at end of file diff --git a/man/man8/pki_tps_selinux.8 b/man/man8/pki_tps_selinux.8 new file mode 100644 -index 0000000..8fecac8 +index 0000000..bc8c15d --- /dev/null +++ b/man/man8/pki_tps_selinux.8 -@@ -0,0 +1,223 @@ -+.TH "pki_tps_selinux" "8" "12-11-01" "pki_tps" "SELinux Policy documentation for pki_tps" +@@ -0,0 +1,364 @@ ++.TH "pki_tps_selinux" "8" "13-01-16" "pki_tps" "SELinux Policy documentation for pki_tps" +.SH "NAME" +pki_tps_selinux \- Security Enhanced Linux Policy for the pki_tps processes +.SH "DESCRIPTION" 
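Review bot: the MANAGED FILES list now says pki_tomcat_t can manage files labeled `root_t` (`/` and `/initrd`) with no indication that this is boolean-gated; the only write access to `/` this page describes is `daemons_dump_core`, which the BOOLEANS section of the same page says is disabled by default, so stating it unconditionally overstates what the domain can write out of the box. The generator should mark boolean-gated types as such or list them under the boolean. Two smaller things in the same hunk: the added `/tmp/gconfd-pwalsh` under user_tmp_t (next to the existing `/tmp/gconfd-dwalsh`) is a developer's local file-context customization that leaked from the build host's semanage store into a shipped man page and should be dropped; and the STANDARD FILE CONTEXT example maps `'/srv/pki_tomcat/content(/.*)?'` but then runs `restorecon -R -v /srv/mypki_tomcat_content`, so the relabel never touches the path that was just mapped. Typos while you are there: dirctory, diffent, sepecify, and `\fBls\bP` (should be `\fBls\fP`).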
@@ -62891,9 +110765,11 @@ index 0000000..8fecac8 + +.SH "ENTRYPOINTS" + -+The pki_tps_t SELinux type can be entered via the "httpd_exec_t,pki_tps_exec_t" file types. The default entrypoint paths for the pki_tps_t domain are the following:" ++The pki_tps_t SELinux type can be entered via the \fBpki_tps_exec_t, httpd_exec_t\fP file types. + -+/usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails, /var/lib/pki-tps/pki-tps ++The default entrypoint paths for the pki_tps_t domain are the following: ++ ++/var/lib/pki-tps/pki-tps, /usr/sbin/httpd(\.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/sbin/httpd\.event, /usr/bin/mongrel_rails +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
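Review bot: the rewritten ENTRYPOINTS paragraph lists every httpd_exec_t binary (`/usr/sbin/httpd(\.worker)?`, `/usr/sbin/php-fpm`, `/usr/bin/mongrel_rails`, ...) as a default entrypoint path for pki_tps_t. That is true of the entrypoint type, but as written it reads as if running Apache lands you in pki_tps_t, when only `/var/lib/pki-tps/pki-tps` is pki_tps_exec_t; whether executing one of the httpd binaries ends up in httpd_t or pki_tps_t depends on the calling domain's transition rule, which the page does not say. Suggest the generator print the paths grouped per entrypoint type, with the pki_tps_exec_t paths first and a note that the httpd_exec_t ones are shared with httpd_t.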
@@ -62909,90 +110785,124 @@ index 0000000..8fecac8 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pki_tps_t ++can be used to make the process type pki_tps_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux pki_tps policy is very flexible allowing users to setup their pki_tps processes in as secure a method as possible. -+.PP -+The following file types are defined for pki_tps: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pki_tps policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pki_tps with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B pki_tps_etc_rw_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the pki_tps_etc_rw_t type, if you want to treat the files as pki tps etc read/write content. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B pki_tps_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the pki_tps_exec_t type, if you want to transition an executable to the pki_tps_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. 
Disabled by default. + +.EX -+.PP -+.B pki_tps_lock_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the pki_tps_lock_t type, if you want to treat the files as pki tps lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B pki_tps_log_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the pki_tps_log_t type, if you want to treat the data as pki tps log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B pki_tps_script_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the pki_tps_script_exec_t type, if you want to transition an executable to the pki_tps_script_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B pki_tps_tomcat_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the pki_tps_tomcat_exec_t type, if you want to transition an executable to the pki_tps_tomcat_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B pki_tps_var_lib_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the pki_tps_var_lib_t type, if you want to store the pki tps files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B pki_tps_var_run_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the pki_tps_var_run_t type, if you want to store the pki tps files under the /run directory. 
++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the pki_tps_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pki_tps_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
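Review bot: `nscd_use_shm` is described here as `Disabled by default`, but the pki_tomcat page generated in the same run (earlier in this patch) and the podsleuth page later both say `Enabled by default` for the same global boolean. One of them is wrong, and since all three pages come from the same tool and the same policy build this points at the generator reading a different default (active value vs. policy default) on different pages. Also, the new NSSWITCH DOMAIN section repeats the `authlogin_nsswitch_use_ldap` and `kerberos_enabled` entries that the BOOLEANS section just above already has, with the same setsebool commands; keep one copy.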
@@ -63057,22 +110967,124 @@ index 0000000..8fecac8 + /var/run/pki/tps(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux pki_tps policy is very flexible allowing users to setup their pki_tps processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pki_tps_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the pki_tps_t, you must turn on the kerberos_enabled boolean. ++pki_tps policy stores data with multiple different file context types under the /var/lib/pki-tps directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/pki-tps /srv/pki-tps ++.br ++.B restorecon -R -v /srv/pki-tps ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pki_tps, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pki_tps_etc_rw_t '/srv/pki_tps/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypki_tps_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for pki_tps: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B pki_tps_etc_rw_t +.EE + ++- Set files with the pki_tps_etc_rw_t type, if you want to treat the files as pki tps etc read/write content. ++ ++.br ++.TP 5 ++Paths: ++/etc/pki-tps(/.*)?, /etc/sysconfig/pki/tps(/.*)? ++ ++.EX ++.PP ++.B pki_tps_exec_t ++.EE ++ ++- Set files with the pki_tps_exec_t type, if you want to transition an executable to the pki_tps_t domain. ++ ++ ++.EX ++.PP ++.B pki_tps_lock_t ++.EE ++ ++- Set files with the pki_tps_lock_t type, if you want to treat the files as pki tps lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B pki_tps_log_t ++.EE ++ ++- Set files with the pki_tps_log_t type, if you want to treat the data as pki tps log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B pki_tps_script_exec_t ++.EE ++ ++- Set files with the pki_tps_script_exec_t type, if you want to transition an executable to the pki_tps_script_t domain. ++ ++ ++.EX ++.PP ++.B pki_tps_tomcat_exec_t ++.EE ++ ++- Set files with the pki_tps_tomcat_exec_t type, if you want to transition an executable to the pki_tps_tomcat_t domain. ++ ++ ++.EX ++.PP ++.B pki_tps_var_lib_t ++.EE ++ ++- Set files with the pki_tps_var_lib_t type, if you want to store the pki tps files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B pki_tps_var_run_t ++.EE ++ ++- Set files with the pki_tps_var_run_t type, if you want to store the pki tps files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
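Review bot: the STANDARD FILE CONTEXT example in pki_tps_selinux.8 maps `'/srv/pki_tps/content(/.*)?'` with `semanage fcontext -a -t pki_tps_etc_rw_t` but then runs `restorecon -R -v /srv/mypki_tps_content`, a path the mapping does not cover, so a reader who copies the two lines ends up with a labeling rule that is never applied. The two paths need to agree (same defect on the pki_tomcat page). The re-added FILE CONTEXTS text also carries `\fBls\bP` (`\bP` is not a groff escape; it should be `\fP`) and the spellings dirctory/diffent/sepecify, and `root_t` appears under MANAGED FILES again with no mention that it is gated by daemons_dump_core.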
@@ -63086,6 +111098,9 @@ index 0000000..8fecac8 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -63097,15 +111112,15 @@ index 0000000..8fecac8 + +.SH "SEE ALSO" +selinux(8), pki_tps(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, pki_ra_selinux(8), pki_tomcat_selinux(8) ++, setsebool(8), pki_ra_selinux(8), pki_tomcat_selinux(8), pki_tomcat_script_selinux(8) \ No newline at end of file diff --git a/man/man8/plymouth_selinux.8 b/man/man8/plymouth_selinux.8 new file mode 100644 -index 0000000..fd43c97 +index 0000000..9c88ed0 --- /dev/null +++ b/man/man8/plymouth_selinux.8 -@@ -0,0 +1,127 @@ -+.TH "plymouth_selinux" "8" "12-11-01" "plymouth" "SELinux Policy documentation for plymouth" +@@ -0,0 +1,195 @@ ++.TH "plymouth_selinux" "8" "13-01-16" "plymouth" "SELinux Policy documentation for plymouth" +.SH "NAME" +plymouth_selinux \- Security Enhanced Linux Policy for the plymouth processes +.SH "DESCRIPTION" @@ -63121,7 +111136,9 @@ index 0000000..fd43c97 + +.SH "ENTRYPOINTS" + -+The plymouth_t SELinux type can be entered via the "plymouth_exec_t" file type. The default entrypoint paths for the plymouth_t domain are the following:" ++The plymouth_t SELinux type can be entered via the \fBplymouth_exec_t\fP file type. ++ ++The default entrypoint paths for the plymouth_t domain are the following: + +/bin/plymouth, /usr/bin/plymouth +.SH PROCESS TYPES 
@@ -63139,8 +111156,52 @@ index 0000000..fd43c97 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a plymouth_t ++can be used to make the process type plymouth_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. plymouth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run plymouth with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
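Review bot: the BOOLEANS section added for plymouth opens with `plymouth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run plymouth with the tightest access possible`, but every boolean that follows (deny_ptrace, domain_fd_use, domain_kernel_load_modules, fips_mode, global_ssp) is a system-wide tunable that affects all domains and has nothing plymouth-specific about it. Either suppress the section when no boolean touches the module's own types, or say plainly that these are global booleans; otherwise an admin is led to believe toggling them tightens plymouth alone. The deny_ptrace wording has the same inversion flagged on the pki_tomcat page.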
@@ -63150,7 +111211,20 @@ index 0000000..fd43c97 +Policy governs the access confined processes have to these files. +SELinux plymouth policy is very flexible allowing users to setup their plymouth processes in as secure a method as possible. +.PP -+The following file types are defined for plymouth: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the plymouth, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t plymouth_exec_t '/srv/plymouth/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myplymouth_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for plymouth: + + +.EX @@ -63160,6 +111234,10 @@ index 0000000..fd43c97 + +- Set files with the plymouth_exec_t type, if you want to transition an executable to the plymouth_t domain. + ++.br ++.TP 5 ++Paths: ++/bin/plymouth, /usr/bin/plymouth + +.EX +.PP @@ -63168,6 +111246,10 @@ index 0000000..fd43c97 + +- Set files with the plymouthd_exec_t type, if you want to transition an executable to the plymouthd_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/plymouthd, /usr/sbin/plymouthd + +.EX +.PP @@ -63198,7 +111280,7 @@ index 0000000..fd43c97 +.B plymouthd_var_run_t +.EE + -+- Set files with the plymouthd_var_run_t type, if you want to store the plymouthd files under the /run directory. ++- Set files with the plymouthd_var_run_t type, if you want to store the plymouthd files under the /run or /var/run directory. + + +.PP @@ -63208,8 +111290,6 @@ index 0000000..fd43c97 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
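Review bot: the STANDARD FILE CONTEXT example for plymouth tells the reader to run `semanage fcontext -a -t plymouth_exec_t '/srv/plymouth/content(/.*)?'`. plymouth_exec_t is the entrypoint type for plymouth_t (this page's ENTRYPOINTS section and the `plymouth_exec_t` entry a few lines below both say so), so that command turns every file placed under that tree into an entrypoint executable for the domain; it is exactly the kind of labeling an admin should never be handed as a template. The generator appears to pick the first type alphabetically; it should skip `*_exec_t` and unit-file types, or drop the example when the module defines no data type. The restorecon target `/srv/myplymouth_content` also does not match the mapped path.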
@@ -63220,6 +111300,9 @@ index 0000000..fd43c97 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -63231,15 +111314,15 @@ index 0000000..fd43c97 + +.SH "SEE ALSO" +selinux(8), plymouth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, plymouthd_selinux(8) ++, setsebool(8), plymouthd_selinux(8) \ No newline at end of file diff --git a/man/man8/plymouthd_selinux.8 b/man/man8/plymouthd_selinux.8 new file mode 100644 -index 0000000..8ddb343 +index 0000000..03992e1 --- /dev/null +++ b/man/man8/plymouthd_selinux.8 -@@ -0,0 +1,159 @@ -+.TH "plymouthd_selinux" "8" "12-11-01" "plymouthd" "SELinux Policy documentation for plymouthd" +@@ -0,0 +1,255 @@ ++.TH "plymouthd_selinux" "8" "13-01-16" "plymouthd" "SELinux Policy documentation for plymouthd" +.SH "NAME" +plymouthd_selinux \- Security Enhanced Linux Policy for the plymouthd processes +.SH "DESCRIPTION" @@ -63255,7 +111338,9 @@ index 0000000..8ddb343 + +.SH "ENTRYPOINTS" + -+The plymouthd_t SELinux type can be entered via the "plymouthd_exec_t" file type. The default entrypoint paths for the plymouthd_t domain are the following:" ++The plymouthd_t SELinux type can be entered via the \fBplymouthd_exec_t\fP file type. ++ ++The default entrypoint paths for the plymouthd_t domain are the following: + +/sbin/plymouthd, /usr/sbin/plymouthd +.SH PROCESS TYPES 
@@ -63273,66 +111358,76 @@ index 0000000..8ddb343 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a plymouthd_t ++can be used to make the process type plymouthd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux plymouthd policy is very flexible allowing users to setup their plymouthd processes in as secure a method as possible. -+.PP -+The following file types are defined for plymouthd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. plymouthd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run plymouthd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B plymouthd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the plymouthd_exec_t type, if you want to transition an executable to the plymouthd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B plymouthd_spool_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the plymouthd_spool_t type, if you want to store the plymouthd files under the /var/spool directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B plymouthd_var_lib_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the plymouthd_var_lib_t type, if you want to store the plymouthd files under the /var/lib directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B plymouthd_var_log_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the plymouthd_var_log_t type, if you want to treat the data as plymouthd var log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B plymouthd_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the plymouthd_var_run_t type, if you want to store the plymouthd files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
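Review bot: this hunk deletes the whole FILE CONTEXTS section of plymouthd_selinux.8 and the next hunk re-adds it after MANAGED FILES, so the reorder shows up as a delete plus an add; the re-added copy is not identical (it gains `Paths:` entries and the `/run or /var/run` wording), so please diff the two copies rather than treating it as a pure move. The BOOLEANS block that replaces it lists daemons_use_tcp_wrapper and daemons_use_tty for plymouthd; these are attribute-wide daemon booleans, and as on the plymouth page the section should say so instead of claiming `plymouthd policy is extremely flexible and has several booleans`.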
@@ -63369,12 +111464,93 @@ index 0000000..8ddb343 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B xdm_spool_t + + /var/spool/[mg]dm(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux plymouthd policy is very flexible allowing users to setup their plymouthd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the plymouthd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t plymouthd_exec_t '/srv/plymouthd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myplymouthd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for plymouthd: ++ ++ ++.EX ++.PP ++.B plymouthd_exec_t ++.EE ++ ++- Set files with the plymouthd_exec_t type, if you want to transition an executable to the plymouthd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/plymouthd, /usr/sbin/plymouthd ++ ++.EX ++.PP ++.B plymouthd_spool_t ++.EE ++ ++- Set files with the plymouthd_spool_t type, if you want to store the plymouthd files under the /var/spool directory. ++ ++ ++.EX ++.PP ++.B plymouthd_var_lib_t ++.EE ++ ++- Set files with the plymouthd_var_lib_t type, if you want to store the plymouthd files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B plymouthd_var_log_t ++.EE ++ ++- Set files with the plymouthd_var_log_t type, if you want to treat the data as plymouthd var log data, usually stored under the /var/log directory. 
++ ++ ++.EX ++.PP ++.B plymouthd_var_run_t ++.EE ++ ++- Set files with the plymouthd_var_run_t type, if you want to store the plymouthd files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -63386,6 +111562,9 @@ index 0000000..8ddb343 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -63397,15 +111576,15 @@ index 0000000..8ddb343 + +.SH "SEE ALSO" +selinux(8), plymouthd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, plymouth_selinux(8), plymouth_selinux(8) ++, setsebool(8), plymouth_selinux(8), plymouth_selinux(8) \ No newline at end of file diff --git a/man/man8/podsleuth_selinux.8 b/man/man8/podsleuth_selinux.8 new file mode 100644 -index 0000000..5da1a9f +index 0000000..1c13a3e --- /dev/null +++ b/man/man8/podsleuth_selinux.8 -@@ -0,0 +1,128 @@ -+.TH "podsleuth_selinux" "8" "12-11-01" "podsleuth" "SELinux Policy documentation for podsleuth" +@@ -0,0 +1,201 @@ ++.TH "podsleuth_selinux" "8" "13-01-16" "podsleuth" "SELinux Policy documentation for podsleuth" +.SH "NAME" +podsleuth_selinux \- Security Enhanced Linux Policy for the podsleuth processes +.SH "DESCRIPTION" 
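Review bot: SEE ALSO in plymouthd_selinux.8 ends with `, setsebool(8), plymouth_selinux(8), plymouth_selinux(8)`, the same page listed twice; the generator should de-duplicate related-page names before emitting the line. The re-added FILE CONTEXTS section has the same two defects as the plymouth page: the example `semanage fcontext -a -t plymouthd_exec_t '/srv/plymouthd/content(/.*)?'` labels content with the domain's entrypoint type, and `restorecon -R -v /srv/myplymouthd_content` targets a path the mapping does not cover.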
@@ -63421,7 +111600,9 @@ index 0000000..5da1a9f + +.SH "ENTRYPOINTS" + -+The podsleuth_t SELinux type can be entered via the "podsleuth_exec_t" file type. The default entrypoint paths for the podsleuth_t domain are the following:" ++The podsleuth_t SELinux type can be entered via the \fBpodsleuth_exec_t\fP file type. ++ ++The default entrypoint paths for the podsleuth_t domain are the following: + +/usr/bin/podsleuth, /usr/libexec/hal-podsleuth +.SH PROCESS TYPES 
@@ -63439,8 +111620,78 @@ index 0000000..5da1a9f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a podsleuth_t ++can be used to make the process type podsleuth_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. podsleuth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run podsleuth with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type podsleuth_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B podsleuth_cache_t ++ ++ /var/cache/podsleuth(/.*)? ++.br ++ ++.br ++.B podsleuth_tmp_t ++ ++ ++.br ++.B podsleuth_tmpfs_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -63450,7 +111701,20 @@ index 0000000..5da1a9f +Policy governs the access confined processes have to these files. +SELinux podsleuth policy is very flexible allowing users to setup their podsleuth processes in as secure a method as possible. +.PP -+The following file types are defined for podsleuth: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the podsleuth, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t podsleuth_cache_t '/srv/podsleuth/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypodsleuth_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for podsleuth: + + +.EX @@ -63468,6 +111732,10 @@ index 0000000..5da1a9f + +- Set files with the podsleuth_exec_t type, if you want to transition an executable to the podsleuth_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/podsleuth, /usr/libexec/hal-podsleuth + +.EX +.PP 
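Review bot: the deny_ptrace entry in hunk @@ -63439,8 +111620,78 @@ reads "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean", which is inverted: a boolean named deny_ptrace denies ptrace when it is on, so a reader following this advice would tighten the policy while expecting to loosen it. The "If you want to ..., you must turn on" template does not cope with negated booleans; either special-case them or render their descriptions verbatim. The identical sentence is repeated in the policykit_auth, policykit_grant and policykit_resolve pages in this patch. In the same hunk, "Note the processes UID still need to have DAC permissions" should read "the process's UID still needs", and the podsleuth_tmp_t and podsleuth_tmpfs_t entries under MANAGED FILES carry no paths, which is expected for tmp types but deserves a one-line remark so the empty entries do not read as a generation error.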
@@ -63492,26 +111760,6 @@ index 0000000..5da1a9f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type podsleuth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B podsleuth_cache_t -+ -+ /var/cache/podsleuth(/.*)? -+.br -+ -+.br -+.B podsleuth_tmp_t -+ -+ -+.br -+.B podsleuth_tmpfs_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -63522,6 +111770,9 @@ index 0000000..5da1a9f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -63533,13 +111784,15 @@ index 0000000..5da1a9f + +.SH "SEE ALSO" +selinux(8), podsleuth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/policykit_auth_selinux.8 b/man/man8/policykit_auth_selinux.8 new file mode 100644 -index 0000000..8e1e635 +index 0000000..f468040 --- /dev/null +++ b/man/man8/policykit_auth_selinux.8 -@@ -0,0 +1,207 @@ -+.TH "policykit_auth_selinux" "8" "12-11-01" "policykit_auth" "SELinux Policy documentation for policykit_auth" +@@ -0,0 +1,333 @@ ++.TH "policykit_auth_selinux" "8" "13-01-16" "policykit_auth" "SELinux Policy documentation for policykit_auth" +.SH "NAME" +policykit_auth_selinux \- Security Enhanced Linux Policy for the policykit_auth processes +.SH "DESCRIPTION" 
@@ -63555,7 +111808,9 @@ index 0000000..8e1e635 + +.SH "ENTRYPOINTS" + -+The policykit_auth_t SELinux type can be entered via the "policykit_auth_exec_t" file type. The default entrypoint paths for the policykit_auth_t domain are the following:" ++The policykit_auth_t SELinux type can be entered via the \fBpolicykit_auth_exec_t\fP file type. ++ ++The default entrypoint paths for the policykit_auth_t domain are the following: + +/usr/libexec/polkit-read-auth-helper, /usr/lib/polkit-1/polkit-agent-helper-1, /usr/lib/policykit/polkit-read-auth-helper, /usr/libexec/polkit-1/polkit-agent-helper-1 +.SH PROCESS TYPES 
@@ -63573,34 +111828,132 @@ index 0000000..8e1e635 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a policykit_auth_t ++can be used to make the process type policykit_auth_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux policykit_auth policy is very flexible allowing users to setup their policykit_auth processes in as secure a method as possible. -+.PP -+The following file types are defined for policykit_auth: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. policykit_auth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run policykit_auth with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B policykit_auth_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the policykit_auth_exec_t type, if you want to transition an executable to the policykit_auth_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the policykit_auth_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the policykit_auth_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -63611,12 +111964,12 @@ index 0000000..8e1e635 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B krb5_host_rcache_t @@ -63643,20 +111996,6 @@ index 0000000..8e1e635 +.br + +.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br +.B policykit_reload_t + + /var/lib/misc/PolicyKit.reload @@ -63683,6 +112022,14 @@ index 0000000..8e1e635 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux 
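Review bot: the nscd_use_shm entry in hunk @@ -63573,34 +111828,132 @@ says "Disabled by default", while the identical entry in the podsleuth page earlier in this patch says "Enabled by default". A global boolean has a single default, so one of the two pages is wrong; the value should be read from the policy's boolean definition rather than emitted per page. The NSSWITCH DOMAIN section in the same hunk repeats the authlogin_nsswitch_use_ldap and kerberos_enabled entries already listed under BOOLEANS a few lines above, where a cross-reference would do, and "rather then using a sssd server" should be "rather than" (the earlier "sssd serve" typo is fixed here, the "then" is not).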
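Review bot: hunk @@ -63683,6 +112022,14 @@ adds root_t, with paths `/` and `/initrd`, to the MANAGED FILES of policykit_auth_t (the same addition appears for plymouthd_t in hunk @@ -63369,12 +111464,93 @@ above). Per the page's own wording, an entry under MANAGED FILES means the domain can manage files with that label, and for a password helper that is a broad grant on the filesystem root. If this is intended, the changelog should say why; if it is a side effect of a newly called interface, it is worth narrowing before it ships.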
@@ -63705,24 +112052,53 @@ index 0000000..8e1e635 +.br + /var/lib/pam_shield(/.*)? +.br ++ /var/opt/quest/vas/vasd(/.*)? ++.br + /var/lib/google-authenticator(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux policykit_auth policy is very flexible allowing users to setup their policykit_auth processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_auth_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the policykit_auth, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t policykit_auth_exec_t '/srv/policykit_auth/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypolicykit_auth_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for policykit_auth: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B policykit_auth_exec_t +.EE + ++- Set files with the policykit_auth_exec_t type, if you want to transition an executable to the policykit_auth_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/polkit-read-auth-helper, /usr/lib/polkit-1/polkit-agent-helper-1, /usr/lib/policykit/polkit-read-auth-helper, /usr/libexec/polkit-1/polkit-agent-helper-1 ++ +.PP -+If you want to allow confined applications to run with kerberos for the policykit_auth_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -63734,6 +112110,9 @@ index 0000000..8e1e635 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -63745,15 +112124,15 @@ index 0000000..8e1e635 + +.SH "SEE ALSO" +selinux(8), policykit_auth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, policykit_selinux(8), policykit_selinux(8), policykit_grant_selinux(8), policykit_resolve_selinux(8) ++, setsebool(8), policykit_selinux(8), policykit_selinux(8), policykit_grant_selinux(8), policykit_resolve_selinux(8) \ No newline at end of file diff --git a/man/man8/policykit_grant_selinux.8 b/man/man8/policykit_grant_selinux.8 new file mode 100644 -index 0000000..236cec7 +index 0000000..edca9c5 --- /dev/null +++ b/man/man8/policykit_grant_selinux.8 -@@ -0,0 +1,157 @@ -+.TH "policykit_grant_selinux" "8" "12-11-01" "policykit_grant" "SELinux Policy documentation for policykit_grant" +@@ -0,0 +1,249 @@ ++.TH "policykit_grant_selinux" "8" "13-01-16" "policykit_grant" "SELinux Policy documentation for policykit_grant" +.SH "NAME" +policykit_grant_selinux \- Security Enhanced Linux Policy for the policykit_grant processes +.SH "DESCRIPTION" 
@@ -63769,7 +112148,9 @@ index 0000000..236cec7 + +.SH "ENTRYPOINTS" + -+The policykit_grant_t SELinux type can be entered via the "policykit_grant_exec_t" file type. The default entrypoint paths for the policykit_grant_t domain are the following:" ++The policykit_grant_t SELinux type can be entered via the \fBpolicykit_grant_exec_t\fP file type. ++ ++The default entrypoint paths for the policykit_grant_t domain are the following: + +/usr/libexec/polkit-grant-helper.*, /usr/lib/policykit/polkit-grant-helper.* +.SH PROCESS TYPES 
@@ -63787,34 +112168,108 @@ index 0000000..236cec7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a policykit_grant_t ++can be used to make the process type policykit_grant_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux policykit_grant policy is very flexible allowing users to setup their policykit_grant processes in as secure a method as possible. -+.PP -+The following file types are defined for policykit_grant: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. policykit_grant policy is extremely flexible and has several booleans that allow you to manipulate the policy and run policykit_grant with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B policykit_grant_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the policykit_grant_exec_t type, if you want to transition an executable to the policykit_grant_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the policykit_grant_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the policykit_grant_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -63825,26 +112280,12 @@ index 0000000..236cec7 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br + +.br +.B policykit_reload_t 
@@ -63872,21 +112313,48 @@ index 0000000..236cec7 +.B system_cronjob_var_lib_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux policykit_grant policy is very flexible allowing users to setup their policykit_grant processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_grant_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the policykit_grant, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t policykit_grant_exec_t '/srv/policykit_grant/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypolicykit_grant_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for policykit_grant: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B policykit_grant_exec_t +.EE + ++- Set files with the policykit_grant_exec_t type, if you want to transition an executable to the policykit_grant_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/polkit-grant-helper.*, /usr/lib/policykit/polkit-grant-helper.* ++ +.PP -+If you want to allow confined applications to run with kerberos for the policykit_grant_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -63898,6 +112366,9 @@ index 0000000..236cec7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -63909,15 +112380,15 @@ index 0000000..236cec7 + +.SH "SEE ALSO" +selinux(8), policykit_grant(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, policykit_selinux(8), policykit_selinux(8), policykit_auth_selinux(8), policykit_resolve_selinux(8) ++, setsebool(8), policykit_selinux(8), policykit_selinux(8), policykit_auth_selinux(8), policykit_resolve_selinux(8) \ No newline at end of file diff --git a/man/man8/policykit_resolve_selinux.8 b/man/man8/policykit_resolve_selinux.8 new file mode 100644 -index 0000000..103c687 +index 0000000..2f55486 --- /dev/null +++ b/man/man8/policykit_resolve_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "policykit_resolve_selinux" "8" "12-11-01" "policykit_resolve" "SELinux Policy documentation for policykit_resolve" +@@ -0,0 +1,207 @@ ++.TH "policykit_resolve_selinux" "8" "13-01-16" "policykit_resolve" "SELinux Policy documentation for policykit_resolve" +.SH "NAME" +policykit_resolve_selinux \- Security Enhanced Linux Policy for the policykit_resolve processes +.SH "DESCRIPTION" 
@@ -63933,7 +112404,9 @@ index 0000000..103c687 + +.SH "ENTRYPOINTS" + -+The policykit_resolve_t SELinux type can be entered via the "policykit_resolve_exec_t" file type. The default entrypoint paths for the policykit_resolve_t domain are the following:" ++The policykit_resolve_t SELinux type can be entered via the \fBpolicykit_resolve_exec_t\fP file type. ++ ++The default entrypoint paths for the policykit_resolve_t domain are the following: + +/usr/libexec/polkit-resolve-exe-helper.*, /usr/lib/policykit/polkit-resolve-exe-helper.* +.SH PROCESS TYPES 
@@ -63951,39 +112424,97 @@ index 0000000..103c687 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a policykit_resolve_t ++can be used to make the process type policykit_resolve_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux policykit_resolve policy is very flexible allowing users to setup their policykit_resolve processes in as secure a method as possible. -+.PP -+The following file types are defined for policykit_resolve: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. policykit_resolve policy is extremely flexible and has several booleans that allow you to manipulate the policy and run policykit_resolve with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B policykit_resolve_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the policykit_resolve_exec_t type, if you want to transition an executable to the policykit_resolve_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 
@@ -63996,6 +112527,49 @@ index 0000000..103c687 +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux policykit_resolve policy is very flexible allowing users to setup their policykit_resolve processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the policykit_resolve, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t policykit_resolve_exec_t '/srv/policykit_resolve/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypolicykit_resolve_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for policykit_resolve: ++ ++ ++.EX ++.PP ++.B policykit_resolve_exec_t ++.EE ++ ++- Set files with the policykit_resolve_exec_t type, if you want to transition an executable to the policykit_resolve_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/polkit-resolve-exe-helper.*, /usr/lib/policykit/polkit-resolve-exe-helper.* ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -64006,6 +112580,9 @@ index 0000000..103c687 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -64017,15 +112594,15 @@ index 0000000..103c687 + +.SH "SEE ALSO" +selinux(8), policykit_resolve(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, policykit_selinux(8), policykit_selinux(8), policykit_auth_selinux(8), policykit_grant_selinux(8) ++, setsebool(8), policykit_selinux(8), policykit_selinux(8), policykit_auth_selinux(8), policykit_grant_selinux(8) \ No newline at end of file diff --git a/man/man8/policykit_selinux.8 b/man/man8/policykit_selinux.8 new file mode 100644 -index 0000000..62bd2e6 +index 0000000..4ec52fb --- /dev/null +++ b/man/man8/policykit_selinux.8 -@@ -0,0 +1,213 @@ -+.TH "policykit_selinux" "8" "12-11-01" "policykit" "SELinux Policy documentation for policykit" +@@ -0,0 +1,370 @@ ++.TH "policykit_selinux" "8" "13-01-16" "policykit" "SELinux Policy documentation for policykit" +.SH "NAME" +policykit_selinux \- Security Enhanced Linux Policy for the policykit processes +.SH "DESCRIPTION" @@ -64041,7 +112618,9 @@ index 0000000..62bd2e6 + +.SH "ENTRYPOINTS" + -+The policykit_t SELinux type can be entered via the "policykit_exec_t" file type. The default entrypoint paths for the policykit_t domain are the following:" ++The policykit_t SELinux type can be entered via the \fBpolicykit_exec_t\fP file type. ++ ++The default entrypoint paths for the policykit_t domain are the following: + +/usr/libexec/polkitd.*, /usr/libexec/polkit-1/polkitd.*, /usr/lib/polkit-1/polkitd, /usr/lib/policykit/polkitd +.SH PROCESS TYPES 
@@ -64059,90 +112638,124 @@ index 0000000..62bd2e6 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a policykit_t ++can be used to make the process type policykit_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux policykit policy is very flexible allowing users to setup their policykit processes in as secure a method as possible. -+.PP -+The following file types are defined for policykit: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. policykit policy is extremely flexible and has several booleans that allow you to manipulate the policy and run policykit with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B policykit_auth_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the policykit_auth_exec_t type, if you want to transition an executable to the policykit_auth_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B policykit_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the policykit_exec_t type, if you want to transition an executable to the policykit_t domain. 
-+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B policykit_grant_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the policykit_grant_exec_t type, if you want to transition an executable to the policykit_grant_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B policykit_reload_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the policykit_reload_t type, if you want to treat the files as policykit reload data. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B policykit_resolve_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the policykit_resolve_exec_t type, if you want to transition an executable to the policykit_resolve_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B policykit_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the policykit_tmp_t type, if you want to store policykit temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B policykit_var_lib_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the policykit_var_lib_t type, if you want to store the policykit files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
+ +.EX -+.PP -+.B policykit_var_run_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the policykit_var_run_t type, if you want to store the policykit files under the /run directory. ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
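Review bot: the deny_ptrace entry in the policykit_selinux.8 BOOLEANS section has its meaning inverted. It says "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" and then shows `setsebool -P deny_ptrace 1`, but turning deny_ptrace on is exactly what denies ptrace; an admin following this page would lock out the debugging they were trying to enable. Either the generator should say "turn off" with `setsebool -P deny_ptrace 0`, or the tunable's description in the policy needs rewording, and the "Enabled by default" claim should be checked against the tunable's actual default. The same paragraph is emitted in the polipo, polipo_session and portmap_helper pages further down this patch.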
@@ -64195,27 +112808,145 @@ index 0000000..62bd2e6 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux policykit policy is very flexible allowing users to setup their policykit processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the kerberos_enabled boolean. ++policykit policy stores data with multiple different file context types under the /var/lib/PolicyKit directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/PolicyKit /srv/PolicyKit ++.br ++.B restorecon -R -v /srv/PolicyKit ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the policykit, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t policykit_auth_exec_t '/srv/policykit/content(/.*)?' 
++.br ++.B restorecon -R -v /srv/mypolicykit_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for policykit: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B policykit_auth_exec_t +.EE + ++- Set files with the policykit_auth_exec_t type, if you want to transition an executable to the policykit_auth_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/polkit-read-auth-helper, /usr/lib/polkit-1/polkit-agent-helper-1, /usr/lib/policykit/polkit-read-auth-helper, /usr/libexec/polkit-1/polkit-agent-helper-1 ++ ++.EX ++.PP ++.B policykit_exec_t ++.EE ++ ++- Set files with the policykit_exec_t type, if you want to transition an executable to the policykit_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/polkitd.*, /usr/libexec/polkit-1/polkitd.*, /usr/lib/polkit-1/polkitd, /usr/lib/policykit/polkitd ++ ++.EX ++.PP ++.B policykit_grant_exec_t ++.EE ++ ++- Set files with the policykit_grant_exec_t type, if you want to transition an executable to the policykit_grant_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/polkit-grant-helper.*, /usr/lib/policykit/polkit-grant-helper.* ++ ++.EX ++.PP ++.B policykit_reload_t ++.EE ++ ++- Set files with the policykit_reload_t type, if you want to treat the files as policykit reload data. ++ ++ ++.EX ++.PP ++.B policykit_resolve_exec_t ++.EE ++ ++- Set files with the policykit_resolve_exec_t type, if you want to transition an executable to the policykit_resolve_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/polkit-resolve-exe-helper.*, /usr/lib/policykit/polkit-resolve-exe-helper.* ++ ++.EX ++.PP ++.B policykit_tmp_t ++.EE ++ ++- Set files with the policykit_tmp_t type, if you want to store policykit temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B policykit_var_lib_t ++.EE ++ ++- Set files with the policykit_var_lib_t type, if you want to store the policykit files under the /var/lib directory. 
++ ++.br ++.TP 5 ++Paths: ++/var/lib/polkit-1(/.*)?, /var/lib/PolicyKit(/.*)?, /var/lib/PolicyKit-public(/.*)? ++ ++.EX ++.PP ++.B policykit_var_run_t ++.EE ++ ++- Set files with the policykit_var_run_t type, if you want to store the policykit files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -64226,6 +112957,9 @@ index 0000000..62bd2e6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -64237,15 +112971,15 @@ index 0000000..62bd2e6 + +.SH "SEE ALSO" +selinux(8), policykit(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, policykit_auth_selinux(8), policykit_grant_selinux(8), policykit_resolve_selinux(8) ++, setsebool(8), policykit_auth_selinux(8), policykit_grant_selinux(8), policykit_resolve_selinux(8) \ No newline at end of file diff --git a/man/man8/polipo_selinux.8 b/man/man8/polipo_selinux.8 new file mode 100644 -index 0000000..47a11ed +index 0000000..cd34b9b --- /dev/null +++ b/man/man8/polipo_selinux.8 -@@ -0,0 +1,264 @@ -+.TH "polipo_selinux" "8" "12-11-01" "polipo" "SELinux Policy documentation for polipo" +@@ -0,0 +1,353 @@ ++.TH "polipo_selinux" "8" "13-01-16" "polipo" "SELinux Policy documentation for polipo" +.SH "NAME" +polipo_selinux \- Security Enhanced Linux Policy for the polipo processes +.SH "DESCRIPTION" 
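Review bot: the new MANAGED FILES list for policykit_t in policykit_selinux.8 now includes `root_t` with `/` and `/initrd`. That list is derived from what the policy actually allows, so before shipping it as documentation please confirm polkitd is meant to create or write files directly under `/`; if it comes from an over-broad interface it is a policy bug the man page is exposing, not something to document. The STANDARD FILE CONTEXT example in the same hunk repeats the template problem seen in the policykit_resolve page: `semanage fcontext -a -t policykit_auth_exec_t '/srv/policykit/content(/.*)?'` followed by `restorecon -R -v /srv/mypolicykit_content` uses two different paths and an entrypoint type for a content directory.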
@@ -64261,7 +112995,9 @@ index 0000000..47a11ed + +.SH "ENTRYPOINTS" + -+The polipo_t SELinux type can be entered via the "polipo_exec_t" file type. The default entrypoint paths for the polipo_t domain are the following:" ++The polipo_t SELinux type can be entered via the \fBpolipo_exec_t\fP file type. ++ ++The default entrypoint paths for the polipo_t domain are the following: + +/usr/bin/polipo +.SH PROCESS TYPES 
@@ -64279,83 +113015,187 @@ index 0000000..47a11ed +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a polipo_t ++can be used to make the process type polipo_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. polipo policy is extremely flexible and has several booleans that allow you to manipulate the policy and run polipo with the tightest access possible. + + +.PP -+If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean. -+ -+.EX -+.B setsebool -P polipo_session_users 1 -+.EE -+ -+.PP -+If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean. -+ -+.EX -+.B setsebool -P polipo_use_nfs 1 -+.EE -+ -+.PP -+If you want to determine whether polipo can access cifs file systems, you must turn on the polipo_use_cifs boolean. -+ -+.EX -+.B setsebool -P polipo_use_cifs 1 -+.EE -+ -+.PP -+If you want to determine whether Polipo session daemon can bind tcp sockets to all unreserved ports, you must turn on the polipo_session_bind_all_unreserved_ports boolean. -+ -+.EX -+.B setsebool -P polipo_session_bind_all_unreserved_ports 1 -+.EE -+ -+.PP -+If you want to allow polipo to connect to all ports > 1023, you must turn on the polipo_connect_all_unreserved boolean. ++If you want to allow polipo to connect to all ports > 1023, you must turn on the polipo_connect_all_unreserved boolean. Disabled by default. 
+ +.EX +.B setsebool -P polipo_connect_all_unreserved 1 ++ +.EE + +.PP -+If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean. -+ -+.EX -+.B setsebool -P polipo_session_users 1 -+.EE -+ -+.PP -+If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean. -+ -+.EX -+.B setsebool -P polipo_use_nfs 1 -+.EE -+ -+.PP -+If you want to determine whether polipo can access cifs file systems, you must turn on the polipo_use_cifs boolean. ++If you want to determine whether polipo can access cifs file systems, you must turn on the polipo_use_cifs boolean. Disabled by default. + +.EX +.B setsebool -P polipo_use_cifs 1 ++ +.EE + +.PP -+If you want to determine whether Polipo session daemon can bind tcp sockets to all unreserved ports, you must turn on the polipo_session_bind_all_unreserved_ports boolean. ++If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean. Disabled by default. + +.EX -+.B setsebool -P polipo_session_bind_all_unreserved_ports 1 ++.B setsebool -P polipo_use_nfs 1 ++ +.EE + +.PP -+If you want to allow polipo to connect to all ports > 1023, you must turn on the polipo_connect_all_unreserved boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P polipo_connect_all_unreserved 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the polipo_t, polipo_session_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the polipo_t, polipo_session_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type polipo_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B polipo_cache_t ++ ++ /var/cache/polipo(/.*)? ++.br ++ ++.br ++.B polipo_log_t ++ ++ /var/log/polipo.* ++.br ++ ++.br ++.B polipo_pid_t ++ ++ /var/run/polipo(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
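Review bot: the polipo_t MANAGED FILES list added here shows `cifs_t` and `nfs_t` with no paths and no qualification, although the same hunk documents that access to those filesystems is gated by `polipo_use_cifs` and `polipo_use_nfs`, both "Disabled by default". As written, an admin reads that polipo can write NFS and CIFS content unconditionally. The generator should either skip types that are only reachable under a boolean or annotate them with the boolean that enables them. `root_t` (`/`, `/initrd`) appears in this list as well and deserves the same "is this intended" check as on the policykit page.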
@@ -64364,7 +113204,20 @@ index 0000000..47a11ed +Policy governs the access confined processes have to these files. +SELinux polipo policy is very flexible allowing users to setup their polipo processes in as secure a method as possible. +.PP -+The following file types are defined for polipo: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the polipo, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t polipo_cache_home_t '/srv/polipo/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypolipo_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for polipo: + + +.EX @@ -64374,6 +113227,10 @@ index 0000000..47a11ed + +- Set files with the polipo_cache_home_t type, if you want to store polipo cache files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.polipo-cache(/.*)?, /home/pwalsh/\.polipo-cache(/.*)?, /home/dwalsh/\.polipo-cache(/.*)?, /var/lib/xguest/home/xguest/\.polipo-cache(/.*)? + +.EX +.PP @@ -64390,6 +113247,10 @@ index 0000000..47a11ed + +- Set files with the polipo_config_home_t type, if you want to store polipo config files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.polipo, /home/pwalsh/\.polipo, /home/dwalsh/\.polipo, /var/lib/xguest/home/xguest/\.polipo + +.EX +.PP 
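Review bot: the Paths lines added for `polipo_cache_home_t` and `polipo_config_home_t` contain `/home/pwalsh/...`, `/home/dwalsh/...` and `/var/lib/xguest/home/xguest/...`. Those are the build host's local home-directory expansions from file_contexts.homedirs, not part of the shipped policy, and they will differ on every machine the pages are regenerated on. Generate the pages from the pristine policy so only the `/home/[^/]*/\.polipo-cache(/.*)?` form remains, or have the generator filter entries that come from the homedirs file. The same user names show up in the `ecryptfs_t` paths of polipo_session_selinux.8 later in this patch. The STANDARD FILE CONTEXT example here also has the mismatched paths (`/srv/polipo/content(/.*)?` in the semanage rule versus `/srv/mypolipo_content` in the restorecon call).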
@@ -64446,44 +113307,6 @@ index 0000000..47a11ed +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type polipo_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B polipo_cache_t -+ -+ /var/cache/polipo(/.*)? -+.br -+ -+.br -+.B polipo_log_t -+ -+ /var/log/polipo.* -+.br -+ -+.br -+.B polipo_pid_t -+ -+ /var/run/polipo(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the polipo_t, polipo_session_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the polipo_t, polipo_session_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -64508,15 +113331,274 @@ index 0000000..47a11ed + +.SH "SEE ALSO" +selinux(8), polipo(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8) ++, setsebool(8), polipo_session_selinux(8) +\ No newline at end of file +diff --git a/man/man8/polipo_session_selinux.8 b/man/man8/polipo_session_selinux.8 +new file mode 100644 +index 0000000..4e9a698 +--- /dev/null ++++ b/man/man8/polipo_session_selinux.8 +@@ -0,0 +1,252 @@ ++.TH "polipo_session_selinux" "8" "13-01-16" "polipo_session" "SELinux Policy documentation for polipo_session" ++.SH "NAME" ++polipo_session_selinux \- Security Enhanced Linux Policy for the polipo_session processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the polipo_session processes via flexible mandatory access control. ++ ++The polipo_session processes execute with the polipo_session_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep polipo_session_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The polipo_session_t SELinux type can be entered via the \fBpolipo_exec_t\fP file type. ++ ++The default entrypoint paths for the polipo_session_t domain are the following: ++ ++/usr/bin/polipo ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux polipo_session policy is very flexible allowing users to setup their polipo_session processes in as secure a method as possible. ++.PP ++The following process types are defined for polipo_session: ++ ++.EX ++.B polipo_session_t ++.EE ++.PP ++Note: ++.B semanage permissive -a polipo_session_t ++can be used to make the process type polipo_session_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. polipo_session policy is extremely flexible and has several booleans that allow you to manipulate the policy and run polipo_session with the tightest access possible. ++ ++ ++.PP ++If you want to determine whether Polipo session daemon can bind tcp sockets to all unreserved ports, you must turn on the polipo_session_bind_all_unreserved_ports boolean. Disabled by default. ++ ++.EX ++.B setsebool -P polipo_session_bind_all_unreserved_ports 1 ++ ++.EE ++ ++.PP ++If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean. Disabled by default. ++ ++.EX ++.B setsebool -P polipo_session_users 1 ++ ++.EE ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the polipo_session_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the polipo_session_t, you must turn on the kerberos_enabled boolean. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type polipo_session_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B polipo_cache_home_t ++ ++ /home/[^/]*/\.polipo-cache(/.*)? ++.br ++ /home/pwalsh/\.polipo-cache(/.*)? ++.br ++ /home/dwalsh/\.polipo-cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.polipo-cache(/.*)? ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), polipo_session(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), polipo_selinux(8), polipo_selinux(8) \ No newline at end of file diff --git a/man/man8/portmap_helper_selinux.8 b/man/man8/portmap_helper_selinux.8 new file mode 100644 -index 0000000..8e59c47 +index 0000000..104342c --- /dev/null 
+++ b/man/man8/portmap_helper_selinux.8 -@@ -0,0 +1,125 @@ -+.TH "portmap_helper_selinux" "8" "12-11-01" "portmap_helper" "SELinux Policy documentation for portmap_helper" +@@ -0,0 +1,247 @@ ++.TH "portmap_helper_selinux" "8" "13-01-16" "portmap_helper" "SELinux Policy documentation for portmap_helper" +.SH "NAME" +portmap_helper_selinux \- Security Enhanced Linux Policy for the portmap_helper processes +.SH "DESCRIPTION" @@ -64532,9 +113614,11 @@ index 0000000..8e59c47 + +.SH "ENTRYPOINTS" + -+The portmap_helper_t SELinux type can be entered via the "portmap_helper_exec_t" file type. The default entrypoint paths for the portmap_helper_t domain are the following:" ++The portmap_helper_t SELinux type can be entered via the \fBportmap_helper_exec_t\fP file type. + -+/usr/sbin/pmap_set, /usr/sbin/pmap_dump ++The default entrypoint paths for the portmap_helper_t domain are the following: ++ ++/sbin/pmap_set, /sbin/pmap_dump, /usr/sbin/pmap_set, /usr/sbin/pmap_dump +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -64550,34 +113634,108 @@ index 0000000..8e59c47 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a portmap_helper_t ++can be used to make the process type portmap_helper_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux portmap_helper policy is very flexible allowing users to setup their portmap_helper processes in as secure a method as possible. -+.PP -+The following file types are defined for portmap_helper: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. portmap_helper policy is extremely flexible and has several booleans that allow you to manipulate the policy and run portmap_helper with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B portmap_helper_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the portmap_helper_exec_t type, if you want to transition an executable to the portmap_helper_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the portmap_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the portmap_helper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -64598,6 +113756,8 @@ index 0000000..8e59c47 +.br +.B portmap_var_run_t + ++ /var/run/portmap_mapping ++.br + /var/run/portmap\.upgrade-state +.br + 
@@ -64617,7 +113777,48 @@ index 0000000..8e59c47 + /var/spool/postfix/pid +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux portmap_helper policy is very flexible allowing users to setup their portmap_helper processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the portmap_helper, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t portmap_helper_exec_t '/srv/portmap_helper/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myportmap_helper_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for portmap_helper: ++ ++ ++.EX ++.PP ++.B portmap_helper_exec_t ++.EE ++ ++- Set files with the portmap_helper_exec_t type, if you want to transition an executable to the portmap_helper_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/pmap_set, /sbin/pmap_dump, /usr/sbin/pmap_set, /usr/sbin/pmap_dump ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -64629,6 +113830,9 @@ index 0000000..8e59c47 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -64640,15 +113844,15 @@ index 0000000..8e59c47 + +.SH "SEE ALSO" +selinux(8), portmap_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, portmap_selinux(8), portmap_selinux(8) ++, setsebool(8), portmap_selinux(8), portmap_selinux(8) \ No newline at end of file diff --git a/man/man8/portmap_selinux.8 b/man/man8/portmap_selinux.8 new file mode 100644 -index 0000000..6c4bbc4 +index 0000000..cc06c2e --- /dev/null +++ b/man/man8/portmap_selinux.8 -@@ -0,0 +1,188 @@ -+.TH "portmap_selinux" "8" "12-11-01" "portmap" "SELinux Policy documentation for portmap" +@@ -0,0 +1,315 @@ ++.TH "portmap_selinux" "8" "13-01-16" "portmap" "SELinux Policy documentation for portmap" +.SH "NAME" +portmap_selinux \- Security Enhanced Linux Policy for the portmap processes +.SH "DESCRIPTION" @@ -64664,7 +113868,9 @@ index 0000000..6c4bbc4 + +.SH "ENTRYPOINTS" + -+The portmap_t SELinux type can be entered via the "portmap_exec_t" file type. The default entrypoint paths for the portmap_t domain are the following:" ++The portmap_t SELinux type can be entered via the \fBportmap_exec_t\fP file type. ++ ++The default entrypoint paths for the portmap_t domain are the following: + +/sbin/portmap, /usr/sbin/portmap +.SH PROCESS TYPES 
@@ -64682,76 +113888,124 @@ index 0000000..6c4bbc4 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a portmap_t ++can be used to make the process type portmap_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. portmap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run portmap with the tightest access possible. + + +.PP -+If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P samba_portmapper 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P samba_portmapper 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux portmap policy is very flexible allowing users to setup their portmap processes in as secure a method as possible. -+.PP -+The following file types are defined for portmap: -+ ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. 
Disabled by default. + +.EX -+.PP -+.B portmap_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the portmap_exec_t type, if you want to transition an executable to the portmap_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B portmap_helper_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the portmap_helper_exec_t type, if you want to transition an executable to the portmap_helper_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B portmap_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the portmap_tmp_t type, if you want to store portmap temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B portmap_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the portmap_var_run_t type, if you want to store the portmap files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the portmap_t, portmap_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the portmap_t, portmap_helper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -64789,24 +114043,101 @@ index 0000000..6c4bbc4 +.br +.B portmap_var_run_t + ++ /var/run/portmap_mapping ++.br + /var/run/portmap\.upgrade-state +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux portmap policy is very flexible allowing users to setup their portmap processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the portmap_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the portmap, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t portmap_exec_t '/srv/portmap/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myportmap_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for portmap: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B portmap_exec_t +.EE + ++- Set files with the portmap_exec_t type, if you want to transition an executable to the portmap_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/portmap, /usr/sbin/portmap ++ ++.EX ++.PP ++.B portmap_helper_exec_t ++.EE ++ ++- Set files with the portmap_helper_exec_t type, if you want to transition an executable to the portmap_helper_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/sbin/pmap_set, /sbin/pmap_dump, /usr/sbin/pmap_set, /usr/sbin/pmap_dump ++ ++.EX ++.PP ++.B portmap_initrc_exec_t ++.EE ++ ++- Set files with the portmap_initrc_exec_t type, if you want to transition an executable to the portmap_initrc_t domain. ++ ++ ++.EX ++.PP ++.B portmap_tmp_t ++.EE ++ ++- Set files with the portmap_tmp_t type, if you want to store portmap temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B portmap_var_run_t ++.EE ++ ++- Set files with the portmap_var_run_t type, if you want to store the portmap files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/portmap_mapping, /var/run/portmap\.upgrade-state ++ +.PP -+If you want to allow confined applications to run with kerberos for the portmap_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -64839,11 +114170,11 @@ index 0000000..6c4bbc4 \ No newline at end of file diff --git a/man/man8/portreserve_selinux.8 b/man/man8/portreserve_selinux.8 new file mode 100644 -index 0000000..af478cb +index 0000000..2340bd1 --- /dev/null +++ b/man/man8/portreserve_selinux.8 -@@ -0,0 +1,120 @@ -+.TH "portreserve_selinux" "8" "12-11-01" "portreserve" "SELinux Policy documentation for portreserve" +@@ -0,0 +1,217 @@ ++.TH "portreserve_selinux" "8" "13-01-16" "portreserve" "SELinux Policy documentation for portreserve" +.SH "NAME" +portreserve_selinux \- Security Enhanced Linux Policy for the portreserve processes +.SH "DESCRIPTION" 
@@ -64859,7 +114190,9 @@ index 0000000..af478cb + +.SH "ENTRYPOINTS" + -+The portreserve_t SELinux type can be entered via the "portreserve_exec_t" file type. The default entrypoint paths for the portreserve_t domain are the following:" ++The portreserve_t SELinux type can be entered via the \fBportreserve_exec_t\fP file type. ++ ++The default entrypoint paths for the portreserve_t domain are the following: + +/sbin/portreserve, /usr/sbin/portreserve +.SH PROCESS TYPES 
@@ -64877,8 +114210,94 @@ index 0000000..af478cb +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a portreserve_t ++can be used to make the process type portreserve_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. portreserve policy is extremely flexible and has several booleans that allow you to manipulate the policy and run portreserve with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type portreserve_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B portreserve_var_run_t ++ ++ /var/run/portreserve(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -64888,7 +114307,20 @@ index 0000000..af478cb +Policy governs the access confined processes have to these files. +SELinux portreserve policy is very flexible allowing users to setup their portreserve processes in as secure a method as possible. +.PP -+The following file types are defined for portreserve: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the portreserve, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t portreserve_etc_t '/srv/portreserve/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myportreserve_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for portreserve: + + +.EX 
@@ -64906,6 +114338,10 @@ index 0000000..af478cb + +- Set files with the portreserve_exec_t type, if you want to transition an executable to the portreserve_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/portreserve, /usr/sbin/portreserve + +.EX +.PP @@ -64920,7 +114356,7 @@ index 0000000..af478cb +.B portreserve_var_run_t +.EE + -+- Set files with the portreserve_var_run_t type, if you want to store the portreserve files under the /run directory. ++- Set files with the portreserve_var_run_t type, if you want to store the portreserve files under the /run or /var/run directory. + + +.PP @@ -64930,18 +114366,6 @@ index 0000000..af478cb +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type portreserve_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B portreserve_var_run_t -+ -+ /var/run/portreserve(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -64952,6 +114376,9 @@ index 0000000..af478cb +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -64963,13 +114390,15 @@ index 0000000..af478cb + +.SH "SEE ALSO" +selinux(8), portreserve(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/postfix_bounce_selinux.8 b/man/man8/postfix_bounce_selinux.8 new file mode 100644 -index 0000000..c0a0f25 +index 0000000..13705e8 --- /dev/null 
+++ b/man/man8/postfix_bounce_selinux.8 -@@ -0,0 +1,149 @@ -+.TH "postfix_bounce_selinux" "8" "12-11-01" "postfix_bounce" "SELinux Policy documentation for postfix_bounce" +@@ -0,0 +1,243 @@ ++.TH "postfix_bounce_selinux" "8" "13-01-16" "postfix_bounce" "SELinux Policy documentation for postfix_bounce" +.SH "NAME" +postfix_bounce_selinux \- Security Enhanced Linux Policy for the postfix_bounce processes +.SH "DESCRIPTION" @@ -64985,7 +114414,9 @@ index 0000000..c0a0f25 + +.SH "ENTRYPOINTS" + -+The postfix_bounce_t SELinux type can be entered via the "postfix_bounce_exec_t" file type. The default entrypoint paths for the postfix_bounce_t domain are the following:" ++The postfix_bounce_t SELinux type can be entered via the \fBpostfix_bounce_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_bounce_t domain are the following: + +/usr/libexec/postfix/bounce +.SH PROCESS TYPES 
@@ -65003,42 +114434,100 @@ index 0000000..c0a0f25 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postfix_bounce_t ++can be used to make the process type postfix_bounce_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux postfix_bounce policy is very flexible allowing users to setup their postfix_bounce processes in as secure a method as possible. -+.PP -+The following file types are defined for postfix_bounce: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postfix_bounce policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_bounce with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B postfix_bounce_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the postfix_bounce_exec_t type, if you want to transition an executable to the postfix_bounce_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B postfix_bounce_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the postfix_bounce_tmp_t type, if you want to store postfix bounce temporary files in the /tmp directories. 
++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_bounce_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_bounce_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -65080,21 +114569,52 @@ index 0000000..c0a0f25 + /var/spool/postfix/pid/.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux postfix_bounce policy is very flexible allowing users to setup their postfix_bounce processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_bounce_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_bounce, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_bounce_exec_t '/srv/postfix_bounce/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_bounce_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_bounce: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B postfix_bounce_exec_t +.EE + ++- Set files with the postfix_bounce_exec_t type, if you want to transition an executable to the postfix_bounce_t domain. ++ ++ ++.EX ++.PP ++.B postfix_bounce_tmp_t ++.EE ++ ++- Set files with the postfix_bounce_tmp_t type, if you want to store postfix bounce temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the postfix_bounce_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -65106,6 +114626,9 @@ index 0000000..c0a0f25 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -65117,15 +114640,15 @@ index 0000000..c0a0f25 + +.SH "SEE ALSO" +selinux(8), postfix_bounce(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) ++, setsebool(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) \ No newline at end of file diff --git a/man/man8/postfix_cleanup_selinux.8 b/man/man8/postfix_cleanup_selinux.8 new file mode 100644 -index 0000000..615ab43 +index 0000000..864c76a --- /dev/null 
+++ b/man/man8/postfix_cleanup_selinux.8 -@@ -0,0 +1,133 @@ -+.TH "postfix_cleanup_selinux" "8" "12-11-01" "postfix_cleanup" "SELinux Policy documentation for postfix_cleanup" +@@ -0,0 +1,227 @@ ++.TH "postfix_cleanup_selinux" "8" "13-01-16" "postfix_cleanup" "SELinux Policy documentation for postfix_cleanup" +.SH "NAME" +postfix_cleanup_selinux \- Security Enhanced Linux Policy for the postfix_cleanup processes +.SH "DESCRIPTION" @@ -65141,7 +114664,9 @@ index 0000000..615ab43 + +.SH "ENTRYPOINTS" + -+The postfix_cleanup_t SELinux type can be entered via the "postfix_cleanup_exec_t" file type. The default entrypoint paths for the postfix_cleanup_t domain are the following:" ++The postfix_cleanup_t SELinux type can be entered via the \fBpostfix_cleanup_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_cleanup_t domain are the following: + +/usr/libexec/postfix/cleanup +.SH PROCESS TYPES 
@@ -65159,42 +114684,100 @@ index 0000000..615ab43 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postfix_cleanup_t ++can be used to make the process type postfix_cleanup_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux postfix_cleanup policy is very flexible allowing users to setup their postfix_cleanup processes in as secure a method as possible. -+.PP -+The following file types are defined for postfix_cleanup: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postfix_cleanup policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_cleanup with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B postfix_cleanup_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the postfix_cleanup_exec_t type, if you want to transition an executable to the postfix_cleanup_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B postfix_cleanup_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the postfix_cleanup_tmp_t type, if you want to store postfix cleanup temporary files in the /tmp directories. 
++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_cleanup_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_cleanup_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -65220,21 +114803,52 @@ index 0000000..615ab43 + /var/spool/postfix/pid/.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux postfix_cleanup policy is very flexible allowing users to setup their postfix_cleanup processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_cleanup_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_cleanup, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_cleanup_exec_t '/srv/postfix_cleanup/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_cleanup_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_cleanup: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B postfix_cleanup_exec_t +.EE + ++- Set files with the postfix_cleanup_exec_t type, if you want to transition an executable to the postfix_cleanup_t domain. ++ ++ ++.EX ++.PP ++.B postfix_cleanup_tmp_t ++.EE ++ ++- Set files with the postfix_cleanup_tmp_t type, if you want to store postfix cleanup temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the postfix_cleanup_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -65246,6 +114860,9 @@ index 0000000..615ab43 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -65257,15 +114874,15 @@ index 0000000..615ab43 + +.SH "SEE ALSO" +selinux(8), postfix_cleanup(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, postfix_bounce_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) ++, setsebool(8), postfix_bounce_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) \ No newline at end of file diff --git a/man/man8/postfix_local_selinux.8 b/man/man8/postfix_local_selinux.8 new file mode 100644 -index 0000000..6e24730 +index 0000000..8a59a64 --- /dev/null 
+++ b/man/man8/postfix_local_selinux.8 -@@ -0,0 +1,212 @@ -+.TH "postfix_local_selinux" "8" "12-11-01" "postfix_local" "SELinux Policy documentation for postfix_local" +@@ -0,0 +1,369 @@ ++.TH "postfix_local_selinux" "8" "13-01-16" "postfix_local" "SELinux Policy documentation for postfix_local" +.SH "NAME" +postfix_local_selinux \- Security Enhanced Linux Policy for the postfix_local processes +.SH "DESCRIPTION" @@ -65281,7 +114898,9 @@ index 0000000..6e24730 + +.SH "ENTRYPOINTS" + -+The postfix_local_t SELinux type can be entered via the "postfix_local_exec_t" file type. The default entrypoint paths for the postfix_local_t domain are the following:" ++The postfix_local_t SELinux type can be entered via the \fBpostfix_local_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_local_t domain are the following: + +/usr/libexec/postfix/local +.SH PROCESS TYPES 
@@ -65299,60 +114918,140 @@ index 0000000..6e24730 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postfix_local_t ++can be used to make the process type postfix_local_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. postfix_local policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_local with the tightest access possible. + + +.PP -+If you want to allow postfix_local domain full write access to mail_spool directories, you must turn on the postfix_local_write_mail_spool boolean. ++If you want to allow postfix_local domain full write access to mail_spool directories, you must turn on the postfix_local_write_mail_spool boolean. Enabled by default. + +.EX +.B setsebool -P postfix_local_write_mail_spool 1 ++ +.EE + +.PP -+If you want to allow postfix_local domain full write access to mail_spool directories, you must turn on the postfix_local_write_mail_spool boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P postfix_local_write_mail_spool 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux postfix_local policy is very flexible allowing users to setup their postfix_local processes in as secure a method as possible. 
-+.PP -+The following file types are defined for postfix_local: -+ ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B postfix_local_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the postfix_local_exec_t type, if you want to transition an executable to the postfix_local_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B postfix_local_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the postfix_local_tmp_t type, if you want to store postfix local temporary files in the /tmp directories. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_local_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -65363,20 +115062,58 @@ index 0000000..6e24730 + + +.br ++.B cifs_t ++ ++ ++.br +.B dovecot_spool_t + + /var/spool/dovecot(/.*)? +.br + +.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br +.B mail_home_rw_t + + /root/Maildir(/.*)? +.br ++ /home/[^/]*/.maildir(/.*)? ++.br + /home/[^/]*/Maildir(/.*)? +.br ++ /home/pwalsh/.maildir(/.*)? ++.br ++ /home/pwalsh/Maildir(/.*)? ++.br ++ /home/dwalsh/.maildir(/.*)? ++.br + /home/dwalsh/Maildir(/.*)? +.br ++ /var/lib/xguest/home/xguest/.maildir(/.*)? ++.br + /var/lib/xguest/home/xguest/Maildir(/.*)? +.br + @@ -65401,6 +115138,10 @@ index 0000000..6e24730 +.br + +.br ++.B nfs_t ++ ++ ++.br +.B postfix_local_tmp_t + + 
@@ -65431,26 +115172,59 @@ index 0000000..6e24730 + + /home/[^/]*/.+ +.br ++ /home/pwalsh/.+ ++.br + /home/dwalsh/.+ +.br + /var/lib/xguest/home/xguest/.+ +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux postfix_local policy is very flexible allowing users to setup their postfix_local processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_local, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_local_exec_t '/srv/postfix_local/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_local_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_local: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B postfix_local_exec_t +.EE + ++- Set files with the postfix_local_exec_t type, if you want to transition an executable to the postfix_local_t domain. ++ ++ ++.EX ++.PP ++.B postfix_local_tmp_t ++.EE ++ ++- Set files with the postfix_local_tmp_t type, if you want to store postfix local temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the postfix_local_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -65480,11 +115254,11 @@ index 0000000..6e24730 \ No newline at end of file diff --git a/man/man8/postfix_map_selinux.8 b/man/man8/postfix_map_selinux.8 new file mode 100644 -index 0000000..f1b2f03 +index 0000000..bd88d0b --- /dev/null +++ b/man/man8/postfix_map_selinux.8 -@@ -0,0 +1,133 @@ -+.TH "postfix_map_selinux" "8" "12-11-01" "postfix_map" "SELinux Policy documentation for postfix_map" +@@ -0,0 +1,227 @@ ++.TH "postfix_map_selinux" "8" "13-01-16" "postfix_map" "SELinux Policy documentation for postfix_map" +.SH "NAME" +postfix_map_selinux \- Security Enhanced Linux Policy for the postfix_map processes +.SH "DESCRIPTION" @@ -65500,7 +115274,9 @@ index 0000000..f1b2f03 + +.SH "ENTRYPOINTS" + -+The postfix_map_t SELinux type can be entered via the "postfix_map_exec_t" file type. The default entrypoint paths for the postfix_map_t domain are the following:" ++The postfix_map_t SELinux type can be entered via the \fBpostfix_map_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_map_t domain are the following: + +/usr/sbin/postmap +.SH PROCESS TYPES 
@@ -65518,42 +115294,100 @@ index 0000000..f1b2f03 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postfix_map_t ++can be used to make the process type postfix_map_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux postfix_map policy is very flexible allowing users to setup their postfix_map processes in as secure a method as possible. -+.PP -+The following file types are defined for postfix_map: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postfix_map policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_map with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B postfix_map_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the postfix_map_exec_t type, if you want to transition an executable to the postfix_map_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B postfix_map_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the postfix_map_tmp_t type, if you want to store postfix map temporary files in the /tmp directories. 
++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_map_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_map_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -65579,21 +115413,52 @@ index 0000000..f1b2f03 +.B postfix_map_tmp_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux postfix_map policy is very flexible allowing users to setup their postfix_map processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_map_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_map, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_map_exec_t '/srv/postfix_map/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_map_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_map: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B postfix_map_exec_t +.EE + ++- Set files with the postfix_map_exec_t type, if you want to transition an executable to the postfix_map_t domain. ++ ++ ++.EX ++.PP ++.B postfix_map_tmp_t ++.EE ++ ++- Set files with the postfix_map_tmp_t type, if you want to store postfix map temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the postfix_map_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -65605,6 +115470,9 @@ index 0000000..f1b2f03 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -65616,15 +115484,15 @@ index 0000000..f1b2f03 + +.SH "SEE ALSO" +selinux(8), postfix_map(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) ++, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) \ No newline at end of file diff --git a/man/man8/postfix_master_selinux.8 b/man/man8/postfix_master_selinux.8 new file mode 100644 -index 0000000..feb9a1e +index 0000000..a8826aa --- /dev/null 
+++ b/man/man8/postfix_master_selinux.8 -@@ -0,0 +1,177 @@ -+.TH "postfix_master_selinux" "8" "12-11-01" "postfix_master" "SELinux Policy documentation for postfix_master" +@@ -0,0 +1,307 @@ ++.TH "postfix_master_selinux" "8" "13-01-16" "postfix_master" "SELinux Policy documentation for postfix_master" +.SH "NAME" +postfix_master_selinux \- Security Enhanced Linux Policy for the postfix_master processes +.SH "DESCRIPTION" @@ -65640,7 +115508,9 @@ index 0000000..feb9a1e + +.SH "ENTRYPOINTS" + -+The postfix_master_t SELinux type can be entered via the "postfix_master_exec_t" file type. The default entrypoint paths for the postfix_master_t domain are the following:" ++The postfix_master_t SELinux type can be entered via the \fBpostfix_master_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_master_t domain are the following: + +/usr/sbin/postcat, /usr/sbin/postfix, /usr/sbin/postlog, /usr/sbin/postkick, /usr/sbin/postlock, /usr/sbin/postalias, /usr/sbin/postsuper, /usr/libexec/postfix/master +.SH PROCESS TYPES 
@@ -65658,34 +115528,124 @@ index 0000000..feb9a1e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postfix_master_t ++can be used to make the process type postfix_master_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux postfix_master policy is very flexible allowing users to setup their postfix_master processes in as secure a method as possible. -+.PP -+The following file types are defined for postfix_master: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postfix_master policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_master with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B postfix_master_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the postfix_master_exec_t type, if you want to transition an executable to the postfix_master_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_master_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_master_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -65763,21 +115723,56 @@ index 0000000..feb9a1e + /var/spool/postfix/pid/.* +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux postfix_master policy is very flexible allowing users to setup their postfix_master processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_master_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_master, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_master_exec_t '/srv/postfix_master/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_master_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_master: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B postfix_master_exec_t +.EE + ++- Set files with the postfix_master_exec_t type, if you want to transition an executable to the postfix_master_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/postcat, /usr/sbin/postfix, /usr/sbin/postlog, /usr/sbin/postkick, /usr/sbin/postlock, /usr/sbin/postalias, /usr/sbin/postsuper, /usr/libexec/postfix/master ++ +.PP -+If you want to allow confined applications to run with kerberos for the postfix_master_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -65789,6 +115784,9 @@ index 0000000..feb9a1e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -65800,15 +115798,15 @@ index 0000000..feb9a1e + +.SH "SEE ALSO" +selinux(8), postfix_master(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) ++, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) \ No newline at end of file diff --git a/man/man8/postfix_pickup_selinux.8 b/man/man8/postfix_pickup_selinux.8 new file mode 100644 -index 0000000..4db315f +index 0000000..dd2feb8 --- /dev/null 
+++ b/man/man8/postfix_pickup_selinux.8 -@@ -0,0 +1,127 @@ -+.TH "postfix_pickup_selinux" "8" "12-11-01" "postfix_pickup" "SELinux Policy documentation for postfix_pickup" +@@ -0,0 +1,221 @@ ++.TH "postfix_pickup_selinux" "8" "13-01-16" "postfix_pickup" "SELinux Policy documentation for postfix_pickup" +.SH "NAME" +postfix_pickup_selinux \- Security Enhanced Linux Policy for the postfix_pickup processes +.SH "DESCRIPTION" @@ -65824,7 +115822,9 @@ index 0000000..4db315f + +.SH "ENTRYPOINTS" + -+The postfix_pickup_t SELinux type can be entered via the "postfix_pickup_exec_t" file type. The default entrypoint paths for the postfix_pickup_t domain are the following:" ++The postfix_pickup_t SELinux type can be entered via the \fBpostfix_pickup_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_pickup_t domain are the following: + +/usr/libexec/postfix/pickup +.SH PROCESS TYPES 
@@ -65842,8 +115842,118 @@ index 0000000..4db315f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postfix_pickup_t ++can be used to make the process type postfix_pickup_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postfix_pickup policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_pickup with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_pickup_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_pickup_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type postfix_pickup_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B postfix_pickup_tmp_t ++ ++ ++.br ++.B postfix_var_run_t ++ ++ /var/spool/postfix/pid/.* ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -65853,7 +115963,20 @@ index 0000000..4db315f +Policy governs the access confined processes have to these files. +SELinux postfix_pickup policy is very flexible allowing users to setup their postfix_pickup processes in as secure a method as possible. +.PP -+The following file types are defined for postfix_pickup: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_pickup, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_pickup_exec_t '/srv/postfix_pickup/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_pickup_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_pickup: + + +.EX @@ -65879,40 +116002,6 @@ index 0000000..4db315f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type postfix_pickup_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B anon_inodefs_t -+ -+ -+.br -+.B postfix_pickup_tmp_t -+ -+ -+.br -+.B postfix_var_run_t -+ -+ /var/spool/postfix/pid/.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_pickup_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the postfix_pickup_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -65923,6 +116012,9 @@ index 0000000..4db315f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -65934,15 +116026,15 @@ index 0000000..4db315f + +.SH "SEE ALSO" +selinux(8), postfix_pickup(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) ++, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) \ No newline at end of file diff --git a/man/man8/postfix_pipe_selinux.8 b/man/man8/postfix_pipe_selinux.8 new file mode 100644 -index 0000000..0fc0351 +index 0000000..5fe0204 --- /dev/null +++ b/man/man8/postfix_pipe_selinux.8 -@@ -0,0 +1,143 @@ -+.TH "postfix_pipe_selinux" "8" "12-11-01" "postfix_pipe" "SELinux Policy documentation for postfix_pipe" +@@ -0,0 +1,237 @@ ++.TH "postfix_pipe_selinux" "8" "13-01-16" "postfix_pipe" "SELinux Policy documentation for postfix_pipe" +.SH "NAME" +postfix_pipe_selinux \- Security Enhanced Linux Policy for the postfix_pipe processes +.SH "DESCRIPTION" 
@@ -65958,7 +116050,9 @@ index 0000000..0fc0351 + +.SH "ENTRYPOINTS" + -+The postfix_pipe_t SELinux type can be entered via the "postfix_pipe_exec_t" file type. The default entrypoint paths for the postfix_pipe_t domain are the following:" ++The postfix_pipe_t SELinux type can be entered via the \fBpostfix_pipe_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_pipe_t domain are the following: + +/usr/libexec/postfix/pipe +.SH PROCESS TYPES 
@@ -65976,42 +116070,100 @@ index 0000000..0fc0351 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postfix_pipe_t ++can be used to make the process type postfix_pipe_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux postfix_pipe policy is very flexible allowing users to setup their postfix_pipe processes in as secure a method as possible. -+.PP -+The following file types are defined for postfix_pipe: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postfix_pipe policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_pipe with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B postfix_pipe_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the postfix_pipe_exec_t type, if you want to transition an executable to the postfix_pipe_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B postfix_pipe_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the postfix_pipe_tmp_t type, if you want to store postfix pipe temporary files in the /tmp directories. 
++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_pipe_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_pipe_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -66047,21 +116199,52 @@ index 0000000..0fc0351 + /var/spool/postfix/pid/.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux postfix_pipe policy is very flexible allowing users to setup their postfix_pipe processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_pipe_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_pipe, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_pipe_exec_t '/srv/postfix_pipe/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_pipe_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_pipe: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B postfix_pipe_exec_t +.EE + ++- Set files with the postfix_pipe_exec_t type, if you want to transition an executable to the postfix_pipe_t domain. ++ ++ ++.EX ++.PP ++.B postfix_pipe_tmp_t ++.EE ++ ++- Set files with the postfix_pipe_tmp_t type, if you want to store postfix pipe temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the postfix_pipe_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -66073,6 +116256,9 @@ index 0000000..0fc0351 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -66084,15 +116270,15 @@ index 0000000..0fc0351 + +.SH "SEE ALSO" +selinux(8), postfix_pipe(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) ++, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) \ No newline at end of file diff --git a/man/man8/postfix_postdrop_selinux.8 b/man/man8/postfix_postdrop_selinux.8 new file mode 100644 -index 0000000..e6877f7 +index 0000000..2967206 --- /dev/null 
+++ b/man/man8/postfix_postdrop_selinux.8 -@@ -0,0 +1,137 @@ -+.TH "postfix_postdrop_selinux" "8" "12-11-01" "postfix_postdrop" "SELinux Policy documentation for postfix_postdrop" +@@ -0,0 +1,247 @@ ++.TH "postfix_postdrop_selinux" "8" "13-01-16" "postfix_postdrop" "SELinux Policy documentation for postfix_postdrop" +.SH "NAME" +postfix_postdrop_selinux \- Security Enhanced Linux Policy for the postfix_postdrop processes +.SH "DESCRIPTION" @@ -66108,7 +116294,9 @@ index 0000000..e6877f7 + +.SH "ENTRYPOINTS" + -+The postfix_postdrop_t SELinux type can be entered via the "postfix_postdrop_exec_t" file type. The default entrypoint paths for the postfix_postdrop_t domain are the following:" ++The postfix_postdrop_t SELinux type can be entered via the \fBpostfix_postdrop_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_postdrop_t domain are the following: + +/usr/sbin/postdrop +.SH PROCESS TYPES 
@@ -66126,34 +116314,116 @@ index 0000000..e6877f7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postfix_postdrop_t ++can be used to make the process type postfix_postdrop_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux postfix_postdrop policy is very flexible allowing users to setup their postfix_postdrop processes in as secure a method as possible. -+.PP -+The following file types are defined for postfix_postdrop: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postfix_postdrop policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_postdrop with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B postfix_postdrop_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the postfix_postdrop_exec_t type, if you want to transition an executable to the postfix_postdrop_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Gitosis can send mail, you must turn on the gitosis_can_sendmail boolean. Disabled by default. ++ ++.EX ++.B setsebool -P gitosis_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_postdrop_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_postdrop_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -66191,21 +116461,44 @@ index 0000000..e6877f7 + /var/spool/uucppublic(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux postfix_postdrop policy is very flexible allowing users to setup their postfix_postdrop processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_postdrop_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_postdrop, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_postdrop_exec_t '/srv/postfix_postdrop/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_postdrop_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_postdrop: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B postfix_postdrop_exec_t +.EE + ++- Set files with the postfix_postdrop_exec_t type, if you want to transition an executable to the postfix_postdrop_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the postfix_postdrop_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. 
You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -66217,6 +116510,9 @@ index 0000000..e6877f7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -66228,15 +116524,15 @@ index 0000000..e6877f7 + +.SH "SEE ALSO" +selinux(8), postfix_postdrop(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) ++, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) \ No newline at end of file diff --git a/man/man8/postfix_postqueue_selinux.8 b/man/man8/postfix_postqueue_selinux.8 new file mode 100644 -index 0000000..7b40ff1 +index 0000000..db3561e --- /dev/null +++ b/man/man8/postfix_postqueue_selinux.8 -@@ -0,0 +1,119 @@ -+.TH "postfix_postqueue_selinux" "8" "12-11-01" "postfix_postqueue" "SELinux Policy documentation for postfix_postqueue" +@@ -0,0 +1,229 @@ ++.TH "postfix_postqueue_selinux" "8" "13-01-16" "postfix_postqueue" "SELinux Policy documentation for postfix_postqueue" +.SH "NAME" +postfix_postqueue_selinux \- Security Enhanced Linux Policy for the postfix_postqueue processes +.SH "DESCRIPTION" 
@@ -66252,7 +116548,9 @@ index 0000000..7b40ff1 + +.SH "ENTRYPOINTS" + -+The postfix_postqueue_t SELinux type can be entered via the "postfix_postqueue_exec_t" file type. The default entrypoint paths for the postfix_postqueue_t domain are the following:" ++The postfix_postqueue_t SELinux type can be entered via the \fBpostfix_postqueue_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_postqueue_t domain are the following: + +/usr/sbin/postqueue +.SH PROCESS TYPES 
@@ -66270,34 +116568,116 @@ index 0000000..7b40ff1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postfix_postqueue_t ++can be used to make the process type postfix_postqueue_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux postfix_postqueue policy is very flexible allowing users to setup their postfix_postqueue processes in as secure a method as possible. -+.PP -+The following file types are defined for postfix_postqueue: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postfix_postqueue policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_postqueue with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B postfix_postqueue_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the postfix_postqueue_exec_t type, if you want to transition an executable to the postfix_postqueue_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Gitosis can send mail, you must turn on the gitosis_can_sendmail boolean. Disabled by default. ++ ++.EX ++.B setsebool -P gitosis_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_postqueue_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_postqueue_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -66317,21 +116697,44 @@ index 0000000..7b40ff1 + /var/spool/postfix/pid/.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux postfix_postqueue policy is very flexible allowing users to setup their postfix_postqueue processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_postqueue_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_postqueue, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_postqueue_exec_t '/srv/postfix_postqueue/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_postqueue_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_postqueue: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B postfix_postqueue_exec_t +.EE + ++- Set files with the postfix_postqueue_exec_t type, if you want to transition an executable to the postfix_postqueue_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the postfix_postqueue_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. 
You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -66343,6 +116746,9 @@ index 0000000..7b40ff1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -66354,15 +116760,15 @@ index 0000000..7b40ff1 + +.SH "SEE ALSO" +selinux(8), postfix_postqueue(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) ++, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) \ No newline at end of file diff --git a/man/man8/postfix_qmgr_selinux.8 b/man/man8/postfix_qmgr_selinux.8 new file mode 100644 -index 0000000..0cdebf4 +index 0000000..3e4070f --- /dev/null +++ b/man/man8/postfix_qmgr_selinux.8 -@@ -0,0 +1,143 @@ -+.TH "postfix_qmgr_selinux" "8" "12-11-01" "postfix_qmgr" "SELinux Policy documentation for postfix_qmgr" +@@ -0,0 +1,237 @@ ++.TH "postfix_qmgr_selinux" "8" "13-01-16" "postfix_qmgr" "SELinux Policy documentation for postfix_qmgr" +.SH "NAME" +postfix_qmgr_selinux \- Security Enhanced Linux Policy for the postfix_qmgr processes +.SH "DESCRIPTION" 
@@ -66378,7 +116784,9 @@ index 0000000..0cdebf4 + +.SH "ENTRYPOINTS" + -+The postfix_qmgr_t SELinux type can be entered via the "postfix_qmgr_exec_t" file type. The default entrypoint paths for the postfix_qmgr_t domain are the following:" ++The postfix_qmgr_t SELinux type can be entered via the \fBpostfix_qmgr_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_qmgr_t domain are the following: + +/usr/libexec/postfix/(n)?qmgr +.SH PROCESS TYPES 
@@ -66396,42 +116804,100 @@ index 0000000..0cdebf4 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postfix_qmgr_t ++can be used to make the process type postfix_qmgr_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux postfix_qmgr policy is very flexible allowing users to setup their postfix_qmgr processes in as secure a method as possible. -+.PP -+The following file types are defined for postfix_qmgr: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postfix_qmgr policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_qmgr with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B postfix_qmgr_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the postfix_qmgr_exec_t type, if you want to transition an executable to the postfix_qmgr_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B postfix_qmgr_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the postfix_qmgr_tmp_t type, if you want to store postfix qmgr temporary files in the /tmp directories. 
++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_qmgr_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_qmgr_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -66467,21 +116933,52 @@ index 0000000..0cdebf4 + /var/spool/postfix/pid/.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux postfix_qmgr policy is very flexible allowing users to setup their postfix_qmgr processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_qmgr_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_qmgr, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_qmgr_exec_t '/srv/postfix_qmgr/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_qmgr_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_qmgr: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B postfix_qmgr_exec_t +.EE + ++- Set files with the postfix_qmgr_exec_t type, if you want to transition an executable to the postfix_qmgr_t domain. ++ ++ ++.EX ++.PP ++.B postfix_qmgr_tmp_t ++.EE ++ ++- Set files with the postfix_qmgr_tmp_t type, if you want to store postfix qmgr temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the postfix_qmgr_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -66493,6 +116990,9 @@ index 0000000..0cdebf4 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -66504,15 +117004,15 @@ index 0000000..0cdebf4 + +.SH "SEE ALSO" +selinux(8), postfix_qmgr(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) ++, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) \ No newline at end of file diff --git a/man/man8/postfix_showq_selinux.8 b/man/man8/postfix_showq_selinux.8 new file mode 100644 -index 0000000..06cde29 +index 0000000..db363b3 --- /dev/null 
+++ b/man/man8/postfix_showq_selinux.8 -@@ -0,0 +1,115 @@ -+.TH "postfix_showq_selinux" "8" "12-11-01" "postfix_showq" "SELinux Policy documentation for postfix_showq" +@@ -0,0 +1,209 @@ ++.TH "postfix_showq_selinux" "8" "13-01-16" "postfix_showq" "SELinux Policy documentation for postfix_showq" +.SH "NAME" +postfix_showq_selinux \- Security Enhanced Linux Policy for the postfix_showq processes +.SH "DESCRIPTION" @@ -66528,7 +117028,9 @@ index 0000000..06cde29 + +.SH "ENTRYPOINTS" + -+The postfix_showq_t SELinux type can be entered via the "postfix_showq_exec_t" file type. The default entrypoint paths for the postfix_showq_t domain are the following:" ++The postfix_showq_t SELinux type can be entered via the \fBpostfix_showq_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_showq_t domain are the following: + +/usr/libexec/postfix/showq +.SH PROCESS TYPES 
@@ -66546,8 +117048,114 @@ index 0000000..06cde29 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postfix_showq_t ++can be used to make the process type postfix_showq_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postfix_showq policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_showq with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_showq_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_showq_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type postfix_showq_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B postfix_var_run_t ++ ++ /var/spool/postfix/pid/.* ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -66557,7 +117165,20 @@ index 0000000..06cde29 +Policy governs the access confined processes have to these files. +SELinux postfix_showq policy is very flexible allowing users to setup their postfix_showq processes in as secure a method as possible. +.PP -+The following file types are defined for postfix_showq: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_showq, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_showq_exec_t '/srv/postfix_showq/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_showq_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_showq: + + +.EX @@ -66575,36 +117196,6 @@ index 0000000..06cde29 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type postfix_showq_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B anon_inodefs_t -+ -+ -+.br -+.B postfix_var_run_t -+ -+ /var/spool/postfix/pid/.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_showq_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the postfix_showq_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -66615,6 +117206,9 @@ index 0000000..06cde29 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -66626,15 +117220,15 @@ index 0000000..06cde29 + +.SH "SEE ALSO" +selinux(8), postfix_showq(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) ++, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) \ No newline at end of file diff --git a/man/man8/postfix_smtp_selinux.8 b/man/man8/postfix_smtp_selinux.8 new file mode 100644 -index 0000000..d10b079 +index 0000000..95c60d1 --- /dev/null +++ b/man/man8/postfix_smtp_selinux.8 -@@ -0,0 +1,165 @@ -+.TH "postfix_smtp_selinux" "8" "12-11-01" "postfix_smtp" "SELinux Policy documentation for postfix_smtp" +@@ -0,0 +1,263 @@ ++.TH "postfix_smtp_selinux" "8" "13-01-16" "postfix_smtp" "SELinux Policy documentation for postfix_smtp" +.SH "NAME" +postfix_smtp_selinux \- Security Enhanced Linux Policy for the postfix_smtp processes +.SH "DESCRIPTION" 
@@ -66650,7 +117244,9 @@ index 0000000..d10b079 + +.SH "ENTRYPOINTS" + -+The postfix_smtp_t SELinux type can be entered via the "postfix_smtp_exec_t" file type. The default entrypoint paths for the postfix_smtp_t domain are the following:" ++The postfix_smtp_t SELinux type can be entered via the \fBpostfix_smtp_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_smtp_t domain are the following: + +/usr/libexec/postfix/lmtp, /usr/libexec/postfix/smtp, /usr/libexec/postfix/scache +.SH PROCESS TYPES 
@@ -66668,58 +117264,100 @@ index 0000000..d10b079 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postfix_smtp_t ++can be used to make the process type postfix_smtp_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux postfix_smtp policy is very flexible allowing users to setup their postfix_smtp processes in as secure a method as possible. -+.PP -+The following file types are defined for postfix_smtp: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postfix_smtp policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_smtp with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B postfix_smtp_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the postfix_smtp_exec_t type, if you want to transition an executable to the postfix_smtp_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B postfix_smtp_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the postfix_smtp_tmp_t type, if you want to store postfix smtp temporary files in the /tmp directories. 
-+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B postfix_smtpd_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the postfix_smtpd_exec_t type, if you want to transition an executable to the postfix_smtpd_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B postfix_smtpd_tmp_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the postfix_smtpd_tmp_t type, if you want to store postfix smtpd temporary files in the /tmp directories. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_smtpd_t, postfix_smtp_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_smtpd_t, postfix_smtp_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -66761,97 +117399,48 @@ index 0000000..d10b079 + /var/spool/postfix/pid/.* +.br + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_smtpd_t, postfix_smtp_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the postfix_smtpd_t, postfix_smtp_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. 
-+ -+.SH "SEE ALSO" -+selinux(8), postfix_smtp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) -\ No newline at end of file -diff --git a/man/man8/postfix_smtpd_selinux.8 b/man/man8/postfix_smtpd_selinux.8 -new file mode 100644 -index 0000000..45ad26e ---- /dev/null -+++ b/man/man8/postfix_smtpd_selinux.8 -@@ -0,0 +1,139 @@ -+.TH "postfix_smtpd_selinux" "8" "12-11-01" "postfix_smtpd" "SELinux Policy documentation for postfix_smtpd" -+.SH "NAME" -+postfix_smtpd_selinux \- Security Enhanced Linux Policy for the postfix_smtpd processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the postfix_smtpd processes via flexible mandatory access control. -+ -+The postfix_smtpd processes execute with the postfix_smtpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. -+ -+For example: -+ -+.B ps -eZ | grep postfix_smtpd_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The postfix_smtpd_t SELinux type can be entered via the "postfix_smtpd_exec_t" file type. The default entrypoint paths for the postfix_smtpd_t domain are the following:" -+ -+/usr/libexec/postfix/smtpd -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux postfix_smtpd policy is very flexible allowing users to setup their postfix_smtpd processes in as secure a method as possible. 
-+.PP -+The following process types are defined for postfix_smtpd: -+ -+.EX -+.B postfix_smtpd_t, postfix_smtp_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP +Policy governs the access confined processes have to these files. -+SELinux postfix_smtpd policy is very flexible allowing users to setup their postfix_smtpd processes in as secure a method as possible. ++SELinux postfix_smtp policy is very flexible allowing users to setup their postfix_smtp processes in as secure a method as possible. +.PP -+The following file types are defined for postfix_smtpd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_smtp, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_smtp_exec_t '/srv/postfix_smtp/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_smtp_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_smtp: ++ ++ ++.EX ++.PP ++.B postfix_smtp_exec_t ++.EE ++ ++- Set files with the postfix_smtp_exec_t type, if you want to transition an executable to the postfix_smtp_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/postfix/lmtp, /usr/libexec/postfix/smtp, /usr/libexec/postfix/scache ++ ++.EX ++.PP ++.B postfix_smtp_tmp_t ++.EE ++ ++- Set files with the postfix_smtp_tmp_t type, if you want to store postfix smtp temporary files in the /tmp directories. + + +.EX 
@@ -66877,6 +117466,169 @@ index 0000000..45ad26e +.B restorecon +to apply the labels. + ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), postfix_smtp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtpd_selinux(8), postfix_virtual_selinux(8) +\ No newline at end of file +diff --git a/man/man8/postfix_smtpd_selinux.8 b/man/man8/postfix_smtpd_selinux.8 +new file mode 100644 +index 0000000..dac55b8 +--- /dev/null ++++ b/man/man8/postfix_smtpd_selinux.8 +@@ -0,0 +1,233 @@ ++.TH "postfix_smtpd_selinux" "8" "13-01-16" "postfix_smtpd" "SELinux Policy documentation for postfix_smtpd" ++.SH "NAME" ++postfix_smtpd_selinux \- Security Enhanced Linux Policy for the postfix_smtpd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the postfix_smtpd processes via flexible mandatory access control. ++ ++The postfix_smtpd processes execute with the postfix_smtpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++ ++For example: ++ ++.B ps -eZ | grep postfix_smtpd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The postfix_smtpd_t SELinux type can be entered via the \fBpostfix_smtpd_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_smtpd_t domain are the following: ++ ++/usr/libexec/postfix/smtpd ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux postfix_smtpd policy is very flexible allowing users to setup their postfix_smtpd processes in as secure a method as possible. ++.PP ++The following process types are defined for postfix_smtpd: ++ ++.EX ++.B postfix_smtpd_t, postfix_smtp_t ++.EE ++.PP ++Note: ++.B semanage permissive -a postfix_smtpd_t ++can be used to make the process type postfix_smtpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postfix_smtpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_smtpd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_smtpd_t, postfix_smtp_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_smtpd_t, postfix_smtp_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ +.SH "MANAGED FILES" + +The SELinux process type postfix_smtpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
@@ -66907,21 +117659,52 @@ index 0000000..45ad26e + /var/spool/postfix/pid/.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux postfix_smtpd policy is very flexible allowing users to setup their postfix_smtpd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_smtpd_t, postfix_smtp_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_smtpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_smtpd_exec_t '/srv/postfix_smtpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_smtpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_smtpd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B postfix_smtpd_exec_t +.EE + ++- Set files with the postfix_smtpd_exec_t type, if you want to transition an executable to the postfix_smtpd_t domain. ++ ++ ++.EX ++.PP ++.B postfix_smtpd_tmp_t ++.EE ++ ++- Set files with the postfix_smtpd_tmp_t type, if you want to store postfix smtpd temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the postfix_smtpd_t, postfix_smtp_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -66933,6 +117716,9 @@ index 0000000..45ad26e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -66944,15 +117730,15 @@ index 0000000..45ad26e + +.SH "SEE ALSO" +selinux(8), postfix_smtpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtp_selinux(8), postfix_virtual_selinux(8) ++, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtp_selinux(8), postfix_virtual_selinux(8) \ No newline at end of file diff --git a/man/man8/postfix_virtual_selinux.8 b/man/man8/postfix_virtual_selinux.8 new file mode 100644 -index 0000000..c58fbd2 +index 0000000..8d05148 --- /dev/null 
+++ b/man/man8/postfix_virtual_selinux.8 -@@ -0,0 +1,165 @@ -+.TH "postfix_virtual_selinux" "8" "12-11-01" "postfix_virtual" "SELinux Policy documentation for postfix_virtual" +@@ -0,0 +1,325 @@ ++.TH "postfix_virtual_selinux" "8" "13-01-16" "postfix_virtual" "SELinux Policy documentation for postfix_virtual" +.SH "NAME" +postfix_virtual_selinux \- Security Enhanced Linux Policy for the postfix_virtual processes +.SH "DESCRIPTION" @@ -66968,7 +117754,9 @@ index 0000000..c58fbd2 + +.SH "ENTRYPOINTS" + -+The postfix_virtual_t SELinux type can be entered via the "postfix_virtual_exec_t" file type. The default entrypoint paths for the postfix_virtual_t domain are the following:" ++The postfix_virtual_t SELinux type can be entered via the \fBpostfix_virtual_exec_t\fP file type. ++ ++The default entrypoint paths for the postfix_virtual_t domain are the following: + +/usr/libexec/postfix/virtual +.SH PROCESS TYPES 
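Review bot: the two commands in the new STANDARD FILE CONTEXT example in the postfix_smtpd FILE CONTEXTS hunk (the `@@ -66907` hunk) do not agree with each other: the semanage rule labels `/srv/postfix_smtpd/content(/.*)?`, but restorecon is then run on `/srv/mypostfix_smtpd_content`, a path the rule never matches, so a reader who copies both lines changes nothing on disk. The type chosen for the example is also the wrong one: postfix_smtpd_exec_t is the domain's entrypoint type, and labeling a content tree with it makes every file under it a valid entrypoint into postfix_smtpd_t, the opposite of what someone storing "content" wants. The generator appears to take the first type alphabetically; it should prefer a data type (a _tmp_t, _spool_t or _var_lib_t type) and use the same path in both commands. The same mismatch recurs in the postfix_virtual, postgresql and postgrey pages later in this patch. Two smaller points in the same region: `\fBls\bP` is not a valid troff escape (`\bP` should be `\fP`) and it appears in every FILE CONTEXTS section of the patch; and in the SEE ALSO hunk (`@@ -66944`) postfix_smtp_selinux(8) is listed twice, which looks like the generator mishandling the exclusion of the page's own name from the sibling list.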
@@ -66986,8 +117774,222 @@ index 0000000..c58fbd2 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postfix_virtual_t ++can be used to make the process type postfix_virtual_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postfix_virtual policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix_virtual with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postfix_virtual_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_virtual_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type postfix_virtual_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B dovecot_spool_t ++ ++ /var/spool/dovecot(/.*)? ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B postfix_spool_t ++ ++ /var/spool/postfix.* ++.br ++ ++.br ++.B postfix_var_run_t ++ ++ /var/spool/postfix/pid/.* ++.br ++ ++.br ++.B postfix_virtual_tmp_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_home_type ++ ++ all user home files ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
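Review bot: the deny_ptrace entry in this hunk reads "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean", which is inverted: turning on a boolean named deny_ptrace denies ptrace, so an administrator following this text to enable debugging would lock the system down further. The sentence is presumably generated from the tunable's description in the policy sources; fix the description there (something like "Deny any process from ptracing or debugging any other process") and regenerate, since the postgresql and postgrey pages in this patch carry the same inverted text. Separately, the new MANAGED FILES list under ecryptfs_t and user_home_t includes `/home/pwalsh/...` and `/home/dwalsh/...` entries. Those look like genhomedircon output for logins mapped on the build host, not paths from the shipped policy, and they should not appear in a man page installed on every system; generate the pages from the policy's own file_contexts (or on a host without local login mappings). The `/home/dwalsh/.+` entry in the removed text shows the leak predates this patch, and this version adds a second user.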
@@ -66997,7 +117999,20 @@ index 0000000..c58fbd2 +Policy governs the access confined processes have to these files. +SELinux postfix_virtual policy is very flexible allowing users to setup their postfix_virtual processes in as secure a method as possible. +.PP -+The following file types are defined for postfix_virtual: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postfix_virtual, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postfix_virtual_exec_t '/srv/postfix_virtual/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostfix_virtual_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postfix_virtual: + + +.EX 
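Review bot: the STANDARD FILE CONTEXT example added here has the same defects as the postfix_smtpd one: the rule labels `/srv/postfix_virtual/content(/.*)?` while restorecon is run on `/srv/mypostfix_virtual_content`, and the type used is postfix_virtual_exec_t, so following the example would make a content tree an entrypoint into postfix_virtual_t instead of giving it a data label. "diffent" and "sepecify" are typos in the generator text.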
@@ -67023,78 +118038,6 @@ index 0000000..c58fbd2 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type postfix_virtual_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B anon_inodefs_t -+ -+ -+.br -+.B dovecot_spool_t -+ -+ /var/spool/dovecot(/.*)? -+.br -+ -+.br -+.B mail_spool_t -+ -+ /var/mail(/.*)? -+.br -+ /var/spool/imap(/.*)? -+.br -+ /var/spool/mail(/.*)? -+.br -+ -+.br -+.B postfix_spool_t -+ -+ /var/spool/postfix.* -+.br -+ -+.br -+.B postfix_var_run_t -+ -+ /var/spool/postfix/pid/.* -+.br -+ -+.br -+.B postfix_virtual_tmp_t -+ -+ -+.br -+.B user_home_t -+ -+ /home/[^/]*/.+ -+.br -+ /home/dwalsh/.+ -+.br -+ /var/lib/xguest/home/xguest/.+ -+.br -+ -+.br -+.B user_home_type -+ -+ all user home files -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_virtual_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the postfix_virtual_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -67105,6 +118048,9 @@ index 0000000..c58fbd2 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -67116,15 +118062,15 @@ index 0000000..c58fbd2 + +.SH "SEE ALSO" +selinux(8), postfix_virtual(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8) ++, setsebool(8), postfix_bounce_selinux(8), postfix_cleanup_selinux(8), postfix_local_selinux(8), postfix_map_selinux(8), postfix_master_selinux(8), postfix_pickup_selinux(8), postfix_pipe_selinux(8), postfix_postdrop_selinux(8), postfix_postqueue_selinux(8), postfix_qmgr_selinux(8), postfix_showq_selinux(8), postfix_smtp_selinux(8), postfix_smtpd_selinux(8) \ No newline at end of file diff --git a/man/man8/postgresql_selinux.8 b/man/man8/postgresql_selinux.8 new file mode 100644 -index 0000000..375c37b +index 0000000..7ede704 --- /dev/null +++ b/man/man8/postgresql_selinux.8 -@@ -0,0 +1,382 @@ -+.TH "postgresql_selinux" "8" "12-11-01" "postgresql" "SELinux Policy documentation for postgresql" +@@ -0,0 +1,494 @@ ++.TH "postgresql_selinux" "8" "13-01-16" "postgresql" "SELinux Policy documentation for postgresql" +.SH "NAME" +postgresql_selinux \- Security Enhanced Linux Policy for the postgresql processes +.SH "DESCRIPTION" 
@@ -67140,9 +118086,11 @@ index 0000000..375c37b + +.SH "ENTRYPOINTS" + -+The postgresql_t SELinux type can be entered via the "postgresql_exec_t" file type. The default entrypoint paths for the postgresql_t domain are the following:" ++The postgresql_t SELinux type can be entered via the \fBpostgresql_exec_t\fP file type. + -+/usr/bin/(se)?postgres, /usr/bin/initdb(\.sepgsql)?, /usr/lib/postgresql/bin/.*, /usr/lib/pgsql/test/regress/pg_regress ++The default entrypoint paths for the postgresql_t domain are the following: ++ ++/usr/bin/(se)?postgres, /usr/bin/initdb(\.sepgsql)?, /usr/lib/postgresql/bin/.*, /usr/bin/pg_ctl, /usr/lib/pgsql/test/regress/pg_regress +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
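Review bot: making /usr/bin/pg_ctl an entrypoint for postgresql_t (the new path in the ENTRYPOINTS list in this hunk) needs a stated reason, because it means pg_ctl carries postgresql_exec_t and any domain with a transition rule on that type enters the database daemon domain whenever an administrator runs pg_ctl, including for status and reload invocations. If the goal is only that pg_ctl can start postgres, the narrower design is to leave pg_ctl in the caller's domain and let the exec of postgres itself perform the transition. If the relabel is deliberate (for example because the service unit execs pg_ctl and init must reach postgresql_t through it), record that in the changelog so the broader entrypoint is understood as intended. The \fB...\fP rewording of the entrypoint sentence in the same hunk is fine.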
@@ -67158,165 +118106,165 @@ index 0000000..375c37b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postgresql_t ++can be used to make the process type postgresql_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. postgresql policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postgresql with the tightest access possible. + + +.PP -+If you want to allow transmit client label to foreign database, you must turn on the postgresql_selinux_transmit_client_label boolean. -+ -+.EX -+.B setsebool -P postgresql_selinux_transmit_client_label 1 -+.EE -+ -+.PP -+If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean. -+ -+.EX -+.B setsebool -P postgresql_selinux_unconfined_dbadm 1 -+.EE -+ -+.PP -+If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean. ++If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean. Disabled by default. + +.EX +.B setsebool -P postgresql_can_rsync 1 ++ +.EE + +.PP -+If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. -+ -+.EX -+.B setsebool -P selinuxuser_postgresql_connect_enabled 1 -+.EE -+ -+.PP -+If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean. 
-+ -+.EX -+.B setsebool -P postgresql_selinux_users_ddl 1 -+.EE -+ -+.PP -+If you want to allow transmit client label to foreign database, you must turn on the postgresql_selinux_transmit_client_label boolean. ++If you want to allow transmit client label to foreign database, you must turn on the postgresql_selinux_transmit_client_label boolean. Disabled by default. + +.EX +.B setsebool -P postgresql_selinux_transmit_client_label 1 ++ +.EE + +.PP -+If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P postgresql_selinux_unconfined_dbadm 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P postgresql_can_rsync 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether ftpd can connect to databases over the TCP network, you must turn on the ftpd_connect_db boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ftpd_connect_db 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. Disabled by default. + +.EX +.B setsebool -P selinuxuser_postgresql_connect_enabled 1 ++ +.EE + ++.SH NSSWITCH DOMAIN ++ +.PP -+If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the postgresql_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.B setsebool -P postgresql_selinux_users_ddl 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux postgresql policy is very flexible allowing users to setup their postgresql processes in as secure a method as possible. -+.PP -+The following file types are defined for postgresql: -+ ++If you want to allow confined applications to run with kerberos for the postgresql_t, you must turn on the kerberos_enabled boolean. + +.EX -+.PP -+.B postgresql_db_t ++.B setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the postgresql_db_t type, if you want to treat the files as postgresql database content. -+ -+ -+.EX -+.PP -+.B postgresql_etc_t -+.EE -+ -+- Set files with the postgresql_etc_t type, if you want to store postgresql files in the /etc directories. 
-+ -+ -+.EX -+.PP -+.B postgresql_exec_t -+.EE -+ -+- Set files with the postgresql_exec_t type, if you want to transition an executable to the postgresql_t domain. -+ -+ -+.EX -+.PP -+.B postgresql_initrc_exec_t -+.EE -+ -+- Set files with the postgresql_initrc_exec_t type, if you want to transition an executable to the postgresql_initrc_t domain. -+ -+ -+.EX -+.PP -+.B postgresql_lock_t -+.EE -+ -+- Set files with the postgresql_lock_t type, if you want to treat the files as postgresql lock data, stored under the /var/lock directory -+ -+ -+.EX -+.PP -+.B postgresql_log_t -+.EE -+ -+- Set files with the postgresql_log_t type, if you want to treat the data as postgresql log data, usually stored under the /var/log directory. -+ -+ -+.EX -+.PP -+.B postgresql_tmp_t -+.EE -+ -+- Set files with the postgresql_tmp_t type, if you want to store postgresql temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B postgresql_var_run_t -+.EE -+ -+- Set files with the postgresql_var_run_t type, if you want to store the postgresql files under the /run directory. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP @@ -67349,12 +118297,12 @@ index 0000000..375c37b + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B hugetlbfs_t 
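Review bot: the rewritten BOOLEANS section for postgresql removes postgresql_selinux_unconfined_dbadm and postgresql_selinux_users_ddl (both deleted, neither re-added), while postgresql_selinux_transmit_client_label survives. This man page is the one place an administrator would look for the DDL/DML booleans, so if they still exist in the policy the generator is now missing them, most likely because they gate sepgsql db_* object-class rules for user domains rather than rules on postgresql_t itself; the generator should also pick up booleans whose rules involve the domain's database classes. If they were removed from the policy, that should be called out explicitly. Also in this hunk, the deny_execmem sentence ("If you want to deny user domains applications to map a memory region ... this is dangerous and the executable should be reported in bugzilla, you must turn on ...") fuses three clauses into one; the tunable description should state what the boolean does in one sentence and put the "report it in bugzilla" advice in another. deny_ptrace carries the same inverted description flagged on the postfix_virtual page. The faillog_t hunk (`@@ -67349`) widening the regexes to `/var/log/faillog.*` and `/var/log/tallylog.*` looks right.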
@@ -67393,21 +118341,7 @@ index 0000000..375c37b +.br +.B lastlog_t + -+ /var/log/lastlog -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm ++ /var/log/lastlog.* +.br + +.br @@ -67443,6 +118377,8 @@ index 0000000..375c37b +.br + /var/log/sepostgresql\.log.* +.br ++ /var/lib/pgsql/data/pg_log(/.*)? ++.br + /var/lib/sepgsql/pgstartup\.log +.br + 
@@ -67457,27 +118393,149 @@ index 0000000..375c37b +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux postgresql policy is very flexible allowing users to setup their postgresql processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postgresql_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the postgresql_t, you must turn on the kerberos_enabled boolean. ++postgresql policy stores data with multiple different file context types under the /var/lib/sepgsql directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/sepgsql /srv/sepgsql ++.br ++.B restorecon -R -v /srv/sepgsql ++.PP ++ ++.PP ++postgresql policy stores data with multiple different file context types under the /var/lib/pgsql directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. 
If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/pgsql /srv/pgsql ++.br ++.B restorecon -R -v /srv/pgsql ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postgresql, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postgresql_db_t '/srv/postgresql/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostgresql_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postgresql: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B postgresql_db_t +.EE + ++- Set files with the postgresql_db_t type, if you want to treat the files as postgresql database content. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/pgsql(/.*)?, /var/lib/sepgsql(/.*)?, /var/lib/postgres(ql)?(/.*)?, /usr/share/jonas/pgsql(/.*)?, /usr/lib/pgsql/test/regress(/.*)? ++ ++.EX ++.PP ++.B postgresql_etc_t ++.EE ++ ++- Set files with the postgresql_etc_t type, if you want to store postgresql files in the /etc directories. ++ ++.br ++.TP 5 ++Paths: ++/etc/postgresql(/.*)?, /etc/sysconfig/pgsql(/.*)? ++ ++.EX ++.PP ++.B postgresql_exec_t ++.EE ++ ++- Set files with the postgresql_exec_t type, if you want to transition an executable to the postgresql_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/(se)?postgres, /usr/bin/initdb(\.sepgsql)?, /usr/lib/postgresql/bin/.*, /usr/bin/pg_ctl, /usr/lib/pgsql/test/regress/pg_regress ++ ++.EX ++.PP ++.B postgresql_initrc_exec_t ++.EE ++ ++- Set files with the postgresql_initrc_exec_t type, if you want to transition an executable to the postgresql_initrc_t domain. 
++ ++ ++.EX ++.PP ++.B postgresql_lock_t ++.EE ++ ++- Set files with the postgresql_lock_t type, if you want to treat the files as postgresql lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B postgresql_log_t ++.EE ++ ++- Set files with the postgresql_log_t type, if you want to treat the data as postgresql log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/pgsql/.*\.log, /var/log/rhdb/rhdb(/.*)?, /var/log/postgresql(/.*)?, /var/log/postgres\.log.*, /var/lib/pgsql/logfile(/.*)?, /var/log/sepostgresql\.log.*, /var/lib/pgsql/data/pg_log(/.*)?, /var/lib/sepgsql/pgstartup\.log ++ ++.EX ++.PP ++.B postgresql_tmp_t ++.EE ++ ++- Set files with the postgresql_tmp_t type, if you want to store postgresql temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B postgresql_var_run_t ++.EE ++ ++- Set files with the postgresql_var_run_t type, if you want to store the postgresql files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -67509,11 +118567,11 @@ index 0000000..375c37b \ No newline at end of file diff --git a/man/man8/postgrey_selinux.8 b/man/man8/postgrey_selinux.8 new file mode 100644 -index 0000000..0959a17 +index 0000000..7785a10 --- /dev/null +++ b/man/man8/postgrey_selinux.8 -@@ -0,0 +1,180 @@ -+.TH "postgrey_selinux" "8" "12-11-01" "postgrey" "SELinux Policy documentation for postgrey" +@@ -0,0 +1,296 @@ ++.TH "postgrey_selinux" "8" "13-01-16" "postgrey" "SELinux Policy documentation for postgrey" +.SH "NAME" +postgrey_selinux \- Security Enhanced Linux Policy for the postgrey processes +.SH "DESCRIPTION" 
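Review bot: root_t with paths `/` and `/initrd` now appears under MANAGED FILES for postgresql_t (the `@@ -67457` hunk), which reads as though the database daemon can write into the root directory unconditionally. If, as seems likely, that access comes from the daemons_dump_core tunable documented on this same page as disabled by default, the generator should either skip rules that live inside tunable blocks or annotate the entry with the boolean that enables it; someone auditing what postgresql_t can touch should not see `/` listed without that qualifier. In the same hunk the STANDARD FILE CONTEXT example repeats the path mismatch noted for postfix_smtpd (`/srv/postgresql/content(/.*)?` versus `/srv/mypostgresql_content`), and "dirctory", "diffent" and "sepecify" are generator typos. The two EQUIVALENCE DIRECTORIES examples (`semanage fcontext -a -e /var/lib/sepgsql /srv/sepgsql` followed by restorecon, and the same for /var/lib/pgsql) are correct as written and are the right way to relocate a data directory. The `semanage boolean` line added in the COMMANDS hunk (`@@ -67509`) is missing the trailing period the neighbouring entries have.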
@@ -67529,7 +118587,9 @@ index 0000000..0959a17 + +.SH "ENTRYPOINTS" + -+The postgrey_t SELinux type can be entered via the "postgrey_exec_t" file type. The default entrypoint paths for the postgrey_t domain are the following:" ++The postgrey_t SELinux type can be entered via the \fBpostgrey_exec_t\fP file type. ++ ++The default entrypoint paths for the postgrey_t domain are the following: + +/usr/sbin/postgrey +.SH PROCESS TYPES 
@@ -67547,74 +118607,84 @@ index 0000000..0959a17 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a postgrey_t ++can be used to make the process type postgrey_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux postgrey policy is very flexible allowing users to setup their postgrey processes in as secure a method as possible. -+.PP -+The following file types are defined for postgrey: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. postgrey policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postgrey with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B postgrey_etc_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the postgrey_etc_t type, if you want to store postgrey files in the /etc directories. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B postgrey_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the postgrey_exec_t type, if you want to transition an executable to the postgrey_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B postgrey_initrc_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the postgrey_initrc_exec_t type, if you want to transition an executable to the postgrey_initrc_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B postgrey_spool_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the postgrey_spool_t type, if you want to store the postgrey files under the /var/spool directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B postgrey_var_lib_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the postgrey_var_lib_t type, if you want to store the postgrey files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B postgrey_var_run_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the postgrey_var_run_t type, if you want to store the postgrey files under the /run directory. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -67667,7 +118737,107 @@ index 0000000..0959a17 + /var/run/postgrey\.pid +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux postgrey policy is very flexible allowing users to setup their postgrey processes in as secure a method as possible. ++.PP ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++postgrey policy stores data with multiple different file context types under the /var/run/postgrey directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/postgrey /srv/postgrey ++.br ++.B restorecon -R -v /srv/postgrey ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the postgrey, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t postgrey_etc_t '/srv/postgrey/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypostgrey_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for postgrey: ++ ++ ++.EX ++.PP ++.B postgrey_etc_t ++.EE ++ ++- Set files with the postgrey_etc_t type, if you want to store postgrey files in the /etc directories. ++ ++ ++.EX ++.PP ++.B postgrey_exec_t ++.EE ++ ++- Set files with the postgrey_exec_t type, if you want to transition an executable to the postgrey_t domain. 
++ ++ ++.EX ++.PP ++.B postgrey_initrc_exec_t ++.EE ++ ++- Set files with the postgrey_initrc_exec_t type, if you want to transition an executable to the postgrey_initrc_t domain. ++ ++ ++.EX ++.PP ++.B postgrey_spool_t ++.EE ++ ++- Set files with the postgrey_spool_t type, if you want to store the postgrey files under the /var/spool directory. ++ ++ ++.EX ++.PP ++.B postgrey_var_lib_t ++.EE ++ ++- Set files with the postgrey_var_lib_t type, if you want to store the postgrey files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B postgrey_var_run_t ++.EE ++ ++- Set files with the postgrey_var_run_t type, if you want to store the postgrey files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/postgrey(/.*)?, /var/run/postgrey\.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -67682,6 +118852,9 @@ index 0000000..0959a17 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -67693,13 +118866,15 @@ index 0000000..0959a17 + +.SH "SEE ALSO" +selinux(8), postgrey(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/pppd_selinux.8 b/man/man8/pppd_selinux.8 new file mode 100644 -index 0000000..be38983 +index 0000000..c166525 --- /dev/null 
+++ b/man/man8/pppd_selinux.8 -@@ -0,0 +1,362 @@ -+.TH "pppd_selinux" "8" "12-11-01" "pppd" "SELinux Policy documentation for pppd" +@@ -0,0 +1,494 @@ ++.TH "pppd_selinux" "8" "13-01-16" "pppd" "SELinux Policy documentation for pppd" +.SH "NAME" +pppd_selinux \- Security Enhanced Linux Policy for the pppd processes +.SH "DESCRIPTION" @@ -67715,7 +118890,9 @@ index 0000000..be38983 + +.SH "ENTRYPOINTS" + -+The pppd_t SELinux type can be entered via the "pppd_exec_t" file type. The default entrypoint paths for the pppd_t domain are the following:" ++The pppd_t SELinux type can be entered via the \fBpppd_exec_t\fP file type. ++ ++The default entrypoint paths for the pppd_t domain are the following: + +/usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd, /sbin/pppoe-server, /usr/sbin/ppp-watch, /usr/sbin/pppoe-server +.SH PROCESS TYPES 
@@ -67733,138 +118910,140 @@ index 0000000..be38983 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pppd_t ++can be used to make the process type pppd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. pppd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pppd with the tightest access possible. + + +.PP -+If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean. ++If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean. Disabled by default. + +.EX +.B setsebool -P pppd_can_insmod 1 ++ +.EE + +.PP -+If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean. ++If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean. Disabled by default. + +.EX +.B setsebool -P pppd_for_user 1 ++ +.EE + +.PP -+If you want to allow pppd to load kernel modules for certain modems, you must turn on the pppd_can_insmod boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P pppd_can_insmod 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. 
+ +.EX -+.B setsebool -P pppd_for_user 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux pppd policy is very flexible allowing users to setup their pppd processes in as secure a method as possible. -+.PP -+The following file types are defined for pppd: -+ ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B pppd_etc_rw_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the pppd_etc_rw_t type, if you want to treat the files as pppd etc read/write content. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B pppd_etc_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the pppd_etc_t type, if you want to store pppd files in the /etc directories. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B pppd_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the pppd_exec_t type, if you want to transition an executable to the pppd_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B pppd_initrc_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the pppd_initrc_exec_t type, if you want to transition an executable to the pppd_initrc_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
+ +.EX -+.PP -+.B pppd_lock_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the pppd_lock_t type, if you want to treat the files as pppd lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B pppd_log_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the pppd_log_t type, if you want to treat the data as pppd log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B pppd_secret_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the pppd_secret_t type, if you want to treat the files as pppd se secret data. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B pppd_tmp_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the pppd_tmp_t type, if you want to store pppd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.PP -+.B pppd_unit_file_t ++.B setsebool -P nis_enabled 1 ++ +.EE + -+- Set files with the pppd_unit_file_t type, if you want to treat the files as pppd unit content. -+ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + +.EX -+.PP -+.B pppd_var_run_t ++.B setsebool -P nscd_use_shm 1 ++ +.EE + -+- Set files with the pppd_var_run_t type, if you want to store the pppd files under the /run directory. -+ ++.SH NSSWITCH DOMAIN + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the pppd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pppd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -67891,10 +119070,10 @@ index 0000000..be38983 +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -67903,10 +119082,10 @@ index 0000000..be38983 +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE @@ -67929,18 +119108,16 @@ index 0000000..be38983 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B net_conf_t + -+ /etc/ntpd?\.conf.* -+.br + /etc/hosts[^/]* +.br + /etc/yp\.conf.* @@ -67951,8 +119128,6 @@ index 0000000..be38983 +.br + /etc/resolv\.conf.* +.br -+ /etc/ntp/step-tickers.* -+.br + /etc/sysconfig/networking(/.*)? +.br + /etc/sysconfig/network-scripts(/.*)? @@ -67963,20 +119138,6 @@ index 0000000..be38983 +.br + +.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br +.B pppd_etc_rw_t + + /etc/ppp(/.*)? 
@@ -68015,27 +119176,173 @@ index 0000000..be38983 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B wtmp_t + + /var/log/wtmp.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux pppd policy is very flexible allowing users to setup their pppd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pppd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the pppd_t, you must turn on the kerberos_enabled boolean. ++pppd policy stores data with multiple different file context types under the /var/log/ppp directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/ppp /srv/ppp ++.br ++.B restorecon -R -v /srv/ppp ++.PP ++ ++.PP ++pppd policy stores data with multiple different file context types under the /var/run/ppp directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. 
If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/ppp /srv/ppp ++.br ++.B restorecon -R -v /srv/ppp ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pppd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pppd_etc_rw_t '/srv/pppd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypppd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for pppd: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B pppd_etc_rw_t +.EE + ++- Set files with the pppd_etc_rw_t type, if you want to treat the files as pppd etc read/write content. ++ ++.br ++.TP 5 ++Paths: ++/etc/ppp(/.*)?, /etc/ppp/peers(/.*)?, /etc/ppp/resolv\.conf ++ ++.EX ++.PP ++.B pppd_etc_t ++.EE ++ ++- Set files with the pppd_etc_t type, if you want to store pppd files in the /etc directories. ++ ++.br ++.TP 5 ++Paths: ++/root/.ppprc, /etc/ppp ++ ++.EX ++.PP ++.B pppd_exec_t ++.EE ++ ++- Set files with the pppd_exec_t type, if you want to transition an executable to the pppd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/pppd, /sbin/ppp-watch, /usr/sbin/ipppd, /sbin/pppoe-server, /usr/sbin/ppp-watch, /usr/sbin/pppoe-server ++ ++.EX ++.PP ++.B pppd_initrc_exec_t ++.EE ++ ++- Set files with the pppd_initrc_exec_t type, if you want to transition an executable to the pppd_initrc_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/etc/ppp/(auth|ip(v6|x)?)-(up|down), /etc/rc\.d/init\.d/ppp ++ ++.EX ++.PP ++.B pppd_lock_t ++.EE ++ ++- Set files with the pppd_lock_t type, if you want to treat the files as pppd lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B pppd_log_t ++.EE ++ ++- Set files with the pppd_log_t type, if you want to treat the data as pppd log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/ppp(/.*)?, /var/log/ppp-connect-errors.* ++ ++.EX ++.PP ++.B pppd_secret_t ++.EE ++ ++- Set files with the pppd_secret_t type, if you want to treat the files as pppd se secret data. ++ ++ ++.EX ++.PP ++.B pppd_tmp_t ++.EE ++ ++- Set files with the pppd_tmp_t type, if you want to store pppd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B pppd_unit_file_t ++.EE ++ ++- Set files with the pppd_unit_file_t type, if you want to treat the files as pppd unit content. ++ ++ ++.EX ++.PP ++.B pppd_var_run_t ++.EE ++ ++- Set files with the pppd_var_run_t type, if you want to store the pppd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/(i)?ppp.*pid[^/]*, /var/run/ppp(/.*)?, /var/run/pppd[0-9]*\.tdb ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -68064,11 +119371,11 @@ index 0000000..be38983 \ No newline at end of file diff --git a/man/man8/pptp_selinux.8 b/man/man8/pptp_selinux.8 new file mode 100644 -index 0000000..ff95294 +index 0000000..7ebf5a5 --- /dev/null 
+++ b/man/man8/pptp_selinux.8 -@@ -0,0 +1,158 @@ -+.TH "pptp_selinux" "8" "12-11-01" "pptp" "SELinux Policy documentation for pptp" +@@ -0,0 +1,285 @@ ++.TH "pptp_selinux" "8" "13-01-16" "pptp" "SELinux Policy documentation for pptp" +.SH "NAME" +pptp_selinux \- Security Enhanced Linux Policy for the pptp processes +.SH "DESCRIPTION" @@ -68084,7 +119391,9 @@ index 0000000..ff95294 + +.SH "ENTRYPOINTS" + -+The pptp_t SELinux type can be entered via the "pptp_exec_t" file type. The default entrypoint paths for the pptp_t domain are the following:" ++The pptp_t SELinux type can be entered via the \fBpptp_exec_t\fP file type. ++ ++The default entrypoint paths for the pptp_t domain are the following: + +/usr/sbin/pptp +.SH PROCESS TYPES 
@@ -68102,50 +119411,124 @@ index 0000000..ff95294 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pptp_t ++can be used to make the process type pptp_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux pptp policy is very flexible allowing users to setup their pptp processes in as secure a method as possible. -+.PP -+The following file types are defined for pptp: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pptp policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pptp with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B pptp_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the pptp_exec_t type, if you want to transition an executable to the pptp_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B pptp_log_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the pptp_log_t type, if you want to treat the data as pptp log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. 
Disabled by default. + +.EX -+.PP -+.B pptp_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the pptp_var_run_t type, if you want to store the pptp files under the /run directory. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the pptp_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pptp_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -68186,21 +119569,68 @@ index 0000000..ff95294 + /var/run/pptp(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux pptp policy is very flexible allowing users to setup their pptp processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pptp_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pptp, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pptp_exec_t '/srv/pptp/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypptp_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for pptp: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B pptp_exec_t +.EE + ++- Set files with the pptp_exec_t type, if you want to transition an executable to the pptp_t domain. ++ ++ ++.EX ++.PP ++.B pptp_log_t ++.EE ++ ++- Set files with the pptp_log_t type, if you want to treat the data as pptp log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B pptp_var_run_t ++.EE ++ ++- Set files with the pptp_var_run_t type, if you want to store the pptp files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the pptp_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -68215,6 +119645,9 @@ index 0000000..ff95294 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -68226,13 +119659,15 @@ index 0000000..ff95294 + +.SH "SEE ALSO" +selinux(8), pptp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/prelink_cron_system_selinux.8 b/man/man8/prelink_cron_system_selinux.8 new file mode 100644 -index 0000000..b622f23 +index 0000000..b7728f0 --- /dev/null +++ b/man/man8/prelink_cron_system_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "prelink_cron_system_selinux" "8" "12-11-01" "prelink_cron_system" "SELinux Policy documentation for prelink_cron_system" +@@ -0,0 +1,223 @@ ++.TH "prelink_cron_system_selinux" "8" "13-01-16" "prelink_cron_system" "SELinux Policy documentation for prelink_cron_system" +.SH "NAME" +prelink_cron_system_selinux \- Security Enhanced Linux Policy for the prelink_cron_system processes +.SH "DESCRIPTION" 
@@ -68248,7 +119683,9 @@ index 0000000..b622f23 + +.SH "ENTRYPOINTS" + -+The prelink_cron_system_t SELinux type can be entered via the "prelink_cron_system_exec_t" file type. The default entrypoint paths for the prelink_cron_system_t domain are the following:" ++The prelink_cron_system_t SELinux type can be entered via the \fBprelink_cron_system_exec_t\fP file type. ++ ++The default entrypoint paths for the prelink_cron_system_t domain are the following: + +/etc/cron\.daily/prelink +.SH PROCESS TYPES 
@@ -68266,34 +119703,100 @@ index 0000000..b622f23 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a prelink_cron_system_t ++can be used to make the process type prelink_cron_system_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux prelink_cron_system policy is very flexible allowing users to setup their prelink_cron_system processes in as secure a method as possible. -+.PP -+The following file types are defined for prelink_cron_system: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. prelink_cron_system policy is extremely flexible and has several booleans that allow you to manipulate the policy and run prelink_cron_system with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B prelink_cron_system_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the prelink_cron_system_exec_t type, if you want to transition an executable to the prelink_cron_system_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the kerberos_enabled boolean. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -68323,21 +119826,44 @@ index 0000000..b622f23 + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux prelink_cron_system policy is very flexible allowing users to setup their prelink_cron_system processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the prelink_cron_system, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t prelink_cron_system_exec_t '/srv/prelink_cron_system/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myprelink_cron_system_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for prelink_cron_system: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B prelink_cron_system_exec_t +.EE + ++- Set files with the prelink_cron_system_exec_t type, if you want to transition an executable to the prelink_cron_system_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. 
This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -68349,6 +119875,9 @@ index 0000000..b622f23 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -68360,15 +119889,15 @@ index 0000000..b622f23 + +.SH "SEE ALSO" +selinux(8), prelink_cron_system(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, prelink_selinux(8), prelink_selinux(8) ++, setsebool(8), prelink_selinux(8), prelink_selinux(8) \ No newline at end of file diff --git a/man/man8/prelink_selinux.8 b/man/man8/prelink_selinux.8 new file mode 100644 -index 0000000..9c74265 +index 0000000..d0129a1 --- /dev/null +++ b/man/man8/prelink_selinux.8 -@@ -0,0 +1,765 @@ -+.TH "prelink_selinux" "8" "12-11-01" "prelink" "SELinux Policy documentation for prelink" +@@ -0,0 +1,858 @@ ++.TH "prelink_selinux" "8" "13-01-16" "prelink" "SELinux Policy documentation for prelink" +.SH "NAME" +prelink_selinux \- Security Enhanced Linux Policy for the prelink processes +.SH "DESCRIPTION" @@ -68384,7 +119913,9 @@ index 0000000..9c74265 + +.SH "ENTRYPOINTS" + -+The prelink_t SELinux type can be entered via the "prelink_exec_t" file type. The default entrypoint paths for the prelink_t domain are the following:" ++The prelink_t SELinux type can be entered via the \fBprelink_exec_t\fP file type. ++ ++The default entrypoint paths for the prelink_t domain are the following: + +/usr/sbin/prelink(\.bin)? +.SH PROCESS TYPES 
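Review bot: the STANDARD FILE CONTEXT example in the prelink_cron_system FILE CONTEXTS hunk uses an entrypoint type as its sample label: `semanage fcontext -a -t prelink_cron_system_exec_t '/srv/prelink_cron_system/content(/.*)?'` would turn every file under that directory into an executable that transitions into prelink_cron_system_t, which is the opposite of what a "store your content elsewhere" example should teach. Use a data type for the sample, or omit the example for modules whose only file type is an *_exec_t. The paired `restorecon -R -v /srv/myprelink_cron_system_content` also names a different path from the one the fcontext rule matches, so the two commands as written relabel nothing. The same hunk carries `\fBls\bP`, which should be `\fBls\fP` (`\b` is groff's bracket-building escape, so the option text renders garbled), plus the typos "diffent" and "sepecify"; all of these recur in every *_selinux.8 page in this patch, so fix them in the generator rather than page by page.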
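Review bot: the SEE ALSO line of prelink_cron_system_selinux.8 lists prelink_selinux(8) twice (`, setsebool(8), prelink_selinux(8), prelink_selinux(8)`); the duplicate predates this change, but since the line is already being rewritten to add setsebool(8), deduplicate it here. Two smaller points from the adjacent hunks: the new COMMANDS sentence "can also be used to manipulate the booleans" lacks its terminating period, and the `\ No newline at end of file` marker shows the generated page still ends without a trailing newline.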
@@ -68402,82 +119933,76 @@ index 0000000..9c74265 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a prelink_t ++can be used to make the process type prelink_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux prelink policy is very flexible allowing users to setup their prelink processes in as secure a method as possible. -+.PP -+The following file types are defined for prelink: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. prelink policy is extremely flexible and has several booleans that allow you to manipulate the policy and run prelink with the tightest access possible. + + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ +.EX -+.PP -+.B prelink_cache_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the prelink_cache_t type, if you want to store the files under the /var/cache directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B prelink_cron_system_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the prelink_cron_system_exec_t type, if you want to transition an executable to the prelink_cron_system_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.PP -+.B prelink_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the prelink_exec_t type, if you want to transition an executable to the prelink_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B prelink_log_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the prelink_log_t type, if you want to treat the data as prelink log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B prelink_tmp_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the prelink_tmp_t type, if you want to store prelink temporary files in the /tmp directories. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B prelink_tmpfs_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the prelink_tmpfs_t type, if you want to store prelink files on a tmpfs file system. ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B prelink_var_lib_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the prelink_var_lib_t type, if you want to store the prelink files under the /var/lib directory. -+ -+ +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -68540,6 +120065,8 @@ index 0000000..9c74265 +.br + /usr/lib/xfce4/.*\.so.* +.br ++ /usr/lib/dovecot/(.*/)?lib.*\.so.* ++.br + /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] +.br + /emul/ia32-linux/lib(/.*)? @@ -69046,6 +120573,8 @@ index 0000000..9c74265 +.br + /home/[^/]*/.*/plugins/nppdf\.so.* +.br ++ /home/pwalsh/.*/plugins/nppdf\.so.* ++.br + /home/dwalsh/.*/plugins/nppdf\.so.* +.br + /var/lib/xguest/home/xguest/.*/plugins/nppdf\.so.* 
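Review bot: in the prelink BOOLEANS hunk the deny_ptrace entry reads "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default." That instructs an administrator to switch deny_ptrace on in order to permit ptrace, which contradicts the boolean's name (enabling it is what removes ptrace access); the description needs to state what enabling the boolean restricts, otherwise readers will flip it the wrong way. In the same hunk, the NSSWITCH DOMAIN paragraphs of prelink_selinux.8 still say "for the prelink_cron_system_t" although this page documents prelink_t, so the domain substituted into that template looks wrong for this page.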
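Review bot: the hunk adding `/home/pwalsh/.*/plugins/nppdf\.so.*` hard-codes a specific developer's home directory into the shipped file-context list, next to the existing `/home/dwalsh/.*/plugins/nppdf\.so.*` entry. The generic `/home/[^/]*/.*/plugins/nppdf\.so.*` pattern two lines above already matches both, so these per-user entries add no coverage and should be removed rather than extended.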
@@ -69086,31 +120615,121 @@ index 0000000..9c74265 + + /nsr(/.*)? +.br -+ /var/.* -+.br + /srv/.* +.br ++ /var/.* ++.br + /var +.br + /srv +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux prelink policy is very flexible allowing users to setup their prelink processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the kerberos_enabled boolean. ++prelink policy stores data with multiple different file context types under the /var/log/prelink directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/prelink /srv/prelink ++.br ++.B restorecon -R -v /srv/prelink ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the prelink, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t prelink_cache_t '/srv/prelink/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myprelink_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for prelink: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B prelink_cache_t +.EE + ++- Set files with the prelink_cache_t type, if you want to store the files under the /var/cache directory. ++ ++ ++.EX ++.PP ++.B prelink_cron_system_exec_t ++.EE ++ ++- Set files with the prelink_cron_system_exec_t type, if you want to transition an executable to the prelink_cron_system_t domain. ++ ++ ++.EX ++.PP ++.B prelink_exec_t ++.EE ++ ++- Set files with the prelink_exec_t type, if you want to transition an executable to the prelink_t domain. ++ ++ ++.EX ++.PP ++.B prelink_log_t ++.EE ++ ++- Set files with the prelink_log_t type, if you want to treat the data as prelink log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/prelink(/.*)?, /var/log/prelink\.log.* ++ ++.EX ++.PP ++.B prelink_tmp_t ++.EE ++ ++- Set files with the prelink_tmp_t type, if you want to store prelink temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B prelink_tmpfs_t ++.EE ++ ++- Set files with the prelink_tmpfs_t type, if you want to store prelink files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B prelink_var_lib_t ++.EE ++ ++- Set files with the prelink_var_lib_t type, if you want to store the prelink files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/prelink(/.*)?, /var/lib/misc/prelink.* ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
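Review bot: the EQUIVALENCE DIRECTORIES paragraph in the prelink FILE CONTEXTS hunk states that prelink "stores data with multiple different file context types under the /var/log/prelink directory", but the type list further down the same hunk shows only prelink_log_t there (Paths: /var/log/prelink(/.*)?, /var/log/prelink\.log.*). Either reword the sentence or point the `semanage fcontext -a -e` example at a directory that actually holds several types. Also "dirctory" should be "directory".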
@@ -69121,6 +120740,9 @@ index 0000000..9c74265 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -69132,15 +120754,15 @@ index 0000000..9c74265 + +.SH "SEE ALSO" +selinux(8), prelink(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, prelink_cron_system_selinux(8) ++, setsebool(8), prelink_cron_system_selinux(8) \ No newline at end of file diff --git a/man/man8/prelude_audisp_selinux.8 b/man/man8/prelude_audisp_selinux.8 new file mode 100644 -index 0000000..18ba823 +index 0000000..ee1758c --- /dev/null +++ b/man/man8/prelude_audisp_selinux.8 -@@ -0,0 +1,107 @@ -+.TH "prelude_audisp_selinux" "8" "12-11-01" "prelude_audisp" "SELinux Policy documentation for prelude_audisp" +@@ -0,0 +1,211 @@ ++.TH "prelude_audisp_selinux" "8" "13-01-16" "prelude_audisp" "SELinux Policy documentation for prelude_audisp" +.SH "NAME" +prelude_audisp_selinux \- Security Enhanced Linux Policy for the prelude_audisp processes +.SH "DESCRIPTION" @@ -69156,7 +120778,9 @@ index 0000000..18ba823 + +.SH "ENTRYPOINTS" + -+The prelude_audisp_t SELinux type can be entered via the "prelude_audisp_exec_t" file type. The default entrypoint paths for the prelude_audisp_t domain are the following:" ++The prelude_audisp_t SELinux type can be entered via the \fBprelude_audisp_exec_t\fP file type. ++ ++The default entrypoint paths for the prelude_audisp_t domain are the following: + +/sbin/audisp-prelude, /usr/sbin/audisp-prelude +.SH PROCESS TYPES 
@@ -69174,42 +120798,84 @@ index 0000000..18ba823 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a prelude_audisp_t ++can be used to make the process type prelude_audisp_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux prelude_audisp policy is very flexible allowing users to setup their prelude_audisp processes in as secure a method as possible. -+.PP -+The following file types are defined for prelude_audisp: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. prelude_audisp policy is extremely flexible and has several booleans that allow you to manipulate the policy and run prelude_audisp with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B prelude_audisp_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the prelude_audisp_exec_t type, if you want to transition an executable to the prelude_audisp_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B prelude_audisp_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the prelude_audisp_var_run_t type, if you want to store the prelude audisp files under the /run directory. 
++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
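Review bot: every example block in the prelude_audisp BOOLEANS hunk leaves an empty line between the command and the closing macro (`.B setsebool -P daemons_dump_core 1`, blank line, `.EE`), whereas the NSSWITCH DOMAIN blocks elsewhere in this patch close `.EE` immediately; the stray blank renders as an extra empty line after each command. Drop it in the generator so both block styles match.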
@@ -69223,7 +120889,64 @@ index 0000000..18ba823 + /var/spool/prelude-manager(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux prelude_audisp policy is very flexible allowing users to setup their prelude_audisp processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the prelude_audisp, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t prelude_audisp_exec_t '/srv/prelude_audisp/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myprelude_audisp_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for prelude_audisp: ++ ++ ++.EX ++.PP ++.B prelude_audisp_exec_t ++.EE ++ ++- Set files with the prelude_audisp_exec_t type, if you want to transition an executable to the prelude_audisp_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/audisp-prelude, /usr/sbin/audisp-prelude ++ ++.EX ++.PP ++.B prelude_audisp_var_run_t ++.EE ++ ++- Set files with the prelude_audisp_var_run_t type, if you want to store the prelude audisp files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
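Review bot: the prelude_audisp MANAGED FILES hunk now lists root_t (`/` and `/initrd`) among the file types prelude_audisp_t can manage, with nothing to say the access is conditional. If it derives from the daemons_dump_core boolean documented above (disabled by default), note that next to the entry; as written, an administrator reads that the audit dispatcher plugin may create and write files in the root directory unconditionally. The new STANDARD FILE CONTEXT sample in the same hunk again labels /srv content with an entrypoint type (`prelude_audisp_exec_t`) and pairs it with a restorecon path that does not match the fcontext rule.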
@@ -69235,6 +120958,9 @@ index 0000000..18ba823 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -69246,15 +120972,15 @@ index 0000000..18ba823 + +.SH "SEE ALSO" +selinux(8), prelude_audisp(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, prelude_selinux(8), prelude_selinux(8), prelude_correlator_selinux(8), prelude_lml_selinux(8) ++, setsebool(8), prelude_selinux(8), prelude_selinux(8), prelude_correlator_selinux(8), prelude_lml_selinux(8) \ No newline at end of file diff --git a/man/man8/prelude_correlator_selinux.8 b/man/man8/prelude_correlator_selinux.8 new file mode 100644 -index 0000000..54cfb46 +index 0000000..8375d61 --- /dev/null +++ b/man/man8/prelude_correlator_selinux.8 -@@ -0,0 +1,107 @@ -+.TH "prelude_correlator_selinux" "8" "12-11-01" "prelude_correlator" "SELinux Policy documentation for prelude_correlator" +@@ -0,0 +1,207 @@ ++.TH "prelude_correlator_selinux" "8" "13-01-16" "prelude_correlator" "SELinux Policy documentation for prelude_correlator" +.SH "NAME" +prelude_correlator_selinux \- Security Enhanced Linux Policy for the prelude_correlator processes +.SH "DESCRIPTION" @@ -69270,7 +120996,9 @@ index 0000000..54cfb46 + +.SH "ENTRYPOINTS" + -+The prelude_correlator_t SELinux type can be entered via the "prelude_correlator_exec_t" file type. The default entrypoint paths for the prelude_correlator_t domain are the following:" ++The prelude_correlator_t SELinux type can be entered via the \fBprelude_correlator_exec_t\fP file type. ++ ++The default entrypoint paths for the prelude_correlator_t domain are the following: + +/usr/bin/prelude-correlator +.SH PROCESS TYPES 
@@ -69288,8 +121016,104 @@ index 0000000..54cfb46 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a prelude_correlator_t ++can be used to make the process type prelude_correlator_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. prelude_correlator policy is extremely flexible and has several booleans that allow you to manipulate the policy and run prelude_correlator with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type prelude_correlator_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B prelude_spool_t ++ ++ /var/spool/prelude(/.*)? ++.br ++ /var/spool/prelude-manager(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
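Review bot: the prelude_correlator BOOLEANS hunk reports nscd_use_shm as "Disabled by default", but the prelude_audisp page generated in this same patch says "Enabled by default" for the same global boolean. One of the two is wrong; the default should be read from a single source at generation time so every page reports the same value.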
@@ -69299,7 +121123,20 @@ index 0000000..54cfb46 +Policy governs the access confined processes have to these files. +SELinux prelude_correlator policy is very flexible allowing users to setup their prelude_correlator processes in as secure a method as possible. +.PP -+The following file types are defined for prelude_correlator: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the prelude_correlator, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t prelude_correlator_config_t '/srv/prelude_correlator/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myprelude_correlator_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for prelude_correlator: + + +.EX @@ -69325,20 +121162,6 @@ index 0000000..54cfb46 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type prelude_correlator_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B prelude_spool_t -+ -+ /var/spool/prelude(/.*)? -+.br -+ /var/spool/prelude-manager(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -69349,6 +121172,9 @@ index 0000000..54cfb46 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -69360,15 +121186,15 @@ index 0000000..54cfb46 + +.SH "SEE ALSO" +selinux(8), prelude_correlator(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, prelude_selinux(8), prelude_selinux(8), prelude_audisp_selinux(8), prelude_lml_selinux(8) ++, setsebool(8), prelude_selinux(8), prelude_selinux(8), prelude_audisp_selinux(8), prelude_lml_selinux(8) \ No newline at end of file diff --git a/man/man8/prelude_lml_selinux.8 b/man/man8/prelude_lml_selinux.8 new file mode 100644 -index 0000000..9d345c5 +index 0000000..e5b1c83 --- /dev/null +++ b/man/man8/prelude_lml_selinux.8 -@@ -0,0 +1,149 @@ -+.TH "prelude_lml_selinux" "8" "12-11-01" "prelude_lml" "SELinux Policy documentation for prelude_lml" +@@ -0,0 +1,275 @@ ++.TH "prelude_lml_selinux" "8" "13-01-16" "prelude_lml" "SELinux Policy documentation for prelude_lml" +.SH "NAME" +prelude_lml_selinux \- Security Enhanced Linux Policy for the prelude_lml processes +.SH "DESCRIPTION" @@ -69384,7 +121210,9 @@ index 0000000..9d345c5 + +.SH "ENTRYPOINTS" + -+The prelude_lml_t SELinux type can be entered via the "prelude_lml_exec_t" file type. The default entrypoint paths for the prelude_lml_t domain are the following:" ++The prelude_lml_t SELinux type can be entered via the \fBprelude_lml_exec_t\fP file type. ++ ++The default entrypoint paths for the prelude_lml_t domain are the following: + +/usr/bin/prelude-lml +.SH PROCESS TYPES 
@@ -69402,8 +121230,164 @@ index 0000000..9d345c5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a prelude_lml_t ++can be used to make the process type prelude_lml_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. prelude_lml policy is extremely flexible and has several booleans that allow you to manipulate the policy and run prelude_lml with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the prelude_lml_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the prelude_lml_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type prelude_lml_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B prelude_lml_tmp_t ++ ++ ++.br ++.B prelude_lml_var_run_t ++ ++ /var/run/prelude-lml\.pid ++.br ++ ++.br ++.B prelude_spool_t ++ ++ /var/spool/prelude(/.*)? ++.br ++ /var/spool/prelude-manager(/.*)? ++.br ++ ++.br ++.B prelude_var_lib_t ++ ++ /var/lib/prelude-lml(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -69413,7 +121397,20 @@ index 0000000..9d345c5 +Policy governs the access confined processes have to these files. +SELinux prelude_lml policy is very flexible allowing users to setup their prelude_lml processes in as secure a method as possible. +.PP -+The following file types are defined for prelude_lml: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the prelude_lml, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t prelude_lml_exec_t '/srv/prelude_lml/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myprelude_lml_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for prelude_lml: + + +.EX @@ -69437,7 +121434,7 @@ index 0000000..9d345c5 +.B prelude_lml_var_run_t +.EE + -+- Set files with the prelude_lml_var_run_t type, if you want to store the prelude lml files under the /run directory. ++- Set files with the prelude_lml_var_run_t type, if you want to store the prelude lml files under the /run or /var/run directory. + + +.PP 
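Review bot: in the prelude_lml hunk, authlogin_nsswitch_use_ldap and kerberos_enabled are documented twice, once under BOOLEANS (with defaults) and again under NSSWITCH DOMAIN (without), with the `.EX` blocks formatted differently in each copy; keep the entries in one place, or have NSSWITCH DOMAIN refer to BOOLEANS, so the default is not lost in one of the copies. "rather then" should be "rather than" in both paragraphs (the same wording recurs across the patch). Escaping the dot in `/var/run/prelude-lml\.pid` is the right fix for that regex.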
@@ -69447,54 +121444,6 @@ index 0000000..9d345c5 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type prelude_lml_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B anon_inodefs_t -+ -+ -+.br -+.B prelude_lml_tmp_t -+ -+ -+.br -+.B prelude_lml_var_run_t -+ -+ /var/run/prelude-lml.pid -+.br -+ -+.br -+.B prelude_spool_t -+ -+ /var/spool/prelude(/.*)? -+.br -+ /var/spool/prelude-manager(/.*)? -+.br -+ -+.br -+.B prelude_var_lib_t -+ -+ /var/lib/prelude-lml(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelude_lml_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the prelude_lml_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -69505,6 +121454,9 @@ index 0000000..9d345c5 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -69516,15 +121468,15 @@ index 0000000..9d345c5 + +.SH "SEE ALSO" +selinux(8), prelude_lml(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, prelude_selinux(8), prelude_selinux(8), prelude_audisp_selinux(8), prelude_correlator_selinux(8) ++, setsebool(8), prelude_selinux(8), prelude_selinux(8), prelude_audisp_selinux(8), prelude_correlator_selinux(8) \ No newline at end of file 
diff --git a/man/man8/prelude_selinux.8 b/man/man8/prelude_selinux.8 new file mode 100644 -index 0000000..8ad755d +index 0000000..5fcd302 --- /dev/null +++ b/man/man8/prelude_selinux.8 -@@ -0,0 +1,259 @@ -+.TH "prelude_selinux" "8" "12-11-01" "prelude" "SELinux Policy documentation for prelude" +@@ -0,0 +1,402 @@ ++.TH "prelude_selinux" "8" "13-01-16" "prelude" "SELinux Policy documentation for prelude" +.SH "NAME" +prelude_selinux \- Security Enhanced Linux Policy for the prelude processes +.SH "DESCRIPTION" @@ -69540,7 +121492,9 @@ index 0000000..8ad755d + +.SH "ENTRYPOINTS" + -+The prelude_t SELinux type can be entered via the "prelude_exec_t" file type. The default entrypoint paths for the prelude_t domain are the following:" ++The prelude_t SELinux type can be entered via the \fBprelude_exec_t\fP file type. ++ ++The default entrypoint paths for the prelude_t domain are the following: + +/usr/bin/prelude-manager +.SH PROCESS TYPES 
@@ -69558,130 +121512,124 @@ index 0000000..8ad755d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a prelude_t ++can be used to make the process type prelude_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux prelude policy is very flexible allowing users to setup their prelude processes in as secure a method as possible. -+.PP -+The following file types are defined for prelude: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. prelude policy is extremely flexible and has several booleans that allow you to manipulate the policy and run prelude with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B prelude_audisp_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the prelude_audisp_exec_t type, if you want to transition an executable to the prelude_audisp_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B prelude_audisp_var_run_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the prelude_audisp_var_run_t type, if you want to store the prelude audisp files under the /run directory. 
-+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B prelude_correlator_config_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the prelude_correlator_config_t type, if you want to treat the files as prelude correlator configuration data, usually stored under the /etc directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B prelude_correlator_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the prelude_correlator_exec_t type, if you want to transition an executable to the prelude_correlator_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B prelude_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the prelude_exec_t type, if you want to transition an executable to the prelude_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B prelude_initrc_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the prelude_initrc_exec_t type, if you want to transition an executable to the prelude_initrc_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B prelude_lml_exec_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the prelude_lml_exec_t type, if you want to transition an executable to the prelude_lml_t domain. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
+ +.EX -+.PP -+.B prelude_lml_tmp_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the prelude_lml_tmp_t type, if you want to store prelude lml temporary files in the /tmp directories. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B prelude_lml_var_run_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the prelude_lml_var_run_t type, if you want to store the prelude lml files under the /run directory. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B prelude_log_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the prelude_log_t type, if you want to treat the data as prelude log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.PP -+.B prelude_spool_t ++.B setsebool -P nis_enabled 1 ++ +.EE + -+- Set files with the prelude_spool_t type, if you want to store the prelude files under the /var/spool directory. -+ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + +.EX -+.PP -+.B prelude_var_lib_t ++.B setsebool -P nscd_use_shm 1 ++ +.EE + -+- Set files with the prelude_var_lib_t type, if you want to store the prelude files under the /var/lib directory. ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the prelude_lml_t, prelude_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B prelude_var_run_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the prelude_var_run_t type, if you want to store the prelude files under the /run directory. 
-+ -+ +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to run with kerberos for the prelude_lml_t, prelude_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -69717,12 +121665,6 @@ index 0000000..8ad755d + + +.br -+.B prelude_log_t -+ -+ /var/log/prelude.* -+.br -+ -+.br +.B prelude_spool_t + + /var/spool/prelude(/.*)? 
@@ -69742,22 +121684,172 @@ index 0000000..8ad755d + /var/run/prelude-manager(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux prelude policy is very flexible allowing users to setup their prelude processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelude_lml_t, prelude_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the prelude_lml_t, prelude_t, you must turn on the kerberos_enabled boolean. ++prelude policy stores data with multiple different file context types under the /var/spool/prelude directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/spool/prelude /srv/prelude ++.br ++.B restorecon -R -v /srv/prelude ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the prelude, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t prelude_audisp_exec_t '/srv/prelude/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myprelude_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for prelude: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B prelude_audisp_exec_t +.EE + ++- Set files with the prelude_audisp_exec_t type, if you want to transition an executable to the prelude_audisp_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/audisp-prelude, /usr/sbin/audisp-prelude ++ ++.EX ++.PP ++.B prelude_audisp_var_run_t ++.EE ++ ++- Set files with the prelude_audisp_var_run_t type, if you want to store the prelude audisp files under the /run or /var/run directory. ++ ++ ++.EX ++.PP ++.B prelude_correlator_config_t ++.EE ++ ++- Set files with the prelude_correlator_config_t type, if you want to treat the files as prelude correlator configuration data, usually stored under the /etc directory. ++ ++ ++.EX ++.PP ++.B prelude_correlator_exec_t ++.EE ++ ++- Set files with the prelude_correlator_exec_t type, if you want to transition an executable to the prelude_correlator_t domain. ++ ++ ++.EX ++.PP ++.B prelude_exec_t ++.EE ++ ++- Set files with the prelude_exec_t type, if you want to transition an executable to the prelude_t domain. ++ ++ ++.EX ++.PP ++.B prelude_initrc_exec_t ++.EE ++ ++- Set files with the prelude_initrc_exec_t type, if you want to transition an executable to the prelude_initrc_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/prelude-lml, /etc/rc\.d/init\.d/prelude-manager, /etc/rc\.d/init\.d/prelude-correlator ++ ++.EX ++.PP ++.B prelude_lml_exec_t ++.EE ++ ++- Set files with the prelude_lml_exec_t type, if you want to transition an executable to the prelude_lml_t domain. ++ ++ ++.EX ++.PP ++.B prelude_lml_tmp_t ++.EE ++ ++- Set files with the prelude_lml_tmp_t type, if you want to store prelude lml temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B prelude_lml_var_run_t ++.EE ++ ++- Set files with the prelude_lml_var_run_t type, if you want to store the prelude lml files under the /run or /var/run directory. 
++ ++ ++.EX ++.PP ++.B prelude_log_t ++.EE ++ ++- Set files with the prelude_log_t type, if you want to treat the data as prelude log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B prelude_spool_t ++.EE ++ ++- Set files with the prelude_spool_t type, if you want to store the prelude files under the /var/spool directory. ++ ++.br ++.TP 5 ++Paths: ++/var/spool/prelude(/.*)?, /var/spool/prelude-manager(/.*)? ++ ++.EX ++.PP ++.B prelude_var_lib_t ++.EE ++ ++- Set files with the prelude_var_lib_t type, if you want to store the prelude files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B prelude_var_run_t ++.EE ++ ++- Set files with the prelude_var_run_t type, if you want to store the prelude files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -69771,6 +121863,9 @@ index 0000000..8ad755d +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -69782,15 +121877,15 @@ index 0000000..8ad755d + +.SH "SEE ALSO" +selinux(8), prelude(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, prelude_audisp_selinux(8), prelude_correlator_selinux(8), prelude_lml_selinux(8) ++, setsebool(8), prelude_audisp_selinux(8), prelude_correlator_selinux(8), prelude_lml_selinux(8) \ No newline at end of file diff --git a/man/man8/privoxy_selinux.8 b/man/man8/privoxy_selinux.8 new file mode 100644 -index 0000000..f7a88d0 +index 0000000..4a79cce --- /dev/null 
+++ b/man/man8/privoxy_selinux.8 -@@ -0,0 +1,174 @@ -+.TH "privoxy_selinux" "8" "12-11-01" "privoxy" "SELinux Policy documentation for privoxy" +@@ -0,0 +1,283 @@ ++.TH "privoxy_selinux" "8" "13-01-16" "privoxy" "SELinux Policy documentation for privoxy" +.SH "NAME" +privoxy_selinux \- Security Enhanced Linux Policy for the privoxy processes +.SH "DESCRIPTION" @@ -69806,7 +121901,9 @@ index 0000000..f7a88d0 + +.SH "ENTRYPOINTS" + -+The privoxy_t SELinux type can be entered via the "privoxy_exec_t" file type. The default entrypoint paths for the privoxy_t domain are the following:" ++The privoxy_t SELinux type can be entered via the \fBprivoxy_exec_t\fP file type. ++ ++The default entrypoint paths for the privoxy_t domain are the following: + +/usr/sbin/privoxy +.SH PROCESS TYPES 
@@ -69824,27 +121921,157 @@ index 0000000..f7a88d0 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a privoxy_t ++can be used to make the process type privoxy_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. privoxy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run privoxy with the tightest access possible. + + +.PP -+If you want to allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the privoxy_connect_any boolean. ++If you want to determine whether privoxy can connect to all tcp ports, you must turn on the privoxy_connect_any boolean. Enabled by default. + +.EX +.B setsebool -P privoxy_connect_any 1 ++ +.EE + +.PP -+If you want to allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the privoxy_connect_any boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P privoxy_connect_any 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the privoxy_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the privoxy_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type privoxy_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B privoxy_etc_rw_t ++ ++ /etc/privoxy/[^/]*\.action ++.br ++ ++.br ++.B privoxy_var_run_t ++ ++ /var/run/privoxy\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -69853,7 +122080,20 @@ index 0000000..f7a88d0 +Policy governs the access confined processes have to these files. +SELinux privoxy policy is very flexible allowing users to setup their privoxy processes in as secure a method as possible. +.PP -+The following file types are defined for privoxy: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the privoxy, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t privoxy_etc_rw_t '/srv/privoxy/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myprivoxy_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for privoxy: + + +.EX 
@@ -69893,7 +122133,7 @@ index 0000000..f7a88d0 +.B privoxy_var_run_t +.EE + -+- Set files with the privoxy_var_run_t type, if you want to store the privoxy files under the /run directory. ++- Set files with the privoxy_var_run_t type, if you want to store the privoxy files under the /run or /var/run directory. + + +.PP @@ -69903,42 +122143,6 @@ index 0000000..f7a88d0 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type privoxy_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B privoxy_etc_rw_t -+ -+ /etc/privoxy/[^/]*\.action -+.br -+ -+.br -+.B privoxy_log_t -+ -+ /var/log/privoxy(/.*)? -+.br -+ -+.br -+.B privoxy_var_run_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the privoxy_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the privoxy_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -69967,11 +122171,11 @@ index 0000000..f7a88d0 \ No newline at end of file diff --git a/man/man8/procmail_selinux.8 b/man/man8/procmail_selinux.8 new file mode 100644 -index 0000000..12bd0d0 +index 0000000..1fe0122 --- /dev/null 
+++ b/man/man8/procmail_selinux.8 -@@ -0,0 +1,180 @@ -+.TH "procmail_selinux" "8" "12-11-01" "procmail" "SELinux Policy documentation for procmail" +@@ -0,0 +1,372 @@ ++.TH "procmail_selinux" "8" "13-01-16" "procmail" "SELinux Policy documentation for procmail" +.SH "NAME" +procmail_selinux \- Security Enhanced Linux Policy for the procmail processes +.SH "DESCRIPTION" @@ -69987,7 +122191,9 @@ index 0000000..12bd0d0 + +.SH "ENTRYPOINTS" + -+The procmail_t SELinux type can be entered via the "procmail_exec_t" file type. The default entrypoint paths for the procmail_t domain are the following:" ++The procmail_t SELinux type can be entered via the \fBprocmail_exec_t\fP file type. ++ ++The default entrypoint paths for the procmail_t domain are the following: + +/usr/bin/procmail +.SH PROCESS TYPES 
@@ -70005,8 +122211,234 @@ index 0000000..12bd0d0 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a procmail_t ++can be used to make the process type procmail_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. procmail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run procmail with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the procmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the procmail_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type procmail_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B data_home_t ++ ++ /root/\.local/share(/.*)? ++.br ++ /home/[^/]*/\.local/share(/.*)? ++.br ++ /home/pwalsh/\.local/share(/.*)? ++.br ++ /home/dwalsh/\.local/share(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.local/share(/.*)? ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B mail_home_rw_t ++ ++ /root/Maildir(/.*)? ++.br ++ /home/[^/]*/.maildir(/.*)? ++.br ++ /home/[^/]*/Maildir(/.*)? ++.br ++ /home/pwalsh/.maildir(/.*)? ++.br ++ /home/pwalsh/Maildir(/.*)? ++.br ++ /home/dwalsh/.maildir(/.*)? ++.br ++ /home/dwalsh/Maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/.maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/Maildir(/.*)? ++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B procmail_tmp_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -70016,7 +122448,31 @@ index 0000000..12bd0d0 +Policy governs the access confined processes have to these files. +SELinux procmail policy is very flexible allowing users to setup their procmail processes in as secure a method as possible. +.PP -+The following file types are defined for procmail: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++procmail policy stores data with multiple different file context types under the /var/log/procmail directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/procmail /srv/procmail ++.br ++.B restorecon -R -v /srv/procmail ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the procmail, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t procmail_exec_t '/srv/procmail/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myprocmail_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for procmail: + + +.EX @@ -70034,6 +122490,10 @@ index 0000000..12bd0d0 + +- Set files with the procmail_home_t type, if you want to store procmail files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/root/\.procmailrc, /home/[^/]*/\.procmailrc, /home/pwalsh/\.procmailrc, /home/dwalsh/\.procmailrc, /var/lib/xguest/home/xguest/\.procmailrc + +.EX +.PP 
@@ -70042,6 +122502,10 @@ index 0000000..12bd0d0 + +- Set files with the procmail_log_t type, if you want to treat the data as procmail log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/procmail(/.*)?, /var/log/procmail\.log.* + +.EX +.PP @@ -70058,78 +122522,6 @@ index 0000000..12bd0d0 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type procmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B anon_inodefs_t -+ -+ -+.br -+.B data_home_t -+ -+ /root/\.local/share(/.*)? -+.br -+ /home/[^/]*/\.local/share(/.*)? -+.br -+ /home/dwalsh/\.local/share(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.local/share(/.*)? -+.br -+ -+.br -+.B mail_home_rw_t -+ -+ /root/Maildir(/.*)? -+.br -+ /home/[^/]*/Maildir(/.*)? -+.br -+ /home/dwalsh/Maildir(/.*)? -+.br -+ /var/lib/xguest/home/xguest/Maildir(/.*)? -+.br -+ -+.br -+.B mail_spool_t -+ -+ /var/mail(/.*)? -+.br -+ /var/spool/imap(/.*)? -+.br -+ /var/spool/mail(/.*)? -+.br -+ -+.br -+.B procmail_tmp_t -+ -+ -+.br -+.B user_home_t -+ -+ /home/[^/]*/.+ -+.br -+ /home/dwalsh/.+ -+.br -+ /var/lib/xguest/home/xguest/.+ -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the procmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the procmail_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -70140,6 +122532,9 @@ index 0000000..12bd0d0 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -70151,13 +122546,15 @@ index 0000000..12bd0d0 + +.SH "SEE ALSO" +selinux(8), procmail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/psad_selinux.8 b/man/man8/psad_selinux.8 new file mode 100644 -index 0000000..ce2de13 +index 0000000..3880cdd --- /dev/null +++ b/man/man8/psad_selinux.8 -@@ -0,0 +1,168 @@ -+.TH "psad_selinux" "8" "12-11-01" "psad" "SELinux Policy documentation for psad" +@@ -0,0 +1,289 @@ ++.TH "psad_selinux" "8" "13-01-16" "psad" "SELinux Policy documentation for psad" +.SH "NAME" +psad_selinux \- Security Enhanced Linux Policy for the psad processes +.SH "DESCRIPTION" @@ -70173,7 +122570,9 @@ index 0000000..ce2de13 + +.SH "ENTRYPOINTS" + -+The psad_t SELinux type can be entered via the "psad_exec_t" file type. The default entrypoint paths for the psad_t domain are the following:" ++The psad_t SELinux type can be entered via the \fBpsad_exec_t\fP file type. ++ ++The default entrypoint paths for the psad_t domain are the following: + +/usr/sbin/psad +.SH PROCESS TYPES 
@@ -70191,8 +122590,146 @@ index 0000000..ce2de13 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a psad_t ++can be used to make the process type psad_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. psad policy is extremely flexible and has several booleans that allow you to manipulate the policy and run psad with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the psad_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the psad_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type psad_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B psad_tmp_t ++ ++ ++.br ++.B psad_var_run_t ++ ++ /var/run/psad(/.*)? 
++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -70202,7 +122739,20 @@ index 0000000..ce2de13 +Policy governs the access confined processes have to these files. +SELinux psad policy is very flexible allowing users to setup their psad processes in as secure a method as possible. +.PP -+The following file types are defined for psad: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the psad, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t psad_etc_t '/srv/psad/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypsad_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for psad: + + +.EX @@ -70258,7 +122808,7 @@ index 0000000..ce2de13 +.B psad_var_run_t +.EE + -+- Set files with the psad_var_run_t type, if you want to store the psad files under the /run directory. ++- Set files with the psad_var_run_t type, if you want to store the psad files under the /run or /var/run directory. + + +.PP 
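Review bot: the regenerated MANAGED FILES section for psad_t in the @@ -70191,8 +122590,146 hunk lists psad_tmp_t, psad_var_run_t and root_t, but no longer lists `psad_var_log_t` (`/var/log/psad(/.*)?`), which the section removed in the following @@ -70268,42 +122818,6 hunk did include. Please confirm whether that is an intended policy change (psad_t losing manage rights on its own log directory, which would surface as AVC denials when the daemon rotates or writes logs) or a generator regression; if the former, the changelog in this commit should say so.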
@@ -70268,42 +122818,6 @@ index 0000000..ce2de13 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type psad_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B psad_tmp_t -+ -+ -+.br -+.B psad_var_log_t -+ -+ /var/log/psad(/.*)? -+.br -+ -+.br -+.B psad_var_run_t -+ -+ /var/run/psad(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the psad_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the psad_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -70314,6 +122828,9 @@ index 0000000..ce2de13 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -70325,13 +122842,15 @@ index 0000000..ce2de13 + +.SH "SEE ALSO" +selinux(8), psad(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ptal_selinux.8 b/man/man8/ptal_selinux.8 new file mode 100644 -index 0000000..aa2365a +index 0000000..5dde6d5 --- /dev/null 
+++ b/man/man8/ptal_selinux.8 -@@ -0,0 +1,140 @@ -+.TH "ptal_selinux" "8" "12-11-01" "ptal" "SELinux Policy documentation for ptal" +@@ -0,0 +1,241 @@ ++.TH "ptal_selinux" "8" "13-01-16" "ptal" "SELinux Policy documentation for ptal" +.SH "NAME" +ptal_selinux \- Security Enhanced Linux Policy for the ptal processes +.SH "DESCRIPTION" @@ -70347,7 +122866,9 @@ index 0000000..aa2365a + +.SH "ENTRYPOINTS" + -+The ptal_t SELinux type can be entered via the "ptal_exec_t" file type. The default entrypoint paths for the ptal_t domain are the following:" ++The ptal_t SELinux type can be entered via the \fBptal_exec_t\fP file type. ++ ++The default entrypoint paths for the ptal_t domain are the following: + +/usr/sbin/ptal-mlcd, /usr/sbin/ptal-printd, /usr/sbin/ptal-photod +.SH PROCESS TYPES 
@@ -70365,50 +122886,76 @@ index 0000000..aa2365a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ptal_t ++can be used to make the process type ptal_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux ptal policy is very flexible allowing users to setup their ptal processes in as secure a method as possible. -+.PP -+The following file types are defined for ptal: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ptal policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ptal with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B ptal_etc_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the ptal_etc_t type, if you want to store ptal files in the /etc directories. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B ptal_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the ptal_exec_t type, if you want to transition an executable to the ptal_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B ptal_var_run_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the ptal_var_run_t type, if you want to store the ptal files under the /run directory. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
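Review bot: the deny_ptrace entry in the @@ -70365,50 +122886,76 hunk ("If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default.") contradicts itself: the boolean's name says that turning it on denies ptrace, and the suggested `setsebool -P deny_ptrace 1` is a no-op if the boolean is already enabled by default. The template assumes every boolean description states what enabling it permits, which does not hold for `deny_*` booleans; render those with "turn off" and `setsebool -P deny_ptrace 0`, or quote the boolean's own description verbatim. The identical sentence appears in the psad, ptchown, publicfile and pulseaudio BOOLEANS sections added by this patch.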
@@ -70445,7 +122992,76 @@ index 0000000..aa2365a + /var/run/ptal-printd(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux ptal policy is very flexible allowing users to setup their ptal processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ptal, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ptal_etc_t '/srv/ptal/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myptal_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ptal: ++ ++ ++.EX ++.PP ++.B ptal_etc_t ++.EE ++ ++- Set files with the ptal_etc_t type, if you want to store ptal files in the /etc directories. ++ ++ ++.EX ++.PP ++.B ptal_exec_t ++.EE ++ ++- Set files with the ptal_exec_t type, if you want to transition an executable to the ptal_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/ptal-mlcd, /usr/sbin/ptal-printd, /usr/sbin/ptal-photod ++ ++.EX ++.PP ++.B ptal_var_run_t ++.EE ++ ++- Set files with the ptal_var_run_t type, if you want to store the ptal files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/ptal-mlcd(/.*)?, /var/run/ptal-printd(/.*)? ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. 
You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -70460,6 +123076,9 @@ index 0000000..aa2365a +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -70471,13 +123090,15 @@ index 0000000..aa2365a + +.SH "SEE ALSO" +selinux(8), ptal(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ptchown_selinux.8 b/man/man8/ptchown_selinux.8 new file mode 100644 -index 0000000..31e96e1 +index 0000000..434ad39 --- /dev/null +++ b/man/man8/ptchown_selinux.8 -@@ -0,0 +1,94 @@ -+.TH "ptchown_selinux" "8" "12-11-01" "ptchown" "SELinux Policy documentation for ptchown" +@@ -0,0 +1,155 @@ ++.TH "ptchown_selinux" "8" "13-01-16" "ptchown" "SELinux Policy documentation for ptchown" +.SH "NAME" +ptchown_selinux \- Security Enhanced Linux Policy for the ptchown processes +.SH "DESCRIPTION" @@ -70493,7 +123114,9 @@ index 0000000..31e96e1 + +.SH "ENTRYPOINTS" + -+The ptchown_t SELinux type can be entered via the "ptchown_exec_t" file type. The default entrypoint paths for the ptchown_t domain are the following:" ++The ptchown_t SELinux type can be entered via the \fBptchown_exec_t\fP file type. ++ ++The default entrypoint paths for the ptchown_t domain are the following: + +/usr/libexec/pt_chown +.SH PROCESS TYPES 
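Review bot: the @@ -70445,7 +122992,76 hunk re-adds `You can see the context of a file using the \fB\-Z\fP option to \fBls\bP`; `\bP` is the troff bracket-building escape, not a font change, so the bold started by `\fB` is never closed and a stray piled `P` is rendered. It should read `\fBls\fP`. In the same hunk the STANDARD FILE CONTEXT example adds a rule for `'/srv/ptal/content(/.*)?'` and then runs `restorecon -R -v /srv/myptal_content`, a path the new rule does not match, so an admin copying both commands relabels nothing; use `restorecon -R -v /srv/ptal/content`. The surrounding sentence also carries two template typos (`in a diffent paths`, `sepecify`). All three defects recur verbatim in the psad, ptchown, publicfile and pulseaudio pages, so correct them once in the generator.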
@@ -70511,8 +123134,60 @@ index 0000000..31e96e1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ptchown_t ++can be used to make the process type ptchown_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ptchown policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ptchown with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type ptchown_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B anon_inodefs_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -70522,7 +123197,20 @@ index 0000000..31e96e1 +Policy governs the access confined processes have to these files. +SELinux ptchown policy is very flexible allowing users to setup their ptchown processes in as secure a method as possible. +.PP -+The following file types are defined for ptchown: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ptchown, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ptchown_exec_t '/srv/ptchown/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myptchown_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ptchown: + + +.EX @@ -70540,16 +123228,6 @@ index 0000000..31e96e1 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type ptchown_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B anon_inodefs_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -70560,6 +123238,9 @@ index 0000000..31e96e1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -70571,13 +123252,15 @@ index 0000000..31e96e1 + +.SH "SEE ALSO" +selinux(8), ptchown(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
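Review bot: in the @@ -70522,7 +123197,20 hunk the STANDARD FILE CONTEXT example uses `ptchown_exec_t` as the type for `'/srv/ptchown/content(/.*)?'`. That is an entrypoint type (the same page says "Set files with the ptchown_exec_t type, if you want to transition an executable to the ptchown_t domain"), so an admin who follows the example turns an entire content tree into files that execute into ptchown_t. The generator appears to take the first type in sort order; it should skip `_exec_t` types (the publicfile page correctly picks publicfile_content_t, while the pulseaudio page later in this patch shows the same problem with pulseaudio_exec_t) and omit the example altogether for domains like this one that define no data type.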
diff --git a/man/man8/publicfile_selinux.8 b/man/man8/publicfile_selinux.8 new file mode 100644 -index 0000000..6021aa7 +index 0000000..d263825 --- /dev/null +++ b/man/man8/publicfile_selinux.8 -@@ -0,0 +1,94 @@ -+.TH "publicfile_selinux" "8" "12-11-01" "publicfile" "SELinux Policy documentation for publicfile" +@@ -0,0 +1,195 @@ ++.TH "publicfile_selinux" "8" "13-01-16" "publicfile" "SELinux Policy documentation for publicfile" +.SH "NAME" +publicfile_selinux \- Security Enhanced Linux Policy for the publicfile processes +.SH "DESCRIPTION" @@ -70593,7 +123276,9 @@ index 0000000..6021aa7 + +.SH "ENTRYPOINTS" + -+The publicfile_t SELinux type can be entered via the "publicfile_exec_t" file type. The default entrypoint paths for the publicfile_t domain are the following:" ++The publicfile_t SELinux type can be entered via the \fBpublicfile_exec_t\fP file type. ++ ++The default entrypoint paths for the publicfile_t domain are the following: + +/usr/bin/ftpd, /usr/bin/httpd +.SH PROCESS TYPES 
@@ -70611,8 +123296,88 @@ index 0000000..6021aa7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a publicfile_t ++can be used to make the process type publicfile_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. publicfile policy is extremely flexible and has several booleans that allow you to manipulate the policy and run publicfile with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type publicfile_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -70622,7 +123387,20 @@ index 0000000..6021aa7 +Policy governs the access confined processes have to these files. +SELinux publicfile policy is very flexible allowing users to setup their publicfile processes in as secure a method as possible. +.PP -+The following file types are defined for publicfile: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the publicfile, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t publicfile_content_t '/srv/publicfile/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypublicfile_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for publicfile: + + +.EX 
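Review bot: the MANAGED FILES section added in the @@ -70611,8 +123296,88 hunk lists `root_t` (`/`, `/initrd`) as manageable by publicfile_t with no qualification, while the BOOLEANS section in the same hunk says that writing corefiles to `/` requires `daemons_dump_core`, which is disabled by default. If the root_t entry comes from that boolean-gated rule, the generator should mark conditional types in the managed-files list (or leave out those whose boolean is off by default); as rendered, a reader concludes that a confined ftpd/httpd may write to the filesystem root unconditionally. The same unqualified root_t entry is added for psad_t, ptal_t and pulseaudio_t in this patch.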
@@ -70640,6 +123418,10 @@ index 0000000..6021aa7 + +- Set files with the publicfile_exec_t type, if you want to transition an executable to the publicfile_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/ftpd, /usr/bin/httpd + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -70648,8 +123430,6 @@ index 0000000..6021aa7 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -70660,6 +123440,9 @@ index 0000000..6021aa7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -70671,13 +123454,15 @@ index 0000000..6021aa7 + +.SH "SEE ALSO" +selinux(8), publicfile(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/pulseaudio_selinux.8 b/man/man8/pulseaudio_selinux.8 new file mode 100644 -index 0000000..f889102 +index 0000000..122066e --- /dev/null +++ b/man/man8/pulseaudio_selinux.8 -@@ -0,0 +1,300 @@ -+.TH "pulseaudio_selinux" "8" "12-11-01" "pulseaudio" "SELinux Policy documentation for pulseaudio" +@@ -0,0 +1,536 @@ ++.TH "pulseaudio_selinux" "8" "13-01-16" "pulseaudio" "SELinux Policy documentation for pulseaudio" +.SH "NAME" +pulseaudio_selinux \- Security Enhanced Linux Policy for the pulseaudio processes +.SH "DESCRIPTION" 
@@ -70693,7 +123478,9 @@ index 0000000..f889102 + +.SH "ENTRYPOINTS" + -+The pulseaudio_t SELinux type can be entered via the "pulseaudio_exec_t" file type. The default entrypoint paths for the pulseaudio_t domain are the following:" ++The pulseaudio_t SELinux type can be entered via the \fBpulseaudio_exec_t\fP file type. ++ ++The default entrypoint paths for the pulseaudio_t domain are the following: + +/usr/bin/pulseaudio +.SH PROCESS TYPES 
@@ -70711,66 +123498,164 @@ index 0000000..f889102 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pulseaudio_t ++can be used to make the process type pulseaudio_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux pulseaudio policy is very flexible allowing users to setup their pulseaudio processes in as secure a method as possible. -+.PP -+The following file types are defined for pulseaudio: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pulseaudio policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pulseaudio with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B pulseaudio_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the pulseaudio_exec_t type, if you want to transition an executable to the pulseaudio_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B pulseaudio_home_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the pulseaudio_home_t type, if you want to store pulseaudio files in the users home directory. 
-+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B pulseaudio_tmpfs_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the pulseaudio_tmpfs_t type, if you want to store pulseaudio files on a tmpfs file system. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B pulseaudio_var_lib_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the pulseaudio_var_lib_t type, if you want to store the pulseaudio files under the /var/lib directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B pulseaudio_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the pulseaudio_var_run_t type, if you want to store the pulseaudio files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the pulseaudio_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pulseaudio_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -70806,26 +123691,48 @@ index 0000000..f889102 + + +.br ++.B cifs_t ++ ++ ++.br +.B gstreamer_home_t + + /var/run/user/[^/]*/\.orc(/.*)? +.br + /root/\.gstreamer-.* +.br ++ /root/\.cache/gstreamer-.* ++.br + /home/[^/]*/\.orc(/.*)? +.br + /home/[^/]*/\.gstreamer-.* +.br ++ /home/[^/]*/\.cache/gstreamer-.* ++.br + /home/[^/]*/\.grl-bookmarks +.br + /home/[^/]*/\.grl-bookmarks +.br + /home/[^/]*/\.grl-metadata-store +.br ++ /home/pwalsh/\.orc(/.*)? ++.br ++ /home/pwalsh/\.gstreamer-.* ++.br ++ /home/pwalsh/\.cache/gstreamer-.* ++.br ++ /home/pwalsh/\.grl-bookmarks ++.br ++ /home/pwalsh/\.grl-bookmarks ++.br ++ /home/pwalsh/\.grl-metadata-store ++.br + /home/dwalsh/\.orc(/.*)? +.br + /home/dwalsh/\.gstreamer-.* +.br ++ /home/dwalsh/\.cache/gstreamer-.* ++.br + /home/dwalsh/\.grl-bookmarks +.br + /home/dwalsh/\.grl-bookmarks @@ -70836,6 +123743,8 @@ index 0000000..f889102 +.br + /var/lib/xguest/home/xguest/\.gstreamer-.* +.br ++ /var/lib/xguest/home/xguest/\.cache/gstreamer-.* ++.br + /var/lib/xguest/home/xguest/\.grl-bookmarks +.br + /var/lib/xguest/home/xguest/\.grl-bookmarks 
@@ -70844,28 +123753,48 @@ index 0000000..f889102 +.br + +.br ++.B nfs_t ++ ++ ++.br +.B pulseaudio_home_t + + /root/\.pulse(/.*)? +.br ++ /root/\.config/pulse(/.*)? ++.br + /root/\.esd_auth +.br + /root/\.pulse-cookie +.br + /home/[^/]*/\.pulse(/.*)? +.br ++ /home/[^/]*/\.config/pulse(/.*)? ++.br + /home/[^/]*/\.esd_auth +.br + /home/[^/]*/\.pulse-cookie +.br ++ /home/pwalsh/\.pulse(/.*)? ++.br ++ /home/pwalsh/\.config/pulse(/.*)? ++.br ++ /home/pwalsh/\.esd_auth ++.br ++ /home/pwalsh/\.pulse-cookie ++.br + /home/dwalsh/\.pulse(/.*)? +.br ++ /home/dwalsh/\.config/pulse(/.*)? ++.br + /home/dwalsh/\.esd_auth +.br + /home/dwalsh/\.pulse-cookie +.br + /var/lib/xguest/home/xguest/\.pulse(/.*)? +.br ++ /var/lib/xguest/home/xguest/\.config/pulse(/.*)? ++.br + /var/lib/xguest/home/xguest/\.esd_auth +.br + /var/lib/xguest/home/xguest/\.pulse-cookie @@ -70884,6 +123813,14 @@ index 0000000..f889102 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B user_fonts_cache_t + + /root/\.fontconfig(/.*)? @@ -70898,6 +123835,12 @@ index 0000000..f889102 +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? 
@@ -70937,22 +123880,96 @@ index 0000000..f889102 + /tmp/\.X0-lock +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B xserver_tmpfs_t ++ ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux pulseaudio policy is very flexible allowing users to setup their pulseaudio processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pulseaudio_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the pulseaudio_t, you must turn on the kerberos_enabled boolean. ++pulseaudio policy stores data with multiple different file context types under the /var/lib/xguest/home/xguest/\.pulse directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/xguest/home/xguest/\.pulse /srv/\.pulse ++.br ++.B restorecon -R -v /srv/\.pulse ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pulseaudio, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pulseaudio_exec_t '/srv/pulseaudio/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypulseaudio_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for pulseaudio: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B pulseaudio_exec_t +.EE + ++- Set files with the pulseaudio_exec_t type, if you want to transition an executable to the pulseaudio_t domain. ++ ++ ++.EX ++.PP ++.B pulseaudio_home_t ++.EE ++ ++- Set files with the pulseaudio_home_t type, if you want to store pulseaudio files in the users home directory. ++ ++.br ++.TP 5 ++Paths: ++/root/\.pulse(/.*)?, /root/\.config/pulse(/.*)?, /root/\.esd_auth, /root/\.pulse-cookie, /home/[^/]*/\.pulse(/.*)?, /home/[^/]*/\.config/pulse(/.*)?, /home/[^/]*/\.esd_auth, /home/[^/]*/\.pulse-cookie, /home/pwalsh/\.pulse(/.*)?, /home/pwalsh/\.config/pulse(/.*)?, /home/pwalsh/\.esd_auth, /home/pwalsh/\.pulse-cookie, /home/dwalsh/\.pulse(/.*)?, /home/dwalsh/\.config/pulse(/.*)?, /home/dwalsh/\.esd_auth, /home/dwalsh/\.pulse-cookie, /var/lib/xguest/home/xguest/\.pulse(/.*)?, /var/lib/xguest/home/xguest/\.config/pulse(/.*)?, /var/lib/xguest/home/xguest/\.esd_auth, /var/lib/xguest/home/xguest/\.pulse-cookie ++ ++.EX ++.PP ++.B pulseaudio_tmpfs_t ++.EE ++ ++- Set files with the pulseaudio_tmpfs_t type, if you want to store pulseaudio files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B pulseaudio_var_lib_t ++.EE ++ ++- Set files with the pulseaudio_var_lib_t type, if you want to store the pulseaudio files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B pulseaudio_var_run_t ++.EE ++ ++- Set files with the pulseaudio_var_run_t type, if you want to store the pulseaudio files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -70966,6 +123983,9 @@ index 0000000..f889102 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -70977,13 +123997,15 @@ index 0000000..f889102 + +.SH "SEE ALSO" +selinux(8), pulseaudio(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/puppet_selinux.8 b/man/man8/puppet_selinux.8 new file mode 100644 -index 0000000..1e449cb +index 0000000..1a58a12 --- /dev/null +++ b/man/man8/puppet_selinux.8 -@@ -0,0 +1,368 @@ -+.TH "puppet_selinux" "8" "12-11-01" "puppet" "SELinux Policy documentation for puppet" +@@ -0,0 +1,437 @@ ++.TH "puppet_selinux" "8" "13-01-16" "puppet" "SELinux Policy documentation for puppet" +.SH "NAME" +puppet_selinux \- Security Enhanced Linux Policy for the puppet processes +.SH "DESCRIPTION" @@ -70999,7 +124021,9 @@ index 0000000..1e449cb + +.SH "ENTRYPOINTS" + -+The puppet_t SELinux type can be entered via the "puppet_exec_t" file type. The default entrypoint paths for the puppet_t domain are the following:" ++The puppet_t SELinux type can be entered via the \fBpuppet_exec_t\fP file type. ++ ++The default entrypoint paths for the puppet_t domain are the following: + +/usr/sbin/puppetd +.SH PROCESS TYPES 
@@ -71017,146 +124041,140 @@ index 0000000..1e449cb +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a puppet_t ++can be used to make the process type puppet_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. puppet policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppet with the tightest access possible. + + +.PP -+If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean. -+ -+.EX -+.B setsebool -P puppetmaster_use_db 1 -+.EE -+ -+.PP -+If you want to allow Puppet client to manage all file types, you must turn on the puppet_manage_all_files boolean. ++If you want to allow Puppet client to manage all file types, you must turn on the puppet_manage_all_files boolean. Disabled by default. + +.EX +.B setsebool -P puppet_manage_all_files 1 ++ +.EE + +.PP -+If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P puppetmaster_use_db 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow Puppet client to manage all file types, you must turn on the puppet_manage_all_files boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. 
+ +.EX -+.B setsebool -P puppet_manage_all_files 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux puppet policy is very flexible allowing users to setup their puppet processes in as secure a method as possible. -+.PP -+The following file types are defined for puppet: -+ ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B puppet_etc_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the puppet_etc_t type, if you want to store puppet files in the /etc directories. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B puppet_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the puppet_exec_t type, if you want to transition an executable to the puppet_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B puppet_initrc_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the puppet_initrc_exec_t type, if you want to transition an executable to the puppet_initrc_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B puppet_log_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the puppet_log_t type, if you want to treat the data as puppet log data, usually stored under the /var/log directory. 
-+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B puppet_tmp_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the puppet_tmp_t type, if you want to store puppet temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B puppet_var_lib_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the puppet_var_lib_t type, if you want to store the puppet files under the /var/lib directory. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B puppet_var_run_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the puppet_var_run_t type, if you want to store the puppet files under the /run directory. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B puppetca_exec_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the puppetca_exec_t type, if you want to transition an executable to the puppetca_t domain. -+ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.PP -+.B puppetmaster_exec_t ++.B setsebool -P nis_enabled 1 ++ +.EE + -+- Set files with the puppetmaster_exec_t type, if you want to transition an executable to the puppetmaster_t domain. -+ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
+ +.EX -+.PP -+.B puppetmaster_initrc_exec_t ++.B setsebool -P nscd_use_shm 1 ++ +.EE + -+- Set files with the puppetmaster_initrc_exec_t type, if you want to transition an executable to the puppetmaster_initrc_t domain. -+ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. + +.EX -+.PP -+.B puppetmaster_tmp_t ++.B setsebool -P secure_mode_policyload 1 ++ +.EE + -+- Set files with the puppetmaster_tmp_t type, if you want to store puppetmaster temporary files in the /tmp directories. -+ ++.SH NSSWITCH DOMAIN + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the puppetmaster_t, puppet_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the puppetmaster_t, puppet_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -71260,150 +124278,101 @@ index 0000000..1e449cb +.br + +.br -+.B puppet_tmp_t ++.B non_security_file_type + + +.br -+.B puppet_var_lib_t -+ -+ /var/lib/puppet(/.*)? -+.br -+ -+.br -+.B puppet_var_run_t -+ -+ /var/run/puppet(/.*)? -+.br -+ -+.br -+.B rpm_log_t -+ -+ /var/log/yum\.log.* -+.br -+ -+.br +.B rpm_var_lib_t + + /var/lib/rpm(/.*)? +.br + /var/lib/yum(/.*)? +.br ++ /var/lib/dnf(/.*)? ++.br + /var/lib/PackageKit(/.*)? +.br + /var/lib/alternatives(/.*)? +.br + -+.br -+.B var_t -+ -+ /nsr(/.*)? -+.br -+ /var/.* -+.br -+ /srv/.* -+.br -+ /var -+.br -+ /srv -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the puppetmaster_t, puppet_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the puppetmaster_t, puppet_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.B semanage port -+can also be used to manipulate the port definitions -+ -+.B semanage boolean -+can also be used to manipulate the booleans -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. 
-+ -+.SH "SEE ALSO" -+selinux(8), puppet(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8), puppetca_selinux(8), puppetmaster_selinux(8) -\ No newline at end of file -diff --git a/man/man8/puppetca_selinux.8 b/man/man8/puppetca_selinux.8 -new file mode 100644 -index 0000000..b0b4381 ---- /dev/null -+++ b/man/man8/puppetca_selinux.8 -@@ -0,0 +1,103 @@ -+.TH "puppetca_selinux" "8" "12-11-01" "puppetca" "SELinux Policy documentation for puppetca" -+.SH "NAME" -+puppetca_selinux \- Security Enhanced Linux Policy for the puppetca processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the puppetca processes via flexible mandatory access control. -+ -+The puppetca processes execute with the puppetca_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. -+ -+For example: -+ -+.B ps -eZ | grep puppetca_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The puppetca_t SELinux type can be entered via the "puppetca_exec_t" file type. The default entrypoint paths for the puppetca_t domain are the following:" -+ -+/usr/sbin/puppetca -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux puppetca policy is very flexible allowing users to setup their puppetca processes in as secure a method as possible. -+.PP -+The following process types are defined for puppetca: -+ -+.EX -+.B puppetca_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
+.PP +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP +Policy governs the access confined processes have to these files. -+SELinux puppetca policy is very flexible allowing users to setup their puppetca processes in as secure a method as possible. ++SELinux puppet policy is very flexible allowing users to setup their puppet processes in as secure a method as possible. +.PP -+The following file types are defined for puppetca: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the puppet, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t puppet_etc_t '/srv/puppet/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypuppet_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for puppet: ++ ++ ++.EX ++.PP ++.B puppet_etc_t ++.EE ++ ++- Set files with the puppet_etc_t type, if you want to store puppet files in the /etc directories. ++ ++ ++.EX ++.PP ++.B puppet_exec_t ++.EE ++ ++- Set files with the puppet_exec_t type, if you want to transition an executable to the puppet_t domain. ++ ++ ++.EX ++.PP ++.B puppet_initrc_exec_t ++.EE ++ ++- Set files with the puppet_initrc_exec_t type, if you want to transition an executable to the puppet_initrc_t domain. ++ ++ ++.EX ++.PP ++.B puppet_log_t ++.EE ++ ++- Set files with the puppet_log_t type, if you want to treat the data as puppet log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B puppet_tmp_t ++.EE ++ ++- Set files with the puppet_tmp_t type, if you want to store puppet temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B puppet_var_lib_t ++.EE ++ ++- Set files with the puppet_var_lib_t type, if you want to store the puppet files under the /var/lib directory. 
++ ++ ++.EX ++.PP ++.B puppet_var_run_t ++.EE ++ ++- Set files with the puppet_var_run_t type, if you want to store the puppet files under the /run or /var/run directory. + + +.EX 
@@ -71414,126 +124383,6 @@ index 0000000..b0b4381 +- Set files with the puppetca_exec_t type, if you want to transition an executable to the puppetca_t domain. + + -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ -+.SH "MANAGED FILES" -+ -+The SELinux process type puppetca_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B puppet_var_lib_t -+ -+ /var/lib/puppet(/.*)? -+.br -+ -+.br -+.B security_t -+ -+ /selinux -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. 
-+ -+.SH "SEE ALSO" -+selinux(8), puppetca(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, puppet_selinux(8) -\ No newline at end of file -diff --git a/man/man8/puppetmaster_selinux.8 b/man/man8/puppetmaster_selinux.8 -new file mode 100644 -index 0000000..83d8f60 ---- /dev/null -+++ b/man/man8/puppetmaster_selinux.8 -@@ -0,0 +1,170 @@ -+.TH "puppetmaster_selinux" "8" "12-11-01" "puppetmaster" "SELinux Policy documentation for puppetmaster" -+.SH "NAME" -+puppetmaster_selinux \- Security Enhanced Linux Policy for the puppetmaster processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the puppetmaster processes via flexible mandatory access control. -+ -+The puppetmaster processes execute with the puppetmaster_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. -+ -+For example: -+ -+.B ps -eZ | grep puppetmaster_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The puppetmaster_t SELinux type can be entered via the "puppetmaster_exec_t" file type. The default entrypoint paths for the puppetmaster_t domain are the following:" -+ -+/usr/sbin/puppetmasterd -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux puppetmaster policy is very flexible allowing users to setup their puppetmaster processes in as secure a method as possible. -+.PP -+The following process types are defined for puppetmaster: -+ -+.EX -+.B puppetmaster_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ -+.SH BOOLEANS -+SELinux policy is customizable based on least access required. 
puppetmaster policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppetmaster with the tightest access possible. -+ -+ -+.PP -+If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean. -+ -+.EX -+.B setsebool -P puppetmaster_use_db 1 -+.EE -+ -+.PP -+If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean. -+ -+.EX -+.B setsebool -P puppetmaster_use_db 1 -+.EE -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux puppetmaster policy is very flexible allowing users to setup their puppetmaster processes in as secure a method as possible. -+.PP -+The following file types are defined for puppetmaster: -+ -+ +.EX +.PP +.B puppetmaster_exec_t 
@@ -71565,6 +124414,374 @@ index 0000000..83d8f60 +.B restorecon +to apply the labels. + ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage port ++can also be used to manipulate the port definitions ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), puppet(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), puppetca_selinux(8), puppetmaster_selinux(8) +\ No newline at end of file +diff --git a/man/man8/puppetca_selinux.8 b/man/man8/puppetca_selinux.8 +new file mode 100644 +index 0000000..305cf1a +--- /dev/null ++++ b/man/man8/puppetca_selinux.8 +@@ -0,0 +1,163 @@ ++.TH "puppetca_selinux" "8" "13-01-16" "puppetca" "SELinux Policy documentation for puppetca" ++.SH "NAME" ++puppetca_selinux \- Security Enhanced Linux Policy for the puppetca processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the puppetca processes via flexible mandatory access control. ++ ++The puppetca processes execute with the puppetca_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep puppetca_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The puppetca_t SELinux type can be entered via the \fBpuppetca_exec_t\fP file type. 
++ ++The default entrypoint paths for the puppetca_t domain are the following: ++ ++/usr/sbin/puppetca ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux puppetca policy is very flexible allowing users to setup their puppetca processes in as secure a method as possible. ++.PP ++The following process types are defined for puppetca: ++ ++.EX ++.B puppetca_t ++.EE ++.PP ++Note: ++.B semanage permissive -a puppetca_t ++can be used to make the process type puppetca_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. puppetca policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppetca with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type puppetca_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B puppet_var_lib_t ++ ++ /var/lib/puppet(/.*)? ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux puppetca policy is very flexible allowing users to setup their puppetca processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the puppetca, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t puppetca_exec_t '/srv/puppetca/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypuppetca_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for puppetca: ++ ++ ++.EX ++.PP ++.B puppetca_exec_t ++.EE ++ ++- Set files with the puppetca_exec_t type, if you want to transition an executable to the puppetca_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. 
++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), puppetca(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), puppet_selinux(8) +\ No newline at end of file +diff --git a/man/man8/puppetmaster_selinux.8 b/man/man8/puppetmaster_selinux.8 +new file mode 100644 +index 0000000..2b1f72e +--- /dev/null ++++ b/man/man8/puppetmaster_selinux.8 +@@ -0,0 +1,283 @@ ++.TH "puppetmaster_selinux" "8" "13-01-16" "puppetmaster" "SELinux Policy documentation for puppetmaster" ++.SH "NAME" ++puppetmaster_selinux \- Security Enhanced Linux Policy for the puppetmaster processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the puppetmaster processes via flexible mandatory access control. ++ ++The puppetmaster processes execute with the puppetmaster_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep puppetmaster_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The puppetmaster_t SELinux type can be entered via the \fBpuppetmaster_exec_t\fP file type. ++ ++The default entrypoint paths for the puppetmaster_t domain are the following: ++ ++/usr/sbin/puppetmasterd ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. 
++SELinux puppetmaster policy is very flexible allowing users to setup their puppetmaster processes in as secure a method as possible. ++.PP ++The following process types are defined for puppetmaster: ++ ++.EX ++.B puppetmaster_t ++.EE ++.PP ++Note: ++.B semanage permissive -a puppetmaster_t ++can be used to make the process type puppetmaster_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. puppetmaster policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppetmaster with the tightest access possible. ++ ++ ++.PP ++If you want to allow Puppet master to use connect to MySQL and PostgreSQL database, you must turn on the puppetmaster_use_db boolean. Disabled by default. ++ ++.EX ++.B setsebool -P puppetmaster_use_db 1 ++ ++.EE ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the puppetmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the puppetmaster_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ +.SH "MANAGED FILES" + +The SELinux process type puppetmaster_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
@@ -71592,26 +124809,73 @@ index 0000000..83d8f60 + + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux puppetmaster policy is very flexible allowing users to setup their puppetmaster processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the puppetmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the puppetmaster, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t puppetmaster_exec_t '/srv/puppetmaster/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypuppetmaster_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for puppetmaster: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B puppetmaster_exec_t +.EE + ++- Set files with the puppetmaster_exec_t type, if you want to transition an executable to the puppetmaster_t domain. ++ ++ ++.EX ++.PP ++.B puppetmaster_initrc_exec_t ++.EE ++ ++- Set files with the puppetmaster_initrc_exec_t type, if you want to transition an executable to the puppetmaster_initrc_t domain. ++ ++ ++.EX ++.PP ++.B puppetmaster_tmp_t ++.EE ++ ++- Set files with the puppetmaster_tmp_t type, if you want to store puppetmaster temporary files in the /tmp directories. 
++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the puppetmaster_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -71641,11 +124905,11 @@ index 0000000..83d8f60 \ No newline at end of file diff --git a/man/man8/pwauth_selinux.8 b/man/man8/pwauth_selinux.8 new file mode 100644 -index 0000000..ce82d8a +index 0000000..479eab7 --- /dev/null +++ b/man/man8/pwauth_selinux.8 -@@ -0,0 +1,118 @@ -+.TH "pwauth_selinux" "8" "12-11-01" "pwauth" "SELinux Policy documentation for pwauth" +@@ -0,0 +1,213 @@ ++.TH "pwauth_selinux" "8" "13-01-16" "pwauth" "SELinux Policy documentation for pwauth" +.SH "NAME" +pwauth_selinux \- Security Enhanced Linux Policy for the pwauth processes +.SH "DESCRIPTION" @@ -71661,7 +124925,9 @@ index 0000000..ce82d8a + +.SH "ENTRYPOINTS" + -+The pwauth_t SELinux type can be entered via the "pwauth_exec_t" file type. The default entrypoint paths for the pwauth_t domain are the following:" ++The pwauth_t SELinux type can be entered via the \fBpwauth_exec_t\fP file type. ++ ++The default entrypoint paths for the pwauth_t domain are the following: + +/usr/bin/pwauth +.SH PROCESS TYPES 
@@ -71679,8 +124945,110 @@ index 0000000..ce82d8a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pwauth_t ++can be used to make the process type pwauth_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pwauth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pwauth with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the pwauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pwauth_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type pwauth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B pwauth_var_run_t ++ ++ /var/run/pwauth.lock ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -71690,7 +125058,20 @@ index 0000000..ce82d8a +Policy governs the access confined processes have to these files. +SELinux pwauth policy is very flexible allowing users to setup their pwauth processes in as secure a method as possible. +.PP -+The following file types are defined for pwauth: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pwauth, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pwauth_exec_t '/srv/pwauth/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypwauth_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for pwauth: + + +.EX @@ -71706,7 +125087,7 @@ index 0000000..ce82d8a +.B pwauth_var_run_t +.EE + -+- Set files with the pwauth_var_run_t type, if you want to store the pwauth files under the /run directory. ++- Set files with the pwauth_var_run_t type, if you want to store the pwauth files under the /run or /var/run directory. + + +.PP 
@@ -71716,32 +125097,6 @@ index 0000000..ce82d8a +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type pwauth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B pwauth_var_run_t -+ -+ /var/run/pwauth.lock -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pwauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the pwauth_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -71752,6 +125107,9 @@ index 0000000..ce82d8a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -71763,13 +125121,15 @@ index 0000000..ce82d8a + +.SH "SEE ALSO" +selinux(8), pwauth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/pyicqt_selinux.8 b/man/man8/pyicqt_selinux.8 new file mode 100644 -index 0000000..d92e759 +index 0000000..53cc310 --- /dev/null +++ b/man/man8/pyicqt_selinux.8 -@@ -0,0 +1,146 @@ -+.TH "pyicqt_selinux" "8" "12-11-01" "pyicqt" "SELinux Policy documentation for pyicqt" +@@ -0,0 +1,273 @@ ++.TH "pyicqt_selinux" "8" "13-01-16" "pyicqt" "SELinux Policy documentation for pyicqt" +.SH "NAME" +pyicqt_selinux \- Security Enhanced Linux Policy for the pyicqt processes +.SH "DESCRIPTION" 
@@ -71785,7 +125145,9 @@ index 0000000..d92e759 + +.SH "ENTRYPOINTS" + -+The pyicqt_t SELinux type can be entered via the "pyicqt_exec_t" file type. The default entrypoint paths for the pyicqt_t domain are the following:" ++The pyicqt_t SELinux type can be entered via the \fBpyicqt_exec_t\fP file type. ++ ++The default entrypoint paths for the pyicqt_t domain are the following: + +/usr/share/pyicq-t/PyICQt\.py +.SH PROCESS TYPES 
@@ -71803,58 +125165,124 @@ index 0000000..d92e759 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a pyicqt_t ++can be used to make the process type pyicqt_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux pyicqt policy is very flexible allowing users to setup their pyicqt processes in as secure a method as possible. -+.PP -+The following file types are defined for pyicqt: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. pyicqt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pyicqt with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B pyicqt_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the pyicqt_exec_t type, if you want to transition an executable to the pyicqt_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B pyicqt_log_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the pyicqt_log_t type, if you want to treat the data as pyicqt log data, usually stored under the /var/log directory. 
-+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B pyicqt_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the pyicqt_var_run_t type, if you want to store the pyicqt files under the /run directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B pyicqt_var_spool_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the pyicqt_var_spool_t type, if you want to store the pyicqt var files under the /var/spool directory. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the pyicqt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pyicqt_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -71878,21 +125306,76 @@ index 0000000..d92e759 + /var/spool/pyicq-t(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux pyicqt policy is very flexible allowing users to setup their pyicqt processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pyicqt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the pyicqt, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t pyicqt_exec_t '/srv/pyicqt/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mypyicqt_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for pyicqt: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B pyicqt_exec_t +.EE + ++- Set files with the pyicqt_exec_t type, if you want to transition an executable to the pyicqt_t domain. ++ ++ ++.EX ++.PP ++.B pyicqt_log_t ++.EE ++ ++- Set files with the pyicqt_log_t type, if you want to treat the data as pyicqt log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B pyicqt_var_run_t ++.EE ++ ++- Set files with the pyicqt_var_run_t type, if you want to store the pyicqt files under the /run or /var/run directory. 
++ ++ ++.EX ++.PP ++.B pyicqt_var_spool_t ++.EE ++ ++- Set files with the pyicqt_var_spool_t type, if you want to store the pyicqt var files under the /var/spool directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the pyicqt_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -71904,6 +125387,9 @@ index 0000000..d92e759 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -71915,13 +125401,15 @@ index 0000000..d92e759 + +.SH "SEE ALSO" +selinux(8), pyicqt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/qdiskd_selinux.8 b/man/man8/qdiskd_selinux.8 new file mode 100644 -index 0000000..e6e2867 +index 0000000..43f1af1 --- /dev/null +++ b/man/man8/qdiskd_selinux.8 -@@ -0,0 +1,164 @@ -+.TH "qdiskd_selinux" "8" "12-11-01" "qdiskd" "SELinux Policy documentation for qdiskd" +@@ -0,0 +1,285 @@ ++.TH "qdiskd_selinux" "8" "13-01-16" "qdiskd" "SELinux Policy documentation for qdiskd" +.SH "NAME" +qdiskd_selinux \- Security Enhanced Linux Policy for the qdiskd processes +.SH "DESCRIPTION" 
@@ -71937,7 +125425,9 @@ index 0000000..e6e2867 + +.SH "ENTRYPOINTS" + -+The qdiskd_t SELinux type can be entered via the "qdiskd_exec_t" file type. The default entrypoint paths for the qdiskd_t domain are the following:" ++The qdiskd_t SELinux type can be entered via the \fBqdiskd_exec_t\fP file type. ++ ++The default entrypoint paths for the qdiskd_t domain are the following: + +/usr/sbin/qdiskd +.SH PROCESS TYPES 
@@ -71955,8 +125445,158 @@ index 0000000..e6e2867 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qdiskd_t ++can be used to make the process type qdiskd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qdiskd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qdiskd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the qdiskd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the qdiskd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type qdiskd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B qdiskd_tmpfs_t ++ ++ ++.br ++.B qdiskd_var_lib_t ++ ++ /var/lib/qdiskd(/.*)? 
++.br ++ ++.br ++.B qdiskd_var_log_t ++ ++ /var/log/cluster/qdiskd\.log.* ++.br ++ ++.br ++.B qdiskd_var_run_t ++ ++ /var/run/qdiskd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -71966,7 +125606,20 @@ index 0000000..e6e2867 +Policy governs the access confined processes have to these files. +SELinux qdiskd policy is very flexible allowing users to setup their qdiskd processes in as secure a method as possible. +.PP -+The following file types are defined for qdiskd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qdiskd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qdiskd_exec_t '/srv/qdiskd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqdiskd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qdiskd: + + +.EX @@ -72006,7 +125659,7 @@ index 0000000..e6e2867 +.B qdiskd_var_run_t +.EE + -+- Set files with the qdiskd_var_run_t type, if you want to store the qdiskd files under the /run directory. ++- Set files with the qdiskd_var_run_t type, if you want to store the qdiskd files under the /run or /var/run directory. + + +.PP 
@@ -72016,54 +125669,6 @@ index 0000000..e6e2867 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type qdiskd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cluster_var_lib_t -+ -+ /var/lib/cluster(/.*)? -+.br -+ -+.br -+.B qdiskd_tmpfs_t -+ -+ -+.br -+.B qdiskd_var_lib_t -+ -+ /var/lib/qdiskd(/.*)? -+.br -+ -+.br -+.B qdiskd_var_log_t -+ -+ /var/log/cluster/qdiskd\.log.* -+.br -+ -+.br -+.B qdiskd_var_run_t -+ -+ /var/run/qdiskd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the qdiskd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the qdiskd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -72074,6 +125679,9 @@ index 0000000..e6e2867 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -72085,13 +125693,15 @@ index 0000000..e6e2867 + +.SH "SEE ALSO" +selinux(8), qdiskd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/qemu_dm_selinux.8 b/man/man8/qemu_dm_selinux.8 new file mode 100644 -index 0000000..a367e12 +index 0000000..3536a5e --- /dev/null 
+++ b/man/man8/qemu_dm_selinux.8 -@@ -0,0 +1,94 @@ -+.TH "qemu_dm_selinux" "8" "12-11-01" "qemu_dm" "SELinux Policy documentation for qemu_dm" +@@ -0,0 +1,124 @@ ++.TH "qemu_dm_selinux" "8" "13-01-16" "qemu_dm" "SELinux Policy documentation for qemu_dm" +.SH "NAME" +qemu_dm_selinux \- Security Enhanced Linux Policy for the qemu_dm processes +.SH "DESCRIPTION" @@ -72107,7 +125717,9 @@ index 0000000..a367e12 + +.SH "ENTRYPOINTS" + -+The qemu_dm_t SELinux type can be entered via the "qemu_dm_exec_t" file type. The default entrypoint paths for the qemu_dm_t domain are the following:" ++The qemu_dm_t SELinux type can be entered via the \fBqemu_dm_exec_t\fP file type. ++ ++The default entrypoint paths for the qemu_dm_t domain are the following: + + +.SH PROCESS TYPES 
@@ -72125,34 +125737,60 @@ index 0000000..a367e12 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qemu_dm_t ++can be used to make the process type qemu_dm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux qemu_dm policy is very flexible allowing users to setup their qemu_dm processes in as secure a method as possible. -+.PP -+The following file types are defined for qemu_dm: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qemu_dm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qemu_dm with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B qemu_dm_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the qemu_dm_exec_t type, if you want to transition an executable to the qemu_dm_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow xend to run qemu-dm. Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xend_run_qemu 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -72162,8 +125800,6 @@ index 0000000..a367e12 +.B xenfs_t + + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -72174,6 +125810,9 @@ index 0000000..a367e12 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -72185,13 +125824,15 @@ index 0000000..a367e12 + +.SH "SEE ALSO" +selinux(8), qemu_dm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/qmail_clean_selinux.8 b/man/man8/qmail_clean_selinux.8 new file mode 100644 -index 0000000..4688dbf +index 0000000..b99be20 --- /dev/null 
+++ b/man/man8/qmail_clean_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "qmail_clean_selinux" "8" "12-11-01" "qmail_clean" "SELinux Policy documentation for qmail_clean" +@@ -0,0 +1,147 @@ ++.TH "qmail_clean_selinux" "8" "13-01-16" "qmail_clean" "SELinux Policy documentation for qmail_clean" +.SH "NAME" +qmail_clean_selinux \- Security Enhanced Linux Policy for the qmail_clean processes +.SH "DESCRIPTION" @@ -72207,7 +125848,9 @@ index 0000000..4688dbf + +.SH "ENTRYPOINTS" + -+The qmail_clean_t SELinux type can be entered via the "qmail_clean_exec_t" file type. The default entrypoint paths for the qmail_clean_t domain are the following:" ++The qmail_clean_t SELinux type can be entered via the \fBqmail_clean_exec_t\fP file type. ++ ++The default entrypoint paths for the qmail_clean_t domain are the following: + +/var/qmail/bin/qmail-clean +.SH PROCESS TYPES 
@@ -72225,8 +125868,52 @@ index 0000000..4688dbf +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qmail_clean_t ++can be used to make the process type qmail_clean_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qmail_clean policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qmail_clean with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
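Review bot: the deny_ptrace paragraph in the new BOOLEANS section of qmail_clean_selinux.8 states the boolean backwards: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default." Enabling deny_ptrace is what blocks ptrace, so a reader who follows this will lock debugging out rather than allow it; the sentence should say that ptrace is denied while the boolean is on and that debugging requires `setsebool -P deny_ptrace 0`. Since the same paragraph is emitted for every *_selinux.8 page in this patch, the fix belongs in the boolean description fed to the man page generator, not in the individual pages.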
@@ -72236,7 +125923,20 @@ index 0000000..4688dbf +Policy governs the access confined processes have to these files. +SELinux qmail_clean policy is very flexible allowing users to setup their qmail_clean processes in as secure a method as possible. +.PP -+The following file types are defined for qmail_clean: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qmail_clean, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qmail_clean_exec_t '/srv/qmail_clean/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqmail_clean_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qmail_clean: + + +.EX @@ -72254,8 +125954,6 @@ index 0000000..4688dbf +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -72266,6 +125964,9 @@ index 0000000..4688dbf +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
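Review bot: the STANDARD FILE CONTEXT example added to qmail_clean_selinux.8 is internally inconsistent: `semanage fcontext -a -t qmail_clean_exec_t '/srv/qmail_clean/content(/.*)?'` registers one path while `restorecon -R -v /srv/myqmail_clean_content` relabels a different one, so running both as written changes nothing on disk. The type chosen is also misleading for a "store files with these types" example: qmail_clean_exec_t is the domain entrypoint type, and labeling a content tree with it would make every file there an entrypoint into qmail_clean_t instead of data. Use the same path in both commands and pick a non-executable type where the domain defines one (the qmail_inject, qmail_local, qmail_lspawn and qmail_queue pages below carry the same generated example). Two typos in the same paragraph, "diffent" and "sepecify", and the new "semanage boolean / can also be used to manipulate the booleans" entry in COMMANDS lacks the trailing period its neighbouring entries have.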
@@ -72277,15 +125978,15 @@ index 0000000..4688dbf + +.SH "SEE ALSO" +selinux(8), qmail_clean(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) ++, setsebool(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) \ No newline at end of file diff --git a/man/man8/qmail_inject_selinux.8 b/man/man8/qmail_inject_selinux.8 new file mode 100644 -index 0000000..b61fe99 +index 0000000..581753f --- /dev/null +++ b/man/man8/qmail_inject_selinux.8 -@@ -0,0 +1,95 @@ -+.TH "qmail_inject_selinux" "8" "12-11-01" "qmail_inject" "SELinux Policy documentation for qmail_inject" +@@ -0,0 +1,171 @@ ++.TH "qmail_inject_selinux" "8" "13-01-16" "qmail_inject" "SELinux Policy documentation for qmail_inject" +.SH "NAME" +qmail_inject_selinux \- Security Enhanced Linux Policy for the qmail_inject processes +.SH "DESCRIPTION" @@ -72301,7 +126002,9 @@ index 0000000..b61fe99 + +.SH "ENTRYPOINTS" + -+The qmail_inject_t SELinux type can be entered via the "qmail_inject_exec_t" file type. The default entrypoint paths for the qmail_inject_t domain are the following:" ++The qmail_inject_t SELinux type can be entered via the \fBqmail_inject_exec_t\fP file type. ++ ++The default entrypoint paths for the qmail_inject_t domain are the following: + +/var/qmail/bin/qmail-inject +.SH PROCESS TYPES 
@@ -72319,8 +126022,76 @@ index 0000000..b61fe99 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qmail_inject_t ++can be used to make the process type qmail_inject_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qmail_inject policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qmail_inject with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Gitosis can send mail, you must turn on the gitosis_can_sendmail boolean. Disabled by default. ++ ++.EX ++.B setsebool -P gitosis_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_sendmail 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type qmail_inject_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B arpwatch_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -72330,7 +126101,20 @@ index 0000000..b61fe99 +Policy governs the access confined processes have to these files. +SELinux qmail_inject policy is very flexible allowing users to setup their qmail_inject processes in as secure a method as possible. +.PP -+The following file types are defined for qmail_inject: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qmail_inject, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qmail_inject_exec_t '/srv/qmail_inject/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqmail_inject_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qmail_inject: + + +.EX @@ -72348,16 +126132,6 @@ index 0000000..b61fe99 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type qmail_inject_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B arpwatch_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -72368,6 +126142,9 @@ index 0000000..b61fe99 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -72379,15 +126156,15 @@ index 0000000..b61fe99 + +.SH "SEE ALSO" +selinux(8), qmail_inject(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, qmail_clean_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) ++, setsebool(8), qmail_clean_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) \ No newline at end of file diff --git a/man/man8/qmail_local_selinux.8 b/man/man8/qmail_local_selinux.8 new file mode 100644 -index 0000000..923074e +index 0000000..281fb59 --- /dev/null +++ b/man/man8/qmail_local_selinux.8 -@@ -0,0 +1,151 @@ -+.TH "qmail_local_selinux" "8" "12-11-01" "qmail_local" "SELinux Policy documentation for qmail_local" +@@ -0,0 +1,321 @@ ++.TH "qmail_local_selinux" "8" "13-01-16" "qmail_local" "SELinux Policy documentation for qmail_local" +.SH "NAME" +qmail_local_selinux \- Security Enhanced Linux Policy for the qmail_local processes +.SH "DESCRIPTION" 
@@ -72403,7 +126180,9 @@ index 0000000..923074e + +.SH "ENTRYPOINTS" + -+The qmail_local_t SELinux type can be entered via the "qmail_local_exec_t" file type. The default entrypoint paths for the qmail_local_t domain are the following:" ++The qmail_local_t SELinux type can be entered via the \fBqmail_local_exec_t\fP file type. ++ ++The default entrypoint paths for the qmail_local_t domain are the following: + +/var/qmail/bin/qmail-local +.SH PROCESS TYPES 
@@ -72421,8 +126200,226 @@ index 0000000..923074e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qmail_local_t ++can be used to make the process type qmail_local_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qmail_local policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qmail_local with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the qmail_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the qmail_local_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type qmail_local_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B dovecot_spool_t ++ ++ /var/spool/dovecot(/.*)? ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B mail_home_rw_t ++ ++ /root/Maildir(/.*)? ++.br ++ /home/[^/]*/.maildir(/.*)? ++.br ++ /home/[^/]*/Maildir(/.*)? ++.br ++ /home/pwalsh/.maildir(/.*)? ++.br ++ /home/pwalsh/Maildir(/.*)? ++.br ++ /home/dwalsh/.maildir(/.*)? ++.br ++ /home/dwalsh/Maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/.maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/Maildir(/.*)? ++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B qmail_alias_home_t ++ ++ /var/qmail/alias(/.*)? ++.br ++ /var/qmail/alias ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
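Review bot: the MANAGED FILES lists added to qmail_local_selinux.8 contain host-specific home directory entries (/home/pwalsh/\.Private(/.*)?, /home/dwalsh/Maildir(/.*)?, /home/pwalsh/.+, /var/lib/xguest/home/xguest/.+) under ecryptfs_t, mail_home_rw_t and user_home_t. Those look like the build machine's genhomedircon expansion of the homedir template for its local users rather than part of the shipped policy, and they will show up in every installed copy of the page; the generator should emit only the template paths (the /home/[^/]*/ entries) or the pages should be regenerated on a clean host. The same lists recur in qmail_lspawn_selinux.8 further down. Two smaller points in the same hunk: the maildir patterns use an unescaped dot (/home/[^/]*/.maildir) while the ecryptfs ones escape it (\.Private), so the former also matches any single character before "maildir"; and the new NSSWITCH DOMAIN section repeats the authlogin_nsswitch_use_ldap and kerberos_enabled paragraphs already present in BOOLEANS a few lines above, without the "Enabled/Disabled by default" note the BOOLEANS copies carry.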
@@ -72432,7 +126429,20 @@ index 0000000..923074e +Policy governs the access confined processes have to these files. +SELinux qmail_local policy is very flexible allowing users to setup their qmail_local processes in as secure a method as possible. +.PP -+The following file types are defined for qmail_local: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qmail_local, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qmail_local_exec_t '/srv/qmail_local/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqmail_local_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qmail_local: + + +.EX 
@@ -72450,72 +126460,6 @@ index 0000000..923074e +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type qmail_local_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B dovecot_spool_t -+ -+ /var/spool/dovecot(/.*)? -+.br -+ -+.br -+.B mail_home_rw_t -+ -+ /root/Maildir(/.*)? -+.br -+ /home/[^/]*/Maildir(/.*)? -+.br -+ /home/dwalsh/Maildir(/.*)? -+.br -+ /var/lib/xguest/home/xguest/Maildir(/.*)? -+.br -+ -+.br -+.B mail_spool_t -+ -+ /var/mail(/.*)? -+.br -+ /var/spool/imap(/.*)? -+.br -+ /var/spool/mail(/.*)? -+.br -+ -+.br -+.B qmail_alias_home_t -+ -+ /var/qmail/alias(/.*)? -+.br -+ /var/qmail/alias -+.br -+ -+.br -+.B user_home_t -+ -+ /home/[^/]*/.+ -+.br -+ /home/dwalsh/.+ -+.br -+ /var/lib/xguest/home/xguest/.+ -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the qmail_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the qmail_local_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -72526,6 +126470,9 @@ index 0000000..923074e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -72537,15 +126484,15 @@ index 0000000..923074e + +.SH "SEE ALSO" +selinux(8), qmail_local(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) ++, setsebool(8), qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) \ No newline at end of file diff --git a/man/man8/qmail_lspawn_selinux.8 b/man/man8/qmail_lspawn_selinux.8 new file mode 100644 -index 0000000..7ac2a16 +index 0000000..c3528ed --- /dev/null +++ b/man/man8/qmail_lspawn_selinux.8 -@@ -0,0 +1,119 @@ -+.TH "qmail_lspawn_selinux" "8" "12-11-01" "qmail_lspawn" "SELinux Policy documentation for qmail_lspawn" +@@ -0,0 +1,255 @@ ++.TH "qmail_lspawn_selinux" "8" "13-01-16" "qmail_lspawn" "SELinux Policy documentation for qmail_lspawn" +.SH "NAME" +qmail_lspawn_selinux \- Security Enhanced Linux Policy for the qmail_lspawn processes +.SH "DESCRIPTION" @@ -72561,7 +126508,9 @@ index 0000000..7ac2a16 + +.SH "ENTRYPOINTS" + -+The qmail_lspawn_t SELinux type can be entered via the "qmail_lspawn_exec_t" file type. The default entrypoint paths for the qmail_lspawn_t domain are the following:" ++The qmail_lspawn_t SELinux type can be entered via the \fBqmail_lspawn_exec_t\fP file type. ++ ++The default entrypoint paths for the qmail_lspawn_t domain are the following: + +/var/qmail/bin/qmail-lspawn +.SH PROCESS TYPES 
@@ -72579,8 +126528,160 @@ index 0000000..7ac2a16 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qmail_lspawn_t ++can be used to make the process type qmail_lspawn_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qmail_lspawn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qmail_lspawn with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type qmail_lspawn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B dovecot_spool_t ++ ++ /var/spool/dovecot(/.*)? ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B mail_home_rw_t ++ ++ /root/Maildir(/.*)? ++.br ++ /home/[^/]*/.maildir(/.*)? ++.br ++ /home/[^/]*/Maildir(/.*)? ++.br ++ /home/pwalsh/.maildir(/.*)? ++.br ++ /home/pwalsh/Maildir(/.*)? ++.br ++ /home/dwalsh/.maildir(/.*)? ++.br ++ /home/dwalsh/Maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/.maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/Maildir(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -72590,7 +126691,20 @@ index 0000000..7ac2a16 +Policy governs the access confined processes have to these files. +SELinux qmail_lspawn policy is very flexible allowing users to setup their qmail_lspawn processes in as secure a method as possible. +.PP -+The following file types are defined for qmail_lspawn: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qmail_lspawn, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qmail_lspawn_exec_t '/srv/qmail_lspawn/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqmail_lspawn_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qmail_lspawn: + + +.EX @@ -72608,40 +126722,6 @@ index 0000000..7ac2a16 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type qmail_lspawn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B dovecot_spool_t -+ -+ /var/spool/dovecot(/.*)? -+.br -+ -+.br -+.B mail_home_rw_t -+ -+ /root/Maildir(/.*)? -+.br -+ /home/[^/]*/Maildir(/.*)? -+.br -+ /home/dwalsh/Maildir(/.*)? -+.br -+ /var/lib/xguest/home/xguest/Maildir(/.*)? -+.br -+ -+.br -+.B user_home_t -+ -+ /home/[^/]*/.+ -+.br -+ /home/dwalsh/.+ -+.br -+ /var/lib/xguest/home/xguest/.+ -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -72652,6 +126732,9 @@ index 0000000..7ac2a16 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -72663,15 +126746,15 @@ index 0000000..7ac2a16 + +.SH "SEE ALSO" +selinux(8), qmail_lspawn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) ++, setsebool(8), qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) \ No newline at end of file diff --git a/man/man8/qmail_queue_selinux.8 b/man/man8/qmail_queue_selinux.8 new file mode 100644 -index 0000000..473dcd0 +index 0000000..9178301 --- /dev/null +++ b/man/man8/qmail_queue_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "qmail_queue_selinux" "8" "12-11-01" "qmail_queue" "SELinux Policy documentation for qmail_queue" +@@ -0,0 +1,177 @@ ++.TH "qmail_queue_selinux" "8" "13-01-16" "qmail_queue" "SELinux Policy documentation for qmail_queue" +.SH "NAME" +qmail_queue_selinux \- Security Enhanced Linux Policy for the qmail_queue processes +.SH "DESCRIPTION" 
@@ -72687,7 +126770,9 @@ index 0000000..473dcd0 + +.SH "ENTRYPOINTS" + -+The qmail_queue_t SELinux type can be entered via the "qmail_queue_exec_t" file type. The default entrypoint paths for the qmail_queue_t domain are the following:" ++The qmail_queue_t SELinux type can be entered via the \fBqmail_queue_exec_t\fP file type. ++ ++The default entrypoint paths for the qmail_queue_t domain are the following: + +/var/qmail/bin/qmail-queue +.SH PROCESS TYPES 
@@ -72705,8 +126790,82 @@ index 0000000..473dcd0 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qmail_queue_t ++can be used to make the process type qmail_queue_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qmail_queue policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qmail_queue with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Gitosis can send mail, you must turn on the gitosis_can_sendmail boolean. Disabled by default. ++ ++.EX ++.B setsebool -P gitosis_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_sendmail 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type qmail_queue_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B arpwatch_tmp_t ++ ++ ++.br ++.B qmail_spool_t ++ ++ /var/qmail/queue(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -72716,7 +126875,20 @@ index 0000000..473dcd0 +Policy governs the access confined processes have to these files. +SELinux qmail_queue policy is very flexible allowing users to setup their qmail_queue processes in as secure a method as possible. +.PP -+The following file types are defined for qmail_queue: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qmail_queue, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qmail_queue_exec_t '/srv/qmail_queue/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqmail_queue_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qmail_queue: + + +.EX @@ -72734,22 +126906,6 @@ index 0000000..473dcd0 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type qmail_queue_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B arpwatch_tmp_t -+ -+ -+.br -+.B qmail_spool_t -+ -+ /var/qmail/queue(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
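Review bot: the boolean descriptions in the new BOOLEANS section of qmail_queue_selinux.8 are pasted into a fixed "If you want to <description>, you must turn on the <boolean> boolean" template, which yields a broken sentence whenever the description is not an infinitive: "If you want to determine whether Gitosis can send mail, you must turn on the gitosis_can_sendmail boolean" says nothing about what turning it on does, and the qemu_dm page earlier in this patch gets "If you want to allow xend to run qemu-dm. Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean." Either apply the template only to descriptions that start with "allow", "enable" or "support", or rewrite the descriptions to fit it. Also, the added setsebool(8) cross reference in SEE ALSO is emitted on a continuation line beginning with ", setsebool(8)", and the file still ends without a trailing newline ("\ No newline at end of file"); both are cosmetic, but the latter makes every future diff of these pages noisy.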
@@ -72760,6 +126916,9 @@ index 0000000..473dcd0 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -72771,15 +126930,15 @@ index 0000000..473dcd0 + +.SH "SEE ALSO" +selinux(8), qmail_queue(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) ++, setsebool(8), qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) \ No newline at end of file diff --git a/man/man8/qmail_remote_selinux.8 b/man/man8/qmail_remote_selinux.8 new file mode 100644 -index 0000000..0760c51 +index 0000000..14153fa --- /dev/null +++ b/man/man8/qmail_remote_selinux.8 -@@ -0,0 +1,97 @@ -+.TH "qmail_remote_selinux" "8" "12-11-01" "qmail_remote" "SELinux Policy documentation for qmail_remote" +@@ -0,0 +1,157 @@ ++.TH "qmail_remote_selinux" "8" "13-01-16" "qmail_remote" "SELinux Policy documentation for qmail_remote" +.SH "NAME" +qmail_remote_selinux \- Security Enhanced Linux Policy for the qmail_remote processes +.SH "DESCRIPTION" 
@@ -72795,7 +126954,9 @@ index 0000000..0760c51 + +.SH "ENTRYPOINTS" + -+The qmail_remote_t SELinux type can be entered via the "qmail_remote_exec_t" file type. The default entrypoint paths for the qmail_remote_t domain are the following:" ++The qmail_remote_t SELinux type can be entered via the \fBqmail_remote_exec_t\fP file type. ++ ++The default entrypoint paths for the qmail_remote_t domain are the following: + +/var/qmail/bin/qmail-remote +.SH PROCESS TYPES 
@@ -72813,8 +126974,62 @@ index 0000000..0760c51 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qmail_remote_t ++can be used to make the process type qmail_remote_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qmail_remote policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qmail_remote with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type qmail_remote_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B qmail_spool_t ++ ++ /var/qmail/queue(/.*)? 
++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -72824,7 +127039,20 @@ index 0000000..0760c51 +Policy governs the access confined processes have to these files. +SELinux qmail_remote policy is very flexible allowing users to setup their qmail_remote processes in as secure a method as possible. +.PP -+The following file types are defined for qmail_remote: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qmail_remote, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qmail_remote_exec_t '/srv/qmail_remote/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqmail_remote_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qmail_remote: + + +.EX @@ -72842,18 +127070,6 @@ index 0000000..0760c51 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type qmail_remote_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B qmail_spool_t -+ -+ /var/qmail/queue(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -72864,6 +127080,9 @@ index 0000000..0760c51 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -72875,15 +127094,15 @@ index 0000000..0760c51 + +.SH "SEE ALSO" +selinux(8), qmail_remote(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) ++, setsebool(8), qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) \ No newline at end of file diff --git a/man/man8/qmail_rspawn_selinux.8 b/man/man8/qmail_rspawn_selinux.8 new file mode 100644 -index 0000000..5c8ef31 +index 0000000..4aef96c --- /dev/null +++ b/man/man8/qmail_rspawn_selinux.8 -@@ -0,0 +1,97 @@ -+.TH "qmail_rspawn_selinux" "8" "12-11-01" "qmail_rspawn" "SELinux Policy documentation for qmail_rspawn" +@@ -0,0 +1,157 @@ ++.TH "qmail_rspawn_selinux" "8" "13-01-16" "qmail_rspawn" "SELinux Policy documentation for qmail_rspawn" +.SH "NAME" +qmail_rspawn_selinux \- Security Enhanced Linux Policy for the qmail_rspawn processes +.SH "DESCRIPTION" @@ -72899,7 +127118,9 @@ index 0000000..5c8ef31 + +.SH "ENTRYPOINTS" + -+The qmail_rspawn_t SELinux type can be entered via the "qmail_rspawn_exec_t" file type. The default entrypoint paths for the qmail_rspawn_t domain are the following:" ++The qmail_rspawn_t SELinux type can be entered via the \fBqmail_rspawn_exec_t\fP file type. ++ ++The default entrypoint paths for the qmail_rspawn_t domain are the following: + +/var/qmail/bin/qmail-rspawn +.SH PROCESS TYPES 
@@ -72917,8 +127138,62 @@ index 0000000..5c8ef31 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qmail_rspawn_t ++can be used to make the process type qmail_rspawn_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qmail_rspawn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qmail_rspawn with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type qmail_rspawn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B qmail_spool_t ++ ++ /var/qmail/queue(/.*)? 
++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -72928,7 +127203,20 @@ index 0000000..5c8ef31 +Policy governs the access confined processes have to these files. +SELinux qmail_rspawn policy is very flexible allowing users to setup their qmail_rspawn processes in as secure a method as possible. +.PP -+The following file types are defined for qmail_rspawn: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qmail_rspawn, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qmail_rspawn_exec_t '/srv/qmail_rspawn/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqmail_rspawn_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qmail_rspawn: + + +.EX @@ -72946,18 +127234,6 @@ index 0000000..5c8ef31 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type qmail_rspawn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B qmail_spool_t -+ -+ /var/qmail/queue(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -72968,6 +127244,9 @@ index 0000000..5c8ef31 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -72979,15 +127258,15 @@ index 0000000..5c8ef31 + +.SH "SEE ALSO" +selinux(8), qmail_rspawn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) ++, setsebool(8), qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) \ No newline at end of file diff --git a/man/man8/qmail_send_selinux.8 b/man/man8/qmail_send_selinux.8 new file mode 100644 -index 0000000..2dd46dd +index 0000000..286c764 --- /dev/null +++ b/man/man8/qmail_send_selinux.8 -@@ -0,0 +1,97 @@ -+.TH "qmail_send_selinux" "8" "12-11-01" "qmail_send" "SELinux Policy documentation for qmail_send" +@@ -0,0 +1,157 @@ ++.TH "qmail_send_selinux" "8" "13-01-16" "qmail_send" "SELinux Policy documentation for qmail_send" +.SH "NAME" +qmail_send_selinux \- Security Enhanced Linux Policy for the qmail_send processes +.SH "DESCRIPTION" @@ -73003,7 +127282,9 @@ index 0000000..2dd46dd + +.SH "ENTRYPOINTS" + -+The qmail_send_t SELinux type can be entered via the "qmail_send_exec_t" file type. The default entrypoint paths for the qmail_send_t domain are the following:" ++The qmail_send_t SELinux type can be entered via the \fBqmail_send_exec_t\fP file type. ++ ++The default entrypoint paths for the qmail_send_t domain are the following: + +/var/qmail/bin/qmail-send +.SH PROCESS TYPES 
@@ -73021,8 +127302,62 @@ index 0000000..2dd46dd +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qmail_send_t ++can be used to make the process type qmail_send_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qmail_send policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qmail_send with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type qmail_send_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B qmail_spool_t ++ ++ /var/qmail/queue(/.*)? 
++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -73032,7 +127367,20 @@ index 0000000..2dd46dd +Policy governs the access confined processes have to these files. +SELinux qmail_send policy is very flexible allowing users to setup their qmail_send processes in as secure a method as possible. +.PP -+The following file types are defined for qmail_send: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qmail_send, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qmail_send_exec_t '/srv/qmail_send/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqmail_send_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qmail_send: + + +.EX @@ -73050,18 +127398,6 @@ index 0000000..2dd46dd +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type qmail_send_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B qmail_spool_t -+ -+ /var/qmail/queue(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -73072,6 +127408,9 @@ index 0000000..2dd46dd +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -73083,15 +127422,15 @@ index 0000000..2dd46dd + +.SH "SEE ALSO" +selinux(8), qmail_send(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) ++, setsebool(8), qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) \ No newline at end of file diff --git a/man/man8/qmail_smtpd_selinux.8 b/man/man8/qmail_smtpd_selinux.8 new file mode 100644 -index 0000000..9e7c3d8 +index 0000000..cb37f7e --- /dev/null +++ b/man/man8/qmail_smtpd_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "qmail_smtpd_selinux" "8" "12-11-01" "qmail_smtpd" "SELinux Policy documentation for qmail_smtpd" +@@ -0,0 +1,155 @@ ++.TH "qmail_smtpd_selinux" "8" "13-01-16" "qmail_smtpd" "SELinux Policy documentation for qmail_smtpd" +.SH "NAME" +qmail_smtpd_selinux \- Security Enhanced Linux Policy for the qmail_smtpd processes +.SH "DESCRIPTION" @@ -73107,7 +127446,9 @@ index 0000000..9e7c3d8 + +.SH "ENTRYPOINTS" + -+The qmail_smtpd_t SELinux type can be entered via the "qmail_smtpd_exec_t" file type. The default entrypoint paths for the qmail_smtpd_t domain are the following:" ++The qmail_smtpd_t SELinux type can be entered via the \fBqmail_smtpd_exec_t\fP file type. ++ ++The default entrypoint paths for the qmail_smtpd_t domain are the following: + +/var/qmail/bin/qmail-smtpd +.SH PROCESS TYPES 
@@ -73125,8 +127466,60 @@ index 0000000..9e7c3d8 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qmail_smtpd_t ++can be used to make the process type qmail_smtpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qmail_smtpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qmail_smtpd with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -73136,7 +127529,20 @@ index 0000000..9e7c3d8 +Policy governs the access confined processes have to these files. +SELinux qmail_smtpd policy is very flexible allowing users to setup their qmail_smtpd processes in as secure a method as possible. +.PP -+The following file types are defined for qmail_smtpd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qmail_smtpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qmail_smtpd_exec_t '/srv/qmail_smtpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqmail_smtpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qmail_smtpd: + + +.EX @@ -73154,8 +127560,6 @@ index 0000000..9e7c3d8 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -73166,6 +127570,9 @@ index 0000000..9e7c3d8 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -73177,15 +127584,15 @@ index 0000000..9e7c3d8 + +.SH "SEE ALSO" +selinux(8), qmail_smtpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) ++, setsebool(8), qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) \ No newline at end of file diff --git a/man/man8/qmail_splogger_selinux.8 b/man/man8/qmail_splogger_selinux.8 new file mode 100644 -index 0000000..4598efb +index 0000000..a9deea0 --- /dev/null +++ b/man/man8/qmail_splogger_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "qmail_splogger_selinux" "8" "12-11-01" "qmail_splogger" "SELinux Policy documentation for qmail_splogger" +@@ -0,0 +1,147 @@ ++.TH "qmail_splogger_selinux" "8" "13-01-16" "qmail_splogger" "SELinux Policy documentation for qmail_splogger" +.SH "NAME" +qmail_splogger_selinux \- Security Enhanced Linux Policy for the qmail_splogger processes +.SH "DESCRIPTION" @@ -73201,7 +127608,9 @@ index 0000000..4598efb + +.SH "ENTRYPOINTS" + -+The qmail_splogger_t SELinux type can be entered via the "qmail_splogger_exec_t" file type. The default entrypoint paths for the qmail_splogger_t domain are the following:" ++The qmail_splogger_t SELinux type can be entered via the \fBqmail_splogger_exec_t\fP file type. ++ ++The default entrypoint paths for the qmail_splogger_t domain are the following: + +/var/qmail/bin/splogger +.SH PROCESS TYPES 
@@ -73219,8 +127628,52 @@ index 0000000..4598efb +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qmail_splogger_t ++can be used to make the process type qmail_splogger_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qmail_splogger policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qmail_splogger with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -73230,7 +127683,20 @@ index 0000000..4598efb +Policy governs the access confined processes have to these files. +SELinux qmail_splogger policy is very flexible allowing users to setup their qmail_splogger processes in as secure a method as possible. +.PP -+The following file types are defined for qmail_splogger: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qmail_splogger, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qmail_splogger_exec_t '/srv/qmail_splogger/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqmail_splogger_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qmail_splogger: + + +.EX @@ -73248,8 +127714,6 @@ index 0000000..4598efb +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -73260,6 +127724,9 @@ index 0000000..4598efb +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -73271,15 +127738,15 @@ index 0000000..4598efb + +.SH "SEE ALSO" +selinux(8), qmail_splogger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) ++, setsebool(8), qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_start_selinux(8), qmail_tcp_env_selinux(8) \ No newline at end of file diff --git a/man/man8/qmail_start_selinux.8 b/man/man8/qmail_start_selinux.8 new file mode 100644 -index 0000000..ff8236b +index 0000000..b244df2 --- /dev/null +++ b/man/man8/qmail_start_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "qmail_start_selinux" "8" "12-11-01" "qmail_start" "SELinux Policy documentation for qmail_start" +@@ -0,0 +1,183 @@ ++.TH "qmail_start_selinux" "8" "13-01-16" "qmail_start" "SELinux Policy documentation for qmail_start" +.SH "NAME" +qmail_start_selinux \- Security Enhanced Linux Policy for the qmail_start processes +.SH "DESCRIPTION" @@ -73295,7 +127762,9 @@ index 0000000..ff8236b + +.SH "ENTRYPOINTS" + -+The qmail_start_t SELinux type can be entered via the "qmail_start_exec_t" file type. The default entrypoint paths for the qmail_start_t domain are the following:" ++The qmail_start_t SELinux type can be entered via the \fBqmail_start_exec_t\fP file type. ++ ++The default entrypoint paths for the qmail_start_t domain are the following: + +/var/qmail/bin/qmail-start +.SH PROCESS TYPES 
@@ -73313,8 +127782,88 @@ index 0000000..ff8236b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qmail_start_t ++can be used to make the process type qmail_start_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qmail_start policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qmail_start with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type qmail_start_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -73324,7 +127873,20 @@ index 0000000..ff8236b +Policy governs the access confined processes have to these files. +SELinux qmail_start policy is very flexible allowing users to setup their qmail_start processes in as secure a method as possible. +.PP -+The following file types are defined for qmail_start: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qmail_start, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qmail_start_exec_t '/srv/qmail_start/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqmail_start_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qmail_start: + + +.EX @@ -73342,8 +127904,6 @@ index 0000000..ff8236b +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -73354,6 +127914,9 @@ index 0000000..ff8236b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -73365,15 +127928,15 @@ index 0000000..ff8236b + +.SH "SEE ALSO" +selinux(8), qmail_start(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_tcp_env_selinux(8) ++, setsebool(8), qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_tcp_env_selinux(8) \ No newline at end of file diff --git a/man/man8/qmail_tcp_env_selinux.8 b/man/man8/qmail_tcp_env_selinux.8 new file mode 100644 -index 0000000..86b82a0 +index 0000000..314a052 --- /dev/null +++ b/man/man8/qmail_tcp_env_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "qmail_tcp_env_selinux" "8" "12-11-01" "qmail_tcp_env" "SELinux Policy documentation for qmail_tcp_env" +@@ -0,0 +1,147 @@ ++.TH "qmail_tcp_env_selinux" "8" "13-01-16" "qmail_tcp_env" "SELinux Policy documentation for qmail_tcp_env" +.SH "NAME" +qmail_tcp_env_selinux \- Security Enhanced Linux Policy for the qmail_tcp_env processes +.SH "DESCRIPTION" 
@@ -73389,7 +127952,9 @@ index 0000000..86b82a0 + +.SH "ENTRYPOINTS" + -+The qmail_tcp_env_t SELinux type can be entered via the "qmail_tcp_env_exec_t" file type. The default entrypoint paths for the qmail_tcp_env_t domain are the following:" ++The qmail_tcp_env_t SELinux type can be entered via the \fBqmail_tcp_env_exec_t\fP file type. ++ ++The default entrypoint paths for the qmail_tcp_env_t domain are the following: + +/var/qmail/bin/tcp-env +.SH PROCESS TYPES 
@@ -73407,8 +127972,52 @@ index 0000000..86b82a0 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qmail_tcp_env_t ++can be used to make the process type qmail_tcp_env_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qmail_tcp_env policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qmail_tcp_env with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
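Review bot: the BOOLEANS hunk claims "qmail_tcp_env policy is extremely flexible and has several booleans that allow you to manipulate the policy", but every boolean it then lists (deny_ptrace, domain_fd_use, domain_kernel_load_modules, fips_mode, global_ssp) is a system-wide tunable with no qmail_tcp_env_t-specific effect. Either drop the intro sentence when a domain has no booleans of its own, or label these as global so an administrator does not flip domain_kernel_load_modules or global_ssp expecting a change scoped to qmail.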
@@ -73418,7 +128027,20 @@ index 0000000..86b82a0 +Policy governs the access confined processes have to these files. +SELinux qmail_tcp_env policy is very flexible allowing users to setup their qmail_tcp_env processes in as secure a method as possible. +.PP -+The following file types are defined for qmail_tcp_env: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qmail_tcp_env, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qmail_tcp_env_exec_t '/srv/qmail_tcp_env/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqmail_tcp_env_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qmail_tcp_env: + + +.EX @@ -73436,8 +128058,6 @@ index 0000000..86b82a0 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -73448,6 +128068,9 @@ index 0000000..86b82a0 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
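Review bot: the STANDARD FILE CONTEXT example in this hunk does not work as written: the semanage line labels '/srv/qmail_tcp_env/content(/.*)?' but the restorecon line relabels /srv/myqmail_tcp_env_content, a different path, so the mapping just added is never applied to disk. It also picks qmail_tcp_env_exec_t, an entrypoint type, for a content directory; every file dropped there would become an executable entrypoint into qmail_tcp_env_t. Use a data type and the same path in both commands. The same paragraph carries the template typos "diffent" and "sepecify", and "can also be used to manipulate the booleans" lacks its period; these repeat on every page in the patch, so fix them in the generator.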
@@ -73459,15 +128082,15 @@ index 0000000..86b82a0 + +.SH "SEE ALSO" +selinux(8), qmail_tcp_env(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8) ++, setsebool(8), qmail_clean_selinux(8), qmail_inject_selinux(8), qmail_local_selinux(8), qmail_lspawn_selinux(8), qmail_queue_selinux(8), qmail_remote_selinux(8), qmail_rspawn_selinux(8), qmail_send_selinux(8), qmail_smtpd_selinux(8), qmail_splogger_selinux(8), qmail_start_selinux(8) \ No newline at end of file diff --git a/man/man8/qpidd_selinux.8 b/man/man8/qpidd_selinux.8 new file mode 100644 -index 0000000..0d185be +index 0000000..ae830d2 --- /dev/null +++ b/man/man8/qpidd_selinux.8 -@@ -0,0 +1,140 @@ -+.TH "qpidd_selinux" "8" "12-11-01" "qpidd" "SELinux Policy documentation for qpidd" +@@ -0,0 +1,256 @@ ++.TH "qpidd_selinux" "8" "13-01-16" "qpidd" "SELinux Policy documentation for qpidd" +.SH "NAME" +qpidd_selinux \- Security Enhanced Linux Policy for the qpidd processes +.SH "DESCRIPTION" @@ -73483,7 +128106,9 @@ index 0000000..0d185be + +.SH "ENTRYPOINTS" + -+The qpidd_t SELinux type can be entered via the "qpidd_exec_t" file type. The default entrypoint paths for the qpidd_t domain are the following:" ++The qpidd_t SELinux type can be entered via the \fBqpidd_exec_t\fP file type. ++ ++The default entrypoint paths for the qpidd_t domain are the following: + +/usr/sbin/qpidd +.SH PROCESS TYPES 
@@ -73501,8 +128126,114 @@ index 0000000..0d185be +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a qpidd_t ++can be used to make the process type qpidd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. qpidd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qpidd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type qpidd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B qpidd_tmpfs_t ++ ++ ++.br ++.B qpidd_var_lib_t ++ ++ /var/lib/qpidd(/.*)? ++.br ++ ++.br ++.B qpidd_var_run_t ++ ++ /var/run/qpidd(/.*)? ++.br ++ /var/run/qpidd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
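Review bot: the MANAGED FILES hunk lists root_t, with default paths / and /initrd, among the types qpidd_t can manage (the qmail_start_t page earlier in this patch shows the same entry). A message broker writing to the filesystem root is a large grant; please confirm the policy actually allows qpidd_t to create or write root_t files and, if so, that the allow is intended rather than pulled in through a broad interface. If the entry is a generator artifact, suppress root_t in this section.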
@@ -73512,7 +128243,31 @@ index 0000000..0d185be +Policy governs the access confined processes have to these files. +SELinux qpidd policy is very flexible allowing users to setup their qpidd processes in as secure a method as possible. +.PP -+The following file types are defined for qpidd: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++qpidd policy stores data with multiple different file context types under the /var/run/qpidd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/qpidd /srv/qpidd ++.br ++.B restorecon -R -v /srv/qpidd ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the qpidd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t qpidd_exec_t '/srv/qpidd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myqpidd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for qpidd: + + +.EX @@ -73552,8 +128307,12 @@ index 0000000..0d185be +.B qpidd_var_run_t +.EE + -+- Set files with the qpidd_var_run_t type, if you want to store the qpidd files under the /run directory. ++- Set files with the qpidd_var_run_t type, if you want to store the qpidd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/qpidd(/.*)?, /var/run/qpidd\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
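Review bot: the EQUIVALENCE DIRECTORIES paragraph says qpidd "stores data with multiple different file context types under the /var/run/qpidd directory", but the only /var/run/qpidd paths shown in this file (/var/run/qpidd(/.*)? and /var/run/qpidd\.pid) are both qpidd_var_run_t, so the stated reason for an equivalence mapping is not supported by the listed contexts; reword the sentence or aim the example at a directory that really holds several types. "dirctory" is misspelled in the same paragraph, and the STANDARD FILE CONTEXT lines below it repeat the mismatched semanage path '/srv/qpidd/content(/.*)?' versus restorecon path /srv/myqpidd_content.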
@@ -73562,30 +128321,6 @@ index 0000000..0d185be +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type qpidd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B qpidd_tmpfs_t -+ -+ -+.br -+.B qpidd_var_lib_t -+ -+ /var/lib/qpidd(/.*)? -+.br -+ -+.br -+.B qpidd_var_run_t -+ -+ /var/run/qpidd(/.*)? -+.br -+ /var/run/qpidd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -73596,6 +128331,9 @@ index 0000000..0d185be +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -73607,13 +128345,15 @@ index 0000000..0d185be + +.SH "SEE ALSO" +selinux(8), qpidd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/quantum_selinux.8 b/man/man8/quantum_selinux.8 new file mode 100644 -index 0000000..7ccd16b +index 0000000..b004e76 --- /dev/null +++ b/man/man8/quantum_selinux.8 -@@ -0,0 +1,178 @@ -+.TH "quantum_selinux" "8" "12-11-01" "quantum" "SELinux Policy documentation for quantum" +@@ -0,0 +1,311 @@ ++.TH "quantum_selinux" "8" "13-01-16" "quantum" "SELinux Policy documentation for quantum" +.SH "NAME" +quantum_selinux \- Security Enhanced Linux Policy for the quantum processes +.SH "DESCRIPTION" 
@@ -73629,7 +128369,9 @@ index 0000000..7ccd16b + +.SH "ENTRYPOINTS" + -+The quantum_t SELinux type can be entered via the "quantum_exec_t" file type. The default entrypoint paths for the quantum_t domain are the following:" ++The quantum_t SELinux type can be entered via the \fBquantum_exec_t\fP file type. ++ ++The default entrypoint paths for the quantum_t domain are the following: + +/usr/bin/quantum-server, /usr/bin/quantum-ryu-agent, /usr/bin/quantum-openvswitch-agent, /usr/bin/quantum-linuxbridge-agent +.SH PROCESS TYPES 
@@ -73647,8 +128389,169 @@ index 0000000..7ccd16b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a quantum_t ++can be used to make the process type quantum_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. quantum policy is extremely flexible and has several booleans that allow you to manipulate the policy and run quantum with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the quantum_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the quantum_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. 
++SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible. ++.PP ++The following port types are defined for quantum: ++ ++.EX ++.TP 5 ++.B quantum_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 9696 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type quantum_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B quantum_tmp_t ++ ++ ++.br ++.B quantum_var_lib_t ++ ++ /var/lib/quantum(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -73658,7 +128561,20 @@ index 0000000..7ccd16b +Policy governs the access confined processes have to these files. +SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible. +.PP -+The following file types are defined for quantum: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the quantum, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t quantum_exec_t '/srv/quantum/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myquantum_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for quantum: + + +.EX 
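Review bot: the PORT TYPES block in this hunk has unbalanced example macros: a single .EX is closed by two .EE lines, one right after ".TP 10" and another after "tcp 9696", so .TP 10 has no tag text and groff will warn about the stray .EE; drop the first .EE or move it below the port line. Separately, nscd_use_shm is reported here as "Disabled by default" while the qpidd page generated in the same run says "Enabled by default" for the same boolean; both cannot be right, so check where the generator reads the default from.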
@@ -73668,6 +128584,18 @@ index 0000000..7ccd16b + +- Set files with the quantum_exec_t type, if you want to transition an executable to the quantum_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/quantum-server, /usr/bin/quantum-ryu-agent, /usr/bin/quantum-openvswitch-agent, /usr/bin/quantum-linuxbridge-agent ++ ++.EX ++.PP ++.B quantum_initrc_exec_t ++.EE ++ ++- Set files with the quantum_initrc_exec_t type, if you want to transition an executable to the quantum_initrc_t domain. ++ + +.EX +.PP 
@@ -73708,65 +128636,6 @@ index 0000000..7ccd16b +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible. -+.PP -+The following port types are defined for quantum: -+ -+.EX -+.TP 5 -+.B quantum_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 9696 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type quantum_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B quantum_log_t -+ -+ /var/log/quantum(/.*)? -+.br -+ -+.br -+.B quantum_tmp_t -+ -+ -+.br -+.B quantum_var_lib_t -+ -+ /var/lib/quantum(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quantum_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the quantum_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -73780,6 +128649,9 @@ index 0000000..7ccd16b +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
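Review bot: the removal hunk drops quantum_log_t (/var/log/quantum(/.*)?) from MANAGED FILES, while the rewritten section earlier in this file keeps only quantum_tmp_t, quantum_var_lib_t and root_t. Everything else in this file is a reorder, so this is a real change in what the page says quantum_t can write; confirm whether the policy no longer lets quantum_t manage its log directory or whether the generator lost the entry, since a daemon that cannot write its own logs is a regression worth catching at review time.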
@@ -73791,13 +128663,15 @@ index 0000000..7ccd16b + +.SH "SEE ALSO" +selinux(8), quantum(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/quota_nld_selinux.8 b/man/man8/quota_nld_selinux.8 new file mode 100644 -index 0000000..e8c53e4 +index 0000000..5dd1832 --- /dev/null +++ b/man/man8/quota_nld_selinux.8 -@@ -0,0 +1,119 @@ -+.TH "quota_nld_selinux" "8" "12-11-01" "quota_nld" "SELinux Policy documentation for quota_nld" +@@ -0,0 +1,245 @@ ++.TH "quota_nld_selinux" "8" "13-01-16" "quota_nld" "SELinux Policy documentation for quota_nld" +.SH "NAME" +quota_nld_selinux \- Security Enhanced Linux Policy for the quota_nld processes +.SH "DESCRIPTION" @@ -73813,7 +128687,9 @@ index 0000000..e8c53e4 + +.SH "ENTRYPOINTS" + -+The quota_nld_t SELinux type can be entered via the "quota_nld_exec_t" file type. The default entrypoint paths for the quota_nld_t domain are the following:" ++The quota_nld_t SELinux type can be entered via the \fBquota_nld_exec_t\fP file type. ++ ++The default entrypoint paths for the quota_nld_t domain are the following: + +/usr/sbin/quota_nld +.SH PROCESS TYPES 
@@ -73831,8 +128707,142 @@ index 0000000..e8c53e4 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a quota_nld_t ++can be used to make the process type quota_nld_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. quota_nld policy is extremely flexible and has several booleans that allow you to manipulate the policy and run quota_nld with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type quota_nld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B quota_nld_var_run_t ++ ++ /var/run/quota_nld\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -73842,7 +128852,20 @@ index 0000000..e8c53e4 +Policy governs the access confined processes have to these files. +SELinux quota_nld policy is very flexible allowing users to setup their quota_nld processes in as secure a method as possible. +.PP -+The following file types are defined for quota_nld: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the quota_nld, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t quota_nld_exec_t '/srv/quota_nld/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myquota_nld_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for quota_nld: + + +.EX @@ -73858,7 +128881,7 @@ index 0000000..e8c53e4 +.B quota_nld_var_run_t +.EE + -+- Set files with the quota_nld_var_run_t type, if you want to store the quota nld files under the /run directory. ++- Set files with the quota_nld_var_run_t type, if you want to store the quota nld files under the /run or /var/run directory. + + +.PP 
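Review bot: NSSWITCH DOMAIN in this hunk repeats authlogin_nsswitch_use_ldap and kerberos_enabled, which the BOOLEANS section immediately above already lists with the same setsebool lines and the same wording apart from "for the quota_nld_t". One listing is enough; if the section is meant to single out booleans that gate name-service access, say so in its intro, otherwise drop it. The same duplication appears on the quantum page, and both copies keep the "rather then using a sssd server" typo (should be "rather than").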
@@ -73868,32 +128891,6 @@ index 0000000..e8c53e4 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type quota_nld_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B quota_nld_var_run_t -+ -+ /var/run/quota_nld\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -73904,6 +128901,9 @@ index 0000000..e8c53e4 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -73915,15 +128915,15 @@ index 0000000..e8c53e4 + +.SH "SEE ALSO" +selinux(8), quota_nld(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, quota_selinux(8), quota_selinux(8) ++, setsebool(8), quota_selinux(8), quota_selinux(8) \ No newline at end of file diff --git a/man/man8/quota_selinux.8 b/man/man8/quota_selinux.8 new file mode 100644 -index 0000000..f6b1bff +index 0000000..223b53e --- /dev/null 
+++ b/man/man8/quota_selinux.8 -@@ -0,0 +1,163 @@ -+.TH "quota_selinux" "8" "12-11-01" "quota" "SELinux Policy documentation for quota" +@@ -0,0 +1,235 @@ ++.TH "quota_selinux" "8" "13-01-16" "quota" "SELinux Policy documentation for quota" +.SH "NAME" +quota_selinux \- Security Enhanced Linux Policy for the quota processes +.SH "DESCRIPTION" @@ -73939,7 +128939,9 @@ index 0000000..f6b1bff + +.SH "ENTRYPOINTS" + -+The quota_t SELinux type can be entered via the "quota_exec_t" file type. The default entrypoint paths for the quota_t domain are the following:" ++The quota_t SELinux type can be entered via the \fBquota_exec_t\fP file type. ++ ++The default entrypoint paths for the quota_t domain are the following: + +/sbin/quota(check|on), /usr/sbin/quota(check|on), /usr/sbin/convertquota +.SH PROCESS TYPES 
@@ -73957,66 +128959,68 @@ index 0000000..f6b1bff +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a quota_t ++can be used to make the process type quota_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux quota policy is very flexible allowing users to setup their quota processes in as secure a method as possible. -+.PP -+The following file types are defined for quota: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. quota policy is extremely flexible and has several booleans that allow you to manipulate the policy and run quota with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B quota_db_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the quota_db_t type, if you want to treat the files as quota database content. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B quota_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the quota_exec_t type, if you want to transition an executable to the quota_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
+ +.EX -+.PP -+.B quota_flag_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the quota_flag_t type, if you want to treat the files as quota flag data. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B quota_nld_exec_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the quota_nld_exec_t type, if you want to transition an executable to the quota_nld_t domain. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B quota_nld_var_run_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the quota_nld_var_run_t type, if you want to store the quota nld files under the /run directory. -+ ++.SH NSSWITCH DOMAIN + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
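Review bot: the deny_ptrace paragraph in this hunk reads backwards: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" is followed by `setsebool -P deny_ptrace 1`. A boolean named deny_ptrace denies ptrace when it is on, so the sentence should say that turning it on blocks debugging and that `setsebool -P deny_ptrace 0` restores it; the "Enabled by default" suffix should also be checked against the real policy default before a man page tells admins to enable a restriction in order to get debugging. This is template output, so the same inverted paragraph lands in every regenerated page in this patch (rabbitmq_beam, rabbitmq_epmd, racoon and radiusd below); fix the boolean description in the generator rather than each page.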
@@ -74043,26 +129047,91 @@ index 0000000..f6b1bff +.br + /home/a?quota\.(user|group) +.br ++ /home/pwalsh/a?quota\.(user|group) ++.br + /home/dwalsh/a?quota\.(user|group) +.br + /var/lib/xguest/home/xguest/a?quota\.(user|group) +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux quota policy is very flexible allowing users to setup their quota processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the quota, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t quota_db_t '/srv/quota/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myquota_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for quota: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B quota_db_t +.EE + ++- Set files with the quota_db_t type, if you want to treat the files as quota database content. 
++ ++.br ++.TP 5 ++Paths: ++/a?quota\.(user|group), /etc/a?quota\.(user|group), /var/a?quota\.(user|group), /boot/a?quota\.(user|group), /var/spool/(.*/)?a?quota\.(user|group), /var/lib/openshift/a?quota\.(user|group), /var/lib/stickshift/a?quota\.(user|group), /home/[^/]*/a?quota\.(user|group), /home/a?quota\.(user|group), /home/pwalsh/a?quota\.(user|group), /home/dwalsh/a?quota\.(user|group), /var/lib/xguest/home/xguest/a?quota\.(user|group) ++ ++.EX ++.PP ++.B quota_exec_t ++.EE ++ ++- Set files with the quota_exec_t type, if you want to transition an executable to the quota_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/quota(check|on), /usr/sbin/quota(check|on), /usr/sbin/convertquota ++ ++.EX ++.PP ++.B quota_flag_t ++.EE ++ ++- Set files with the quota_flag_t type, if you want to treat the files as quota flag data. ++ ++ ++.EX ++.PP ++.B quota_nld_exec_t ++.EE ++ ++- Set files with the quota_nld_exec_t type, if you want to transition an executable to the quota_nld_t domain. ++ ++ ++.EX ++.PP ++.B quota_nld_var_run_t ++.EE ++ ++- Set files with the quota_nld_var_run_t type, if you want to store the quota nld files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -74074,6 +129143,9 @@ index 0000000..f6b1bff +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
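Review bot: the STANDARD FILE CONTEXT example in this hunk never applies the mapping it defines: `semanage fcontext -a -t quota_db_t '/srv/quota/content(/.*)?'` is followed by `restorecon -R -v /srv/myquota_content`, a different path, so anyone who copies it ends up with a labeling rule that is never put on disk. Use the same path in both commands. Two more things in the same hunk: the MANAGED FILES list now carries `/home/pwalsh/a?quota\.(user|group)` next to the existing `/home/dwalsh/...` entry; those are home directories on the machine that generated the page, are already covered by `/home/[^/]*/a?quota\.(user|group)`, and should not ship in packaged documentation. And `\fBls\bP` is a broken groff escape (it should be `\fBls\fP`), alongside "diffent" and "sepecify"; all three come from the template and repeat in every page below.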
@@ -74085,15 +129157,15 @@ index 0000000..f6b1bff + +.SH "SEE ALSO" +selinux(8), quota(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, quota_nld_selinux(8) ++, setsebool(8), quota_nld_selinux(8) \ No newline at end of file diff --git a/man/man8/rabbitmq_beam_selinux.8 b/man/man8/rabbitmq_beam_selinux.8 new file mode 100644 -index 0000000..01bdf1a +index 0000000..4585c51 --- /dev/null +++ b/man/man8/rabbitmq_beam_selinux.8 -@@ -0,0 +1,103 @@ -+.TH "rabbitmq_beam_selinux" "8" "12-11-01" "rabbitmq_beam" "SELinux Policy documentation for rabbitmq_beam" +@@ -0,0 +1,203 @@ ++.TH "rabbitmq_beam_selinux" "8" "13-01-16" "rabbitmq_beam" "SELinux Policy documentation for rabbitmq_beam" +.SH "NAME" +rabbitmq_beam_selinux \- Security Enhanced Linux Policy for the rabbitmq_beam processes +.SH "DESCRIPTION" @@ -74109,9 +129181,11 @@ index 0000000..01bdf1a + +.SH "ENTRYPOINTS" + -+The rabbitmq_beam_t SELinux type can be entered via the "rabbitmq_beam_exec_t" file type. The default entrypoint paths for the rabbitmq_beam_t domain are the following:" ++The rabbitmq_beam_t SELinux type can be entered via the \fBrabbitmq_beam_exec_t\fP file type. + -+/usr/lib64/erlang/erts-5.8.5/bin/beam.* ++The default entrypoint paths for the rabbitmq_beam_t domain are the following: ++ ++/usr/lib/erlang/erts.*/bin/beam.* +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
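Review bot: the entrypoint path for rabbitmq_beam_t changes from `/usr/lib64/erlang/erts-5.8.5/bin/beam.*` to `/usr/lib/erlang/erts.*/bin/beam.*`, which drops lib64 entirely. If the file_contexts entry is not something like `/usr/lib(64)?/erlang/erts.*/bin/beam.*`, beam on an x86_64 install is not labeled rabbitmq_beam_exec_t and the daemon starts without transitioning into rabbitmq_beam_t, which silently removes the confinement this page documents. Please confirm what file_contexts actually contains and make the man page mirror it; the epmd entrypoint further down has the same change. `erts.*` is also looser than it needs to be; `erts-[^/]*` keeps the match to the erts directory itself.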
@@ -74127,8 +129201,108 @@ index 0000000..01bdf1a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rabbitmq_beam_t ++can be used to make the process type rabbitmq_beam_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rabbitmq_beam policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rabbitmq_beam with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type rabbitmq_beam_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B rabbitmq_var_lib_t ++ ++ /var/lib/rabbitmq(/.*)? ++.br ++ ++.br ++.B rabbitmq_var_run_t ++ ++ /var/run/rabbitmq(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
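Review bot: the MANAGED FILES list in this hunk states that rabbitmq_beam_t can manage files labeled root_t (`/` and `/initrd`). The only rule visible on this page that would let a daemon write under / is the daemons_dump_core boolean listed just above it, which the page itself says is disabled by default; if that is the origin of the entry it should be marked as boolean-gated instead of being listed as unconditional access, because as written the page overstates what the domain can do in the default configuration. The same root_t entry shows up in the rabbitmq_epmd, racoon and radiusd pages below, so this looks like a generator issue (conditional allow rules reported without their condition) rather than four separate policy changes.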
@@ -74138,7 +129312,20 @@ index 0000000..01bdf1a +Policy governs the access confined processes have to these files. +SELinux rabbitmq_beam policy is very flexible allowing users to setup their rabbitmq_beam processes in as secure a method as possible. +.PP -+The following file types are defined for rabbitmq_beam: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rabbitmq_beam, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rabbitmq_beam_exec_t '/srv/rabbitmq_beam/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrabbitmq_beam_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rabbitmq_beam: + + +.EX @@ -74156,24 +129343,6 @@ index 0000000..01bdf1a +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type rabbitmq_beam_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B rabbitmq_var_lib_t -+ -+ /var/lib/rabbitmq(/.*)? -+.br -+ -+.br -+.B rabbitmq_var_log_t -+ -+ /var/log/rabbitmq(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -74184,6 +129353,9 @@ index 0000000..01bdf1a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
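Review bot: the STANDARD FILE CONTEXT example in the first hunk here tells users to run `semanage fcontext -a -t rabbitmq_beam_exec_t '/srv/rabbitmq_beam/content(/.*)?'`. rabbitmq_beam_exec_t is the entrypoint type for rabbitmq_beam_t, so labeling a content directory with it turns every file dropped there into a valid entrypoint into the confined domain, the opposite of what the "store files in a different path" paragraph is describing. The generator should choose a data type for this example (rabbitmq_var_lib_t is already on the page) or omit the example when a module defines only an exec type; the rabbitmq_epmd and racoon pages have the same problem. Separately, the second hunk removes rabbitmq_var_log_t (`/var/log/rabbitmq(/.*)?`) from rabbitmq_beam_t's MANAGED FILES with no mention in the changelog; if the policy really lost write access to its log directory that is a regression, and if it did not, the regenerated page is wrong.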
@@ -74195,15 +129367,15 @@ index 0000000..01bdf1a + +.SH "SEE ALSO" +selinux(8), rabbitmq_beam(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, rabbitmq_epmd_selinux(8) ++, setsebool(8), rabbitmq_epmd_selinux(8) \ No newline at end of file diff --git a/man/man8/rabbitmq_epmd_selinux.8 b/man/man8/rabbitmq_epmd_selinux.8 new file mode 100644 -index 0000000..5151b32 +index 0000000..022d5de --- /dev/null +++ b/man/man8/rabbitmq_epmd_selinux.8 -@@ -0,0 +1,97 @@ -+.TH "rabbitmq_epmd_selinux" "8" "12-11-01" "rabbitmq_epmd" "SELinux Policy documentation for rabbitmq_epmd" +@@ -0,0 +1,183 @@ ++.TH "rabbitmq_epmd_selinux" "8" "13-01-16" "rabbitmq_epmd" "SELinux Policy documentation for rabbitmq_epmd" +.SH "NAME" +rabbitmq_epmd_selinux \- Security Enhanced Linux Policy for the rabbitmq_epmd processes +.SH "DESCRIPTION" @@ -74219,9 +129391,11 @@ index 0000000..5151b32 + +.SH "ENTRYPOINTS" + -+The rabbitmq_epmd_t SELinux type can be entered via the "rabbitmq_epmd_exec_t" file type. The default entrypoint paths for the rabbitmq_epmd_t domain are the following:" ++The rabbitmq_epmd_t SELinux type can be entered via the \fBrabbitmq_epmd_exec_t\fP file type. + -+/usr/lib64/erlang/erts-5.8.5/bin/epmd ++The default entrypoint paths for the rabbitmq_epmd_t domain are the following: ++ ++/usr/lib/erlang/erts.*/bin/epmd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -74237,8 +129411,88 @@ index 0000000..5151b32 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rabbitmq_epmd_t ++can be used to make the process type rabbitmq_epmd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rabbitmq_epmd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rabbitmq_epmd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type rabbitmq_epmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -74248,7 +129502,20 @@ index 0000000..5151b32 +Policy governs the access confined processes have to these files. +SELinux rabbitmq_epmd policy is very flexible allowing users to setup their rabbitmq_epmd processes in as secure a method as possible. +.PP -+The following file types are defined for rabbitmq_epmd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rabbitmq_epmd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rabbitmq_epmd_exec_t '/srv/rabbitmq_epmd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrabbitmq_epmd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rabbitmq_epmd: + + +.EX 
@@ -74266,18 +129533,6 @@ index 0000000..5151b32 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type rabbitmq_epmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B rabbitmq_var_log_t -+ -+ /var/log/rabbitmq(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -74288,6 +129543,9 @@ index 0000000..5151b32 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -74299,15 +129557,15 @@ index 0000000..5151b32 + +.SH "SEE ALSO" +selinux(8), rabbitmq_epmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, rabbitmq_beam_selinux(8) ++, setsebool(8), rabbitmq_beam_selinux(8) \ No newline at end of file diff --git a/man/man8/racoon_selinux.8 b/man/man8/racoon_selinux.8 new file mode 100644 -index 0000000..58f53af +index 0000000..97ce29e --- /dev/null +++ b/man/man8/racoon_selinux.8 -@@ -0,0 +1,210 @@ -+.TH "racoon_selinux" "8" "12-11-01" "racoon" "SELinux Policy documentation for racoon" +@@ -0,0 +1,309 @@ ++.TH "racoon_selinux" "8" "13-01-16" "racoon" "SELinux Policy documentation for racoon" +.SH "NAME" +racoon_selinux \- Security Enhanced Linux Policy for the racoon processes +.SH "DESCRIPTION" 
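Review bot: the first hunk here drops rabbitmq_var_log_t from rabbitmq_epmd_t's MANAGED FILES as well, so after this patch neither rabbitmq page lists a domain that can write `/var/log/rabbitmq(/.*)?`. Please check the rabbitmq module against the policy these pages were generated from; the changelog has no rabbitmq entry, which suggests the man pages were regenerated from a different policy build than the one in this commit. The epmd page also carries the `rabbitmq_epmd_exec_t` labeling example for a content directory, with the same entrypoint concern raised for beam.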
@@ -74323,7 +129581,9 @@ index 0000000..58f53af + +.SH "ENTRYPOINTS" + -+The racoon_t SELinux type can be entered via the "racoon_exec_t" file type. The default entrypoint paths for the racoon_t domain are the following:" ++The racoon_t SELinux type can be entered via the \fBracoon_exec_t\fP file type. ++ ++The default entrypoint paths for the racoon_t domain are the following: + +/usr/sbin/racoon +.SH PROCESS TYPES 
@@ -74341,60 +129601,132 @@ index 0000000..58f53af +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a racoon_t ++can be used to make the process type racoon_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. racoon policy is extremely flexible and has several booleans that allow you to manipulate the policy and run racoon with the tightest access possible. + + +.PP -+If you want to allow racoon to read shadow, you must turn on the racoon_read_shadow boolean. ++If you want to allow racoon to read shadow, you must turn on the racoon_read_shadow boolean. Disabled by default. + +.EX +.B setsebool -P racoon_read_shadow 1 ++ +.EE + +.PP -+If you want to allow racoon to read shadow, you must turn on the racoon_read_shadow boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P racoon_read_shadow 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux racoon policy is very flexible allowing users to setup their racoon processes in as secure a method as possible. -+.PP -+The following file types are defined for racoon: -+ ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. 
+ +.EX -+.PP -+.B racoon_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the racoon_exec_t type, if you want to transition an executable to the racoon_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B racoon_tmp_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the racoon_tmp_t type, if you want to store racoon temporary files in the /tmp directories. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the racoon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the racoon_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -74405,12 +129737,12 @@ index 0000000..58f53af + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B ipsec_var_run_t @@ -74449,21 +129781,7 @@ index 0000000..58f53af +.br +.B lastlog_t + -+ /var/log/lastlog -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm ++ /var/log/lastlog.* +.br + +.br 
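Review bot: in this racoon hunk the NSSWITCH DOMAIN section repeats authlogin_nsswitch_use_ldap and kerberos_enabled, which are already listed under BOOLEANS a few lines earlier with their "Disabled by default" / "Enabled by default" suffix; the second copy has no default shown, so a reader sees two listings of the same boolean that do not agree in form. Dedupe in the generator. The hunk also removes the pcscd_var_run_t entries (`/var/run/pcscd(/.*)?` and the pcscd pid, pub, comm and events paths) from racoon_t's MANAGED FILES while adding `/var/log/faillog.*` and `/var/log/tallylog.*`; taking smartcard socket access away from the IKE daemon is fine if intended, but nothing in the changelog says so, and it should be confirmed as a deliberate policy change rather than a generation artifact.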
@@ -74471,26 +129789,65 @@ index 0000000..58f53af + + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux racoon policy is very flexible allowing users to setup their racoon processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the racoon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the racoon, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t racoon_exec_t '/srv/racoon/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myracoon_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for racoon: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B racoon_exec_t +.EE + ++- Set files with the racoon_exec_t type, if you want to transition an executable to the racoon_t domain. ++ ++ ++.EX ++.PP ++.B racoon_tmp_t ++.EE ++ ++- Set files with the racoon_tmp_t type, if you want to store racoon temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the racoon_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -74520,11 +129877,11 @@ index 0000000..58f53af \ No newline at end of file diff --git a/man/man8/radiusd_selinux.8 b/man/man8/radiusd_selinux.8 new file mode 100644 -index 0000000..2a14d47 +index 0000000..21f18de --- /dev/null +++ b/man/man8/radiusd_selinux.8 -@@ -0,0 +1,264 @@ -+.TH "radiusd_selinux" "8" "12-11-01" "radiusd" "SELinux Policy documentation for radiusd" +@@ -0,0 +1,376 @@ ++.TH "radiusd_selinux" "8" "13-01-16" "radiusd" "SELinux Policy documentation for radiusd" +.SH "NAME" +radiusd_selinux \- Security Enhanced Linux Policy for the radiusd processes +.SH "DESCRIPTION" @@ -74540,7 +129897,9 @@ index 0000000..2a14d47 + +.SH "ENTRYPOINTS" + -+The radiusd_t SELinux type can be entered via the "radiusd_exec_t" file type. The default entrypoint paths for the radiusd_t domain are the following:" ++The radiusd_t SELinux type can be entered via the \fBradiusd_exec_t\fP file type. ++ ++The default entrypoint paths for the radiusd_t domain are the following: + +/etc/cron\.(daily|monthly)/radiusd, /etc/cron\.(daily|weekly|monthly)/freeradius, /usr/sbin/radiusd, /usr/sbin/freeradius +.SH PROCESS TYPES 
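Review bot: the radiusd_t entrypoint list in this hunk has two cron regexes that disagree: `/etc/cron\.(daily|monthly)/radiusd` versus `/etc/cron\.(daily|weekly|monthly)/freeradius`. A weekly radiusd cron script would stay unlabeled and run in the cron domain instead of radiusd_t. Unless leaving weekly out is deliberate, both file_contexts entries should use the same `(daily|weekly|monthly)` group; the man page only mirrors whatever file_contexts says.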
@@ -74558,100 +129917,124 @@ index 0000000..2a14d47 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a radiusd_t ++can be used to make the process type radiusd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. radiusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run radiusd with the tightest access possible. + + +.PP -+If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P authlogin_radius 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P authlogin_radius 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux radiusd policy is very flexible allowing users to setup their radiusd processes in as secure a method as possible. -+.PP -+The following file types are defined for radiusd: -+ ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. 
Disabled by default. + +.EX -+.PP -+.B radiusd_etc_rw_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the radiusd_etc_rw_t type, if you want to treat the files as radiusd etc read/write content. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B radiusd_etc_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the radiusd_etc_t type, if you want to store radiusd files in the /etc directories. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B radiusd_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the radiusd_exec_t type, if you want to transition an executable to the radiusd_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B radiusd_initrc_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the radiusd_initrc_exec_t type, if you want to transition an executable to the radiusd_initrc_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B radiusd_log_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the radiusd_log_t type, if you want to treat the data as radiusd log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B radiusd_var_lib_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the radiusd_var_lib_t type, if you want to store the radiusd files under the /var/lib directory. 
-+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B radiusd_var_run_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the radiusd_var_run_t type, if you want to store the radiusd files under the /run directory. ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the radiusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the radiusd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -74685,26 +130068,12 @@ index 0000000..2a14d47 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br + +.br +.B radiusd_etc_rw_t @@ -74713,24 +130082,6 @@ index 0000000..2a14d47 +.br + +.br -+.B radiusd_log_t -+ -+ /var/log/radius(/.*)? -+.br -+ /var/log/radwtmp.* -+.br -+ /var/log/radacct(/.*)? -+.br -+ /var/log/radius\.log.* -+.br -+ /var/log/freeradius(/.*)? -+.br -+ /var/log/radiusd-freeradius(/.*)? -+.br -+ /var/log/radutmp -+.br -+ -+.br +.B radiusd_var_lib_t + + /var/lib/radiousd(/.*)? 
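Review bot: the radiusd_selinux.8 MANAGED FILES hunk drops radiusd_log_t (/var/log/radius, /var/log/radacct, /var/log/radutmp and the other log paths) and pcscd_var_run_t from the list of types radiusd_t can manage, while the FILE CONTEXTS section later on the same page still defines radiusd_log_t for the daemon's logs. Since the page is generated from the compiled policy, the removal means the policy no longer grants radiusd_t write access to its own log type; please confirm this is an intended tightening (append-only logging would be a legitimate reason) rather than a side effect of the generator's query changing, because a narrowed rule only shows up later as AVC denials from the running daemon.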
@@ -74744,22 +130095,140 @@ index 0000000..2a14d47 + /var/run/radiusd\.pid +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux radiusd policy is very flexible allowing users to setup their radiusd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the radiusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the radiusd_t, you must turn on the kerberos_enabled boolean. ++radiusd policy stores data with multiple different file context types under the /var/run/radiusd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/radiusd /srv/radiusd ++.br ++.B restorecon -R -v /srv/radiusd ++.PP ++ ++.PP ++radiusd policy stores data with multiple different file context types under the /var/log/radius directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. 
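Review bot: the FILE CONTEXTS text added to radiusd_selinux.8 carries a broken troff escape: `You can see the context of a file using the \fB\-Z\fP option to \fBls\bP` ends in `\bP` where `\fP` (restore previous font) is meant; `\b` is the bracket-building escape, so groff will not close the bold span there. The same line is present in the radvd, readahead and realmd pages of this patch, so this is a template string in the generator. While fixing it, `/srv dirctory` in the EQUIVALENCE DIRECTORIES paragraph should read `/srv directory`.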
If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/radius /srv/radius ++.br ++.B restorecon -R -v /srv/radius ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the radiusd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t radiusd_etc_rw_t '/srv/radiusd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myradiusd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for radiusd: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B radiusd_etc_rw_t +.EE + ++- Set files with the radiusd_etc_rw_t type, if you want to treat the files as radiusd etc read/write content. ++ ++ ++.EX ++.PP ++.B radiusd_etc_t ++.EE ++ ++- Set files with the radiusd_etc_t type, if you want to store radiusd files in the /etc directories. ++ ++ ++.EX ++.PP ++.B radiusd_exec_t ++.EE ++ ++- Set files with the radiusd_exec_t type, if you want to transition an executable to the radiusd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/cron\.(daily|monthly)/radiusd, /etc/cron\.(daily|weekly|monthly)/freeradius, /usr/sbin/radiusd, /usr/sbin/freeradius ++ ++.EX ++.PP ++.B radiusd_initrc_exec_t ++.EE ++ ++- Set files with the radiusd_initrc_exec_t type, if you want to transition an executable to the radiusd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B radiusd_log_t ++.EE ++ ++- Set files with the radiusd_log_t type, if you want to treat the data as radiusd log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/radius(/.*)?, /var/log/radutmp.*, /var/log/radwtmp.*, /var/log/radacct(/.*)?, /var/log/radius\.log.*, /var/log/freeradius(/.*)?, /var/log/radiusd-freeradius(/.*)? 
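Review bot: in the STANDARD FILE CONTEXT example of radiusd_selinux.8 the two commands do not refer to the same path: `semanage fcontext -a -t radiusd_etc_rw_t '/srv/radiusd/content(/.*)?'` adds a rule for /srv/radiusd/content, but the following `restorecon -R -v /srv/myradiusd_content` relabels an unrelated directory, so a reader who copies the pair adds a rule that is never applied. Use one path in both commands. The sentence above them also has `diffent paths` and `sepecify`; the block is generated for every page in the patch (radvd, rdisc, readahead and realmd show the same mismatch), so correct it once in the generator.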
++ ++.EX ++.PP ++.B radiusd_unit_file_t ++.EE ++ ++- Set files with the radiusd_unit_file_t type, if you want to treat the files as radiusd unit content. ++ ++ ++.EX ++.PP ++.B radiusd_var_lib_t ++.EE ++ ++- Set files with the radiusd_var_lib_t type, if you want to store the radiusd files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B radiusd_var_run_t ++.EE ++ ++- Set files with the radiusd_var_run_t type, if you want to store the radiusd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/radiusd(/.*)?, /var/run/radiusd\.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -74791,11 +130260,11 @@ index 0000000..2a14d47 \ No newline at end of file diff --git a/man/man8/radvd_selinux.8 b/man/man8/radvd_selinux.8 new file mode 100644 -index 0000000..1fba22f +index 0000000..7512b74 --- /dev/null +++ b/man/man8/radvd_selinux.8 -@@ -0,0 +1,136 @@ -+.TH "radvd_selinux" "8" "12-11-01" "radvd" "SELinux Policy documentation for radvd" +@@ -0,0 +1,278 @@ ++.TH "radvd_selinux" "8" "13-01-16" "radvd" "SELinux Policy documentation for radvd" +.SH "NAME" +radvd_selinux \- Security Enhanced Linux Policy for the radvd processes +.SH "DESCRIPTION" @@ -74811,7 +130280,9 @@ index 0000000..1fba22f + +.SH "ENTRYPOINTS" + -+The radvd_t SELinux type can be entered via the "radvd_exec_t" file type. The default entrypoint paths for the radvd_t domain are the following:" ++The radvd_t SELinux type can be entered via the \fBradvd_exec_t\fP file type. ++ ++The default entrypoint paths for the radvd_t domain are the following: + +/usr/sbin/radvd +.SH PROCESS TYPES 
@@ -74829,8 +130300,144 @@ index 0000000..1fba22f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a radvd_t ++can be used to make the process type radvd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. radvd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run radvd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the radvd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the radvd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type radvd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B radvd_var_run_t ++ ++ /var/run/radvd(/.*)? 
++.br ++ /var/run/radvd\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -74840,7 +130447,31 @@ index 0000000..1fba22f +Policy governs the access confined processes have to these files. +SELinux radvd policy is very flexible allowing users to setup their radvd processes in as secure a method as possible. +.PP -+The following file types are defined for radvd: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++radvd policy stores data with multiple different file context types under the /var/run/radvd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/radvd /srv/radvd ++.br ++.B restorecon -R -v /srv/radvd ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the radvd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t radvd_etc_t '/srv/radvd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myradvd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for radvd: + + +.EX 
@@ -74872,8 +130503,12 @@ index 0000000..1fba22f +.B radvd_var_run_t +.EE + -+- Set files with the radvd_var_run_t type, if you want to store the radvd files under the /run directory. ++- Set files with the radvd_var_run_t type, if you want to store the radvd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/radvd(/.*)?, /var/run/radvd\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -74882,34 +130517,6 @@ index 0000000..1fba22f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type radvd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B radvd_var_run_t -+ -+ /var/run/radvd(/.*)? -+.br -+ /var/run/radvd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the radvd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the radvd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -74920,6 +130527,9 @@ index 0000000..1fba22f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
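Review bot: the new `semanage boolean` entry in the radvd_selinux.8 COMMANDS hunk is the only item in that list without a terminating period (`can also be used to manipulate the booleans`) and says less than its neighbours; mirror the `semanage module` line, for example `can also be used to list and set policy booleans.` The same text is added to the rdisc, readahead and realmd pages.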
@@ -74931,13 +130541,23 @@ index 0000000..1fba22f + +.SH "SEE ALSO" +selinux(8), radvd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/raid_selinux.8 b/man/man8/raid_selinux.8 +new file mode 100644 +index 0000000..6fb1e18 +--- /dev/null ++++ b/man/man8/raid_selinux.8 +@@ -0,0 +1 @@ ++.so man8/mdadm_selinux.8 +\ No newline at end of file diff --git a/man/man8/rdisc_selinux.8 b/man/man8/rdisc_selinux.8 new file mode 100644 -index 0000000..436b9f8 +index 0000000..ae47f23 --- /dev/null +++ b/man/man8/rdisc_selinux.8 -@@ -0,0 +1,86 @@ -+.TH "rdisc_selinux" "8" "12-11-01" "rdisc" "SELinux Policy documentation for rdisc" +@@ -0,0 +1,187 @@ ++.TH "rdisc_selinux" "8" "13-01-16" "rdisc" "SELinux Policy documentation for rdisc" +.SH "NAME" +rdisc_selinux \- Security Enhanced Linux Policy for the rdisc processes +.SH "DESCRIPTION" @@ -74953,7 +130573,9 @@ index 0000000..436b9f8 + +.SH "ENTRYPOINTS" + -+The rdisc_t SELinux type can be entered via the "rdisc_exec_t" file type. The default entrypoint paths for the rdisc_t domain are the following:" ++The rdisc_t SELinux type can be entered via the \fBrdisc_exec_t\fP file type. ++ ++The default entrypoint paths for the rdisc_t domain are the following: + +/sbin/rdisc, /usr/sbin/rdisc +.SH PROCESS TYPES 
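Review bot: in the radvd_selinux.8 SEE ALSO hunk the new reference is appended as a separate troff input line that begins with a comma (`++, setsebool(8)` after `+selinux(8), radvd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)`); troff fills the two lines with a space between them, so the rendered text reads `sepolicy(8) , setsebool(8)`. Append `, setsebool(8)` to the end of the existing line instead. The same construction is repeated in the rdisc, readahead and realmd pages. The new raid_selinux.8 stub (`.so man8/mdadm_selinux.8`) is fine as an alias for the mdadm page.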
@@ -74971,8 +130593,88 @@ index 0000000..436b9f8 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rdisc_t ++can be used to make the process type rdisc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rdisc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rdisc with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type rdisc_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -74982,7 +130684,20 @@ index 0000000..436b9f8 +Policy governs the access confined processes have to these files. +SELinux rdisc policy is very flexible allowing users to setup their rdisc processes in as secure a method as possible. +.PP -+The following file types are defined for rdisc: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rdisc, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rdisc_exec_t '/srv/rdisc/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrdisc_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rdisc: + + +.EX 
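Review bot: the STANDARD FILE CONTEXT example added to rdisc_selinux.8 tells the administrator to label a content directory with an entrypoint type: `semanage fcontext -a -t rdisc_exec_t '/srv/rdisc/content(/.*)?'`. rdisc_exec_t is the file type through which rdisc_t is entered (see the ENTRYPOINTS section of the same page), so following the example would make any file placed under /srv/rdisc/content a valid entrypoint into the rdisc_t domain, which is not what someone storing data there wants. The generator appears to fall back to the module's first file type when no data type exists; it should prefer a non-exec type and omit the example for modules that define only an exec type. The readahead and realmd pages in this patch show the same example with readahead_exec_t and realmd_exec_t.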
@@ -74992,6 +130707,10 @@ index 0000000..436b9f8 + +- Set files with the rdisc_exec_t type, if you want to transition an executable to the rdisc_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/rdisc, /usr/sbin/rdisc + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -75000,8 +130719,6 @@ index 0000000..436b9f8 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -75012,6 +130729,9 @@ index 0000000..436b9f8 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -75023,13 +130743,15 @@ index 0000000..436b9f8 + +.SH "SEE ALSO" +selinux(8), rdisc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/readahead_selinux.8 b/man/man8/readahead_selinux.8 new file mode 100644 -index 0000000..56587b5 +index 0000000..725ec15 --- /dev/null +++ b/man/man8/readahead_selinux.8 -@@ -0,0 +1,180 @@ -+.TH "readahead_selinux" "8" "12-11-01" "readahead" "SELinux Policy documentation for readahead" +@@ -0,0 +1,257 @@ ++.TH "readahead_selinux" "8" "13-01-16" "readahead" "SELinux Policy documentation for readahead" +.SH "NAME" +readahead_selinux \- Security Enhanced Linux Policy for the readahead processes +.SH "DESCRIPTION" 
@@ -75045,7 +130767,9 @@ index 0000000..56587b5 + +.SH "ENTRYPOINTS" + -+The readahead_t SELinux type can be entered via the "readahead_exec_t" file type. The default entrypoint paths for the readahead_t domain are the following:" ++The readahead_t SELinux type can be entered via the \fBreadahead_exec_t\fP file type. ++ ++The default entrypoint paths for the readahead_t domain are the following: + +/sbin/readahead.*, /usr/sbin/readahead.*, /usr/lib/systemd/systemd-readahead.* +.SH PROCESS TYPES 
@@ -75063,50 +130787,60 @@ index 0000000..56587b5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a readahead_t ++can be used to make the process type readahead_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux readahead policy is very flexible allowing users to setup their readahead processes in as secure a method as possible. -+.PP -+The following file types are defined for readahead: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. readahead policy is extremely flexible and has several booleans that allow you to manipulate the policy and run readahead with the tightest access possible. + + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ +.EX -+.PP -+.B readahead_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the readahead_exec_t type, if you want to transition an executable to the readahead_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B readahead_var_lib_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the readahead_var_lib_t type, if you want to store the readahead files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.PP -+.B readahead_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the readahead_var_run_t type, if you want to store the readahead files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -75133,10 +130867,10 @@ index 0000000..56587b5 +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -75145,10 +130879,10 @@ index 0000000..56587b5 +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE 
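Review bot: the readahead_selinux.8 MANAGED FILES hunk only swaps the order of neighbouring entries (`/\.autofsck` with `/forcefsck`, `/etc/killpower` with `/etc/nohotplug`) without changing content. That churn comes from iterating an unordered collection in the generator and is a large part of why this man-page patch is hard to review; sorting the path list before emitting it would make regenerated pages diff cleanly.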
@@ -75186,7 +130920,68 @@ index 0000000..56587b5 + /sys(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux readahead policy is very flexible allowing users to setup their readahead processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the readahead, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t readahead_exec_t '/srv/readahead/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myreadahead_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for readahead: ++ ++ ++.EX ++.PP ++.B readahead_exec_t ++.EE ++ ++- Set files with the readahead_exec_t type, if you want to transition an executable to the readahead_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/readahead.*, /usr/sbin/readahead.*, /usr/lib/systemd/systemd-readahead.* ++ ++.EX ++.PP ++.B readahead_var_lib_t ++.EE ++ ++- Set files with the readahead_var_lib_t type, if you want to store the readahead files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B readahead_var_run_t ++.EE ++ ++- Set files with the readahead_var_run_t type, if you want to store the readahead files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/dev/\.systemd/readahead(/.*)?, /var/run/systemd/readahead(/.*)? ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. 
This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -75198,6 +130993,9 @@ index 0000000..56587b5 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -75209,13 +131007,15 @@ index 0000000..56587b5 + +.SH "SEE ALSO" +selinux(8), readahead(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/realmd_selinux.8 b/man/man8/realmd_selinux.8 new file mode 100644 -index 0000000..926344d +index 0000000..99fb97c --- /dev/null +++ b/man/man8/realmd_selinux.8 -@@ -0,0 +1,166 @@ -+.TH "realmd_selinux" "8" "12-11-01" "realmd" "SELinux Policy documentation for realmd" +@@ -0,0 +1,265 @@ ++.TH "realmd_selinux" "8" "13-01-16" "realmd" "SELinux Policy documentation for realmd" +.SH "NAME" +realmd_selinux \- Security Enhanced Linux Policy for the realmd processes +.SH "DESCRIPTION" @@ -75231,7 +131031,9 @@ index 0000000..926344d + +.SH "ENTRYPOINTS" + -+The realmd_t SELinux type can be entered via the "realmd_exec_t" file type. The default entrypoint paths for the realmd_t domain are the following:" ++The realmd_t SELinux type can be entered via the \fBrealmd_exec_t\fP file type. ++ ++The default entrypoint paths for the realmd_t domain are the following: + +/usr/lib/realmd/realmd +.SH PROCESS TYPES 
@@ -75249,34 +131051,100 @@ index 0000000..926344d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a realmd_t ++can be used to make the process type realmd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux realmd policy is very flexible allowing users to setup their realmd processes in as secure a method as possible. -+.PP -+The following file types are defined for realmd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. realmd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run realmd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B realmd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the realmd_exec_t type, if you want to transition an executable to the realmd_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the realmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the realmd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -75291,6 +131159,10 @@ index 0000000..926344d +.br + /home/[^/]*/\.cache(/.*)? +.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br + /home/dwalsh/\.nv(/.*)? +.br + /home/dwalsh/\.cache(/.*)? 
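Review bot: the realmd_selinux.8 MANAGED FILES hunk adds `/home/pwalsh/\.nv(/.*)?` and `/home/pwalsh/\.cache(/.*)?` next to the existing `/home/dwalsh/...` entries. Those are per-user expansions from the build host's file_contexts.homedirs, not part of the policy, and they expose local account names in a shipped man page while documenting paths that do not exist on the reader's system. Generate the pages from file_contexts without the homedirs expansion (the generic `/home/[^/]*/\.cache(/.*)?` line already covers them) and strip the existing dwalsh entries in the same pass.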
@@ -75344,21 +131216,44 @@ index 0000000..926344d + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux realmd policy is very flexible allowing users to setup their realmd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the realmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the realmd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t realmd_exec_t '/srv/realmd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrealmd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for realmd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B realmd_exec_t +.EE + ++- Set files with the realmd_exec_t type, if you want to transition an executable to the realmd_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the realmd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -75370,6 +131265,9 @@ index 0000000..926344d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -75381,13 +131279,15 @@ index 0000000..926344d + +.SH "SEE ALSO" +selinux(8), realmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/regex_milter_selinux.8 b/man/man8/regex_milter_selinux.8 new file mode 100644 -index 0000000..6b0d3db +index 0000000..feb92ff --- /dev/null +++ b/man/man8/regex_milter_selinux.8 -@@ -0,0 +1,118 @@ -+.TH "regex_milter_selinux" "8" "12-11-01" "regex_milter" "SELinux Policy documentation for regex_milter" +@@ -0,0 +1,245 @@ ++.TH "regex_milter_selinux" "8" "13-01-16" "regex_milter" "SELinux Policy documentation for regex_milter" +.SH "NAME" +regex_milter_selinux \- Security Enhanced Linux Policy for the regex_milter processes +.SH "DESCRIPTION" @@ -75403,7 +131303,9 @@ index 0000000..6b0d3db + +.SH "ENTRYPOINTS" + -+The regex_milter_t SELinux type can be entered via the "regex_milter_exec_t" file type. The default entrypoint paths for the regex_milter_t domain are the following:" ++The regex_milter_t SELinux type can be entered via the \fBregex_milter_exec_t\fP file type. ++ ++The default entrypoint paths for the regex_milter_t domain are the following: + +/usr/sbin/milter-regex +.SH PROCESS TYPES 
@@ -75421,8 +131323,142 @@ index 0000000..6b0d3db +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a regex_milter_t ++can be used to make the process type regex_milter_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. regex_milter policy is extremely flexible and has several booleans that allow you to manipulate the policy and run regex_milter with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the regex_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the regex_milter_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type regex_milter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B regex_milter_data_t ++ ++ /var/spool/milter-regex(/.*)? 
++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -75432,7 +131468,20 @@ index 0000000..6b0d3db +Policy governs the access confined processes have to these files. +SELinux regex_milter policy is very flexible allowing users to setup their regex_milter processes in as secure a method as possible. +.PP -+The following file types are defined for regex_milter: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the regex_milter, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t regex_milter_data_t '/srv/regex_milter/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myregex_milter_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for regex_milter: + + +.EX 
@@ -75458,32 +131507,6 @@ index 0000000..6b0d3db +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type regex_milter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B regex_milter_data_t -+ -+ /var/spool/milter-regex(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the regex_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the regex_milter_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -75494,6 +131517,9 @@ index 0000000..6b0d3db +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -75505,13 +131531,404 @@ index 0000000..6b0d3db + +.SH "SEE ALSO" +selinux(8), regex_milter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/remote_login_selinux.8 b/man/man8/remote_login_selinux.8 +new file mode 100644 +index 0000000..edf2180 +--- /dev/null ++++ b/man/man8/remote_login_selinux.8 +@@ -0,0 +1,382 @@ ++.TH "remote_login_selinux" "8" "13-01-16" "remote_login" "SELinux Policy documentation for remote_login" ++.SH "NAME" ++remote_login_selinux \- Security Enhanced Linux Policy for the remote_login processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the remote_login processes via flexible mandatory access control. ++ ++The remote_login processes execute with the remote_login_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep remote_login_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The remote_login_t SELinux type can be entered via the \fBlogin_exec_t\fP file type. ++ ++The default entrypoint paths for the remote_login_t domain are the following: ++ ++/bin/login, /usr/bin/login, /usr/kerberos/sbin/login\.krb5 ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux remote_login policy is very flexible allowing users to setup their remote_login processes in as secure a method as possible. ++.PP ++The following process types are defined for remote_login: ++ ++.EX ++.B remote_login_t ++.EE ++.PP ++Note: ++.B semanage permissive -a remote_login_t ++can be used to make the process type remote_login_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. 
++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. remote_login policy is extremely flexible and has several booleans that allow you to manipulate the policy and run remote_login with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_radius 1 ++ ++.EE ++ ++.PP ++If you want to allow users to login using a yubikey server, you must turn on the authlogin_yubikey boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_yubikey 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to enable polyinstantiated directory support, you must turn on the polyinstantiation_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P polyinstantiation_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P unconfined_login 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the remote_login_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the remote_login_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type remote_login_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B auth_cache_t ++ ++ /var/cache/coolkey(/.*)? ++.br ++ ++.br ++.B auth_home_t ++ ++ /root/\.google_authenticator ++.br ++ /root/\.google_authenticator~ ++.br ++ /home/[^/]*/\.google_authenticator ++.br ++ /home/[^/]*/\.google_authenticator~ ++.br ++ /home/pwalsh/\.google_authenticator ++.br ++ /home/pwalsh/\.google_authenticator~ ++.br ++ /home/dwalsh/\.google_authenticator ++.br ++ /home/dwalsh/\.google_authenticator~ ++.br ++ /var/lib/xguest/home/xguest/\.google_authenticator ++.br ++ /var/lib/xguest/home/xguest/\.google_authenticator~ ++.br ++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B lastlog_t ++ ++ /var/log/lastlog.* ++.br ++ ++.br ++.B pam_var_console_t ++ ++ /var/run/console(/.*)? ++.br ++ ++.br ++.B pam_var_run_t ++ ++ /var/(db|lib|adm)/sudo(/.*)? ++.br ++ /var/run/sudo(/.*)? ++.br ++ /var/run/sepermit(/.*)? 
++.br ++ /var/run/pam_mount(/.*)? ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.br ++.B var_auth_t ++ ++ /var/ace(/.*)? ++.br ++ /var/rsa(/.*)? ++.br ++ /var/lib/abl(/.*)? ++.br ++ /var/lib/rsa(/.*)? ++.br ++ /var/lib/pam_ssh(/.*)? ++.br ++ /var/run/pam_ssh(/.*)? ++.br ++ /var/lib/pam_shield(/.*)? ++.br ++ /var/opt/quest/vas/vasd(/.*)? ++.br ++ /var/lib/google-authenticator(/.*)? ++.br ++ ++.br ++.B wtmp_t ++ ++ /var/log/wtmp.* ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), remote_login(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/restorecond_selinux.8 b/man/man8/restorecond_selinux.8 new file mode 100644 -index 0000000..0810458 +index 0000000..2ed2b30 --- /dev/null +++ b/man/man8/restorecond_selinux.8 -@@ -0,0 +1,124 @@ -+.TH "restorecond_selinux" "8" "12-11-01" "restorecond" "SELinux Policy documentation for restorecond" +@@ -0,0 +1,251 @@ ++.TH "restorecond_selinux" "8" "13-01-16" "restorecond" "SELinux Policy documentation for restorecond" +.SH "NAME" +restorecond_selinux \- Security Enhanced Linux Policy for the restorecond processes +.SH "DESCRIPTION" 
@@ -75527,7 +131944,9 @@ index 0000000..0810458 + +.SH "ENTRYPOINTS" + -+The restorecond_t SELinux type can be entered via the "restorecond_exec_t" file type. The default entrypoint paths for the restorecond_t domain are the following:" ++The restorecond_t SELinux type can be entered via the \fBrestorecond_exec_t\fP file type. ++ ++The default entrypoint paths for the restorecond_t domain are the following: + +/usr/sbin/restorecond +.SH PROCESS TYPES 
@@ -75545,8 +131964,148 @@ index 0000000..0810458 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a restorecond_t ++can be used to make the process type restorecond_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. restorecond policy is extremely flexible and has several booleans that allow you to manipulate the policy and run restorecond with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the restorecond_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the restorecond_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type restorecond_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B restorecond_var_run_t ++ ++ /var/run/restorecond\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -75556,7 +132115,20 @@ index 0000000..0810458 +Policy governs the access confined processes have to these files. +SELinux restorecond policy is very flexible allowing users to setup their restorecond processes in as secure a method as possible. +.PP -+The following file types are defined for restorecond: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the restorecond, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t restorecond_exec_t '/srv/restorecond/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrestorecond_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for restorecond: + + +.EX @@ -75572,7 +132144,7 @@ index 0000000..0810458 +.B restorecond_var_run_t +.EE + -+- Set files with the restorecond_var_run_t type, if you want to store the restorecond files under the /run directory. ++- Set files with the restorecond_var_run_t type, if you want to store the restorecond files under the /run or /var/run directory. + + +.PP 
@@ -75582,38 +132154,6 @@ index 0000000..0810458 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type restorecond_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B restorecond_var_run_t -+ -+ /var/run/restorecond\.pid -+.br -+ -+.br -+.B security_t -+ -+ /selinux -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the restorecond_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the restorecond_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -75624,6 +132164,9 @@ index 0000000..0810458 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -75635,13 +132178,15 @@ index 0000000..0810458 + +.SH "SEE ALSO" +selinux(8), restorecond(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/rgmanager_selinux.8 b/man/man8/rgmanager_selinux.8 new file mode 100644 -index 0000000..feb0254 +index 0000000..2a370f4 --- /dev/null 
+++ b/man/man8/rgmanager_selinux.8 -@@ -0,0 +1,276 @@ -+.TH "rgmanager_selinux" "8" "12-11-01" "rgmanager" "SELinux Policy documentation for rgmanager" +@@ -0,0 +1,411 @@ ++.TH "rgmanager_selinux" "8" "13-01-16" "rgmanager" "SELinux Policy documentation for rgmanager" +.SH "NAME" +rgmanager_selinux \- Security Enhanced Linux Policy for the rgmanager processes +.SH "DESCRIPTION" @@ -75657,9 +132202,11 @@ index 0000000..feb0254 + +.SH "ENTRYPOINTS" + -+The rgmanager_t SELinux type can be entered via the "rgmanager_exec_t" file type. The default entrypoint paths for the rgmanager_t domain are the following:" ++The rgmanager_t SELinux type can be entered via the \fBrgmanager_exec_t\fP file type. + -+/usr/lib(64)?/heartbeat/heartbeat, /usr/sbin/cpglockd, /usr/sbin/rgmanager ++The default entrypoint paths for the rgmanager_t domain are the following: ++ ++/usr/sbin/cpglockd, /usr/sbin/ccs_tool, /usr/sbin/rgmanager, /usr/sbin/cman_tool, /usr/lib/heartbeat/heartbeat +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -75675,100 +132222,132 @@ index 0000000..feb0254 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rgmanager_t ++can be used to make the process type rgmanager_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. rgmanager policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rgmanager with the tightest access possible. + + +.PP -+If you want to allow rgmanager domain to connect to the network using TCP, you must turn on the rgmanager_can_network_connect boolean. ++If you want to allow rgmanager domain to connect to the network using TCP, you must turn on the rgmanager_can_network_connect boolean. Disabled by default. + +.EX +.B setsebool -P rgmanager_can_network_connect 1 ++ +.EE + +.PP -+If you want to allow rgmanager domain to connect to the network using TCP, you must turn on the rgmanager_can_network_connect boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P rgmanager_can_network_connect 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux rgmanager policy is very flexible allowing users to setup their rgmanager processes in as secure a method as possible. 
-+.PP -+The following file types are defined for rgmanager: -+ ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B rgmanager_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the rgmanager_exec_t type, if you want to transition an executable to the rgmanager_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B rgmanager_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the rgmanager_initrc_exec_t type, if you want to transition an executable to the rgmanager_initrc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B rgmanager_tmp_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the rgmanager_tmp_t type, if you want to store rgmanager temporary files in the /tmp directories. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B rgmanager_tmpfs_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the rgmanager_tmpfs_t type, if you want to store rgmanager files on a tmpfs file system. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B rgmanager_var_lib_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the rgmanager_var_lib_t type, if you want to store the rgmanager files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
+ +.EX -+.PP -+.B rgmanager_var_log_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the rgmanager_var_log_t type, if you want to treat the data as rgmanager var log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B rgmanager_var_run_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the rgmanager_var_run_t type, if you want to store the rgmanager files under the /run directory. ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the rgmanager_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rgmanager_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -75821,7 +132400,7 @@ index 0000000..feb0254 +.br +.B rgmanager_var_lib_t + -+ /usr/lib(64)?/heartbeat(/.*)? ++ /usr/lib/heartbeat(/.*)? +.br + /var/lib/heartbeat(/.*)? +.br @@ -75847,6 +132426,14 @@ index 0000000..feb0254 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B samba_etc_t + + /etc/samba(/.*)? @@ -75855,6 +132442,8 @@ index 0000000..feb0254 +.br +.B samba_var_t + ++ /var/nmbd(/.*)? ++.br + /var/lib/samba(/.*)? +.br + /var/cache/samba(/.*)? 
@@ -75876,21 +132465,112 @@ index 0000000..feb0254 + /var/lib/nfs(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux rgmanager policy is very flexible allowing users to setup their rgmanager processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rgmanager_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rgmanager, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rgmanager_exec_t '/srv/rgmanager/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrgmanager_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rgmanager: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B rgmanager_exec_t +.EE + ++- Set files with the rgmanager_exec_t type, if you want to transition an executable to the rgmanager_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/cpglockd, /usr/sbin/ccs_tool, /usr/sbin/rgmanager, /usr/sbin/cman_tool, /usr/lib/heartbeat/heartbeat ++ ++.EX ++.PP ++.B rgmanager_initrc_exec_t ++.EE ++ ++- Set files with the rgmanager_initrc_exec_t type, if you want to transition an executable to the rgmanager_initrc_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/cpglockd, /etc/rc\.d/init\.d/rgmanager, /etc/rc\.d/init\.d/heartbeat ++ ++.EX ++.PP ++.B rgmanager_tmp_t ++.EE ++ ++- Set files with the rgmanager_tmp_t type, if you want to store rgmanager temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B rgmanager_tmpfs_t ++.EE ++ ++- Set files with the rgmanager_tmpfs_t type, if you want to store rgmanager files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B rgmanager_var_lib_t ++.EE ++ ++- Set files with the rgmanager_var_lib_t type, if you want to store the rgmanager files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/heartbeat(/.*)?, /var/lib/heartbeat(/.*)? ++ ++.EX ++.PP ++.B rgmanager_var_log_t ++.EE ++ ++- Set files with the rgmanager_var_log_t type, if you want to treat the data as rgmanager var log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/cluster/cpglockd\.log.*, /var/log/cluster/rgmanager\.log.* ++ ++.EX ++.PP ++.B rgmanager_var_run_t ++.EE ++ ++- Set files with the rgmanager_var_run_t type, if you want to store the rgmanager files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/heartbeat(/.*)?, /var/run/cpglockd\.pid, /var/run/rgmanager\.pid, /var/run/cluster/rgmanager\.sk ++ +.PP -+If you want to allow confined applications to run with kerberos for the rgmanager_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -75918,13 +132598,258 @@ index 0000000..feb0254 +selinux(8), rgmanager(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) +, setsebool(8) \ No newline at end of file +diff --git a/man/man8/rhev_agentd_consolehelper_selinux.8 b/man/man8/rhev_agentd_consolehelper_selinux.8 +new file mode 100644 +index 0000000..c5cfaf3 +--- /dev/null ++++ b/man/man8/rhev_agentd_consolehelper_selinux.8 +@@ -0,0 +1,238 @@ ++.TH "rhev_agentd_consolehelper_selinux" "8" "13-01-16" "rhev_agentd_consolehelper" "SELinux Policy documentation for rhev_agentd_consolehelper" ++.SH "NAME" ++rhev_agentd_consolehelper_selinux \- Security Enhanced Linux Policy for the rhev_agentd_consolehelper processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the rhev_agentd_consolehelper processes via flexible mandatory access control. ++ ++The rhev_agentd_consolehelper processes execute with the rhev_agentd_consolehelper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep rhev_agentd_consolehelper_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The rhev_agentd_consolehelper_t SELinux type can be entered via the \fBconsolehelper_exec_t\fP file type. ++ ++The default entrypoint paths for the rhev_agentd_consolehelper_t domain are the following: ++ ++/usr/bin/consolehelper ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux rhev_agentd_consolehelper policy is very flexible allowing users to setup their rhev_agentd_consolehelper processes in as secure a method as possible. 
++.PP ++The following process types are defined for rhev_agentd_consolehelper: ++ ++.EX ++.B rhev_agentd_consolehelper_t ++.EE ++.PP ++Note: ++.B semanage permissive -a rhev_agentd_consolehelper_t ++can be used to make the process type rhev_agentd_consolehelper_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rhev_agentd_consolehelper policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rhev_agentd_consolehelper with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the rhev_agentd_consolehelper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rhev_agentd_consolehelper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type rhev_agentd_consolehelper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? 
++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B lastlog_t ++ ++ /var/log/lastlog.* ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br ++ ++.br ++.B user_tmpfs_type ++ ++ all user content in tmpfs file systems ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), rhev_agentd_consolehelper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), rhev_agentd_selinux(8), rhev_agentd_selinux(8) +\ No newline at end of file diff --git a/man/man8/rhev_agentd_selinux.8 b/man/man8/rhev_agentd_selinux.8 new file mode 100644 -index 0000000..5550bd3 +index 0000000..02efda0 --- /dev/null +++ b/man/man8/rhev_agentd_selinux.8 -@@ -0,0 +1,152 @@ -+.TH "rhev_agentd_selinux" "8" "12-11-01" "rhev_agentd" "SELinux Policy documentation for rhev_agentd" +@@ -0,0 +1,295 @@ ++.TH "rhev_agentd_selinux" "8" "13-01-16" "rhev_agentd" "SELinux Policy documentation for rhev_agentd" +.SH "NAME" +rhev_agentd_selinux \- Security Enhanced Linux Policy for the rhev_agentd processes +.SH "DESCRIPTION" 
@@ -75940,9 +132865,11 @@ index 0000000..5550bd3 + +.SH "ENTRYPOINTS" + -+The rhev_agentd_t SELinux type can be entered via the "rhev_agentd_exec_t" file type. The default entrypoint paths for the rhev_agentd_t domain are the following:" ++The rhev_agentd_t SELinux type can be entered via the \fBrhev_agentd_exec_t\fP file type. + -+/usr/share/ovirt-guest-agent, /usr/share/rhev-agent/rhev-agentd\.py ++The default entrypoint paths for the rhev_agentd_t domain are the following: ++ ++/usr/share/ovirt-guest-agent, /usr/share/rhev-agent/rhev-agentd\.py, /usr/share/rhev-agent/LockActiveSession\.py, /usr/share/ovirt-guest-agent/LockActiveSession\.py +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -75958,8 +132885,156 @@ index 0000000..5550bd3 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rhev_agentd_t ++can be used to make the process type rhev_agentd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rhev_agentd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rhev_agentd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type rhev_agentd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B rhev_agentd_log_t ++ ++ /var/log/rhev-agent(/.*)? ++.br ++ /var/log/ovirt-guest-agent(/.*)? ++.br ++ ++.br ++.B rhev_agentd_tmp_t ++ ++ ++.br ++.B rhev_agentd_var_run_t ++ ++ /var/run/rhev-agentd\.pid ++.br ++ /var/run/ovirt-guest-agent\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -75969,7 +133044,20 @@ index 0000000..5550bd3 +Policy governs the access confined processes have to these files. +SELinux rhev_agentd policy is very flexible allowing users to setup their rhev_agentd processes in as secure a method as possible. +.PP -+The following file types are defined for rhev_agentd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rhev_agentd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rhev_agentd_exec_t '/srv/rhev_agentd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrhev_agentd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rhev_agentd: + + +.EX @@ -75979,6 +133067,10 @@ index 0000000..5550bd3 + +- Set files with the rhev_agentd_exec_t type, if you want to transition an executable to the rhev_agentd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/share/ovirt-guest-agent, /usr/share/rhev-agent/rhev-agentd\.py, /usr/share/rhev-agent/LockActiveSession\.py, /usr/share/ovirt-guest-agent/LockActiveSession\.py + +.EX +.PP @@ -75987,6 +133079,10 @@ index 0000000..5550bd3 + +- Set files with the rhev_agentd_log_t type, if you want to treat the data as rhev agentd log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/rhev-agent(/.*)?, /var/log/ovirt-guest-agent(/.*)? + +.EX +.PP 
@@ -76009,8 +133105,12 @@ index 0000000..5550bd3 +.B rhev_agentd_var_run_t +.EE + -+- Set files with the rhev_agentd_var_run_t type, if you want to store the rhev agentd files under the /run directory. ++- Set files with the rhev_agentd_var_run_t type, if you want to store the rhev agentd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/rhev-agentd\.pid, /var/run/ovirt-guest-agent\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -76019,42 +133119,6 @@ index 0000000..5550bd3 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type rhev_agentd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B rhev_agentd_log_t -+ -+ /var/log/rhev-agent(/.*)? -+.br -+ -+.br -+.B rhev_agentd_tmp_t -+ -+ -+.br -+.B rhev_agentd_var_run_t -+ -+ /var/run/rhev-agentd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -76065,6 +133129,9 @@ index 0000000..5550bd3 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -76076,13 +133143,15 @@ index 0000000..5550bd3 + +.SH "SEE ALSO" +selinux(8), rhev_agentd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), rhev_agentd_consolehelper_selinux(8) +\ No newline at end of file diff --git a/man/man8/rhgb_selinux.8 b/man/man8/rhgb_selinux.8 new file mode 100644 -index 0000000..a384089 +index 0000000..4faa850 --- /dev/null +++ b/man/man8/rhgb_selinux.8 -@@ -0,0 +1,106 @@ -+.TH "rhgb_selinux" "8" "12-11-01" "rhgb" "SELinux Policy documentation for rhgb" +@@ -0,0 +1,215 @@ ++.TH "rhgb_selinux" "8" "13-01-16" "rhgb" "SELinux Policy documentation for rhgb" +.SH "NAME" +rhgb_selinux \- Security Enhanced Linux Policy for the rhgb processes +.SH "DESCRIPTION" @@ -76098,7 +133167,9 @@ index 0000000..a384089 + +.SH "ENTRYPOINTS" + -+The rhgb_t SELinux type can be entered via the "rhgb_exec_t" file type. The default entrypoint paths for the rhgb_t domain are the following:" ++The rhgb_t SELinux type can be entered via the \fBrhgb_exec_t\fP file type. ++ ++The default entrypoint paths for the rhgb_t domain are the following: + +/usr/bin/rhgb +.SH PROCESS TYPES 
@@ -76116,8 +133187,112 @@ index 0000000..a384089 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rhgb_t ++can be used to make the process type rhgb_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rhgb policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rhgb with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type rhgb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B ramfs_t ++ ++ ++.br ++.B rhgb_tmpfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -76127,7 +133302,20 @@ index 0000000..a384089 +Policy governs the access confined processes have to these files. +SELinux rhgb policy is very flexible allowing users to setup their rhgb processes in as secure a method as possible. +.PP -+The following file types are defined for rhgb: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rhgb, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rhgb_exec_t '/srv/rhgb/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrhgb_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rhgb: + + +.EX @@ -76153,20 +133341,6 @@ index 0000000..a384089 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type rhgb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B ramfs_t -+ -+ -+.br -+.B rhgb_tmpfs_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -76177,6 +133351,9 @@ index 0000000..a384089 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -76188,13 +133365,15 @@ index 0000000..a384089 + +.SH "SEE ALSO" +selinux(8), rhgb(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/rhsmcertd_selinux.8 b/man/man8/rhsmcertd_selinux.8 new file mode 100644 -index 0000000..7350aa2 +index 0000000..26f77b9 
--- /dev/null +++ b/man/man8/rhsmcertd_selinux.8 -@@ -0,0 +1,164 @@ -+.TH "rhsmcertd_selinux" "8" "12-11-01" "rhsmcertd" "SELinux Policy documentation for rhsmcertd" +@@ -0,0 +1,259 @@ ++.TH "rhsmcertd_selinux" "8" "13-01-16" "rhsmcertd" "SELinux Policy documentation for rhsmcertd" +.SH "NAME" +rhsmcertd_selinux \- Security Enhanced Linux Policy for the rhsmcertd processes +.SH "DESCRIPTION" @@ -76210,7 +133389,9 @@ index 0000000..7350aa2 + +.SH "ENTRYPOINTS" + -+The rhsmcertd_t SELinux type can be entered via the "rhsmcertd_exec_t" file type. The default entrypoint paths for the rhsmcertd_t domain are the following:" ++The rhsmcertd_t SELinux type can be entered via the \fBrhsmcertd_exec_t\fP file type. ++ ++The default entrypoint paths for the rhsmcertd_t domain are the following: + +/usr/bin/rhsmcertd +.SH PROCESS TYPES 
@@ -76228,8 +133409,124 @@ index 0000000..7350aa2 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rhsmcertd_t ++can be used to make the process type rhsmcertd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rhsmcertd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rhsmcertd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type rhsmcertd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B rhsmcertd_lock_t ++ ++ /var/lock/subsys/rhsmcertd ++.br ++ ++.br ++.B rhsmcertd_var_lib_t ++ ++ /var/lib/rhsm(/.*)? ++.br ++ ++.br ++.B rhsmcertd_var_run_t ++ ++ /var/run/rhsm(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B var_lock_t ++ ++ /var/lock(/.*)? ++.br ++ /run/lock(/.*)? ++.br ++ /var/lock ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -76239,7 +133536,20 @@ index 0000000..7350aa2 +Policy governs the access confined processes have to these files. +SELinux rhsmcertd policy is very flexible allowing users to setup their rhsmcertd processes in as secure a method as possible. +.PP -+The following file types are defined for rhsmcertd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rhsmcertd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rhsmcertd_exec_t '/srv/rhsmcertd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrhsmcertd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rhsmcertd: + + +.EX @@ -76287,7 +133597,7 @@ index 0000000..7350aa2 +.B rhsmcertd_var_run_t +.EE + -+- Set files with the rhsmcertd_var_run_t type, if you want to store the rhsmcertd files under the /run directory. ++- Set files with the rhsmcertd_var_run_t type, if you want to store the rhsmcertd files under the /run or /var/run directory. + + +.PP 
@@ -76297,46 +133607,6 @@ index 0000000..7350aa2 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type rhsmcertd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B rhsmcertd_lock_t -+ -+ /var/lock/subsys/rhsmcertd -+.br -+ -+.br -+.B rhsmcertd_log_t -+ -+ /var/log/rhsm(/.*)? -+.br -+ -+.br -+.B rhsmcertd_var_lib_t -+ -+ /var/lib/rhsm(/.*)? -+.br -+ -+.br -+.B rhsmcertd_var_run_t -+ -+ /var/run/rhsm(/.*)? -+.br -+ -+.br -+.B var_lock_t -+ -+ /var/lock(/.*)? -+.br -+ /run/lock(/.*)? -+.br -+ /var/lock -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -76347,6 +133617,9 @@ index 0000000..7350aa2 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -76358,13 +133631,15 @@ index 0000000..7350aa2 + +.SH "SEE ALSO" +selinux(8), rhsmcertd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ricci_modcluster_selinux.8 b/man/man8/ricci_modcluster_selinux.8 new file mode 100644 -index 0000000..bbe6e5e +index 0000000..b0aae39 --- /dev/null +++ b/man/man8/ricci_modcluster_selinux.8 -@@ -0,0 +1,187 @@ -+.TH "ricci_modcluster_selinux" "8" "12-11-01" "ricci_modcluster" "SELinux Policy documentation for ricci_modcluster" +@@ -0,0 +1,285 @@ ++.TH "ricci_modcluster_selinux" "8" "13-01-16" "ricci_modcluster" "SELinux Policy documentation for ricci_modcluster" +.SH "NAME" +ricci_modcluster_selinux \- Security Enhanced Linux Policy for the ricci_modcluster processes +.SH "DESCRIPTION" 
@@ -76380,7 +133655,9 @@ index 0000000..bbe6e5e + +.SH "ENTRYPOINTS" + -+The ricci_modcluster_t SELinux type can be entered via the "ricci_modcluster_exec_t" file type. The default entrypoint paths for the ricci_modcluster_t domain are the following:" ++The ricci_modcluster_t SELinux type can be entered via the \fBricci_modcluster_exec_t\fP file type. ++ ++The default entrypoint paths for the ricci_modcluster_t domain are the following: + +/usr/libexec/modcluster +.SH PROCESS TYPES 
@@ -76398,74 +133675,100 @@ index 0000000..bbe6e5e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ricci_modcluster_t ++can be used to make the process type ricci_modcluster_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux ricci_modcluster policy is very flexible allowing users to setup their ricci_modcluster processes in as secure a method as possible. -+.PP -+The following file types are defined for ricci_modcluster: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ricci_modcluster policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ricci_modcluster with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B ricci_modcluster_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the ricci_modcluster_exec_t type, if you want to transition an executable to the ricci_modcluster_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B ricci_modcluster_var_lib_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the ricci_modcluster_var_lib_t type, if you want to store the ricci modcluster files under the /var/lib directory. 
-+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B ricci_modcluster_var_log_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the ricci_modcluster_var_log_t type, if you want to treat the data as ricci modcluster var log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B ricci_modcluster_var_run_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the ricci_modcluster_var_run_t type, if you want to store the ricci modcluster files under the /run directory. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B ricci_modclusterd_exec_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the ricci_modclusterd_exec_t type, if you want to transition an executable to the ricci_modclusterd_t domain. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B ricci_modclusterd_tmpfs_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the ricci_modclusterd_tmpfs_t type, if you want to store ricci modclusterd files on a tmpfs file system. ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
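Review bot: the deny_ptrace entry in the new BOOLEANS section contradicts itself: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" is followed by `setsebool -P deny_ptrace 1`, but turning deny_ptrace on is what forbids ptrace. An admin following this to attach a debugger to a stuck modcluster gets the opposite of what the sentence promises; either the description should say that the boolean denies ptrace, or the command should be `setsebool -P deny_ptrace 0`. The text is generated from the boolean's description, so correct it at the source and regenerate. Two smaller points in the same section: every boolean listed (authlogin_nsswitch_use_ldap, deny_ptrace, domain_fd_use, domain_kernel_load_modules, fips_mode, global_ssp, kerberos_enabled, nis_enabled, nscd_use_shm) is system-wide, so the lead sentence claiming that ricci_modcluster policy "has several booleans that allow you to ... run ricci_modcluster with the tightest access possible" overstates what follows; and "rather then using a sssd server" should be "rather than" (it appears twice, in BOOLEANS and in NSSWITCH DOMAIN).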
@@ -76510,101 +133813,65 @@ index 0000000..bbe6e5e + /var/run/systemd/ask-password-block(/.*)? +.br + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.B semanage port -+can also be used to manipulate the port definitions -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. 
-+ -+.SH "SEE ALSO" -+selinux(8), ricci_modcluster(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, ricci_selinux(8), ricci_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8) -\ No newline at end of file -diff --git a/man/man8/ricci_modclusterd_selinux.8 b/man/man8/ricci_modclusterd_selinux.8 -new file mode 100644 -index 0000000..7d43326 ---- /dev/null -+++ b/man/man8/ricci_modclusterd_selinux.8 -@@ -0,0 +1,159 @@ -+.TH "ricci_modclusterd_selinux" "8" "12-11-01" "ricci_modclusterd" "SELinux Policy documentation for ricci_modclusterd" -+.SH "NAME" -+ricci_modclusterd_selinux \- Security Enhanced Linux Policy for the ricci_modclusterd processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the ricci_modclusterd processes via flexible mandatory access control. -+ -+The ricci_modclusterd processes execute with the ricci_modclusterd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. -+ -+For example: -+ -+.B ps -eZ | grep ricci_modclusterd_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The ricci_modclusterd_t SELinux type can be entered via the "ricci_modclusterd_exec_t" file type. The default entrypoint paths for the ricci_modclusterd_t domain are the following:" -+ -+/usr/sbin/modclusterd -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux ricci_modclusterd policy is very flexible allowing users to setup their ricci_modclusterd processes in as secure a method as possible. 
-+.PP -+The following process types are defined for ricci_modclusterd: -+ -+.EX -+.B ricci_modclusterd_t, ricci_modcluster_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP +Policy governs the access confined processes have to these files. -+SELinux ricci_modclusterd policy is very flexible allowing users to setup their ricci_modclusterd processes in as secure a method as possible. ++SELinux ricci_modcluster policy is very flexible allowing users to setup their ricci_modcluster processes in as secure a method as possible. +.PP -+The following file types are defined for ricci_modclusterd: + ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ricci_modcluster, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ricci_modcluster_exec_t '/srv/ricci_modcluster/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myricci_modcluster_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ricci_modcluster: ++ ++ ++.EX ++.PP ++.B ricci_modcluster_exec_t ++.EE ++ ++- Set files with the ricci_modcluster_exec_t type, if you want to transition an executable to the ricci_modcluster_t domain. ++ ++ ++.EX ++.PP ++.B ricci_modcluster_var_lib_t ++.EE ++ ++- Set files with the ricci_modcluster_var_lib_t type, if you want to store the ricci modcluster files under the /var/lib directory. 
++ ++ ++.EX ++.PP ++.B ricci_modcluster_var_log_t ++.EE ++ ++- Set files with the ricci_modcluster_var_log_t type, if you want to treat the data as ricci modcluster var log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B ricci_modcluster_var_run_t ++.EE ++ ++- Set files with the ricci_modcluster_var_run_t type, if you want to store the ricci modcluster files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/clumond\.sock, /var/run/modclusterd\.pid + +.EX +.PP 
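Review bot: the relocated FILE CONTEXTS section for ricci_modcluster repeats the template defect from the rhsmcertd page: `semanage fcontext -a -t ricci_modcluster_exec_t '/srv/ricci_modcluster/content(/.*)?'` labels a content tree with the domain's entrypoint type, and the following `restorecon -R -v /srv/myricci_modcluster_content` targets a path that was never registered. In the unchanged context line "You can see the context of a file using the \fB\-Z\fP option to \fBls\bP", `\bP` is the troff bracket-building escape, not a font reset; it should be `\fP`, and the same typo appears in every PROCESS TYPES and FILE CONTEXTS paragraph in this patch (`\fBps\bP`, `\fBls\bP`). The new `Paths:` block under ricci_modcluster_var_run_t (`/var/run/clumond\.sock, /var/run/modclusterd\.pid`) is a useful addition; giving the var_lib and var_log types on this page the same treatment would let an admin see what actually lives under each label.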
@@ -76629,6 +133896,196 @@ index 0000000..7d43326 +.B restorecon +to apply the labels. + ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage port ++can also be used to manipulate the port definitions ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), ricci_modcluster(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), ricci_selinux(8), ricci_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8) +\ No newline at end of file +diff --git a/man/man8/ricci_modclusterd_selinux.8 b/man/man8/ricci_modclusterd_selinux.8 +new file mode 100644 +index 0000000..05dbf6f +--- /dev/null ++++ b/man/man8/ricci_modclusterd_selinux.8 +@@ -0,0 +1,279 @@ ++.TH "ricci_modclusterd_selinux" "8" "13-01-16" "ricci_modclusterd" "SELinux Policy documentation for ricci_modclusterd" ++.SH "NAME" ++ricci_modclusterd_selinux \- Security Enhanced Linux Policy for the ricci_modclusterd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the ricci_modclusterd processes via flexible mandatory access control. ++ ++The ricci_modclusterd processes execute with the ricci_modclusterd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++ ++For example: ++ ++.B ps -eZ | grep ricci_modclusterd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The ricci_modclusterd_t SELinux type can be entered via the \fBricci_modclusterd_exec_t\fP file type. ++ ++The default entrypoint paths for the ricci_modclusterd_t domain are the following: ++ ++/usr/sbin/modclusterd ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux ricci_modclusterd policy is very flexible allowing users to setup their ricci_modclusterd processes in as secure a method as possible. ++.PP ++The following process types are defined for ricci_modclusterd: ++ ++.EX ++.B ricci_modclusterd_t, ricci_modcluster_t ++.EE ++.PP ++Note: ++.B semanage permissive -a ricci_modclusterd_t ++can be used to make the process type ricci_modclusterd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ricci_modclusterd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ricci_modclusterd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP @@ -76659,12 +134116,6 @@ index 0000000..7d43326 +The SELinux process type ricci_modclusterd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B ricci_modcluster_var_log_t -+ -+ /var/log/clumond\.log.* -+.br -+ -+.br +.B ricci_modcluster_var_run_t + + /var/run/clumond\.sock 
@@ -76676,21 +134127,60 @@ index 0000000..7d43326 +.B ricci_modclusterd_tmpfs_t + + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux ricci_modclusterd policy is very flexible allowing users to setup their ricci_modclusterd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ricci_modclusterd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ricci_modclusterd_exec_t '/srv/ricci_modclusterd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myricci_modclusterd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ricci_modclusterd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B ricci_modclusterd_exec_t +.EE + ++- Set files with the ricci_modclusterd_exec_t type, if you want to transition an executable to the ricci_modclusterd_t domain. ++ ++ ++.EX ++.PP ++.B ricci_modclusterd_tmpfs_t ++.EE ++ ++- Set files with the ricci_modclusterd_tmpfs_t type, if you want to store ricci modclusterd files on a tmpfs file system. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the ricci_modcluster_t, ricci_modclusterd_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -76705,6 +134195,9 @@ index 0000000..7d43326 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -76716,15 +134209,15 @@ index 0000000..7d43326 + +.SH "SEE ALSO" +selinux(8), ricci_modclusterd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modcluster_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8) ++, setsebool(8), ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modcluster_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8) \ No newline at end of file diff --git a/man/man8/ricci_modlog_selinux.8 b/man/man8/ricci_modlog_selinux.8 new file mode 100644 -index 0000000..f0ca4e5 +index 0000000..eee80ea --- /dev/null +++ b/man/man8/ricci_modlog_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "ricci_modlog_selinux" "8" "12-11-01" "ricci_modlog" "SELinux Policy documentation for ricci_modlog" +@@ -0,0 +1,147 @@ ++.TH "ricci_modlog_selinux" "8" "13-01-16" "ricci_modlog" "SELinux Policy documentation for ricci_modlog" +.SH "NAME" +ricci_modlog_selinux \- Security Enhanced Linux Policy for the ricci_modlog processes +.SH "DESCRIPTION" 
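Review bot: the MANAGED FILES section for ricci_modclusterd_t changes in two ways that need a policy explanation, not just a regenerated page. `ricci_modcluster_var_log_t` (`/var/log/clumond\.log.*`) is removed from the list, so either modclusterd can no longer write its own log, which is a regression, or the generator has stopped reporting it, which should be stated. `root_t` with paths `/` and `/initrd` is added; a confined daemon able to manage files in the root directory is a widening, and it looks like a consequence of the daemons_dump_core boolean that appears in this page's new BOOLEANS section ("allow all daemons to write corefiles to /", disabled by default). If that is the source, the entry should say the access is conditional on that boolean rather than presenting root_t as always writable. The deny_ptrace entry has the same inverted wording as on the ricci_modcluster page, and SEE ALSO lists `ricci_selinux(8)` and `ricci_modcluster_selinux(8)` twice each.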
@@ -76740,7 +134233,9 @@ index 0000000..f0ca4e5 + +.SH "ENTRYPOINTS" + -+The ricci_modlog_t SELinux type can be entered via the "ricci_modlog_exec_t" file type. The default entrypoint paths for the ricci_modlog_t domain are the following:" ++The ricci_modlog_t SELinux type can be entered via the \fBricci_modlog_exec_t\fP file type. ++ ++The default entrypoint paths for the ricci_modlog_t domain are the following: + +/usr/libexec/ricci-modlog +.SH PROCESS TYPES 
@@ -76758,8 +134253,52 @@ index 0000000..f0ca4e5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ricci_modlog_t ++can be used to make the process type ricci_modlog_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ricci_modlog policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ricci_modlog with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
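Review bot: the BOOLEANS section added to the ricci_modlog page, and verbatim to the ricci_modrpm, ricci_modservice and ricci_modstorage pages that follow, lists only five global booleans (deny_ptrace, domain_fd_use, domain_kernel_load_modules, fips_mode, global_ssp) and repeats the inverted deny_ptrace wording ("allow sysadm to debug or ptrace" paired with `setsebool -P deny_ptrace 1`). For a helper whose only defined file type is ricci_modlog_exec_t this adds some forty lines and no domain-specific information, and the opening claim that "ricci_modlog policy ... has several booleans that allow you to ... run ricci_modlog with the tightest access possible" is not borne out by any of them. Have the generator either drop the section when no boolean references the domain or mark these as system-wide, so the per-domain pages stay readable.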
@@ -76769,7 +134308,20 @@ index 0000000..f0ca4e5 +Policy governs the access confined processes have to these files. +SELinux ricci_modlog policy is very flexible allowing users to setup their ricci_modlog processes in as secure a method as possible. +.PP -+The following file types are defined for ricci_modlog: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ricci_modlog, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ricci_modlog_exec_t '/srv/ricci_modlog/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myricci_modlog_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ricci_modlog: + + +.EX @@ -76787,8 +134339,6 @@ index 0000000..f0ca4e5 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -76799,6 +134349,9 @@ index 0000000..f0ca4e5 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -76810,15 +134363,15 @@ index 0000000..f0ca4e5 + +.SH "SEE ALSO" +selinux(8), ricci_modlog(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8) ++, setsebool(8), ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8) \ No newline at end of file 
diff --git a/man/man8/ricci_modrpm_selinux.8 b/man/man8/ricci_modrpm_selinux.8 new file mode 100644 -index 0000000..123f519 +index 0000000..5709422 --- /dev/null +++ b/man/man8/ricci_modrpm_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "ricci_modrpm_selinux" "8" "12-11-01" "ricci_modrpm" "SELinux Policy documentation for ricci_modrpm" +@@ -0,0 +1,147 @@ ++.TH "ricci_modrpm_selinux" "8" "13-01-16" "ricci_modrpm" "SELinux Policy documentation for ricci_modrpm" +.SH "NAME" +ricci_modrpm_selinux \- Security Enhanced Linux Policy for the ricci_modrpm processes +.SH "DESCRIPTION" @@ -76834,7 +134387,9 @@ index 0000000..123f519 + +.SH "ENTRYPOINTS" + -+The ricci_modrpm_t SELinux type can be entered via the "ricci_modrpm_exec_t" file type. The default entrypoint paths for the ricci_modrpm_t domain are the following:" ++The ricci_modrpm_t SELinux type can be entered via the \fBricci_modrpm_exec_t\fP file type. ++ ++The default entrypoint paths for the ricci_modrpm_t domain are the following: + +/usr/libexec/ricci-modrpm +.SH PROCESS TYPES 
@@ -76852,8 +134407,52 @@ index 0000000..123f519 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ricci_modrpm_t ++can be used to make the process type ricci_modrpm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ricci_modrpm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ricci_modrpm with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -76863,7 +134462,20 @@ index 0000000..123f519 +Policy governs the access confined processes have to these files. +SELinux ricci_modrpm policy is very flexible allowing users to setup their ricci_modrpm processes in as secure a method as possible. +.PP -+The following file types are defined for ricci_modrpm: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ricci_modrpm, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ricci_modrpm_exec_t '/srv/ricci_modrpm/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myricci_modrpm_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ricci_modrpm: + + +.EX @@ -76881,8 +134493,6 @@ index 0000000..123f519 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -76893,6 +134503,9 @@ index 0000000..123f519 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -76904,15 +134517,15 @@ index 0000000..123f519 + +.SH "SEE ALSO" +selinux(8), ricci_modrpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8) ++, setsebool(8), ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8) \ No newline at end of file 
diff --git a/man/man8/ricci_modservice_selinux.8 b/man/man8/ricci_modservice_selinux.8 new file mode 100644 -index 0000000..4c964e3 +index 0000000..68064fb --- /dev/null +++ b/man/man8/ricci_modservice_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "ricci_modservice_selinux" "8" "12-11-01" "ricci_modservice" "SELinux Policy documentation for ricci_modservice" +@@ -0,0 +1,147 @@ ++.TH "ricci_modservice_selinux" "8" "13-01-16" "ricci_modservice" "SELinux Policy documentation for ricci_modservice" +.SH "NAME" +ricci_modservice_selinux \- Security Enhanced Linux Policy for the ricci_modservice processes +.SH "DESCRIPTION" @@ -76928,7 +134541,9 @@ index 0000000..4c964e3 + +.SH "ENTRYPOINTS" + -+The ricci_modservice_t SELinux type can be entered via the "ricci_modservice_exec_t" file type. The default entrypoint paths for the ricci_modservice_t domain are the following:" ++The ricci_modservice_t SELinux type can be entered via the \fBricci_modservice_exec_t\fP file type. ++ ++The default entrypoint paths for the ricci_modservice_t domain are the following: + +/usr/libexec/ricci-modservice +.SH PROCESS TYPES 
@@ -76946,8 +134561,52 @@ index 0000000..4c964e3 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ricci_modservice_t ++can be used to make the process type ricci_modservice_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ricci_modservice policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ricci_modservice with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -76957,7 +134616,20 @@ index 0000000..4c964e3 +Policy governs the access confined processes have to these files. +SELinux ricci_modservice policy is very flexible allowing users to setup their ricci_modservice processes in as secure a method as possible. +.PP -+The following file types are defined for ricci_modservice: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ricci_modservice, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ricci_modservice_exec_t '/srv/ricci_modservice/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myricci_modservice_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ricci_modservice: + + +.EX @@ -76975,8 +134647,6 @@ index 0000000..4c964e3 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -76987,6 +134657,9 @@ index 0000000..4c964e3 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -76998,15 +134671,15 @@ index 0000000..4c964e3 + +.SH "SEE ALSO" +selinux(8), ricci_modservice(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modstorage_selinux(8) ++, setsebool(8), ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modstorage_selinux(8) \ No newline at end of file diff --git a/man/man8/ricci_modstorage_selinux.8 b/man/man8/ricci_modstorage_selinux.8 new file mode 100644 -index 0000000..d9a4baa +index 0000000..91ebd9c --- /dev/null +++ b/man/man8/ricci_modstorage_selinux.8 -@@ -0,0 +1,157 @@ -+.TH "ricci_modstorage_selinux" "8" "12-11-01" "ricci_modstorage" "SELinux Policy documentation for ricci_modstorage" +@@ -0,0 +1,251 @@ ++.TH "ricci_modstorage_selinux" "8" "13-01-16" "ricci_modstorage" "SELinux Policy documentation for ricci_modstorage" +.SH "NAME" +ricci_modstorage_selinux \- Security Enhanced Linux Policy for the ricci_modstorage processes +.SH "DESCRIPTION" @@ -77022,7 +134695,9 @@ index 0000000..d9a4baa + +.SH "ENTRYPOINTS" + -+The ricci_modstorage_t SELinux type can be entered via the "ricci_modstorage_exec_t" file type. The default entrypoint paths for the ricci_modstorage_t domain are the following:" ++The ricci_modstorage_t SELinux type can be entered via the \fBricci_modstorage_exec_t\fP file type. ++ ++The default entrypoint paths for the ricci_modstorage_t domain are the following: + +/usr/libexec/ricci-modstorage +.SH PROCESS TYPES 
@@ -77040,42 +134715,100 @@ index 0000000..d9a4baa +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ricci_modstorage_t ++can be used to make the process type ricci_modstorage_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux ricci_modstorage policy is very flexible allowing users to setup their ricci_modstorage processes in as secure a method as possible. -+.PP -+The following file types are defined for ricci_modstorage: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ricci_modstorage policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ricci_modstorage with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B ricci_modstorage_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the ricci_modstorage_exec_t type, if you want to transition an executable to the ricci_modstorage_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
+ +.EX -+.PP -+.B ricci_modstorage_lock_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the ricci_modstorage_lock_t type, if you want to treat the files as ricci modstorage lock data, stored under the /var/lock directory ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ricci_modstorage_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -77125,21 +134858,52 @@ index 0000000..d9a4baa + /etc/lvm(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux ricci_modstorage policy is very flexible allowing users to setup their ricci_modstorage processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modstorage_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ricci_modstorage, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ricci_modstorage_exec_t '/srv/ricci_modstorage/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myricci_modstorage_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ricci_modstorage: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B ricci_modstorage_exec_t +.EE + ++- Set files with the ricci_modstorage_exec_t type, if you want to transition an executable to the ricci_modstorage_t domain. ++ ++ ++.EX ++.PP ++.B ricci_modstorage_lock_t ++.EE ++ ++- Set files with the ricci_modstorage_lock_t type, if you want to treat the files as ricci modstorage lock data, stored under the /var/lock directory ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -77151,6 +134915,9 @@ index 0000000..d9a4baa +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -77162,15 +134929,15 @@ index 0000000..d9a4baa + +.SH "SEE ALSO" +selinux(8), ricci_modstorage(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8) ++, setsebool(8), ricci_selinux(8), ricci_selinux(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8) \ No newline at end of file diff --git a/man/man8/ricci_selinux.8 b/man/man8/ricci_selinux.8 new file mode 100644 -index 0000000..77e1008 +index 0000000..5bc4817 --- /dev/null +++ b/man/man8/ricci_selinux.8 -@@ -0,0 +1,394 @@ -+.TH "ricci_selinux" "8" "12-11-01" "ricci" "SELinux Policy documentation for ricci" +@@ -0,0 +1,495 @@ ++.TH "ricci_selinux" "8" "13-01-16" "ricci" "SELinux Policy documentation for ricci" +.SH "NAME" +ricci_selinux \- Security Enhanced Linux Policy for the ricci processes +.SH "DESCRIPTION" 
@@ -77186,9 +134953,12 @@ index 0000000..77e1008 + +.SH "ENTRYPOINTS" + -+The ricci_t SELinux type can be entered via the "ricci_exec_t,bin_t" file types. The default entrypoint paths for the ricci_t domain are the following:" ++The ricci_t SELinux type can be entered via the \fBricci_exec_t, bin_t\fP file types. + -+/usr/sbin/ricci, /bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, 
/etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, /usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, 
/usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, /usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, 
/etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, /usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, 
/usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, /usr/share/system-config-securitylevel/system-config-securitylevel\.py ++The default entrypoint paths for the ricci_t domain are the following: ++ ++All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin. 
++/usr/sbin/ricci +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -77204,8 +134974,264 @@ index 0000000..77e1008 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ricci_t ++can be used to make the process type ricci_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ricci policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ricci with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. 
++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible. ++.PP ++The following port types are defined for ricci: ++ ++.EX ++.TP 5 ++.B ricci_modcluster_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 16851 ++.EE ++udp 16851 ++.EE ++ ++.EX ++.TP 5 ++.B ricci_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 11111 ++.EE ++udp 11111 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type ricci_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B etc_runtime_t ++ ++ /[^/]+ ++.br ++ /etc/mtab.* ++.br ++ /etc/blkid(/.*)? ++.br ++ /etc/nologin.* ++.br ++ /etc/\.fstab\.hal\..+ ++.br ++ /halt ++.br ++ /fastboot ++.br ++ /poweroff ++.br ++ /etc/cmtab ++.br ++ /forcefsck ++.br ++ /\.autofsck ++.br ++ /\.suspended ++.br ++ /fsckoptions ++.br ++ /\.autorelabel ++.br ++ /etc/securetty ++.br ++ /etc/nohotplug ++.br ++ /etc/killpower ++.br ++ /etc/ioctl\.save ++.br ++ /etc/fstab\.REVOKE ++.br ++ /etc/network/ifstate ++.br ++ /etc/sysconfig/hwconf ++.br ++ /etc/ptal/ptal-printd-like ++.br ++ /etc/sysconfig/iptables\.save ++.br ++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf ++.br ++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf ++.br ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B ricci_tmp_t ++ ++ ++.br ++.B ricci_var_lib_t ++ ++ /var/lib/ricci(/.*)? ++.br ++ ++.br ++.B ricci_var_run_t ++ ++ /var/run/ricci\.pid ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? 
++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -77215,7 +135241,20 @@ index 0000000..77e1008 +Policy governs the access confined processes have to these files. +SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible. +.PP -+The following file types are defined for ricci: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ricci, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ricci_exec_t '/srv/ricci/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myricci_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ricci: + + +.EX @@ -77263,8 +135302,12 @@ index 0000000..77e1008 +.B ricci_modcluster_var_run_t +.EE + -+- Set files with the ricci_modcluster_var_run_t type, if you want to store the ricci modcluster files under the /run directory. ++- Set files with the ricci_modcluster_var_run_t type, if you want to store the ricci modcluster files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/clumond\.sock, /var/run/modclusterd\.pid + +.EX +.PP @@ -77351,7 +135394,7 @@ index 0000000..77e1008 +.B ricci_var_run_t +.EE + -+- Set files with the ricci_var_run_t type, if you want to store the ricci files under the /run directory. ++- Set files with the ricci_var_run_t type, if you want to store the ricci files under the /run or /var/run directory. + + +.PP 
@@ -77361,184 +135404,6 @@ index 0000000..77e1008 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux ricci policy is very flexible allowing users to setup their ricci processes in as secure a method as possible. -+.PP -+The following port types are defined for ricci: -+ -+.EX -+.TP 5 -+.B ricci_modcluster_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 16851 -+.EE -+udp 16851 -+.EE -+ -+.EX -+.TP 5 -+.B ricci_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 11111 -+.EE -+udp 11111 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type ricci_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B etc_runtime_t -+ -+ /[^/]+ -+.br -+ /etc/mtab.* -+.br -+ /etc/blkid(/.*)? -+.br -+ /etc/nologin.* -+.br -+ /etc/\.fstab\.hal\..+ -+.br -+ /halt -+.br -+ /fastboot -+.br -+ /poweroff -+.br -+ /etc/cmtab -+.br -+ /\.autofsck -+.br -+ /forcefsck -+.br -+ /\.suspended -+.br -+ /fsckoptions -+.br -+ /\.autorelabel -+.br -+ /etc/securetty -+.br -+ /etc/killpower -+.br -+ /etc/nohotplug -+.br -+ /etc/ioctl\.save -+.br -+ /etc/fstab\.REVOKE -+.br -+ /etc/network/ifstate -+.br -+ /etc/sysconfig/hwconf -+.br -+ /etc/ptal/ptal-printd-like -+.br -+ /etc/sysconfig/iptables\.save -+.br -+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -+.br -+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -+.br -+ -+.br -+.B faillog_t -+ -+ /var/log/btmp.* -+.br -+ /var/run/faillock(/.*)? 
-+.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B initrc_var_run_t -+ -+ /var/run/utmp -+.br -+ /var/run/random-seed -+.br -+ /var/run/runlevel\.dir -+.br -+ /var/run/setmixer_flag -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br -+.B ricci_tmp_t -+ -+ -+.br -+.B ricci_var_lib_t -+ -+ /var/lib/ricci(/.*)? -+.br -+ -+.br -+.B ricci_var_log_t -+ -+ -+.br -+.B ricci_var_run_t -+ -+ /var/run/ricci\.pid -+.br -+ -+.br -+.B systemd_passwd_var_run_t -+ -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -77552,6 +135417,9 @@ index 0000000..77e1008 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -77563,15 +135431,15 @@ index 0000000..77e1008 + +.SH "SEE ALSO" +selinux(8), ricci(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8) ++, setsebool(8), ricci_modcluster_selinux(8), ricci_modclusterd_selinux(8), ricci_modlog_selinux(8), ricci_modrpm_selinux(8), ricci_modservice_selinux(8), ricci_modstorage_selinux(8) \ No newline at end of file diff --git a/man/man8/rlogind_selinux.8 b/man/man8/rlogind_selinux.8 new file mode 100644 -index 0000000..436ab6e +index 0000000..8b26d45 --- /dev/null +++ b/man/man8/rlogind_selinux.8 -@@ -0,0 +1,328 @@ -+.TH "rlogind_selinux" "8" "12-11-01" "rlogind" "SELinux Policy documentation for rlogind" +@@ -0,0 +1,481 @@ ++.TH "rlogind_selinux" "8" "13-01-16" "rlogind" "SELinux Policy documentation for rlogind" +.SH "NAME" +rlogind_selinux \- Security Enhanced Linux Policy for the rlogind processes +.SH "DESCRIPTION" @@ -77587,7 +135455,9 @@ index 0000000..436ab6e + +.SH "ENTRYPOINTS" + -+The rlogind_t SELinux type can be entered via the "rlogind_exec_t" file type. The default entrypoint paths for the rlogind_t domain are the following:" ++The rlogind_t SELinux type can be entered via the \fBrlogind_exec_t\fP file type. ++ ++The default entrypoint paths for the rlogind_t domain are the following: + +/usr/lib/telnetlogin, /usr/sbin/in\.rlogind, /usr/kerberos/sbin/klogind +.SH PROCESS TYPES 
@@ -77605,66 +135475,156 @@ index 0000000..436ab6e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rlogind_t ++can be used to make the process type rlogind_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux rlogind policy is very flexible allowing users to setup their rlogind processes in as secure a method as possible. -+.PP -+The following file types are defined for rlogind: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rlogind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rlogind with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B rlogind_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the rlogind_exec_t type, if you want to transition an executable to the rlogind_t domain. -+ ++.PP ++If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean. Disabled by default. + +.EX -+.PP -+.B rlogind_home_t ++.B setsebool -P authlogin_radius 1 ++ +.EE + -+- Set files with the rlogind_home_t type, if you want to store rlogind files in the users home directory. -+ ++.PP ++If you want to allow users to login using a yubikey server, you must turn on the authlogin_yubikey boolean. 
Disabled by default. + +.EX -+.PP -+.B rlogind_keytab_t ++.B setsebool -P authlogin_yubikey 1 ++ +.EE + -+- Set files with the rlogind_keytab_t type, if you want to treat the files as kerberos keytab files. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B rlogind_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the rlogind_tmp_t type, if you want to store rlogind temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B rlogind_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the rlogind_var_run_t type, if you want to store the rlogind files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to enable polyinstantiated directory support, you must turn on the polyinstantiation_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P polyinstantiation_enabled 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the rlogind_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rlogind_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -77710,6 +135670,10 @@ index 0000000..436ab6e +.br + /home/[^/]*/\.google_authenticator~ +.br ++ /home/pwalsh/\.google_authenticator ++.br ++ /home/pwalsh/\.google_authenticator~ ++.br + /home/dwalsh/\.google_authenticator +.br + /home/dwalsh/\.google_authenticator~ @@ -77732,12 +135696,12 @@ index 0000000..436ab6e + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B initrc_var_run_t @@ -77778,7 +135742,7 @@ index 0000000..436ab6e +.br +.B lastlog_t + -+ /var/log/lastlog ++ /var/log/lastlog.* +.br + +.br @@ -77794,20 +135758,6 @@ index 0000000..436ab6e +.br + +.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br +.B rlogind_tmp_t + + @@ -77828,6 +135778,8 @@ index 0000000..436ab6e +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest @@ -77850,6 +135802,8 @@ index 0000000..436ab6e +.br + /var/lib/pam_shield(/.*)? +.br ++ /var/opt/quest/vas/vasd(/.*)? ++.br + /var/lib/google-authenticator(/.*)? +.br + 
@@ -77859,21 +135813,84 @@ index 0000000..436ab6e + /var/log/wtmp.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux rlogind policy is very flexible allowing users to setup their rlogind processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rlogind_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rlogind, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rlogind_exec_t '/srv/rlogind/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrlogind_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rlogind: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B rlogind_exec_t +.EE + ++- Set files with the rlogind_exec_t type, if you want to transition an executable to the rlogind_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/telnetlogin, /usr/sbin/in\.rlogind, /usr/kerberos/sbin/klogind ++ ++.EX ++.PP ++.B rlogind_home_t ++.EE ++ ++- Set files with the rlogind_home_t type, if you want to store rlogind files in the users home directory. 
++ ++.br ++.TP 5 ++Paths: ++/root/\.rlogin, /root/\.rhosts, /home/[^/]*/\.rlogin, /home/[^/]*/\.rhosts, /home/pwalsh/\.rlogin, /home/pwalsh/\.rhosts, /home/dwalsh/\.rlogin, /home/dwalsh/\.rhosts, /var/lib/xguest/home/xguest/\.rlogin, /var/lib/xguest/home/xguest/\.rhosts ++ ++.EX ++.PP ++.B rlogind_keytab_t ++.EE ++ ++- Set files with the rlogind_keytab_t type, if you want to treat the files as kerberos keytab files. ++ ++ ++.EX ++.PP ++.B rlogind_tmp_t ++.EE ++ ++- Set files with the rlogind_tmp_t type, if you want to store rlogind temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B rlogind_var_run_t ++.EE ++ ++- Set files with the rlogind_var_run_t type, if you want to store the rlogind files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the rlogind_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -77888,6 +135905,9 @@ index 0000000..436ab6e +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -77899,13 +135919,15 @@ index 0000000..436ab6e + +.SH "SEE ALSO" +selinux(8), rlogind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/rngd_selinux.8 b/man/man8/rngd_selinux.8 new file mode 100644 -index 0000000..bd28b6f +index 0000000..569ffb7 --- /dev/null 
+++ b/man/man8/rngd_selinux.8 -@@ -0,0 +1,102 @@ -+.TH "rngd_selinux" "8" "12-11-01" "rngd" "SELinux Policy documentation for rngd" +@@ -0,0 +1,199 @@ ++.TH "rngd_selinux" "8" "13-01-16" "rngd" "SELinux Policy documentation for rngd" +.SH "NAME" +rngd_selinux \- Security Enhanced Linux Policy for the rngd processes +.SH "DESCRIPTION" @@ -77921,7 +135943,9 @@ index 0000000..bd28b6f + +.SH "ENTRYPOINTS" + -+The rngd_t SELinux type can be entered via the "rngd_exec_t" file type. The default entrypoint paths for the rngd_t domain are the following:" ++The rngd_t SELinux type can be entered via the \fBrngd_exec_t\fP file type. ++ ++The default entrypoint paths for the rngd_t domain are the following: + +/usr/sbin/rngd +.SH PROCESS TYPES 
@@ -77939,8 +135963,88 @@ index 0000000..bd28b6f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rngd_t ++can be used to make the process type rngd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rngd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rngd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type rngd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -77950,7 +136054,20 @@ index 0000000..bd28b6f +Policy governs the access confined processes have to these files. +SELinux rngd policy is very flexible allowing users to setup their rngd processes in as secure a method as possible. +.PP -+The following file types are defined for rngd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rngd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rngd_exec_t '/srv/rngd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrngd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rngd: + + +.EX @@ -77984,8 +136101,6 @@ index 0000000..bd28b6f +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -77996,6 +136111,9 @@ index 0000000..bd28b6f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -78007,13 +136125,15 @@ index 0000000..bd28b6f + +.SH "SEE ALSO" +selinux(8), rngd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/roundup_selinux.8 b/man/man8/roundup_selinux.8 new file mode 100644 -index 0000000..22ad9ee +index 0000000..44cdde0 --- /dev/null +++ b/man/man8/roundup_selinux.8 -@@ -0,0 +1,124 @@ -+.TH "roundup_selinux" "8" "12-11-01" "roundup" "SELinux Policy documentation for roundup" +@@ -0,0 +1,225 @@ ++.TH "roundup_selinux" "8" "13-01-16" "roundup" "SELinux Policy documentation for roundup" +.SH "NAME" +roundup_selinux \- Security Enhanced Linux Policy for the roundup processes +.SH "DESCRIPTION" @@ -78029,7 +136149,9 @@ index 0000000..22ad9ee + +.SH "ENTRYPOINTS" + -+The roundup_t SELinux type can be entered via the "roundup_exec_t" file type. The default entrypoint paths for the roundup_t domain are the following:" ++The roundup_t SELinux type can be entered via the \fBroundup_exec_t\fP file type. ++ ++The default entrypoint paths for the roundup_t domain are the following: + +/usr/bin/roundup-server +.SH PROCESS TYPES 
@@ -78047,8 +136169,106 @@ index 0000000..22ad9ee +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a roundup_t ++can be used to make the process type roundup_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. roundup policy is extremely flexible and has several booleans that allow you to manipulate the policy and run roundup with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type roundup_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B roundup_var_lib_t ++ ++ /var/lib/roundup(/.*)? ++.br ++ ++.br ++.B roundup_var_run_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -78058,7 +136278,20 @@ index 0000000..22ad9ee +Policy governs the access confined processes have to these files. +SELinux roundup policy is very flexible allowing users to setup their roundup processes in as secure a method as possible. +.PP -+The following file types are defined for roundup: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the roundup, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t roundup_exec_t '/srv/roundup/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myroundup_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for roundup: + + +.EX 
@@ -78090,7 +136323,7 @@ index 0000000..22ad9ee +.B roundup_var_run_t +.EE + -+- Set files with the roundup_var_run_t type, if you want to store the roundup files under the /run directory. ++- Set files with the roundup_var_run_t type, if you want to store the roundup files under the /run or /var/run directory. + + +.PP @@ -78100,22 +136333,6 @@ index 0000000..22ad9ee +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type roundup_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B roundup_var_lib_t -+ -+ /var/lib/roundup(/.*)? -+.br -+ -+.br -+.B roundup_var_run_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -78126,6 +136343,9 @@ index 0000000..22ad9ee +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -78137,13 +136357,15 @@ index 0000000..22ad9ee + +.SH "SEE ALSO" +selinux(8), roundup(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/rpcbind_selinux.8 b/man/man8/rpcbind_selinux.8 new file mode 100644 -index 0000000..9f38f73 +index 0000000..b1108be --- /dev/null +++ b/man/man8/rpcbind_selinux.8 -@@ -0,0 +1,130 @@ -+.TH "rpcbind_selinux" "8" "12-11-01" "rpcbind" "SELinux Policy documentation for rpcbind" +@@ -0,0 +1,251 @@ ++.TH "rpcbind_selinux" "8" "13-01-16" "rpcbind" "SELinux Policy documentation for rpcbind" +.SH "NAME" +rpcbind_selinux \- Security Enhanced Linux Policy for the rpcbind processes +.SH "DESCRIPTION" 
@@ -78159,7 +136381,9 @@ index 0000000..9f38f73 + +.SH "ENTRYPOINTS" + -+The rpcbind_t SELinux type can be entered via the "rpcbind_exec_t" file type. The default entrypoint paths for the rpcbind_t domain are the following:" ++The rpcbind_t SELinux type can be entered via the \fBrpcbind_exec_t\fP file type. ++ ++The default entrypoint paths for the rpcbind_t domain are the following: + +/sbin/rpcbind, /usr/sbin/rpcbind +.SH PROCESS TYPES 
@@ -78177,64 +136401,106 @@ index 0000000..9f38f73 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rpcbind_t ++can be used to make the process type rpcbind_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible. -+.PP -+The following file types are defined for rpcbind: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rpcbind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rpcbind with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B rpcbind_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the rpcbind_exec_t type, if you want to transition an executable to the rpcbind_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B rpcbind_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the rpcbind_initrc_exec_t type, if you want to transition an executable to the rpcbind_initrc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B rpcbind_var_lib_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the rpcbind_var_lib_t type, if you want to store the rpcbind files under the /var/lib directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B rpcbind_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the rpcbind_var_run_t type, if you want to store the rpcbind files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + +The SELinux process type rpcbind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B rpcbind_var_lib_t + + /var/lib/rpcbind(/.*)? 
@@ -78250,7 +136516,80 @@ index 0000000..9f38f73 + /var/run/rpcbind.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rpcbind, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rpcbind_exec_t '/srv/rpcbind/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrpcbind_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rpcbind: ++ ++ ++.EX ++.PP ++.B rpcbind_exec_t ++.EE ++ ++- Set files with the rpcbind_exec_t type, if you want to transition an executable to the rpcbind_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/rpcbind, /usr/sbin/rpcbind ++ ++.EX ++.PP ++.B rpcbind_initrc_exec_t ++.EE ++ ++- Set files with the rpcbind_initrc_exec_t type, if you want to transition an executable to the rpcbind_initrc_t domain. ++ ++ ++.EX ++.PP ++.B rpcbind_var_lib_t ++.EE ++ ++- Set files with the rpcbind_var_lib_t type, if you want to store the rpcbind files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/rpcbind(/.*)?, /var/cache/rpcbind(/.*)? ++ ++.EX ++.PP ++.B rpcbind_var_run_t ++.EE ++ ++- Set files with the rpcbind_var_run_t type, if you want to store the rpcbind files under the /run or /var/run directory. 
++ ++.br ++.TP 5 ++Paths: ++/var/run/rpc.statd\.pid, /var/run/rpcbind.* ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -78262,6 +136601,9 @@ index 0000000..9f38f73 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -78273,13 +136615,15 @@ index 0000000..9f38f73 + +.SH "SEE ALSO" +selinux(8), rpcbind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/rpcd_selinux.8 b/man/man8/rpcd_selinux.8 new file mode 100644 -index 0000000..054ef5a +index 0000000..69cfc0f --- /dev/null +++ b/man/man8/rpcd_selinux.8 -@@ -0,0 +1,181 @@ -+.TH "rpcd_selinux" "8" "12-11-01" "rpcd" "SELinux Policy documentation for rpcd" +@@ -0,0 +1,332 @@ ++.TH "rpcd_selinux" "8" "13-01-16" "rpcd" "SELinux Policy documentation for rpcd" +.SH "NAME" +rpcd_selinux \- Security Enhanced Linux Policy for the rpcd processes +.SH "DESCRIPTION" @@ -78295,7 +136639,9 @@ index 0000000..054ef5a + +.SH "ENTRYPOINTS" + -+The rpcd_t SELinux type can be entered via the "rpcd_exec_t" file type. The default entrypoint paths for the rpcd_t domain are the following:" ++The rpcd_t SELinux type can be entered via the \fBrpcd_exec_t\fP file type. ++ ++The default entrypoint paths for the rpcd_t domain are the following: + +/sbin/rpc\..*, /usr/sbin/rpc\..*, /sbin/sm-notify, /usr/sbin/sm-notify, /usr/sbin/rpc\.idmapd, /usr/sbin/rpc\.rquotad +.SH PROCESS TYPES 
@@ -78313,58 +136659,124 @@ index 0000000..054ef5a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rpcd_t ++can be used to make the process type rpcd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux rpcd policy is very flexible allowing users to setup their rpcd processes in as secure a method as possible. -+.PP -+The following file types are defined for rpcd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rpcd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rpcd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B rpcd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the rpcd_exec_t type, if you want to transition an executable to the rpcd_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B rpcd_initrc_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the rpcd_initrc_exec_t type, if you want to transition an executable to the rpcd_initrc_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ +.EX -+.PP -+.B rpcd_unit_file_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the rpcd_unit_file_t type, if you want to treat the files as rpcd unit content. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B rpcd_var_run_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the rpcd_var_run_t type, if you want to store the rpcd files under the /run directory. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the rpcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rpcd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -78391,6 +136803,8 @@ index 0000000..054ef5a +.br + /home/a?quota\.(user|group) +.br ++ /home/pwalsh/a?quota\.(user|group) ++.br + /home/dwalsh/a?quota\.(user|group) +.br + /var/lib/xguest/home/xguest/a?quota\.(user|group) @@ -78401,6 +136815,14 @@ index 0000000..054ef5a + + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B rpcd_var_run_t + + /var/run/rpc\.statd(/.*)? 
@@ -78422,22 +136844,92 @@ index 0000000..054ef5a + /var/lib(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux rpcd policy is very flexible allowing users to setup their rpcd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the rpcd_t, you must turn on the kerberos_enabled boolean. ++rpcd policy stores data with multiple different file context types under the /var/run/rpc\.statd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/rpc\.statd /srv/rpc\.statd ++.br ++.B restorecon -R -v /srv/rpc\.statd ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rpcd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rpcd_exec_t '/srv/rpcd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrpcd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for rpcd: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B rpcd_exec_t +.EE + ++- Set files with the rpcd_exec_t type, if you want to transition an executable to the rpcd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/rpc\..*, /usr/sbin/rpc\..*, /sbin/sm-notify, /usr/sbin/sm-notify, /usr/sbin/rpc\.idmapd, /usr/sbin/rpc\.rquotad ++ ++.EX ++.PP ++.B rpcd_initrc_exec_t ++.EE ++ ++- Set files with the rpcd_initrc_exec_t type, if you want to transition an executable to the rpcd_initrc_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/nfslock, /etc/rc\.d/init\.d/rpcidmapd ++ ++.EX ++.PP ++.B rpcd_unit_file_t ++.EE ++ ++- Set files with the rpcd_unit_file_t type, if you want to treat the files as rpcd unit content. ++ ++ ++.EX ++.PP ++.B rpcd_var_run_t ++.EE ++ ++- Set files with the rpcd_var_run_t type, if you want to store the rpcd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/rpc\.statd(/.*)?, /var/run/rpc\.statd\.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -78448,6 +136940,9 @@ index 0000000..054ef5a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -78459,15 +136954,15 @@ index 0000000..054ef5a + +.SH "SEE ALSO" +selinux(8), rpcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, rpcbind_selinux(8) ++, setsebool(8), rpcbind_selinux(8) \ No newline at end of file 
diff --git a/man/man8/rpm_script_selinux.8 b/man/man8/rpm_script_selinux.8 new file mode 100644 -index 0000000..3a3d1db +index 0000000..a001a8b --- /dev/null +++ b/man/man8/rpm_script_selinux.8 -@@ -0,0 +1,127 @@ -+.TH "rpm_script_selinux" "8" "12-11-01" "rpm_script" "SELinux Policy documentation for rpm_script" +@@ -0,0 +1,231 @@ ++.TH "rpm_script_selinux" "8" "13-01-16" "rpm_script" "SELinux Policy documentation for rpm_script" +.SH "NAME" +rpm_script_selinux \- Security Enhanced Linux Policy for the rpm_script processes +.SH "DESCRIPTION" 
@@ -78483,9 +136978,12 @@ index 0000000..3a3d1db + +.SH "ENTRYPOINTS" + -+The rpm_script_t SELinux type can be entered via the "filesystem_type,unlabeled_t,proc_type,bin_t,ldconfig_exec_t,mtrr_device_t,shell_exec_t,sysctl_type,file_type" file types. The default entrypoint paths for the rpm_script_t domain are the following:" ++The rpm_script_t SELinux type can be entered via the \fBldconfig_exec_t, bin_t, sysctl_type, shell_exec_t, filesystem_type, mtrr_device_t, unlabeled_t, proc_type, file_type\fP file types. + -+/bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, 
/usr/lib/xen/bin(/.*)?, /usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, 
/usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, 
/usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, 
/usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, 
/usr/share/system-config-securitylevel/system-config-securitylevel\.py, /sbin/ldconfig, /usr/sbin/ldconfig, /dev/cpu/mtrr, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, all files on the system ++The default entrypoint paths for the rpm_script_t domain are the following: ++ ++All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin. ++/sbin/ldconfig, /usr/sbin/ldconfig, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /dev/cpu/mtrr, all files on the system +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -78501,65 +136999,153 @@ index 0000000..3a3d1db +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rpm_script_t ++can be used to make the process type rpm_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux rpm_script policy is very flexible allowing users to setup their rpm_script processes in as secure a method as possible. -+.PP -+The following file types are defined for rpm_script: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rpm_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rpm_script with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B rpm_script_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the rpm_script_exec_t type, if you want to transition an executable to the rpm_script_t domain. -+ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. 
+ +.EX -+.PP -+.B rpm_script_tmp_t ++.B setsebool -P deny_execmem 1 ++ +.EE + -+- Set files with the rpm_script_tmp_t type, if you want to store rpm script temporary files in the /tmp directories. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B rpm_script_tmpfs_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the rpm_script_tmpfs_t type, if you want to store rpm script files on a tmpfs file system. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + -+.SH "MANAGED FILES" ++.EX ++.B setsebool -P domain_kernel_load_modules 1 + -+The SELinux process type rpm_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++.EE + -+.br -+.B file_type ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + -+ all files on the system -+.br ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_insmod 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execheap 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. 
Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpm_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the rpm_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 @@ -78572,6 +137158,16 @@ index 0000000..3a3d1db +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH "MANAGED FILES" ++ ++The SELinux process type rpm_script_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B file_type ++ ++ all files on the system ++.br ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -78582,6 +137178,9 @@ index 0000000..3a3d1db +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -78593,15 +137192,15 @@ index 0000000..3a3d1db + +.SH "SEE ALSO" +selinux(8), rpm_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, rpm_selinux(8), rpm_selinux(8) ++, setsebool(8), rpm_selinux(8), rpm_selinux(8) \ No newline at end of file 
diff --git a/man/man8/rpm_selinux.8 b/man/man8/rpm_selinux.8 new file mode 100644 -index 0000000..0b6f8e2 +index 0000000..3e5a719 --- /dev/null +++ b/man/man8/rpm_selinux.8 -@@ -0,0 +1,191 @@ -+.TH "rpm_selinux" "8" "12-11-01" "rpm" "SELinux Policy documentation for rpm" +@@ -0,0 +1,373 @@ ++.TH "rpm_selinux" "8" "13-01-16" "rpm" "SELinux Policy documentation for rpm" +.SH "NAME" +rpm_selinux \- Security Enhanced Linux Policy for the rpm processes +.SH "DESCRIPTION" @@ -78617,7 +137216,9 @@ index 0000000..0b6f8e2 + +.SH "ENTRYPOINTS" + -+The rpm_t SELinux type can be entered via the "rpm_exec_t,debuginfo_exec_t,filesystem_type,rpm_script_exec_t,unlabeled_t,proc_type,mtrr_device_t,sysctl_type,file_type" file types. The default entrypoint paths for the rpm_t domain are the following:" ++The rpm_t SELinux type can be entered via the \fBsysctl_type, rpm_exec_t, filesystem_type, debuginfo_exec_t, rpm_script_exec_t, mtrr_device_t, unlabeled_t, proc_type, file_type\fP file types. ++ ++The default entrypoint paths for the rpm_t domain are the following: + +/usr/libexec/yumDBUSBackend.py, /bin/rpm, /usr/bin/dnf, /usr/bin/rpm, /usr/bin/yum, /usr/bin/zif, /usr/sbin/pup, /usr/bin/smart, /usr/sbin/bcfg2, /usr/sbin/pirut, /usr/bin/apt-get, /usr/sbin/up2date, /usr/sbin/synaptic, /usr/bin/apt-shell, /usr/sbin/rhn_check, /usr/sbin/rhnreg_ks, /usr/sbin/packagekitd, /usr/sbin/yum-updatesd, /usr/libexec/packagekitd, /usr/bin/package-cleanup, /usr/bin/fedora-rmdevelrpms, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/system-install-packages, /usr/share/yumex/yum_childtask\.py, /usr/sbin/yum-complete-transaction, /usr/share/yumex/yumex-yum-backend, /usr/bin/debuginfo-install, /dev/cpu/mtrr, all files on the system +.SH PROCESS TYPES 
@@ -78635,8 +137236,182 @@ index 0000000..0b6f8e2 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rpm_t ++can be used to make the process type rpm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rpm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rpm with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_insmod 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. 
This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execheap 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the rpm_script_t, rpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rpm_script_t, rpm_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type rpm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B file_type ++ ++ all files on the system ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
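Review bot: the "If you want to X, you must turn on Y" template in the BOOLEANS section of rpm_selinux.8 (hunk -78635) inverts the meaning for deny_ptrace: the entry reads "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" and then shows `setsebool -P deny_ptrace 1`, which is exactly what prevents it; allowing ptrace needs `setsebool -P deny_ptrace 0`. The same inverted entry is emitted for rshd, rssh_chroot_helper, rssh and rsync in this patch, so the fix belongs in the generator (emit "turn off" for booleans whose description is a deny/restrict), not in the individual pages. mmap_low_allowed has the same shape ("control the ability to mmap a low area ... you must turn on the mmap_low_allowed boolean") and should state plainly that turning it on relaxes the mmap_min_addr protection. The secure_mode_policyload entry is garbled ("If you want to boolean to determine whether the system permits loading policy, ...") and is marked "Enabled by default", which contradicts its own description: with it on, none of the `setsebool -P` commands on this page would take effect until a reboot, so the default shown is almost certainly wrong. selinuxuser_execheap and selinuxuser_execstack splice a multi-sentence description into the template ("... This executable should be reported in bugzilla, you must turn on ..."); emitting the description as its own paragraph and then the single "turn on/off" sentence would fix all of these. Minor: "rather then using a sssd server" should be "rather than using an sssd server" (repeated in every page of this patch).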
@@ -78646,7 +137421,20 @@ index 0000000..0b6f8e2 +Policy governs the access confined processes have to these files. +SELinux rpm policy is very flexible allowing users to setup their rpm processes in as secure a method as possible. +.PP -+The following file types are defined for rpm: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rpm, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rpm_exec_t '/srv/rpm/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrpm_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rpm: + + +.EX @@ -78656,6 +137444,10 @@ index 0000000..0b6f8e2 + +- Set files with the rpm_exec_t type, if you want to transition an executable to the rpm_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/libexec/yumDBUSBackend.py, /bin/rpm, /usr/bin/dnf, /usr/bin/rpm, /usr/bin/yum, /usr/bin/zif, /usr/sbin/pup, /usr/bin/smart, /usr/sbin/bcfg2, /usr/sbin/pirut, /usr/bin/apt-get, /usr/sbin/up2date, /usr/sbin/synaptic, /usr/bin/apt-shell, /usr/sbin/rhn_check, /usr/sbin/rhnreg_ks, /usr/sbin/packagekitd, /usr/sbin/yum-updatesd, /usr/libexec/packagekitd, /usr/bin/package-cleanup, /usr/bin/fedora-rmdevelrpms, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/system-install-packages, /usr/share/yumex/yum_childtask\.py, /usr/sbin/yum-complete-transaction, /usr/share/yumex/yumex-yum-backend + +.EX +.PP @@ -78720,6 +137512,10 @@ index 0000000..0b6f8e2 + +- Set files with the rpm_var_cache_t type, if you want to store the files under the /var/cache directory. + ++.br ++.TP 5 ++Paths: ++/var/cache/yum(/.*)?, /var/spool/up2date(/.*)?, /var/cache/PackageKit(/.*)? + +.EX +.PP 
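Review bot: the STANDARD FILE CONTEXT example added in hunk -78646 registers one path and relabels another: `semanage fcontext -a -t rpm_exec_t '/srv/rpm/content(/.*)?'` is followed by `restorecon -R -v /srv/myrpm_content`, so the restorecon never touches the path that was just added. The bigger problem is the type chosen for the example: rpm_exec_t is the entrypoint type of rpm_t, so anything a reader drops under that directory becomes a file that can transition into rpm_t, a domain which, per the MANAGED FILES section of this same page, can manage "all files on the system". A data type such as rpm_var_cache_t or rpm_var_lib_t (both listed with their default paths in the hunks that follow) is the right thing to demonstrate, with the same path in both commands. The identical template is emitted for rshd, rssh_chroot_helper and rssh later in this patch, so this should be fixed in sepolicy manpage rather than here. Also "diffent" -> "different", "sepecify" -> "specify", "in a diffent paths" -> "under a different path".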
@@ -78728,14 +137524,22 @@ index 0000000..0b6f8e2 + +- Set files with the rpm_var_lib_t type, if you want to store the rpm files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/rpm(/.*)?, /var/lib/yum(/.*)?, /var/lib/dnf(/.*)?, /var/lib/PackageKit(/.*)?, /var/lib/alternatives(/.*)? + +.EX +.PP +.B rpm_var_run_t +.EE + -+- Set files with the rpm_var_run_t type, if you want to store the rpm files under the /run directory. ++- Set files with the rpm_var_run_t type, if you want to store the rpm files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/yum.*, /var/run/PackageKit(/.*)? + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -78744,32 +137548,6 @@ index 0000000..0b6f8e2 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type rpm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B file_type -+ -+ all files on the system -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpm_script_t, rpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the rpm_script_t, rpm_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -78780,6 +137558,9 @@ index 0000000..0b6f8e2 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -78791,15 +137572,15 @@ index 0000000..0b6f8e2 + +.SH "SEE ALSO" +selinux(8), rpm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, rpm_script_selinux(8) ++, setsebool(8), rpm_script_selinux(8) \ No newline at end of file diff --git a/man/man8/rshd_selinux.8 b/man/man8/rshd_selinux.8 new file mode 100644 -index 0000000..8958739 +index 0000000..8d6d4c5 --- /dev/null +++ b/man/man8/rshd_selinux.8 -@@ -0,0 +1,302 @@ -+.TH "rshd_selinux" "8" "12-11-01" "rshd" "SELinux Policy documentation for rshd" +@@ -0,0 +1,459 @@ ++.TH "rshd_selinux" "8" "13-01-16" "rshd" "SELinux Policy documentation for rshd" +.SH "NAME" +rshd_selinux \- Security Enhanced Linux Policy for the rshd processes +.SH "DESCRIPTION" @@ -78815,7 +137596,9 @@ index 0000000..8958739 + +.SH "ENTRYPOINTS" + -+The rshd_t SELinux type can be entered via the "rshd_exec_t" file type. The default entrypoint paths for the rshd_t domain are the following:" ++The rshd_t SELinux type can be entered via the \fBrshd_exec_t\fP file type. ++ ++The default entrypoint paths for the rshd_t domain are the following: + +/usr/sbin/in\.rshd, /usr/sbin/in\.rexecd, /usr/kerberos/sbin/kshd +.SH PROCESS TYPES 
@@ -78833,42 +137616,164 @@ index 0000000..8958739 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rshd_t ++can be used to make the process type rshd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux rshd policy is very flexible allowing users to setup their rshd processes in as secure a method as possible. -+.PP -+The following file types are defined for rshd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rshd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rshd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B rshd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the rshd_exec_t type, if you want to transition an executable to the rshd_t domain. -+ ++.PP ++If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean. Disabled by default. + +.EX -+.PP -+.B rshd_keytab_t ++.B setsebool -P authlogin_radius 1 ++ +.EE + -+- Set files with the rshd_keytab_t type, if you want to treat the files as kerberos keytab files. ++.PP ++If you want to allow users to login using a yubikey server, you must turn on the authlogin_yubikey boolean. Disabled by default. 
+ ++.EX ++.B setsebool -P authlogin_yubikey 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to enable polyinstantiated directory support, you must turn on the polyinstantiation_enabled boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P polyinstantiation_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P unconfined_login 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the rshd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rshd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -78914,6 +137819,10 @@ index 0000000..8958739 +.br + /home/[^/]*/\.google_authenticator~ +.br ++ /home/pwalsh/\.google_authenticator ++.br ++ /home/pwalsh/\.google_authenticator~ ++.br + /home/dwalsh/\.google_authenticator +.br + /home/dwalsh/\.google_authenticator~ 
@@ -78936,12 +137845,12 @@ index 0000000..8958739 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B initrc_var_run_t @@ -78982,7 +137891,7 @@ index 0000000..8958739 +.br +.B lastlog_t + -+ /var/log/lastlog ++ /var/log/lastlog.* +.br + +.br @@ -78998,20 +137907,6 @@ index 0000000..8958739 +.br + +.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br +.B security_t + + /selinux @@ -79024,6 +137919,8 @@ index 0000000..8958739 +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest @@ -79052,6 +137949,8 @@ index 0000000..8958739 +.br + /var/lib/pam_shield(/.*)? +.br ++ /var/opt/quest/vas/vasd(/.*)? ++.br + /var/lib/google-authenticator(/.*)? +.br + 
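Review bot: hunks -78914 and -79024 of rshd_selinux.8 add `/home/pwalsh/\.google_authenticator`, `/home/pwalsh/\.google_authenticator~` and `/tmp/gconfd-pwalsh` alongside the existing `/home/dwalsh/...` and `/tmp/gconfd-dwalsh` entries. These are per-user file-context customisations present on the machine the pages were generated on (local `semanage fcontext` additions for named users), not anything in the shipped policy; publishing them in the distribution man pages misstates what the policy labels, and the list grows with each regeneration. Generate the pages from a clean policy store, or have the generator ignore entries from file_contexts.local. In the same file, hunk -78998 removes the whole pcscd_var_run_t block from the list of types rshd_t can use; if that is a deliberate policy change rather than a side effect of regeneration it is worth a line in the changelog, since it affects smart-card PAM logins through rshd.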
@@ -79061,21 +137960,56 @@ index 0000000..8958739 + /var/log/wtmp.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux rshd policy is very flexible allowing users to setup their rshd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rshd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rshd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rshd_exec_t '/srv/rshd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrshd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rshd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B rshd_exec_t +.EE + ++- Set files with the rshd_exec_t type, if you want to transition an executable to the rshd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/in\.rshd, /usr/sbin/in\.rexecd, /usr/kerberos/sbin/kshd ++ ++.EX ++.PP ++.B rshd_keytab_t ++.EE ++ ++- Set files with the rshd_keytab_t type, if you want to treat the files as kerberos keytab files. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the rshd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -79090,6 +138024,9 @@ index 0000000..8958739 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -79101,13 +138038,15 @@ index 0000000..8958739 + +.SH "SEE ALSO" +selinux(8), rshd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/rssh_chroot_helper_selinux.8 b/man/man8/rssh_chroot_helper_selinux.8 new file mode 100644 -index 0000000..42e38a6 +index 0000000..d4866c5 --- /dev/null +++ b/man/man8/rssh_chroot_helper_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "rssh_chroot_helper_selinux" "8" "12-11-01" "rssh_chroot_helper" "SELinux Policy documentation for rssh_chroot_helper" +@@ -0,0 +1,203 @@ ++.TH "rssh_chroot_helper_selinux" "8" "13-01-16" "rssh_chroot_helper" "SELinux Policy documentation for rssh_chroot_helper" +.SH "NAME" +rssh_chroot_helper_selinux \- Security Enhanced Linux Policy for the rssh_chroot_helper processes +.SH "DESCRIPTION" @@ -79123,7 +138062,9 @@ index 0000000..42e38a6 + +.SH "ENTRYPOINTS" + -+The rssh_chroot_helper_t SELinux type can be entered via the "rssh_chroot_helper_exec_t" file type. The default entrypoint paths for the rssh_chroot_helper_t domain are the following:" ++The rssh_chroot_helper_t SELinux type can be entered via the \fBrssh_chroot_helper_exec_t\fP file type. ++ ++The default entrypoint paths for the rssh_chroot_helper_t domain are the following: + +/usr/libexec/rssh_chroot_helper +.SH PROCESS TYPES 
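Review bot: hunk -79061 (FILE CONTEXTS in rshd_selinux.8) carries `\fBls\bP` where `\fBls\fP` is intended; `\b` is the troff bracket-building escape, so the bold font change is never closed and the "P" is rendered as text. The same line appears as unchanged context in the rpm, rssh_chroot_helper and rssh pages, which means it comes from the sepolicy manpage template and should be corrected there once. In the same hunk, the example pair `semanage fcontext -a -t rshd_exec_t '/srv/rshd/content(/.*)?'` / `restorecon -R -v /srv/myrshd_content` relabels a directory other than the one it registered and uses the rshd_t entrypoint type for generic content; since rshd_exec_t is the only non-keytab type this page defines, the example would be better dropped for this page than shown with an entrypoint type.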
@@ -79141,8 +138082,108 @@ index 0000000..42e38a6 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rssh_chroot_helper_t ++can be used to make the process type rssh_chroot_helper_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rssh_chroot_helper policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rssh_chroot_helper with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -79152,7 +138193,20 @@ index 0000000..42e38a6 +Policy governs the access confined processes have to these files. +SELinux rssh_chroot_helper policy is very flexible allowing users to setup their rssh_chroot_helper processes in as secure a method as possible. +.PP -+The following file types are defined for rssh_chroot_helper: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rssh_chroot_helper, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rssh_chroot_helper_exec_t '/srv/rssh_chroot_helper/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrssh_chroot_helper_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rssh_chroot_helper: + + +.EX @@ -79170,22 +138224,6 @@ index 0000000..42e38a6 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -79196,6 +138234,9 @@ index 0000000..42e38a6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -79207,15 +138248,15 @@ index 0000000..42e38a6 + +.SH "SEE ALSO" +selinux(8), rssh_chroot_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, rssh_selinux(8), rssh_selinux(8) ++, setsebool(8), rssh_selinux(8), rssh_selinux(8) \ No newline at end of file diff --git a/man/man8/rssh_selinux.8 b/man/man8/rssh_selinux.8 new file mode 100644 -index 0000000..f418ac6 +index 0000000..7ff577d --- /dev/null +++ b/man/man8/rssh_selinux.8 -@@ -0,0 +1,133 @@ -+.TH "rssh_selinux" "8" "12-11-01" "rssh" "SELinux Policy documentation for rssh" +@@ -0,0 +1,203 @@ ++.TH "rssh_selinux" "8" "13-01-16" "rssh" "SELinux Policy documentation for rssh" +.SH "NAME" +rssh_selinux \- Security Enhanced Linux Policy for the rssh processes +.SH "DESCRIPTION" @@ -79231,7 +138272,9 @@ index 0000000..f418ac6 + +.SH "ENTRYPOINTS" + -+The rssh_t SELinux type can be entered via the "rssh_exec_t" file type. The default entrypoint paths for the rssh_t domain are the following:" ++The rssh_t SELinux type can be entered via the \fBrssh_exec_t\fP file type. ++ ++The default entrypoint paths for the rssh_t domain are the following: + +/usr/bin/rssh +.SH PROCESS TYPES 
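Review bot: hunk -79207 of rssh_chroot_helper_selinux.8 leaves the SEE ALSO line as `, setsebool(8), rssh_selinux(8), rssh_selinux(8)`; the duplicate was already in the previous version and survives the regeneration, so the generator should de-duplicate the related-page list before emitting it.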
@@ -79249,8 +138292,84 @@ index 0000000..f418ac6 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rssh_t ++can be used to make the process type rssh_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rssh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rssh with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type rssh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B rssh_rw_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -79260,7 +138379,20 @@ index 0000000..f418ac6 +Policy governs the access confined processes have to these files. +SELinux rssh policy is very flexible allowing users to setup their rssh processes in as secure a method as possible. +.PP -+The following file types are defined for rssh: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rssh, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rssh_chroot_helper_exec_t '/srv/rssh/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrssh_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rssh: + + +.EX 
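Review bot: in rssh_selinux.8 (hunk -79249) the NSSWITCH DOMAIN entries say "for the rssh_chroot_helper_t" although this page documents rssh_t, and the STANDARD FILE CONTEXT example uses `semanage fcontext -a -t rssh_chroot_helper_exec_t '/srv/rssh/content(/.*)?'` while the page's own ENTRYPOINTS section names rssh_exec_t. The removed lines show the old text had the same rssh_chroot_helper_t mismatch, so the generator is picking up the wrong domain of the rssh module for this page; a reader following the example would label rssh data with the chroot helper's entrypoint type. As elsewhere in this patch, the `restorecon -R -v /srv/myrssh_content` path also does not match the registered `/srv/rssh/content(/.*)?`.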
@@ -79302,30 +138434,6 @@ index 0000000..f418ac6 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type rssh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B rssh_rw_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -79336,6 +138444,9 @@ index 0000000..f418ac6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -79347,13 +138458,13 @@ index 0000000..f418ac6 + +.SH "SEE ALSO" +selinux(8), rssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, rssh_chroot_helper_selinux(8) ++, setsebool(8), rssh_chroot_helper_selinux(8) \ No newline at end of file diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8 -index ad9ccf5..bf0928c 100644 +index ad9ccf5..a5bcdf1 100644 --- a/man/man8/rsync_selinux.8 +++ b/man/man8/rsync_selinux.8 -@@ -1,52 +1,299 @@ +@@ -1,52 +1,431 @@ -.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation" -.de EX -.nf 
@@ -79363,7 +138474,7 @@ index ad9ccf5..bf0928c 100644 -.ft R -.fi -.. -+.TH "rsync_selinux" "8" "12-11-01" "rsync" "SELinux Policy documentation for rsync" ++.TH "rsync_selinux" "8" "13-01-16" "rsync" "SELinux Policy documentation for rsync" .SH "NAME" -rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon +rsync_selinux \- Security Enhanced Linux Policy for the rsync processes @@ -79392,7 +138503,9 @@ index ad9ccf5..bf0928c 100644 + +.SH "ENTRYPOINTS" + -+The rsync_t SELinux type can be entered via the "rsync_exec_t" file type. The default entrypoint paths for the rsync_t domain are the following:" ++The rsync_t SELinux type can be entered via the \fBrsync_exec_t\fP file type. ++ ++The default entrypoint paths for the rsync_t domain are the following: + +/usr/bin/rsync +.SH PROCESS TYPES 
@@ -79410,131 +138523,268 @@ index ad9ccf5..bf0928c 100644 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rsync_t ++can be used to make the process type rsync_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. rsync policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rsync with the tightest access possible. + + +.PP -+If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean. -+ -+.EX -+.B setsebool -P postgresql_can_rsync 1 -+.EE -+ -+.PP -+If you want to allow rsync to export any files/directories read only, you must turn on the rsync_export_all_ro boolean. -+ -+.EX -+.B setsebool -P rsync_export_all_ro 1 -+.EE -+ -+.PP -+If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean. -+ -+.EX -+.B setsebool -P rsync_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow rsync servers to share cifs files systems, you must turn on the rsync_use_cifs boolean. -+ -+.EX -+.B setsebool -P rsync_use_cifs 1 -+.EE -+ -+.PP -+If you want to allow rsync to run as a client, you must turn on the rsync_client boolean. ++If you want to allow rsync to run as a client, you must turn on the rsync_client boolean. Disabled by default. + +.EX +.B setsebool -P rsync_client 1 ++ +.EE + +.PP -+If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean. 
-+ -+.EX -+.B setsebool -P postgresql_can_rsync 1 -+.EE -+ -+.PP -+If you want to allow rsync to export any files/directories read only, you must turn on the rsync_export_all_ro boolean. ++If you want to allow rsync to export any files/directories read only, you must turn on the rsync_export_all_ro boolean. Disabled by default. + +.EX +.B setsebool -P rsync_export_all_ro 1 ++ +.EE + +.PP -+If you want to allow rsync servers to share nfs files systems, you must turn on the rsync_use_nfs boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P rsync_use_nfs 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow rsync servers to share cifs files systems, you must turn on the rsync_use_cifs boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P rsync_use_cifs 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow rsync to run as a client, you must turn on the rsync_client boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.B setsebool -P rsync_client 1 ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+.SH SHARING FILES -+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. - .TP -+Allow rsync servers to read the /var/rsync directory by adding the public_content_t file type to the directory and by restoring the file type. 
+.PP -+.B - semanage fcontext -a -t public_content_t "/var/rsync(/.*)?" ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the rsync_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rsync_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible. ++.PP ++The following port types are defined for rsync: ++ ++.EX ++.TP 5 ++.B rsync_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 873 ++.EE ++udp 873 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type rsync_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ +.br -+.B restorecon -F -R -v /var/rsync -+.pp - .TP --This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local: --.TP --/var/rsync(/.*)? system_u:object_r:publix_content_t:s0 --.TP --Run the restorecon command to apply the changes: --.TP --restorecon -R -v /var/rsync/ -+Allow rsync servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_rsyncd_anon_write boolean to be set. -+.PP -+.B -+semanage fcontext -a -t public_content_rw_t "/var/rsync/incoming(/.*)?" ++.B cifs_t ++ ++ +.br -+.B restorecon -F -R -v /var/rsync/incoming ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t + + -+.PP -+If you want to allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the rsync_anon_write boolean. ++.br ++.B nfs_t ++ ++ ++.br ++.B public_content_rw_t ++ ++ /var/spool/abrt-upload(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B rsync_data_t ++ ++ ++.br ++.B rsync_log_t ++ ++ /var/log/rsync\.log.* ++.br ++ ++.br ++.B rsync_tmp_t ++ ++ ++.br ++.B rsync_var_run_t ++ ++ /var/run/rsyncd\.lock ++.br + -+.EX -+.B setsebool -P rsync_anon_write 1 - .EE - --.SH SHARING FILES --If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. 
allow_DOMAIN_anon_write. So for rsync you would execute: -+.PP -+If you want to allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the rsync_anon_write boolean. - - .EX --setsebool -P allow_rsync_anon_write=1 -+.B setsebool -P rsync_anon_write 1 - .EE - --.SH BOOLEANS --.TP --system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR --This manual page was written by Dan Walsh . +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -79543,7 +138793,20 @@ index ad9ccf5..bf0928c 100644 +Policy governs the access confined processes have to these files. +SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible. +.PP -+The following file types are defined for rsync: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rsync, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rsync_data_t '/srv/rsync/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrsync_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rsync: + + +.EX @@ -79591,7 +138854,7 @@ index ad9ccf5..bf0928c 100644 +.B rsync_var_run_t +.EE + -+- Set files with the rsync_var_run_t type, if you want to store the rsync files under the /run directory. ++- Set files with the rsync_var_run_t type, if you want to store the rsync files under the /run or /var/run directory. + + +.PP 
@@ -79601,67 +138864,48 @@ index ad9ccf5..bf0928c 100644 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. ++.SH SHARING FILES ++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. + .TP ++Allow rsync servers to read the /var/rsync directory by adding the public_content_t file type to the directory and by restoring the file type. +.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l ++.B + semanage fcontext -a -t public_content_t "/var/rsync(/.*)?" ++.br ++.B restorecon -F -R -v /var/rsync ++.pp + .TP +-This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local: +-.TP +-/var/rsync(/.*)? system_u:object_r:publix_content_t:s0 +-.TP +-Run the restorecon command to apply the changes: +-.TP +-restorecon -R -v /var/rsync/ +-.EE ++Allow rsync servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_rsyncd_anon_write boolean to be set. ++.PP ++.B ++semanage fcontext -a -t public_content_rw_t "/var/rsync/incoming(/.*)?" ++.br ++.B restorecon -F -R -v /var/rsync/incoming + +-.SH SHARING FILES +-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. 
So for rsync you would execute: + +.PP -+Policy governs the access confined processes have to these ports. -+SELinux rsync policy is very flexible allowing users to setup their rsync processes in as secure a method as possible. -+.PP -+The following port types are defined for rsync: -+ -+.EX -+.TP 5 -+.B rsync_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 873 -+.EE -+udp 873 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type rsync_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B rsync_log_t -+ -+ /var/log/rsync\.log.* -+.br -+ -+.br -+.B rsync_tmp_t -+ -+ -+.br -+.B rsync_var_run_t -+ -+ /var/run/rsyncd\.lock -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rsync_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the rsync_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ ++If you want to allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the rsync_anon_write boolean. + + .EX +-setsebool -P allow_rsync_anon_write=1 ++.B setsebool -P rsync_anon_write 1 + .EE + +-.SH BOOLEANS +-.TP +-system-config-selinux is a GUI tool available to customize SELinux policy settings. +-.SH AUTHOR +-This manual page was written by Dan Walsh . +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -79694,11 +138938,11 @@ index ad9ccf5..bf0928c 100644 \ No newline at end of file 
diff --git a/man/man8/rtkit_daemon_selinux.8 b/man/man8/rtkit_daemon_selinux.8 new file mode 100644 -index 0000000..0e3bbbc +index 0000000..2b3d7e9 --- /dev/null +++ b/man/man8/rtkit_daemon_selinux.8 -@@ -0,0 +1,108 @@ -+.TH "rtkit_daemon_selinux" "8" "12-11-01" "rtkit_daemon" "SELinux Policy documentation for rtkit_daemon" +@@ -0,0 +1,223 @@ ++.TH "rtkit_daemon_selinux" "8" "13-01-16" "rtkit_daemon" "SELinux Policy documentation for rtkit_daemon" +.SH "NAME" +rtkit_daemon_selinux \- Security Enhanced Linux Policy for the rtkit_daemon processes +.SH "DESCRIPTION" @@ -79714,9 +138958,11 @@ index 0000000..0e3bbbc + +.SH "ENTRYPOINTS" + -+The rtkit_daemon_t SELinux type can be entered via the "rtkit_daemon_exec_t" file type. The default entrypoint paths for the rtkit_daemon_t domain are the following:" ++The rtkit_daemon_t SELinux type can be entered via the \fBrtkit_daemon_exec_t\fP file type. + -+/usr/libexec/rtkit-daemon ++The default entrypoint paths for the rtkit_daemon_t domain are the following: ++ ++/usr/libexec/rtkit-daemon, /usr/lib/rtkit/rtkit-daemon +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -79732,47 +138978,97 @@ index 0000000..0e3bbbc +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rtkit_daemon_t ++can be used to make the process type rtkit_daemon_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux rtkit_daemon policy is very flexible allowing users to setup their rtkit_daemon processes in as secure a method as possible. -+.PP -+The following file types are defined for rtkit_daemon: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rtkit_daemon policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rtkit_daemon with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B rtkit_daemon_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the rtkit_daemon_exec_t type, if you want to transition an executable to the rtkit_daemon_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + -+.SH "MANAGED FILES" ++.EX ++.B setsebool -P deny_ptrace 1 + -+The SELinux process type rtkit_daemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++.EE + -+.br -+.B anon_inodefs_t ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rtkit_daemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the rtkit_daemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 
@@ -79785,6 +139081,65 @@ index 0000000..0e3bbbc +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH "MANAGED FILES" ++ ++The SELinux process type rtkit_daemon_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux rtkit_daemon policy is very flexible allowing users to setup their rtkit_daemon processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rtkit_daemon, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rtkit_daemon_exec_t '/srv/rtkit_daemon/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrtkit_daemon_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rtkit_daemon: ++ ++ ++.EX ++.PP ++.B rtkit_daemon_exec_t ++.EE ++ ++- Set files with the rtkit_daemon_exec_t type, if you want to transition an executable to the rtkit_daemon_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/libexec/rtkit-daemon, /usr/lib/rtkit/rtkit-daemon ++ ++.EX ++.PP ++.B rtkit_daemon_initrc_exec_t ++.EE ++ ++- Set files with the rtkit_daemon_initrc_exec_t type, if you want to transition an executable to the rtkit_daemon_initrc_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. 
This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -79795,6 +139150,9 @@ index 0000000..0e3bbbc +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -79806,13 +139164,15 @@ index 0000000..0e3bbbc + +.SH "SEE ALSO" +selinux(8), rtkit_daemon(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/run_init_selinux.8 b/man/man8/run_init_selinux.8 new file mode 100644 -index 0000000..69e4288 +index 0000000..be32022 --- /dev/null +++ b/man/man8/run_init_selinux.8 -@@ -0,0 +1,148 @@ -+.TH "run_init_selinux" "8" "12-11-01" "run_init" "SELinux Policy documentation for run_init" +@@ -0,0 +1,229 @@ ++.TH "run_init_selinux" "8" "13-01-16" "run_init" "SELinux Policy documentation for run_init" +.SH "NAME" +run_init_selinux \- Security Enhanced Linux Policy for the run_init processes +.SH "DESCRIPTION" @@ -79828,7 +139188,9 @@ index 0000000..69e4288 + +.SH "ENTRYPOINTS" + -+The run_init_t SELinux type can be entered via the "run_init_exec_t" file type. The default entrypoint paths for the run_init_t domain are the following:" ++The run_init_t SELinux type can be entered via the \fBrun_init_exec_t\fP file type. ++ ++The default entrypoint paths for the run_init_t domain are the following: + +/usr/sbin/run_init +.SH PROCESS TYPES 
@@ -79846,8 +139208,134 @@ index 0000000..69e4288 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a run_init_t ++can be used to make the process type run_init_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. run_init policy is extremely flexible and has several booleans that allow you to manipulate the policy and run run_init with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the run_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the run_init_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type run_init_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -79857,7 +139345,20 @@ index 0000000..69e4288 +Policy governs the access confined processes have to these files. +SELinux run_init policy is very flexible allowing users to setup their run_init processes in as secure a method as possible. +.PP -+The following file types are defined for run_init: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the run_init, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t run_init_exec_t '/srv/run_init/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrun_init_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for run_init: + + +.EX 
@@ -79875,70 +139376,6 @@ index 0000000..69e4288 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type run_init_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B faillog_t -+ -+ /var/log/btmp.* -+.br -+ /var/run/faillock(/.*)? -+.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B initrc_var_run_t -+ -+ /var/run/utmp -+.br -+ /var/run/random-seed -+.br -+ /var/run/runlevel\.dir -+.br -+ /var/run/setmixer_flag -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br -+.B security_t -+ -+ /selinux -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the run_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the run_init_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -79949,6 +139386,9 @@ index 0000000..69e4288 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -79960,13 +139400,15 @@ index 0000000..69e4288 + +.SH "SEE ALSO" +selinux(8), run_init(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
diff --git a/man/man8/rwho_selinux.8 b/man/man8/rwho_selinux.8 new file mode 100644 -index 0000000..6044f11 +index 0000000..115d93c --- /dev/null +++ b/man/man8/rwho_selinux.8 -@@ -0,0 +1,152 @@ -+.TH "rwho_selinux" "8" "12-11-01" "rwho" "SELinux Policy documentation for rwho" +@@ -0,0 +1,247 @@ ++.TH "rwho_selinux" "8" "13-01-16" "rwho" "SELinux Policy documentation for rwho" +.SH "NAME" +rwho_selinux \- Security Enhanced Linux Policy for the rwho processes +.SH "DESCRIPTION" @@ -79982,7 +139424,9 @@ index 0000000..6044f11 + +.SH "ENTRYPOINTS" + -+The rwho_t SELinux type can be entered via the "rwho_exec_t" file type. The default entrypoint paths for the rwho_t domain are the following:" ++The rwho_t SELinux type can be entered via the \fBrwho_exec_t\fP file type. ++ ++The default entrypoint paths for the rwho_t domain are the following: + +/usr/sbin/rwhod +.SH PROCESS TYPES 
@@ -80000,8 +139444,125 @@ index 0000000..6044f11 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a rwho_t ++can be used to make the process type rwho_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. rwho policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rwho with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible. ++.PP ++The following port types are defined for rwho: ++ ++.EX ++.TP 5 ++.B rwho_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++udp 513 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type rwho_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B rwho_spool_t ++ ++ /var/spool/rwho(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -80011,7 +139572,20 @@ index 0000000..6044f11 +Policy governs the access confined processes have to these files. +SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible. +.PP -+The following file types are defined for rwho: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the rwho, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t rwho_exec_t '/srv/rwho/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myrwho_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for rwho: + + +.EX @@ -80053,47 +139627,6 @@ index 0000000..6044f11 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible. -+.PP -+The following port types are defined for rwho: -+ -+.EX -+.TP 5 -+.B rwho_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+udp 513 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type rwho_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B rwho_log_t -+ -+ /var/log/rwhod(/.*)? -+.br -+ -+.br -+.B rwho_spool_t -+ -+ /var/spool/rwho(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -80107,6 +139640,9 @@ index 0000000..6044f11 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -80118,13 +139654,15 @@ index 0000000..6044f11 + +.SH "SEE ALSO" +selinux(8), rwho(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/samba_net_selinux.8 b/man/man8/samba_net_selinux.8 new file mode 100644 -index 0000000..2b5c346 +index 0000000..3ff4184 --- /dev/null +++ b/man/man8/samba_net_selinux.8 -@@ -0,0 +1,155 @@ -+.TH "samba_net_selinux" "8" "12-11-01" "samba_net" "SELinux Policy documentation for samba_net" +@@ -0,0 +1,267 @@ ++.TH "samba_net_selinux" "8" "13-01-16" "samba_net" "SELinux Policy documentation for samba_net" +.SH "NAME" +samba_net_selinux \- Security Enhanced Linux Policy for the samba_net processes +.SH "DESCRIPTION" @@ -80140,7 +139678,9 @@ index 0000000..2b5c346 + +.SH "ENTRYPOINTS" + -+The samba_net_t SELinux type can be entered via the "samba_net_exec_t" file type. The default entrypoint paths for the samba_net_t domain are the following:" ++The samba_net_t SELinux type can be entered via the \fBsamba_net_exec_t\fP file type. ++ ++The default entrypoint paths for the samba_net_t domain are the following: + +/usr/bin/net +.SH PROCESS TYPES 
@@ -80158,42 +139698,116 @@ index 0000000..2b5c346 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a samba_net_t ++can be used to make the process type samba_net_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux samba_net policy is very flexible allowing users to setup their samba_net processes in as secure a method as possible. -+.PP -+The following file types are defined for samba_net: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. samba_net policy is extremely flexible and has several booleans that allow you to manipulate the policy and run samba_net with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B samba_net_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the samba_net_exec_t type, if you want to transition an executable to the samba_net_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B samba_net_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the samba_net_tmp_t type, if you want to store samba net temporary files in the /tmp directories. 
++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the samba_net_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the samba_net_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -80234,6 +139848,8 @@ index 0000000..2b5c346 +.br +.B samba_var_t + ++ /var/nmbd(/.*)? ++.br + /var/lib/samba(/.*)? +.br + /var/cache/samba(/.*)? 
@@ -80241,21 +139857,52 @@ index 0000000..2b5c346 + /var/spool/samba(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux samba_net policy is very flexible allowing users to setup their samba_net processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the samba_net_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the samba_net, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t samba_net_exec_t '/srv/samba_net/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysamba_net_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for samba_net: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B samba_net_exec_t +.EE + ++- Set files with the samba_net_exec_t type, if you want to transition an executable to the samba_net_t domain. ++ ++ ++.EX ++.PP ++.B samba_net_tmp_t ++.EE ++ ++- Set files with the samba_net_tmp_t type, if you want to store samba net temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the samba_net_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -80267,6 +139914,9 @@ index 0000000..2b5c346 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -80278,7 +139928,7 @@ index 0000000..2b5c346 + +.SH "SEE ALSO" +selinux(8), samba_net(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, samba_unconfined_script_selinux(8), sambagui_selinux(8) ++, setsebool(8), samba_unconfined_script_selinux(8), sambagui_selinux(8) \ No newline at end of file diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8 index ca702c7..234a9c7 100644 @@ -80345,11 +139995,11 @@ index ca702c7..234a9c7 100644 \ No newline at end of file diff --git a/man/man8/samba_unconfined_script_selinux.8 b/man/man8/samba_unconfined_script_selinux.8 new file mode 100644 -index 0000000..293e93e +index 0000000..f51fa8e --- /dev/null +++ b/man/man8/samba_unconfined_script_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "samba_unconfined_script_selinux" "8" "12-11-01" "samba_unconfined_script" "SELinux Policy documentation for samba_unconfined_script" +@@ -0,0 +1,155 @@ ++.TH "samba_unconfined_script_selinux" "8" "13-01-16" "samba_unconfined_script" "SELinux Policy documentation for samba_unconfined_script" +.SH "NAME" +samba_unconfined_script_selinux \- Security Enhanced Linux Policy for the samba_unconfined_script processes +.SH "DESCRIPTION" 
@@ -80365,9 +140015,11 @@ index 0000000..293e93e + +.SH "ENTRYPOINTS" + -+The samba_unconfined_script_t SELinux type can be entered via the "shell_exec_t,samba_unconfined_script_exec_t" file types. The default entrypoint paths for the samba_unconfined_script_t domain are the following:" ++The samba_unconfined_script_t SELinux type can be entered via the \fBshell_exec_t, samba_unconfined_script_exec_t\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/lib/samba/scripts(/.*)? ++The default entrypoint paths for the samba_unconfined_script_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /var/lib/samba/scripts(/.*)? +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -80383,8 +140035,60 @@ index 0000000..293e93e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a samba_unconfined_script_t ++can be used to make the process type samba_unconfined_script_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. samba_unconfined_script policy is extremely flexible and has several booleans that allow you to manipulate the policy and run samba_unconfined_script with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P samba_run_unconfined 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -80394,7 +140098,20 @@ index 0000000..293e93e +Policy governs the access confined processes have to these files. +SELinux samba_unconfined_script policy is very flexible allowing users to setup their samba_unconfined_script processes in as secure a method as possible. +.PP -+The following file types are defined for samba_unconfined_script: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the samba_unconfined_script, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t samba_unconfined_script_exec_t '/srv/samba_unconfined_script/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysamba_unconfined_script_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for samba_unconfined_script: + + +.EX @@ -80412,8 +140129,6 @@ index 0000000..293e93e +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -80424,6 +140139,9 @@ index 0000000..293e93e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -80435,15 +140153,15 @@ index 0000000..293e93e + +.SH "SEE ALSO" +selinux(8), samba_unconfined_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, samba_net_selinux(8), sambagui_selinux(8) ++, setsebool(8), samba_net_selinux(8), sambagui_selinux(8) \ No newline at end of file 
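Review bot: The deny_ptrace entry in the rwho_selinux.8 hunk at @@ -80000,8 +139444,125 is inverted. It reads "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" and then shows `setsebool -P deny_ptrace 1`, but a boolean called deny_ptrace set to 1 denies ptrace; the sentence should say that turning it on forbids debugging and ptrace of other processes, and that `setsebool -P deny_ptrace 0` is what restores it. The identical sentence appears in the samba_net, samba_unconfined_script, sambagui and sandbox_* pages in this patch, so the fix belongs in the `sepolicy manpage` template rather than in each generated file. Two more things in the same hunk: the PORT TYPES block opens one `.EX` but closes with two `.EE` lines (one after `.TP 10`, another after `udp 513`), and the new MANAGED FILES list says rwho_t can manage root_t (`/`, `/initrd`) while the rwho_log_t entry (`/var/log/rwhod(/.*)?`) that the old page carried, and that the @@ -80053,47 +139627,6 hunk removes, is gone. Please confirm against the rwho module that this is a real policy change and not a generator artifact before shipping a page that advertises management of `/` to rwhod.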
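Review bot: The STANDARD FILE CONTEXT example in the rwho_selinux.8 hunk at @@ -80011,7 +139572,20 labels a content directory with the domain's entrypoint type: `semanage fcontext -a -t rwho_exec_t '/srv/rwho/content(/.*)?'`. Anything dropped under that path then becomes an executable entry point into rwho_t, which is the opposite of what an example about storing files "in a different path" should teach; a data type such as rwho_spool_t is the right illustration. The restorecon line also relabels a different path (`restorecon -R -v /srv/myrwho_content`) than the one just registered, so copying the two commands verbatim changes no labels. The same paragraph has "diffent" and "sepecify". All of this is template output: the samba_net, samba_unconfined_script and sambagui pages repeat it with their own _exec_t type, so fix the template.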
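Review bot: In the samba_net_selinux.8 FILE CONTEXTS hunk at @@ -80241,21 +139857,52 the added line `You can see the context of a file using the \fB\-Z\fP option to \fBls\bP` uses `\b` where `\fP` is meant; `\b` is groff's bracket-building escape, not a font change, so the page renders junk after "ls" instead of returning to the previous font. The same `\fBps\bP` is in the PROCESS TYPES text of the new sandbox_min_client and sandbox_min pages. In the BOOLEANS hunk at @@ -80158,42 +139698,116, "rather then using a sssd server" should read "rather than", and authlogin_nsswitch_use_ldap and kerberos_enabled are documented twice with near-identical wording, once under BOOLEANS and again under NSSWITCH DOMAIN; a cross-reference from one section to the other would be enough.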
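Review bot: The ENTRYPOINTS hunk of samba_unconfined_script_selinux.8 at @@ -80365,9 +140015,11 lists every shell_exec_t binary on the box, including /sbin/nologin, /usr/sbin/smrsh, /usr/bin/scponly and git-shell, as entry points into an unconfined domain, with no hint that the transition is controlled. The BOOLEANS section of the same page says "If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean. Disabled by default." A reader landing on ENTRYPOINTS should see that cross-reference there; otherwise the list reads as an always-on escape from the smbd confinement.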
diff --git a/man/man8/sambagui_selinux.8 b/man/man8/sambagui_selinux.8 new file mode 100644 -index 0000000..3c17297 +index 0000000..46062f2 --- /dev/null +++ b/man/man8/sambagui_selinux.8 -@@ -0,0 +1,128 @@ -+.TH "sambagui_selinux" "8" "12-11-01" "sambagui" "SELinux Policy documentation for sambagui" +@@ -0,0 +1,225 @@ ++.TH "sambagui_selinux" "8" "13-01-16" "sambagui" "SELinux Policy documentation for sambagui" +.SH "NAME" +sambagui_selinux \- Security Enhanced Linux Policy for the sambagui processes +.SH "DESCRIPTION" @@ -80459,9 +140177,11 @@ index 0000000..3c17297 + +.SH "ENTRYPOINTS" + -+The sambagui_t SELinux type can be entered via the "sambagui_exec_t" file type. The default entrypoint paths for the sambagui_t domain are the following:" ++The sambagui_t SELinux type can be entered via the \fBsambagui_exec_t\fP file type. + -+/usr/share/system-config-samba/system-config-samba-mechanism.py ++The default entrypoint paths for the sambagui_t domain are the following: ++ ++/usr/share/system-config-samba/system-config-samba-mechanism\.py +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -80477,8 +140197,130 @@ index 0000000..3c17297 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sambagui_t ++can be used to make the process type sambagui_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sambagui policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sambagui with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sambagui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sambagui_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sambagui_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B samba_etc_t ++ ++ /etc/samba(/.*)? ++.br ++ ++.br ++.B samba_var_t ++ ++ /var/nmbd(/.*)? ++.br ++ /var/lib/samba(/.*)? ++.br ++ /var/cache/samba(/.*)? ++.br ++ /var/spool/samba(/.*)? ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -80488,7 +140330,20 @@ index 0000000..3c17297 +Policy governs the access confined processes have to these files. +SELinux sambagui policy is very flexible allowing users to setup their sambagui processes in as secure a method as possible. +.PP -+The following file types are defined for sambagui: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sambagui, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sambagui_exec_t '/srv/sambagui/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysambagui_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sambagui: + + +.EX 
@@ -80506,50 +140361,6 @@ index 0000000..3c17297 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type sambagui_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B samba_etc_t -+ -+ /etc/samba(/.*)? -+.br -+ -+.br -+.B samba_var_t -+ -+ /var/lib/samba(/.*)? -+.br -+ /var/cache/samba(/.*)? -+.br -+ /var/spool/samba(/.*)? -+.br -+ -+.br -+.B systemd_passwd_var_run_t -+ -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sambagui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the sambagui_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -80560,6 +140371,9 @@ index 0000000..3c17297 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -80571,13 +140385,921 @@ index 0000000..3c17297 + +.SH "SEE ALSO" +selinux(8), sambagui(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/sandbox_min_client_selinux.8 b/man/man8/sandbox_min_client_selinux.8 +new file mode 100644 +index 0000000..cd7f3c5 +--- /dev/null ++++ b/man/man8/sandbox_min_client_selinux.8 +@@ -0,0 +1,180 @@ ++.TH "sandbox_min_client_selinux" "8" "13-01-16" "sandbox_min_client" "SELinux Policy documentation for sandbox_min_client" ++.SH "NAME" ++sandbox_min_client_selinux \- Security Enhanced Linux Policy for the sandbox_min_client processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sandbox_min_client processes via flexible mandatory access control. ++ ++The sandbox_min_client processes execute with the sandbox_min_client_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sandbox_min_client_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sandbox_min_client_t SELinux type can be entered via the \fBsandbox_exec_t, file_type\fP file types. ++ ++The default entrypoint paths for the sandbox_min_client_t domain are the following: ++ ++/usr/share/sandbox/start, all files on the system ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sandbox_min_client policy is very flexible allowing users to setup their sandbox_min_client processes in as secure a method as possible. ++.PP ++The following process types are defined for sandbox_min_client: ++ ++.EX ++.B sandbox_min_client_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sandbox_min_client_t ++can be used to make the process type sandbox_min_client_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sandbox_min_client policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox_min_client with the tightest access possible. ++ ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sandbox_min_client_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_min_client_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B tmpfs_t ++ ++ /dev/shm ++.br ++ /lib/udev/devices/shm ++.br ++ /usr/lib/udev/devices/shm ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), sandbox_min_client(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sandbox_selinux(8), sandbox_selinux(8), sandbox_min_selinux(8), sandbox_min_selinux(8), sandbox_net_selinux(8), sandbox_net_client_selinux(8), sandbox_web_selinux(8), sandbox_web_client_selinux(8), sandbox_x_selinux(8), sandbox_x_client_selinux(8), sandbox_xserver_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sandbox_min_selinux.8 b/man/man8/sandbox_min_selinux.8 +new file mode 100644 +index 0000000..f9b777f +--- /dev/null ++++ b/man/man8/sandbox_min_selinux.8 +@@ -0,0 +1,228 @@ ++.TH "sandbox_min_selinux" "8" "13-01-16" "sandbox_min" "SELinux Policy documentation for sandbox_min" ++.SH "NAME" ++sandbox_min_selinux \- Security Enhanced Linux Policy for the sandbox_min processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sandbox_min processes via flexible mandatory access control. ++ ++The sandbox_min processes execute with the sandbox_min_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sandbox_min_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sandbox_min_t SELinux type can be entered via the \fBfile_type\fP file type. ++ ++The default entrypoint paths for the sandbox_min_t domain are the following: ++ ++all files on the system ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sandbox_min policy is very flexible allowing users to setup their sandbox_min processes in as secure a method as possible. 
++.PP ++The following process types are defined for sandbox_min: ++ ++.EX ++.B sandbox_min_t, sandbox_min_client_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sandbox_min_t ++can be used to make the process type sandbox_min_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sandbox_min policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox_min with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sandbox_min_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sandbox_min_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sandbox_min_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_min_client_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B tmpfs_t ++ ++ /dev/shm ++.br ++ /lib/udev/devices/shm ++.br ++ /usr/lib/udev/devices/shm ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sandbox_min(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sandbox_selinux(8), sandbox_selinux(8), sandbox_min_client_selinux(8), sandbox_net_selinux(8), sandbox_net_client_selinux(8), sandbox_web_selinux(8), sandbox_web_client_selinux(8), sandbox_x_selinux(8), sandbox_x_client_selinux(8), sandbox_xserver_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sandbox_net_client_selinux.8 b/man/man8/sandbox_net_client_selinux.8 +new file mode 100644 +index 0000000..8602f7a +--- /dev/null ++++ b/man/man8/sandbox_net_client_selinux.8 +@@ -0,0 +1,242 @@ ++.TH "sandbox_net_client_selinux" "8" "13-01-16" "sandbox_net_client" "SELinux Policy documentation for sandbox_net_client" ++.SH "NAME" ++sandbox_net_client_selinux \- Security Enhanced Linux Policy for the sandbox_net_client processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sandbox_net_client processes via flexible mandatory access control. 
++ ++The sandbox_net_client processes execute with the sandbox_net_client_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sandbox_net_client_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sandbox_net_client_t SELinux type can be entered via the \fBsandbox_exec_t, file_type\fP file types. ++ ++The default entrypoint paths for the sandbox_net_client_t domain are the following: ++ ++/usr/share/sandbox/start, all files on the system ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sandbox_net_client policy is very flexible allowing users to setup their sandbox_net_client processes in as secure a method as possible. ++.PP ++The following process types are defined for sandbox_net_client: ++ ++.EX ++.B sandbox_net_client_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sandbox_net_client_t ++can be used to make the process type sandbox_net_client_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sandbox_net_client policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox_net_client with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sandbox_net_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sandbox_net_client_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sandbox_net_client_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B mozilla_plugin_rw_t ++ ++ /usr/lib/mozilla/plugins-wrapped(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_net_client_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B tmpfs_t ++ ++ /dev/shm ++.br ++ /lib/udev/devices/shm ++.br ++ /usr/lib/udev/devices/shm ++.br ++ ++.br ++.B user_tmpfs_t ++ ++ /dev/shm/mono.* ++.br ++ /dev/shm/pulse-shm.* ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. 
++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sandbox_net_client(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sandbox_selinux(8), sandbox_selinux(8), sandbox_min_selinux(8), sandbox_min_client_selinux(8), sandbox_net_selinux(8), sandbox_net_selinux(8), sandbox_web_selinux(8), sandbox_web_client_selinux(8), sandbox_x_selinux(8), sandbox_x_client_selinux(8), sandbox_xserver_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sandbox_net_selinux.8 b/man/man8/sandbox_net_selinux.8 +new file mode 100644 +index 0000000..ab91992 +--- /dev/null ++++ b/man/man8/sandbox_net_selinux.8 +@@ -0,0 +1,228 @@ ++.TH "sandbox_net_selinux" "8" "13-01-16" "sandbox_net" "SELinux Policy documentation for sandbox_net" ++.SH "NAME" ++sandbox_net_selinux \- Security Enhanced Linux Policy for the sandbox_net processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sandbox_net processes via flexible mandatory access control. ++ ++The sandbox_net processes execute with the sandbox_net_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sandbox_net_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sandbox_net_t SELinux type can be entered via the \fBfile_type\fP file type. ++ ++The default entrypoint paths for the sandbox_net_t domain are the following: ++ ++all files on the system ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. 
++SELinux sandbox_net policy is very flexible allowing users to setup their sandbox_net processes in as secure a method as possible. ++.PP ++The following process types are defined for sandbox_net: ++ ++.EX ++.B sandbox_net_client_t, sandbox_net_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sandbox_net_t ++can be used to make the process type sandbox_net_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sandbox_net policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox_net with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sandbox_net_client_t, sandbox_net_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sandbox_net_client_t, sandbox_net_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sandbox_net_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_net_client_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B tmpfs_t ++ ++ /dev/shm ++.br ++ /lib/udev/devices/shm ++.br ++ /usr/lib/udev/devices/shm ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sandbox_net(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sandbox_selinux(8), sandbox_selinux(8), sandbox_min_selinux(8), sandbox_min_client_selinux(8), sandbox_net_client_selinux(8), sandbox_web_selinux(8), sandbox_web_client_selinux(8), sandbox_x_selinux(8), sandbox_x_client_selinux(8), sandbox_xserver_selinux(8) +\ No newline at end of file diff --git a/man/man8/sandbox_selinux.8 b/man/man8/sandbox_selinux.8 new file mode 100644 -index 0000000..ee32f27 +index 0000000..461767f --- /dev/null 
+++ b/man/man8/sandbox_selinux.8 -@@ -0,0 +1,192 @@ -+.TH "sandbox_selinux" "8" "12-11-01" "sandbox" "SELinux Policy documentation for sandbox" +@@ -0,0 +1,241 @@ ++.TH "sandbox_selinux" "8" "13-01-16" "sandbox" "SELinux Policy documentation for sandbox" +.SH "NAME" +sandbox_selinux \- Security Enhanced Linux Policy for the sandbox processes +.SH "DESCRIPTION" @@ -80593,7 +141315,9 @@ index 0000000..ee32f27 + +.SH "ENTRYPOINTS" + -+The sandbox_t SELinux type can be entered via the "file_type" file type. The default entrypoint paths for the sandbox_t domain are the following:" ++The sandbox_t SELinux type can be entered via the \fBfile_type\fP file type. ++ ++The default entrypoint paths for the sandbox_t domain are the following: + +all files on the system +.SH PROCESS TYPES 
@@ -80611,27 +141335,91 @@ index 0000000..ee32f27 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sandbox_t ++can be used to make the process type sandbox_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. sandbox policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox with the tightest access possible. + + +.PP -+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean. ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. + +.EX -+.B setsebool -P unconfined_chrome_sandbox_transition 1 ++.B setsebool -P deny_execmem 1 ++ +.EE + +.PP -+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P unconfined_chrome_sandbox_transition 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sandbox_min_t, sandbox_net_t, sandbox_web_client_t, sandbox_xserver_t, sandbox_web_t, sandbox_x_client_t, sandbox_x_t, sandbox_net_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sandbox_min_t, sandbox_net_t, sandbox_web_client_t, sandbox_xserver_t, sandbox_web_t, sandbox_x_client_t, sandbox_x_t, sandbox_net_client_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sandbox_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_tmpfs_type ++ ++ all sandbox content in tmpfs file systems ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -80640,7 +141428,20 @@ index 0000000..ee32f27 +Policy governs the access confined processes have to these files. +SELinux sandbox policy is very flexible allowing users to setup their sandbox processes in as secure a method as possible. +.PP -+The following file types are defined for sandbox: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sandbox, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sandbox_devpts_t '/srv/sandbox/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysandbox_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sandbox: + + +.EX 
@@ -80714,36 +141515,6 @@ index 0000000..ee32f27 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type sandbox_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B sandbox_file_t -+ -+ -+.br -+.B sandbox_tmpfs_type -+ -+ all sandbox content in tmpfs file systems -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sandbox_min_t, sandbox_net_t, sandbox_web_client_t, sandbox_xserver_t, sandbox_web_t, sandbox_x_client_t, sandbox_x_t, sandbox_net_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the sandbox_min_t, sandbox_net_t, sandbox_web_client_t, sandbox_xserver_t, sandbox_web_t, sandbox_x_client_t, sandbox_x_t, sandbox_net_client_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -80768,15 +141539,1244 @@ index 0000000..ee32f27 + +.SH "SEE ALSO" +selinux(8), sandbox(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8) ++, setsebool(8), sandbox_min_selinux(8), sandbox_min_client_selinux(8), sandbox_net_selinux(8), sandbox_net_client_selinux(8), sandbox_web_selinux(8), sandbox_web_client_selinux(8), sandbox_x_selinux(8), sandbox_x_client_selinux(8), sandbox_xserver_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sandbox_web_client_selinux.8 b/man/man8/sandbox_web_client_selinux.8 +new file mode 100644 +index 0000000..eaa7961 +--- /dev/null ++++ b/man/man8/sandbox_web_client_selinux.8 +@@ -0,0 +1,242 @@ ++.TH "sandbox_web_client_selinux" "8" "13-01-16" "sandbox_web_client" "SELinux Policy documentation for sandbox_web_client" ++.SH "NAME" ++sandbox_web_client_selinux \- Security Enhanced Linux Policy for the sandbox_web_client processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sandbox_web_client processes via flexible mandatory access control. ++ ++The sandbox_web_client processes execute with the sandbox_web_client_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sandbox_web_client_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sandbox_web_client_t SELinux type can be entered via the \fBsandbox_exec_t, file_type\fP file types. ++ ++The default entrypoint paths for the sandbox_web_client_t domain are the following: ++ ++/usr/share/sandbox/start, all files on the system ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sandbox_web_client policy is very flexible allowing users to setup their sandbox_web_client processes in as secure a method as possible. 
++.PP ++The following process types are defined for sandbox_web_client: ++ ++.EX ++.B sandbox_web_client_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sandbox_web_client_t ++can be used to make the process type sandbox_web_client_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sandbox_web_client policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox_web_client with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sandbox_web_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sandbox_web_client_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sandbox_web_client_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B mozilla_plugin_rw_t ++ ++ /usr/lib/mozilla/plugins-wrapped(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_web_client_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B tmpfs_t ++ ++ /dev/shm ++.br ++ /lib/udev/devices/shm ++.br ++ /usr/lib/udev/devices/shm ++.br ++ ++.br ++.B user_tmpfs_t ++ ++ /dev/shm/mono.* ++.br ++ /dev/shm/pulse-shm.* ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), sandbox_web_client(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sandbox_selinux(8), sandbox_selinux(8), sandbox_min_selinux(8), sandbox_min_client_selinux(8), sandbox_net_selinux(8), sandbox_net_client_selinux(8), sandbox_web_selinux(8), sandbox_web_selinux(8), sandbox_x_selinux(8), sandbox_x_client_selinux(8), sandbox_xserver_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sandbox_web_selinux.8 b/man/man8/sandbox_web_selinux.8 +new file mode 100644 +index 0000000..78bd2ba +--- /dev/null ++++ b/man/man8/sandbox_web_selinux.8 +@@ -0,0 +1,228 @@ ++.TH "sandbox_web_selinux" "8" "13-01-16" "sandbox_web" "SELinux Policy documentation for sandbox_web" ++.SH "NAME" ++sandbox_web_selinux \- Security Enhanced Linux Policy for the sandbox_web processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sandbox_web processes via flexible mandatory access control. ++ ++The sandbox_web processes execute with the sandbox_web_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sandbox_web_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sandbox_web_t SELinux type can be entered via the \fBfile_type\fP file type. ++ ++The default entrypoint paths for the sandbox_web_t domain are the following: ++ ++all files on the system ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sandbox_web policy is very flexible allowing users to setup their sandbox_web processes in as secure a method as possible. 
++.PP ++The following process types are defined for sandbox_web: ++ ++.EX ++.B sandbox_web_client_t, sandbox_web_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sandbox_web_t ++can be used to make the process type sandbox_web_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sandbox_web policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox_web with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sandbox_web_client_t, sandbox_web_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sandbox_web_client_t, sandbox_web_t, you must turn on the kerberos_enabled boolean. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sandbox_web_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_web_client_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B tmpfs_t ++ ++ /dev/shm ++.br ++ /lib/udev/devices/shm ++.br ++ /usr/lib/udev/devices/shm ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), sandbox_web(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sandbox_selinux(8), sandbox_selinux(8), sandbox_min_selinux(8), sandbox_min_client_selinux(8), sandbox_net_selinux(8), sandbox_net_client_selinux(8), sandbox_web_client_selinux(8), sandbox_x_selinux(8), sandbox_x_client_selinux(8), sandbox_xserver_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sandbox_x_client_selinux.8 b/man/man8/sandbox_x_client_selinux.8 +new file mode 100644 +index 0000000..8e8b698 +--- /dev/null ++++ b/man/man8/sandbox_x_client_selinux.8 +@@ -0,0 +1,228 @@ ++.TH "sandbox_x_client_selinux" "8" "13-01-16" "sandbox_x_client" "SELinux Policy documentation for sandbox_x_client" ++.SH "NAME" ++sandbox_x_client_selinux \- Security Enhanced Linux Policy for the sandbox_x_client processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sandbox_x_client processes via flexible mandatory access control. ++ ++The sandbox_x_client processes execute with the sandbox_x_client_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sandbox_x_client_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sandbox_x_client_t SELinux type can be entered via the \fBsandbox_exec_t, file_type\fP file types. ++ ++The default entrypoint paths for the sandbox_x_client_t domain are the following: ++ ++/usr/share/sandbox/start, all files on the system ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sandbox_x_client policy is very flexible allowing users to setup their sandbox_x_client processes in as secure a method as possible. 
++.PP ++The following process types are defined for sandbox_x_client: ++ ++.EX ++.B sandbox_x_client_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sandbox_x_client_t ++can be used to make the process type sandbox_x_client_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sandbox_x_client policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox_x_client with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sandbox_x_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sandbox_x_client_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sandbox_x_client_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_x_client_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B tmpfs_t ++ ++ /dev/shm ++.br ++ /lib/udev/devices/shm ++.br ++ /usr/lib/udev/devices/shm ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sandbox_x_client(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sandbox_selinux(8), sandbox_selinux(8), sandbox_min_selinux(8), sandbox_min_client_selinux(8), sandbox_net_selinux(8), sandbox_net_client_selinux(8), sandbox_web_selinux(8), sandbox_web_client_selinux(8), sandbox_x_selinux(8), sandbox_x_selinux(8), sandbox_xserver_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sandbox_x_selinux.8 b/man/man8/sandbox_x_selinux.8 +new file mode 100644 +index 0000000..6815372 +--- /dev/null ++++ b/man/man8/sandbox_x_selinux.8 +@@ -0,0 +1,228 @@ ++.TH "sandbox_x_selinux" "8" "13-01-16" "sandbox_x" "SELinux Policy documentation for sandbox_x" ++.SH "NAME" ++sandbox_x_selinux \- Security Enhanced Linux Policy for the sandbox_x processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sandbox_x processes via flexible mandatory access control. 
++ ++The sandbox_x processes execute with the sandbox_x_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sandbox_x_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sandbox_x_t SELinux type can be entered via the \fBfile_type\fP file type. ++ ++The default entrypoint paths for the sandbox_x_t domain are the following: ++ ++all files on the system ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sandbox_x policy is very flexible allowing users to setup their sandbox_x processes in as secure a method as possible. ++.PP ++The following process types are defined for sandbox_x: ++ ++.EX ++.B sandbox_x_client_t, sandbox_xserver_t, sandbox_x_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sandbox_x_t ++can be used to make the process type sandbox_x_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sandbox_x policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox_x with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sandbox_xserver_t, sandbox_x_t, sandbox_x_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sandbox_xserver_t, sandbox_x_t, sandbox_x_client_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sandbox_x_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_x_client_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B tmpfs_t ++ ++ /dev/shm ++.br ++ /lib/udev/devices/shm ++.br ++ /usr/lib/udev/devices/shm ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), sandbox_x(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sandbox_selinux(8), sandbox_selinux(8), sandbox_min_selinux(8), sandbox_min_client_selinux(8), sandbox_net_selinux(8), sandbox_net_client_selinux(8), sandbox_web_selinux(8), sandbox_web_client_selinux(8), sandbox_x_client_selinux(8), sandbox_xserver_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sandbox_xserver_selinux.8 b/man/man8/sandbox_xserver_selinux.8 +new file mode 100644 +index 0000000..dd736d2 +--- /dev/null ++++ b/man/man8/sandbox_xserver_selinux.8 +@@ -0,0 +1,268 @@ ++.TH "sandbox_xserver_selinux" "8" "13-01-16" "sandbox_xserver" "SELinux Policy documentation for sandbox_xserver" ++.SH "NAME" ++sandbox_xserver_selinux \- Security Enhanced Linux Policy for the sandbox_xserver processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sandbox_xserver processes via flexible mandatory access control. ++ ++The sandbox_xserver processes execute with the sandbox_xserver_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sandbox_xserver_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sandbox_xserver_t SELinux type can be entered via the \fBxserver_exec_t\fP file type. ++ ++The default entrypoint paths for the sandbox_xserver_t domain are the following: ++ ++/usr/bin/Xair, /usr/bin/Xorg, /usr/bin/Xvnc, /usr/bin/Xephyr, /usr/X11R6/bin/X, /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/X11R6/bin/XFree86, /usr/X11R6/bin/Xwrapper ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sandbox_xserver policy is very flexible allowing users to setup their sandbox_xserver processes in as secure a method as possible. 
++.PP ++The following process types are defined for sandbox_xserver: ++ ++.EX ++.B sandbox_xserver_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sandbox_xserver_t ++can be used to make the process type sandbox_xserver_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sandbox_xserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox_xserver with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sandbox_xserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sandbox_xserver_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sandbox_xserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_xserver_tmpfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B user_fonts_cache_t ++ ++ /root/\.fontconfig(/.*)? ++.br ++ /root/\.fonts/auto(/.*)? ++.br ++ /root/\.fonts\.cache-.* ++.br ++ /home/[^/]*/\.fontconfig(/.*)? ++.br ++ /home/[^/]*/\.fonts/auto(/.*)? ++.br ++ /home/[^/]*/\.fonts\.cache-.* ++.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br ++ /home/dwalsh/\.fontconfig(/.*)? ++.br ++ /home/dwalsh/\.fonts/auto(/.*)? ++.br ++ /home/dwalsh/\.fonts\.cache-.* ++.br ++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts\.cache-.* ++.br ++ ++.br ++.B xserver_tmpfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. 
++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sandbox_xserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sandbox_selinux(8), sandbox_selinux(8), sandbox_min_selinux(8), sandbox_min_client_selinux(8), sandbox_net_selinux(8), sandbox_net_client_selinux(8), sandbox_web_selinux(8), sandbox_web_client_selinux(8), sandbox_x_selinux(8), sandbox_x_selinux(8), sandbox_x_client_selinux(8) \ No newline at end of file diff --git a/man/man8/sanlock_selinux.8 b/man/man8/sanlock_selinux.8 new file mode 100644 -index 0000000..91bbc31 +index 0000000..5cdf4fd --- /dev/null +++ b/man/man8/sanlock_selinux.8 -@@ -0,0 +1,220 @@ -+.TH "sanlock_selinux" "8" "12-11-01" "sanlock" "SELinux Policy documentation for sanlock" +@@ -0,0 +1,319 @@ ++.TH "sanlock_selinux" "8" "13-01-16" "sanlock" "SELinux Policy documentation for sanlock" +.SH "NAME" +sanlock_selinux \- Security Enhanced Linux Policy for the sanlock processes +.SH "DESCRIPTION" @@ -80792,7 +142792,9 @@ index 0000000..91bbc31 + +.SH "ENTRYPOINTS" + -+The sanlock_t SELinux type can be entered via the "sanlock_exec_t" file type. The default entrypoint paths for the sanlock_t domain are the following:" ++The sanlock_t SELinux type can be entered via the \fBsanlock_exec_t\fP file type. ++ ++The default entrypoint paths for the sanlock_t domain are the following: + +/usr/sbin/sanlock +.SH PROCESS TYPES 
@@ -80810,69 +142812,193 @@ index 0000000..91bbc31 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sanlock_t ++can be used to make the process type sanlock_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. sanlock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sanlock with the tightest access possible. + + +.PP -+If you want to allow sanlock to read/write fuse files, you must turn on the sanlock_use_fusefs boolean. ++If you want to allow sanlock to read/write fuse files, you must turn on the sanlock_use_fusefs boolean. Disabled by default. + +.EX +.B setsebool -P sanlock_use_fusefs 1 ++ +.EE + +.PP -+If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean. -+ -+.EX -+.B setsebool -P sanlock_use_samba 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean. -+ -+.EX -+.B setsebool -P virt_use_sanlock 1 -+.EE -+ -+.PP -+If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean. ++If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean. Disabled by default. + +.EX +.B setsebool -P sanlock_use_nfs 1 ++ +.EE + +.PP -+If you want to allow sanlock to read/write fuse files, you must turn on the sanlock_use_fusefs boolean. -+ -+.EX -+.B setsebool -P sanlock_use_fusefs 1 -+.EE -+ -+.PP -+If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean. ++If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean. 
Disabled by default. + +.EX +.B setsebool -P sanlock_use_samba 1 ++ +.EE + +.PP -+If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P virt_use_sanlock 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow sanlock to manage nfs files, you must turn on the sanlock_use_nfs boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P sanlock_use_nfs 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sanlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sanlock_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sanlock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sanlock_log_t ++ ++ /var/log/sanlock\.log.* ++.br ++ ++.br ++.B sanlock_var_run_t ++ ++ /var/run/sanlock(/.*)? ++.br ++ ++.br ++.B virt_var_lib_t ++ ++ /var/lib/oz(/.*)? ++.br ++ /var/lib/libvirt(/.*)? ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -80881,7 +143007,20 @@ index 0000000..91bbc31 +Policy governs the access confined processes have to these files. +SELinux sanlock policy is very flexible allowing users to setup their sanlock processes in as secure a method as possible. +.PP -+The following file types are defined for sanlock: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sanlock, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sanlock_exec_t '/srv/sanlock/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysanlock_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sanlock: + + +.EX @@ -80921,7 +143060,7 @@ index 0000000..91bbc31 +.B sanlock_var_run_t +.EE + -+- Set files with the sanlock_var_run_t type, if you want to store the sanlock files under the /run directory. ++- Set files with the sanlock_var_run_t type, if you want to store the sanlock files under the /run or /var/run directory. + + +.PP 
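Review bot: the STANDARD FILE CONTEXT example in the first hunk here is inconsistent and labels content with the wrong kind of type: it maps '/srv/sanlock/content(/.*)?' to sanlock_exec_t but then runs restorecon on /srv/mysanlock_content, so the relabel never touches the path that was mapped, and sanlock_exec_t is the entrypoint type for the sanlock_t domain, so labeling a tree of content with it turns every file in it into a valid entrypoint into the confined domain. Use one path in both commands and a non-executable file type from the list this page defines for sanlock. The typos "diffent" and "sepecify" sit in the same generated sentence. The identical template appears in the saslauthd, sblim_gatherd and sblim_reposd hunks below, so the fix belongs in sepolicy manpage rather than in these files.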
@@ -80931,46 +143070,6 @@ index 0000000..91bbc31 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type sanlock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B sanlock_log_t -+ -+ /var/log/sanlock\.log.* -+.br -+ -+.br -+.B sanlock_var_run_t -+ -+ /var/run/sanlock(/.*)? -+.br -+ -+.br -+.B virt_var_lib_t -+ -+ /var/lib/oz(/.*)? -+.br -+ /var/lib/libvirt(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sanlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the sanlock_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -80999,11 +143098,11 @@ index 0000000..91bbc31 \ No newline at end of file diff --git a/man/man8/saslauthd_selinux.8 b/man/man8/saslauthd_selinux.8 new file mode 100644 -index 0000000..da990ec +index 0000000..c4a87fc --- /dev/null +++ b/man/man8/saslauthd_selinux.8 -@@ -0,0 +1,220 @@ -+.TH "saslauthd_selinux" "8" "12-11-01" "saslauthd" "SELinux Policy documentation for saslauthd" +@@ -0,0 +1,323 @@ ++.TH "saslauthd_selinux" "8" "13-01-16" "saslauthd" "SELinux Policy documentation for saslauthd" +.SH "NAME" +saslauthd_selinux \- Security Enhanced Linux Policy for the saslauthd processes +.SH "DESCRIPTION" 
@@ -81019,7 +143118,9 @@ index 0000000..da990ec + +.SH "ENTRYPOINTS" + -+The saslauthd_t SELinux type can be entered via the "saslauthd_exec_t" file type. The default entrypoint paths for the saslauthd_t domain are the following:" ++The saslauthd_t SELinux type can be entered via the \fBsaslauthd_exec_t\fP file type. ++ ++The default entrypoint paths for the saslauthd_t domain are the following: + +/usr/sbin/saslauthd +.SH PROCESS TYPES 
@@ -81037,27 +143138,201 @@ index 0000000..da990ec +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a saslauthd_t ++can be used to make the process type saslauthd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. saslauthd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run saslauthd with the tightest access possible. + + +.PP -+If you want to allow sasl to read shadow, you must turn on the saslauthd_read_shadow boolean. ++If you want to allow sasl to read shadow, you must turn on the saslauthd_read_shadow boolean. Disabled by default. + +.EX +.B setsebool -P saslauthd_read_shadow 1 ++ +.EE + +.PP -+If you want to allow sasl to read shadow, you must turn on the saslauthd_read_shadow boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P saslauthd_read_shadow 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the saslauthd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the saslauthd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type saslauthd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B lastlog_t ++ ++ /var/log/lastlog.* ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B saslauthd_var_run_t ++ ++ /var/lib/sasl2(/.*)? ++.br ++ /var/run/saslauthd(/.*)? ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
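Review bot: the NSSWITCH DOMAIN section in this hunk repeats authlogin_nsswitch_use_ldap and kerberos_enabled, which the BOOLEANS section just above already documents with the same setsebool command, so both booleans appear twice on the page with near-identical text; the generator should emit each boolean once and have the NSSWITCH section point at it. Minor wording in the MANAGED FILES intro: "Note the processes UID still need to have DAC permissions" should be "the process's UID still needs to have DAC permissions".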
@@ -81066,7 +143341,20 @@ index 0000000..da990ec +Policy governs the access confined processes have to these files. +SELinux saslauthd policy is very flexible allowing users to setup their saslauthd processes in as secure a method as possible. +.PP -+The following file types are defined for saslauthd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the saslauthd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t saslauthd_exec_t '/srv/saslauthd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysaslauthd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for saslauthd: + + +.EX @@ -81098,8 +143386,12 @@ index 0000000..da990ec +.B saslauthd_var_run_t +.EE + -+- Set files with the saslauthd_var_run_t type, if you want to store the saslauthd files under the /run directory. ++- Set files with the saslauthd_var_run_t type, if you want to store the saslauthd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/sasl2(/.*)?, /var/run/saslauthd(/.*)? + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -81108,96 +143400,6 @@ index 0000000..da990ec +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type saslauthd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B faillog_t -+ -+ /var/log/btmp.* -+.br -+ /var/run/faillock(/.*)? -+.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B krb5_host_rcache_t -+ -+ /var/cache/krb5rcache(/.*)? -+.br -+ /var/tmp/nfs_0 -+.br -+ /var/tmp/DNS_25 -+.br -+ /var/tmp/host_0 -+.br -+ /var/tmp/imap_0 -+.br -+ /var/tmp/HTTP_23 -+.br -+ /var/tmp/HTTP_48 -+.br -+ /var/tmp/ldap_55 -+.br -+ /var/tmp/ldap_487 -+.br -+ /var/tmp/ldapmap1_0 -+.br -+ -+.br -+.B lastlog_t -+ -+ /var/log/lastlog -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br -+.B saslauthd_var_run_t -+ -+ /var/lib/sasl2(/.*)? -+.br -+ /var/run/saslauthd(/.*)? -+.br -+ -+.br -+.B security_t -+ -+ /selinux -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the saslauthd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the saslauthd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -81226,11 +143428,11 @@ index 0000000..da990ec \ No newline at end of file diff --git a/man/man8/sblim_gatherd_selinux.8 b/man/man8/sblim_gatherd_selinux.8 new file mode 100644 -index 0000000..85b84c9 +index 0000000..8ce781e --- /dev/null 
+++ b/man/man8/sblim_gatherd_selinux.8 -@@ -0,0 +1,97 @@ -+.TH "sblim_gatherd_selinux" "8" "12-11-01" "sblim_gatherd" "SELinux Policy documentation for sblim_gatherd" +@@ -0,0 +1,197 @@ ++.TH "sblim_gatherd_selinux" "8" "13-01-16" "sblim_gatherd" "SELinux Policy documentation for sblim_gatherd" +.SH "NAME" +sblim_gatherd_selinux \- Security Enhanced Linux Policy for the sblim_gatherd processes +.SH "DESCRIPTION" @@ -81246,7 +143448,9 @@ index 0000000..85b84c9 + +.SH "ENTRYPOINTS" + -+The sblim_gatherd_t SELinux type can be entered via the "sblim_gatherd_exec_t" file type. The default entrypoint paths for the sblim_gatherd_t domain are the following:" ++The sblim_gatherd_t SELinux type can be entered via the \fBsblim_gatherd_exec_t\fP file type. ++ ++The default entrypoint paths for the sblim_gatherd_t domain are the following: + +/usr/sbin/gatherd +.SH PROCESS TYPES 
@@ -81264,8 +143468,102 @@ index 0000000..85b84c9 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sblim_gatherd_t ++can be used to make the process type sblim_gatherd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sblim_gatherd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sblim_gatherd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sblim_gatherd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sblim_var_run_t ++ ++ /var/run/gather(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -81275,7 +143573,20 @@ index 0000000..85b84c9 +Policy governs the access confined processes have to these files. +SELinux sblim_gatherd policy is very flexible allowing users to setup their sblim_gatherd processes in as secure a method as possible. +.PP -+The following file types are defined for sblim_gatherd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sblim_gatherd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sblim_gatherd_exec_t '/srv/sblim_gatherd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysblim_gatherd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sblim_gatherd: + + +.EX @@ -81293,18 +143604,6 @@ index 0000000..85b84c9 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type sblim_gatherd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B sblim_var_run_t -+ -+ /var/run/gather(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -81315,6 +143614,9 @@ index 0000000..85b84c9 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -81326,15 +143628,15 @@ index 0000000..85b84c9 + +.SH "SEE ALSO" +selinux(8), sblim_gatherd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, sblim_reposd_selinux(8) ++, setsebool(8), sblim_reposd_selinux(8) \ No newline at end of file 
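Review bot: in the COMMANDS hunk, "can also be used to manipulate the booleans" lacks the terminating period that the neighbouring semanage entries have, and the new ".B semanage boolean" entry is not preceded by ".PP" like the others, so it renders differently. Separately, every regenerated page still ends with "\ No newline at end of file", which guarantees a noisy trailing-line diff on the next regeneration; have the generator emit a final newline.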
diff --git a/man/man8/sblim_reposd_selinux.8 b/man/man8/sblim_reposd_selinux.8 new file mode 100644 -index 0000000..10407e3 +index 0000000..6616465 --- /dev/null +++ b/man/man8/sblim_reposd_selinux.8 -@@ -0,0 +1,97 @@ -+.TH "sblim_reposd_selinux" "8" "12-11-01" "sblim_reposd" "SELinux Policy documentation for sblim_reposd" +@@ -0,0 +1,189 @@ ++.TH "sblim_reposd_selinux" "8" "13-01-16" "sblim_reposd" "SELinux Policy documentation for sblim_reposd" +.SH "NAME" +sblim_reposd_selinux \- Security Enhanced Linux Policy for the sblim_reposd processes +.SH "DESCRIPTION" @@ -81350,7 +143652,9 @@ index 0000000..10407e3 + +.SH "ENTRYPOINTS" + -+The sblim_reposd_t SELinux type can be entered via the "sblim_reposd_exec_t" file type. The default entrypoint paths for the sblim_reposd_t domain are the following:" ++The sblim_reposd_t SELinux type can be entered via the \fBsblim_reposd_exec_t\fP file type. ++ ++The default entrypoint paths for the sblim_reposd_t domain are the following: + +/usr/sbin/reposd +.SH PROCESS TYPES 
@@ -81368,8 +143672,94 @@ index 0000000..10407e3 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sblim_reposd_t ++can be used to make the process type sblim_reposd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sblim_reposd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sblim_reposd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sblim_reposd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sblim_var_run_t ++ ++ /var/run/gather(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -81379,7 +143769,20 @@ index 0000000..10407e3 +Policy governs the access confined processes have to these files. +SELinux sblim_reposd policy is very flexible allowing users to setup their sblim_reposd processes in as secure a method as possible. +.PP -+The following file types are defined for sblim_reposd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sblim_reposd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sblim_reposd_exec_t '/srv/sblim_reposd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysblim_reposd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sblim_reposd: + + +.EX 
@@ -81397,18 +143800,6 @@ index 0000000..10407e3 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type sblim_reposd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B sblim_var_run_t -+ -+ /var/run/gather(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -81419,6 +143810,9 @@ index 0000000..10407e3 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -81430,14 +143824,825 @@ index 0000000..10407e3 + +.SH "SEE ALSO" +selinux(8), sblim_reposd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, sblim_gatherd_selinux(8) ++, setsebool(8), sblim_gatherd_selinux(8) +\ No newline at end of file +diff --git a/man/man8/secadm_dbusd_selinux.8 b/man/man8/secadm_dbusd_selinux.8 +new file mode 100644 +index 0000000..a7aa418 +--- /dev/null ++++ b/man/man8/secadm_dbusd_selinux.8 +@@ -0,0 +1,254 @@ ++.TH "secadm_dbusd_selinux" "8" "13-01-16" "secadm_dbusd" "SELinux Policy documentation for secadm_dbusd" ++.SH "NAME" ++secadm_dbusd_selinux \- Security Enhanced Linux Policy for the secadm_dbusd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the secadm_dbusd processes via flexible mandatory access control. ++ ++The secadm_dbusd processes execute with the secadm_dbusd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep secadm_dbusd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The secadm_dbusd_t SELinux type can be entered via the \fBdbusd_exec_t\fP file type. ++ ++The default entrypoint paths for the secadm_dbusd_t domain are the following: ++ ++/usr/bin/dbus-daemon(-1)?, /bin/dbus-daemon, /lib/dbus-1/dbus-daemon-launch-helper, /usr/lib/dbus-1/dbus-daemon-launch-helper ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux secadm_dbusd policy is very flexible allowing users to setup their secadm_dbusd processes in as secure a method as possible. ++.PP ++The following process types are defined for secadm_dbusd: ++ ++.EX ++.B secadm_dbusd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a secadm_dbusd_t ++can be used to make the process type secadm_dbusd_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. secadm_dbusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run secadm_dbusd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the secadm_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the secadm_dbusd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type secadm_dbusd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? 
++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B session_dbusd_tmp_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmpfs_t ++ ++ /dev/shm/mono.* ++.br ++ /dev/shm/pulse-shm.* ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), secadm_dbusd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), secadm_selinux(8), secadm_selinux(8), secadm_gkeyringd_selinux(8), secadm_screen_selinux(8), secadm_seunshare_selinux(8), secadm_su_selinux(8), secadm_sudo_selinux(8), secadm_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/secadm_gkeyringd_selinux.8 b/man/man8/secadm_gkeyringd_selinux.8 +new file mode 100644 +index 0000000..f6ce705 +--- /dev/null ++++ b/man/man8/secadm_gkeyringd_selinux.8 +@@ -0,0 +1,314 @@ ++.TH "secadm_gkeyringd_selinux" "8" "13-01-16" "secadm_gkeyringd" "SELinux Policy documentation for secadm_gkeyringd" ++.SH "NAME" ++secadm_gkeyringd_selinux \- Security Enhanced Linux Policy for the secadm_gkeyringd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the secadm_gkeyringd processes via flexible mandatory access control. 
++ ++The secadm_gkeyringd processes execute with the secadm_gkeyringd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep secadm_gkeyringd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The secadm_gkeyringd_t SELinux type can be entered via the \fBgkeyringd_exec_t\fP file type. ++ ++The default entrypoint paths for the secadm_gkeyringd_t domain are the following: ++ ++/usr/bin/gnome-keyring-daemon ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux secadm_gkeyringd policy is very flexible allowing users to setup their secadm_gkeyringd processes in as secure a method as possible. ++.PP ++The following process types are defined for secadm_gkeyringd: ++ ++.EX ++.B secadm_gkeyringd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a secadm_gkeyringd_t ++can be used to make the process type secadm_gkeyringd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. secadm_gkeyringd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run secadm_gkeyringd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the secadm_gkeyringd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the secadm_gkeyringd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type secadm_gkeyringd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? ++.br ++ /home/[^/]*/\.nv(/.*)? ++.br ++ /home/[^/]*/\.cache(/.*)? ++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B config_home_t ++ ++ /root/\.kde(/.*)? ++.br ++ /root/\.xine(/.*)? ++.br ++ /root/\.config(/.*)? ++.br ++ /var/run/user/[^/]*/dconf(/.*)? ++.br ++ /root/\.Xdefaults ++.br ++ /home/[^/]*/\.kde(/.*)? ++.br ++ /home/[^/]*/\.xine(/.*)? ++.br ++ /home/[^/]*/\.config(/.*)? ++.br ++ /home/[^/]*/\.Xdefaults ++.br ++ /home/pwalsh/\.kde(/.*)? ++.br ++ /home/pwalsh/\.xine(/.*)? ++.br ++ /home/pwalsh/\.config(/.*)? ++.br ++ /home/pwalsh/\.Xdefaults ++.br ++ /home/dwalsh/\.kde(/.*)? ++.br ++ /home/dwalsh/\.xine(/.*)? ++.br ++ /home/dwalsh/\.config(/.*)? 
++.br ++ /home/dwalsh/\.Xdefaults ++.br ++ /var/lib/xguest/home/xguest/\.kde(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.xine(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Xdefaults ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B gkeyringd_gnome_home_t ++ ++ /root/\.gnome2/keyrings(/.*)? ++.br ++ /home/[^/]*/\.gnome2/keyrings(/.*)? ++.br ++ /home/[^/]*/\.local/share/keyrings(/.*)? ++.br ++ /home/pwalsh/\.gnome2/keyrings(/.*)? ++.br ++ /home/pwalsh/\.local/share/keyrings(/.*)? ++.br ++ /home/dwalsh/\.gnome2/keyrings(/.*)? ++.br ++ /home/dwalsh/\.local/share/keyrings(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.gnome2/keyrings(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.local/share/keyrings(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), secadm_gkeyringd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), secadm_selinux(8), secadm_selinux(8), secadm_dbusd_selinux(8), secadm_screen_selinux(8), secadm_seunshare_selinux(8), secadm_su_selinux(8), secadm_sudo_selinux(8), secadm_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/secadm_screen_selinux.8 b/man/man8/secadm_screen_selinux.8 +new file mode 100644 +index 0000000..fd0711b +--- /dev/null ++++ b/man/man8/secadm_screen_selinux.8 +@@ -0,0 +1,222 @@ ++.TH "secadm_screen_selinux" "8" "13-01-16" "secadm_screen" "SELinux Policy documentation for secadm_screen" ++.SH "NAME" ++secadm_screen_selinux \- Security Enhanced Linux Policy for the secadm_screen processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the secadm_screen processes via flexible mandatory access control. ++ ++The secadm_screen processes execute with the secadm_screen_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep secadm_screen_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The secadm_screen_t SELinux type can be entered via the \fBscreen_exec_t\fP file type. ++ ++The default entrypoint paths for the secadm_screen_t domain are the following: ++ ++/usr/bin/tmux, /usr/bin/screen ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux secadm_screen policy is very flexible allowing users to setup their secadm_screen processes in as secure a method as possible. ++.PP ++The following process types are defined for secadm_screen: ++ ++.EX ++.B secadm_screen_t ++.EE ++.PP ++Note: ++.B semanage permissive -a secadm_screen_t ++can be used to make the process type secadm_screen_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. secadm_screen policy is extremely flexible and has several booleans that allow you to manipulate the policy and run secadm_screen with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the secadm_screen_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the secadm_screen_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type secadm_screen_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? 
++.br ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B user_tmp_type ++ ++ all user tmp files ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), secadm_screen(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), secadm_selinux(8), secadm_selinux(8), secadm_dbusd_selinux(8), secadm_gkeyringd_selinux(8), secadm_seunshare_selinux(8), secadm_su_selinux(8), secadm_sudo_selinux(8), secadm_wine_selinux(8) \ No newline at end of file diff --git a/man/man8/secadm_selinux.8 b/man/man8/secadm_selinux.8 new file mode 100644 -index 0000000..bb8258d +index 0000000..df742aa --- /dev/null +++ b/man/man8/secadm_selinux.8 -@@ -0,0 +1,332 @@ +@@ -0,0 +1,592 @@ +.TH "secadm_selinux" "8" "secadm" "mgrepl@redhat.com" "secadm SELinux Policy documentation" +.SH "NAME" +secadm_r \- \fBSecurity administrator role\fP - Security Enhanced Linux Policy 
@@ -81489,6 +144694,242 @@ index 0000000..bb8258d +SELinux policy allows the sysadm_r, staff_r, auditadm_r roles can transition to the secadm_r role. + + ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. secadm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run secadm with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether calling user domains can execute Git daemon in the git_session_t domain, you must turn on the git_session_users boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P git_session_users 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean. Disabled by default. ++ ++.EX ++.B setsebool -P pppd_for_user 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Disabled by default. ++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_mysql_connect_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_postgresql_connect_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_rw_noexattrfile 1 ++ ++.EE ++ ++.PP ++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_tcp_server 1 ++ ++.EE ++ ++.PP ++If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_use_ssh_chroot 1 ++ ++.EE ++ ++.PP ++If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_user_share_music 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ +.SH "MANAGED FILES" + +The SELinux process type secadm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. @@ -81520,6 +144961,10 @@ index 0000000..bb8258d + + +.br ++.B cifs_t ++ ++ ++.br +.B default_context_t + + /etc/selinux/([^/]*/)?contexts(/.*)? @@ -81548,10 +144993,10 @@ index 0000000..bb8258d +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions 
@@ -81560,10 +145005,10 @@ index 0000000..bb8258d +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE @@ -81600,6 +145045,8 @@ index 0000000..bb8258d + + /home/[^/]*/\.gnupg/log-socket +.br ++ /home/pwalsh/\.gnupg/log-socket ++.br + /home/dwalsh/\.gnupg/log-socket +.br + /var/lib/xguest/home/xguest/\.gnupg/log-socket @@ -81642,6 +145089,10 @@ index 0000000..bb8258d +.br + /home/[^/]*/\.screenrc +.br ++ /home/pwalsh/\.screen(/.*)? ++.br ++ /home/pwalsh/\.screenrc ++.br + /home/dwalsh/\.screen(/.*)? +.br + /home/dwalsh/\.screenrc @@ -81708,6 +145159,12 @@ index 0000000..bb8258d +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? @@ -81749,6 +145206,10 @@ index 0000000..bb8258d + /tmp/\.X0-lock +.br + ++.br ++.B xserver_tmpfs_t ++ ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -81759,6 +145220,9 @@ index 0000000..bb8258d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -81770,13 +145234,1317 @@ index 0000000..bb8258d + +.SH "SEE ALSO" +selinux(8), secadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), secadm_dbusd_selinux(8), secadm_gkeyringd_selinux(8), secadm_screen_selinux(8), secadm_seunshare_selinux(8), secadm_su_selinux(8), secadm_sudo_selinux(8), secadm_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/secadm_seunshare_selinux.8 b/man/man8/secadm_seunshare_selinux.8 +new file mode 100644 +index 0000000..26138c3 +--- /dev/null ++++ b/man/man8/secadm_seunshare_selinux.8 +@@ -0,0 +1,202 @@ ++.TH "secadm_seunshare_selinux" "8" "13-01-16" "secadm_seunshare" "SELinux Policy documentation for secadm_seunshare" ++.SH "NAME" ++secadm_seunshare_selinux \- Security Enhanced Linux Policy for the secadm_seunshare processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the secadm_seunshare processes via flexible mandatory access control. ++ ++The secadm_seunshare processes execute with the secadm_seunshare_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep secadm_seunshare_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The secadm_seunshare_t SELinux type can be entered via the \fBseunshare_exec_t\fP file type. ++ ++The default entrypoint paths for the secadm_seunshare_t domain are the following: ++ ++/usr/sbin/seunshare ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux secadm_seunshare policy is very flexible allowing users to setup their secadm_seunshare processes in as secure a method as possible. 
++.PP ++The following process types are defined for secadm_seunshare: ++ ++.EX ++.B secadm_seunshare_t ++.EE ++.PP ++Note: ++.B semanage permissive -a secadm_seunshare_t ++can be used to make the process type secadm_seunshare_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. secadm_seunshare policy is extremely flexible and has several booleans that allow you to manipulate the policy and run secadm_seunshare with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the secadm_seunshare_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the secadm_seunshare_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type secadm_seunshare_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_tmpfs_type ++ ++ all sandbox content in tmpfs file systems ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), secadm_seunshare(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), secadm_selinux(8), secadm_selinux(8), secadm_dbusd_selinux(8), secadm_gkeyringd_selinux(8), secadm_screen_selinux(8), secadm_su_selinux(8), secadm_sudo_selinux(8), secadm_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/secadm_su_selinux.8 b/man/man8/secadm_su_selinux.8 +new file mode 100644 +index 0000000..da7aec4 +--- /dev/null ++++ b/man/man8/secadm_su_selinux.8 +@@ -0,0 +1,244 @@ ++.TH "secadm_su_selinux" "8" "13-01-16" "secadm_su" "SELinux Policy documentation for secadm_su" ++.SH "NAME" ++secadm_su_selinux \- Security Enhanced Linux Policy for the secadm_su processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the secadm_su processes via flexible mandatory access control. ++ ++The secadm_su processes execute with the secadm_su_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep secadm_su_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The secadm_su_t SELinux type can be entered via the \fBsu_exec_t\fP file type. 
++ ++The default entrypoint paths for the secadm_su_t domain are the following: ++ ++/usr/(local/)?bin/ksu, /bin/su, /usr/bin/su, /usr/bin/kdesu ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux secadm_su policy is very flexible allowing users to setup their secadm_su processes in as secure a method as possible. ++.PP ++The following process types are defined for secadm_su: ++ ++.EX ++.B secadm_su_t, secadm_sudo_t ++.EE ++.PP ++Note: ++.B semanage permissive -a secadm_su_t ++can be used to make the process type secadm_su_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. secadm_su policy is extremely flexible and has several booleans that allow you to manipulate the policy and run secadm_su with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to enable polyinstantiated directory support, you must turn on the polyinstantiation_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P polyinstantiation_enabled 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the secadm_su_t, secadm_sudo_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the secadm_su_t, secadm_sudo_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type secadm_su_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B lastlog_t ++ ++ /var/log/lastlog.* ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), secadm_su(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), secadm_selinux(8), secadm_selinux(8), secadm_dbusd_selinux(8), secadm_gkeyringd_selinux(8), secadm_screen_selinux(8), secadm_seunshare_selinux(8), secadm_sudo_selinux(8), secadm_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/secadm_sudo_selinux.8 b/man/man8/secadm_sudo_selinux.8 +new file mode 100644 +index 0000000..e029c08 +--- /dev/null ++++ b/man/man8/secadm_sudo_selinux.8 +@@ -0,0 +1,326 @@ ++.TH "secadm_sudo_selinux" "8" "13-01-16" "secadm_sudo" "SELinux Policy documentation for secadm_sudo" ++.SH "NAME" ++secadm_sudo_selinux \- Security Enhanced Linux Policy for the secadm_sudo processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the secadm_sudo processes via flexible mandatory access control. ++ ++The secadm_sudo processes execute with the secadm_sudo_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep secadm_sudo_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The secadm_sudo_t SELinux type can be entered via the \fBsudo_exec_t\fP file type. ++ ++The default entrypoint paths for the secadm_sudo_t domain are the following: ++ ++/usr/bin/sudo(edit)? ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux secadm_sudo policy is very flexible allowing users to setup their secadm_sudo processes in as secure a method as possible. ++.PP ++The following process types are defined for secadm_sudo: ++ ++.EX ++.B secadm_sudo_t ++.EE ++.PP ++Note: ++.B semanage permissive -a secadm_sudo_t ++can be used to make the process type secadm_sudo_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. secadm_sudo policy is extremely flexible and has several booleans that allow you to manipulate the policy and run secadm_sudo with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the secadm_sudo_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the secadm_sudo_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type secadm_sudo_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? 
++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B pam_var_run_t ++ ++ /var/(db|lib|adm)/sudo(/.*)? ++.br ++ /var/run/sudo(/.*)? ++.br ++ /var/run/sepermit(/.*)? ++.br ++ /var/run/pam_mount(/.*)? ++.br ++ ++.br ++.B secadm_sudo_tmp_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B sudo_db_t ++ ++ /var/db/sudo(/.*)? ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), secadm_sudo(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), secadm_selinux(8), secadm_selinux(8), secadm_dbusd_selinux(8), secadm_gkeyringd_selinux(8), secadm_screen_selinux(8), secadm_seunshare_selinux(8), secadm_su_selinux(8), secadm_su_selinux(8), secadm_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/secadm_wine_selinux.8 b/man/man8/secadm_wine_selinux.8 +new file mode 100644 +index 0000000..251920c +--- /dev/null ++++ b/man/man8/secadm_wine_selinux.8 +@@ -0,0 +1,502 @@ ++.TH "secadm_wine_selinux" "8" "13-01-16" "secadm_wine" "SELinux Policy documentation for secadm_wine" ++.SH "NAME" ++secadm_wine_selinux \- Security Enhanced Linux Policy for the secadm_wine processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the secadm_wine processes via flexible mandatory access control. ++ ++The secadm_wine processes execute with the secadm_wine_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep secadm_wine_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The secadm_wine_t SELinux type can be entered via the \fBuser_home_t, wine_exec_t, xsession_exec_t\fP file types. 
++ ++The default entrypoint paths for the secadm_wine_t domain are the following: ++ ++/home/[^/]*/.+, /home/pwalsh/.+, /home/dwalsh/.+, /var/lib/xguest/home/xguest/.+, /usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/msiexec, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/progman, /opt/google/picasa(/.*)?/bin/regedit, /opt/google/picasa(/.*)?/bin/regsvr32, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*, /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad, /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller, /home/[^/]*/cxoffice/bin/wine.+, /home/pwalsh/cxoffice/bin/wine.+, /home/dwalsh/cxoffice/bin/wine.+, /var/lib/xguest/home/xguest/cxoffice/bin/wine.+, /etc/gdm(3)?/Xsession, /etc/kde[34]?/kdm/Xreset, /etc/gdm(3)?/PreSession/.*, /etc/kde[34]?/kdm/Xstartup, /etc/kde[34]?/kdm/Xsession, /etc/gdm(3)?/PostSession/.*, /etc/X11/[wx]dm/Xreset.*, /etc/X11/[wxg]dm/Xsession, /etc/X11/Xsession[^/]*, /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.* ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux secadm_wine policy is very flexible allowing users to setup their secadm_wine processes in as secure a method as possible. ++.PP ++The following process types are defined for secadm_wine: ++ ++.EX ++.B secadm_wine_t ++.EE ++.PP ++Note: ++.B semanage permissive -a secadm_wine_t ++can be used to make the process type secadm_wine_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
secadm_wine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run secadm_wine with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Disabled by default. ++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_postgresql_connect_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_rw_noexattrfile 1 ++ ++.EE ++ ++.PP ++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_tcp_server 1 ++ ++.EE ++ ++.PP ++If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_user_share_music 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the secadm_wine_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the secadm_wine_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type secadm_wine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. 
Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B chrome_sandbox_tmpfs_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B games_data_t ++ ++ /var/games(/.*)? ++.br ++ /var/lib/games(/.*)? ++.br ++ ++.br ++.B gpg_agent_tmp_t ++ ++ /home/[^/]*/\.gnupg/log-socket ++.br ++ /home/pwalsh/\.gnupg/log-socket ++.br ++ /home/dwalsh/\.gnupg/log-socket ++.br ++ /var/lib/xguest/home/xguest/\.gnupg/log-socket ++.br ++ ++.br ++.B iceauth_home_t ++ ++ /root/\.DCOP.* ++.br ++ /root/\.ICEauthority.* ++.br ++ /home/[^/]*/\.DCOP.* ++.br ++ /home/[^/]*/\.ICEauthority.* ++.br ++ /home/pwalsh/\.DCOP.* ++.br ++ /home/pwalsh/\.ICEauthority.* ++.br ++ /home/dwalsh/\.DCOP.* ++.br ++ /home/dwalsh/\.ICEauthority.* ++.br ++ /var/lib/xguest/home/xguest/\.DCOP.* ++.br ++ /var/lib/xguest/home/xguest/\.ICEauthority.* ++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? ++.br ++ ++.br ++.B mqueue_spool_t ++ ++ /var/spool/(client)?mqueue(/.*)? ++.br ++ /var/spool/mqueue\.in(/.*)? ++.br ++ ++.br ++.B nfsd_rw_t ++ ++ ++.br ++.B noxattrfs ++ ++ all files on file systems which do not support extended attributes ++.br ++ ++.br ++.B usbfs_t ++ ++ ++.br ++.B user_fonts_cache_t ++ ++ /root/\.fontconfig(/.*)? ++.br ++ /root/\.fonts/auto(/.*)? ++.br ++ /root/\.fonts\.cache-.* ++.br ++ /home/[^/]*/\.fontconfig(/.*)? ++.br ++ /home/[^/]*/\.fonts/auto(/.*)? ++.br ++ /home/[^/]*/\.fonts\.cache-.* ++.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br ++ /home/dwalsh/\.fontconfig(/.*)? ++.br ++ /home/dwalsh/\.fonts/auto(/.*)? ++.br ++ /home/dwalsh/\.fonts\.cache-.* ++.br ++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? 
++.br ++ /var/lib/xguest/home/xguest/\.fonts\.cache-.* ++.br ++ ++.br ++.B user_fonts_t ++ ++ /root/\.fonts(/.*)? ++.br ++ /tmp/\.font-unix(/.*)? ++.br ++ /home/[^/]*/\.fonts(/.*)? ++.br ++ /home/pwalsh/\.fonts(/.*)? ++.br ++ /home/dwalsh/\.fonts(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts(/.*)? ++.br ++ ++.br ++.B user_home_type ++ ++ all user home files ++.br ++ ++.br ++.B user_tmp_type ++ ++ all user tmp files ++.br ++ ++.br ++.B user_tmpfs_type ++ ++ all user content in tmpfs file systems ++.br ++ ++.br ++.B xauth_home_t ++ ++ /root/\.xauth.* ++.br ++ /root/\.Xauth.* ++.br ++ /root/\.serverauth.* ++.br ++ /root/\.Xauthority.* ++.br ++ /var/lib/pqsql/\.xauth.* ++.br ++ /var/lib/pqsql/\.Xauthority.* ++.br ++ /var/lib/nxserver/home/\.xauth.* ++.br ++ /var/lib/nxserver/home/\.Xauthority.* ++.br ++ /home/[^/]*/\.xauth.* ++.br ++ /home/[^/]*/\.Xauth.* ++.br ++ /home/[^/]*/\.serverauth.* ++.br ++ /home/[^/]*/\.Xauthority.* ++.br ++ /home/pwalsh/\.xauth.* ++.br ++ /home/pwalsh/\.Xauth.* ++.br ++ /home/pwalsh/\.serverauth.* ++.br ++ /home/pwalsh/\.Xauthority.* ++.br ++ /home/dwalsh/\.xauth.* ++.br ++ /home/dwalsh/\.Xauth.* ++.br ++ /home/dwalsh/\.serverauth.* ++.br ++ /home/dwalsh/\.Xauthority.* ++.br ++ /var/lib/xguest/home/xguest/\.xauth.* ++.br ++ /var/lib/xguest/home/xguest/\.Xauth.* ++.br ++ /var/lib/xguest/home/xguest/\.serverauth.* ++.br ++ /var/lib/xguest/home/xguest/\.Xauthority.* ++.br ++ ++.br ++.B xdm_tmp_t ++ ++ /tmp/\.X11-unix(/.*)? ++.br ++ /tmp/\.ICE-unix(/.*)? ++.br ++ /tmp/\.X0-lock ++.br ++ ++.br ++.B xserver_tmpfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. 
++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), secadm_wine(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), secadm_selinux(8), secadm_selinux(8), secadm_dbusd_selinux(8), secadm_gkeyringd_selinux(8), secadm_screen_selinux(8), secadm_seunshare_selinux(8), secadm_su_selinux(8), secadm_sudo_selinux(8) +\ No newline at end of file diff --git a/man/man8/sectoolm_selinux.8 b/man/man8/sectoolm_selinux.8 new file mode 100644 -index 0000000..145e360 +index 0000000..8b3cacd --- /dev/null +++ b/man/man8/sectoolm_selinux.8 -@@ -0,0 +1,126 @@ -+.TH "sectoolm_selinux" "8" "12-11-01" "sectoolm" "SELinux Policy documentation for sectoolm" +@@ -0,0 +1,253 @@ ++.TH "sectoolm_selinux" "8" "13-01-16" "sectoolm" "SELinux Policy documentation for sectoolm" +.SH "NAME" +sectoolm_selinux \- Security Enhanced Linux Policy for the sectoolm processes +.SH "DESCRIPTION" @@ -81792,7 +146560,9 @@ index 0000000..145e360 + +.SH "ENTRYPOINTS" + -+The sectoolm_t SELinux type can be entered via the "sectoolm_exec_t" file type. The default entrypoint paths for the sectoolm_t domain are the following:" ++The sectoolm_t SELinux type can be entered via the \fBsectoolm_exec_t\fP file type. ++ ++The default entrypoint paths for the sectoolm_t domain are the following: + +/usr/libexec/sectool-mechanism\.py +.SH PROCESS TYPES 
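Review bot: the deny_ptrace paragraph in every BOOLEANS section of the generated secadm_su, secadm_sudo and secadm_wine pages reads "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" and then shows `setsebool -P deny_ptrace 1`; turning a boolean named deny_ptrace on denies ptrace, so either the sentence should say "deny" or the command should set the value to 0. The text is emitted by `sepolicy manpage`, so the boolean description string (or the generator's sentence template) is the place to fix it rather than this patch. Two smaller points in the same hunk: the ENTRYPOINTS and MANAGED FILES lists carry per-user paths from the build host (`/home/pwalsh/...`, `/home/dwalsh/...`), which means the pages were generated against a machine with local semanage home-directory customizations and will ship those user names in every installed copy, so please regenerate from a clean policy; and the SEE ALSO lines list `secadm_selinux(8), secadm_selinux(8)` and `secadm_su_selinux(8), secadm_su_selinux(8)`, so the generator is emitting duplicates. The PROCESS TYPES template also has `\fBps\bP`, which should be `\fBps\fP` for troff to render it.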
@@ -81810,40 +146580,138 @@ index 0000000..145e360 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sectoolm_t ++can be used to make the process type sectoolm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux sectoolm policy is very flexible allowing users to setup their sectoolm processes in as secure a method as possible. -+.PP -+The following file types are defined for sectoolm: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sectoolm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sectoolm with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B sectoolm_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the sectoolm_exec_t type, if you want to transition an executable to the sectoolm_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sectoolm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sectoolm_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type sectoolm_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B sectool_tmp_t + + 
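Review bot: the MANAGED FILES list for sectoolm_t now shows root_t with the paths `/` and `/initrd`, which did not appear in the previous version of this page, so the policy lets the sectool mechanism create, write and delete files directly in the filesystem root; the commit message only mentions granting sectoolm sys_ptrace to read other processes' /proc data, so please confirm that manage access on root_t is intended (a read-only interface is the least-privilege choice if sectoolm only scans the root directory). Also in this hunk, the deny_ptrace paragraph has the same inverted wording as the other pages ("allow sysadm to debug or ptrace" paired with `setsebool -P deny_ptrace 1`), and `\fBps\bP` should be `\fBps\fP`.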
@@ -81865,21 +146733,44 @@ index 0000000..145e360 + /selinux +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux sectoolm policy is very flexible allowing users to setup their sectoolm processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sectoolm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sectoolm, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sectoolm_exec_t '/srv/sectoolm/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysectoolm_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sectoolm: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B sectoolm_exec_t +.EE + ++- Set files with the sectoolm_exec_t type, if you want to transition an executable to the sectoolm_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the sectoolm_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
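Review bot: in the new STANDARD FILE CONTEXT block the two example commands do not match each other: the rule is added for `/srv/sectoolm/content(/.*)?` but restorecon is then run on `/srv/mysectoolm_content`, a path that regex does not cover, so a reader following the example would see nothing relabeled. Both commands should use the same path, and the chosen type is questionable as well: sectoolm_exec_t is the domain entrypoint, so the example teaches users to label arbitrary content under /srv as an executable entrypoint into sectoolm_t; a data or content type would be a safer illustration, or the block should be omitted for modules that define only an exec type. The paragraph also has two typos ("diffent", "sepecify"). All of this comes from the `sepolicy manpage` template, so it recurs in every page in this patch (the selinux_munin_plugin page at the end shows the same `/srv/selinux_munin_plugin/content(/.*)?` versus `/srv/myselinux_munin_plugin_content` pair) and should be fixed once in the generator.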
@@ -81891,6 +146782,9 @@ index 0000000..145e360 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -81902,13 +146796,15 @@ index 0000000..145e360 + +.SH "SEE ALSO" +selinux(8), sectoolm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/selinux_munin_plugin_selinux.8 b/man/man8/selinux_munin_plugin_selinux.8 new file mode 100644 -index 0000000..d4bbce9 +index 0000000..cfe3869 --- /dev/null +++ b/man/man8/selinux_munin_plugin_selinux.8 -@@ -0,0 +1,108 @@ -+.TH "selinux_munin_plugin_selinux" "8" "12-11-01" "selinux_munin_plugin" "SELinux Policy documentation for selinux_munin_plugin" +@@ -0,0 +1,177 @@ ++.TH "selinux_munin_plugin_selinux" "8" "13-01-16" "selinux_munin_plugin" "SELinux Policy documentation for selinux_munin_plugin" +.SH "NAME" +selinux_munin_plugin_selinux \- Security Enhanced Linux Policy for the selinux_munin_plugin processes +.SH "DESCRIPTION" @@ -81924,7 +146820,9 @@ index 0000000..d4bbce9 + +.SH "ENTRYPOINTS" + -+The selinux_munin_plugin_t SELinux type can be entered via the "selinux_munin_plugin_exec_t" file type. The default entrypoint paths for the selinux_munin_plugin_t domain are the following:" ++The selinux_munin_plugin_t SELinux type can be entered via the \fBselinux_munin_plugin_exec_t\fP file type. ++ ++The default entrypoint paths for the selinux_munin_plugin_t domain are the following: + +/usr/share/munin/plugins/selinux_avcstat +.SH PROCESS TYPES 
@@ -81942,8 +146840,74 @@ index 0000000..d4bbce9 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a selinux_munin_plugin_t ++can be used to make the process type selinux_munin_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. selinux_munin_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run selinux_munin_plugin with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type selinux_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B munin_plugin_state_t ++ ++ /var/lib/munin/plugin-state(/.*)? ++.br ++ ++.br ++.B selinux_munin_plugin_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -81953,7 +146917,20 @@ index 0000000..d4bbce9 +Policy governs the access confined processes have to these files. +SELinux selinux_munin_plugin policy is very flexible allowing users to setup their selinux_munin_plugin processes in as secure a method as possible. +.PP -+The following file types are defined for selinux_munin_plugin: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the selinux_munin_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t selinux_munin_plugin_exec_t '/srv/selinux_munin_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myselinux_munin_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for selinux_munin_plugin: + + +.EX 
@@ -81979,22 +146956,6 @@ index 0000000..d4bbce9 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type selinux_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B munin_plugin_state_t -+ -+ /var/lib/munin/plugin-state(/.*)? -+.br -+ -+.br -+.B selinux_munin_plugin_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -82005,6 +146966,9 @@ index 0000000..d4bbce9 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -82016,13 +146980,15 @@ index 0000000..d4bbce9 + +.SH "SEE ALSO" +selinux(8), selinux_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/semanage_selinux.8 b/man/man8/semanage_selinux.8 new file mode 100644 -index 0000000..d6f6031 +index 0000000..4d66c36 --- /dev/null +++ b/man/man8/semanage_selinux.8 -@@ -0,0 +1,214 @@ -+.TH "semanage_selinux" "8" "12-11-01" "semanage" "SELinux Policy documentation for semanage" +@@ -0,0 +1,389 @@ ++.TH "semanage_selinux" "8" "13-01-16" "semanage" "SELinux Policy documentation for semanage" +.SH "NAME" +semanage_selinux \- Security Enhanced Linux Policy for the semanage processes +.SH "DESCRIPTION" 
@@ -82038,7 +147004,9 @@ index 0000000..d6f6031 + +.SH "ENTRYPOINTS" + -+The semanage_t SELinux type can be entered via the "semanage_exec_t" file type. The default entrypoint paths for the semanage_t domain are the following:" ++The semanage_t SELinux type can be entered via the \fBsemanage_exec_t\fP file type. ++ ++The default entrypoint paths for the semanage_t domain are the following: + +/usr/sbin/semanage, /usr/sbin/semodule, /usr/share/system-config-selinux/system-config-selinux-dbus\.py +.SH PROCESS TYPES 
@@ -82056,74 +147024,164 @@ index 0000000..d6f6031 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a semanage_t ++can be used to make the process type semanage_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux semanage policy is very flexible allowing users to setup their semanage processes in as secure a method as possible. -+.PP -+The following file types are defined for semanage: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. semanage policy is extremely flexible and has several booleans that allow you to manipulate the policy and run semanage with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B semanage_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the semanage_exec_t type, if you want to transition an executable to the semanage_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. 
+ +.EX -+.PP -+.B semanage_read_lock_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the semanage_read_lock_t type, if you want to treat the files as semanage read lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B semanage_store_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the semanage_store_t type, if you want to treat the files as semanage store data. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B semanage_tmp_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the semanage_tmp_t type, if you want to store semanage temporary files in the /tmp directories. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B semanage_trans_lock_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the semanage_trans_lock_t type, if you want to treat the files as semanage trans lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B semanage_var_lib_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the semanage_var_lib_t type, if you want to store the semanage files under the /var/lib directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the semanage_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the semanage_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -82154,6 +147212,14 @@ index 0000000..d6f6031 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B selinux_config_t + + /etc/selinux(/.*)? 
@@ -82199,21 +147265,92 @@ index 0000000..d6f6031 + /var/lib/selinux(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux semanage policy is very flexible allowing users to setup their semanage processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the semanage_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the semanage, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t semanage_exec_t '/srv/semanage/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysemanage_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for semanage: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B semanage_exec_t +.EE + ++- Set files with the semanage_exec_t type, if you want to transition an executable to the semanage_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/semanage, /usr/sbin/semodule, /usr/share/system-config-selinux/system-config-selinux-dbus\.py ++ ++.EX ++.PP ++.B semanage_read_lock_t ++.EE ++ ++- Set files with the semanage_read_lock_t type, if you want to treat the files as semanage read lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B semanage_store_t ++.EE ++ ++- Set files with the semanage_store_t type, if you want to treat the files as semanage store data. 
++ ++.br ++.TP 5 ++Paths: ++/etc/selinux/([^/]*/)?policy(/.*)?, /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?, /etc/share/selinux/mls(/.*)?, /etc/share/selinux/targeted(/.*)? ++ ++.EX ++.PP ++.B semanage_tmp_t ++.EE ++ ++- Set files with the semanage_tmp_t type, if you want to store semanage temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B semanage_trans_lock_t ++.EE ++ ++- Set files with the semanage_trans_lock_t type, if you want to treat the files as semanage trans lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B semanage_var_lib_t ++.EE ++ ++- Set files with the semanage_var_lib_t type, if you want to store the semanage files under the /var/lib directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the semanage_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -82225,6 +147362,9 @@ index 0000000..d6f6031 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -82236,13 +147376,15 @@ index 0000000..d6f6031 + +.SH "SEE ALSO" +selinux(8), semanage(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/sendmail_selinux.8 b/man/man8/sendmail_selinux.8 new file mode 100644 -index 0000000..b44a2e8 +index 0000000..5510f81 --- /dev/null 
+++ b/man/man8/sendmail_selinux.8 -@@ -0,0 +1,290 @@ -+.TH "sendmail_selinux" "8" "12-11-01" "sendmail" "SELinux Policy documentation for sendmail" +@@ -0,0 +1,431 @@ ++.TH "sendmail_selinux" "8" "13-01-16" "sendmail" "SELinux Policy documentation for sendmail" +.SH "NAME" +sendmail_selinux \- Security Enhanced Linux Policy for the sendmail processes +.SH "DESCRIPTION" @@ -82258,7 +147400,9 @@ index 0000000..b44a2e8 + +.SH "ENTRYPOINTS" + -+The sendmail_t SELinux type can be entered via the "mta_exec_type,sendmail_exec_t" file types. The default entrypoint paths for the sendmail_t domain are the following:" ++The sendmail_t SELinux type can be entered via the \fBmta_exec_type, sendmail_exec_t\fP file types. ++ ++The default entrypoint paths for the sendmail_t domain are the following: + +/bin/mail(x)?, /usr/bin/mail(x)?, /usr/sbin/sendmail(\.sendmail)?, /usr/bin/esmtp, /usr/sbin/rmail, /usr/sbin/ssmtp, /usr/lib/sendmail, /var/qmail/bin/sendmail, /usr/sbin/sendmail\.postfix, /usr/lib/courier/bin/sendmail +.SH PROCESS TYPES 
@@ -82276,55 +147420,285 @@ index 0000000..b44a2e8 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sendmail_t ++can be used to make the process type sendmail_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. sendmail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sendmail with the tightest access possible. + + +.PP -+If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_can_sendmail 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.B setsebool -P gitosis_can_sendmail 1 ++.B setsebool -P daemons_use_tty 1 ++ +.EE + +.PP -+If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P logging_syslogd_can_sendmail 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + +.PP -+If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. 
++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.B setsebool -P httpd_can_sendmail 1 ++.B setsebool -P domain_fd_use 1 ++ +.EE + +.PP -+If you want to allow gitisis daemon to send mail, you must turn on the gitosis_can_sendmail boolean. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.B setsebool -P gitosis_can_sendmail 1 ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + +.PP -+If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.B setsebool -P logging_syslogd_can_sendmail 1 ++.B setsebool -P fips_mode 1 ++ +.EE + ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sendmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sendmail_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sendmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B dovecot_spool_t ++ ++ /var/spool/dovecot(/.*)? ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B etc_aliases_t ++ ++ /etc/mail/aliases.* ++.br ++ /etc/postfix/aliases.* ++.br ++ /etc/aliases ++.br ++ /etc/aliases\.db ++.br ++ ++.br ++.B exim_spool_t ++ ++ /var/spool/exim[0-9]?(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B initrc_tmp_t ++ ++ ++.br ++.B mail_home_rw_t ++ ++ /root/Maildir(/.*)? ++.br ++ /home/[^/]*/.maildir(/.*)? 
++.br ++ /home/[^/]*/Maildir(/.*)? ++.br ++ /home/pwalsh/.maildir(/.*)? ++.br ++ /home/pwalsh/Maildir(/.*)? ++.br ++ /home/dwalsh/.maildir(/.*)? ++.br ++ /home/dwalsh/Maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/.maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/Maildir(/.*)? ++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? ++.br ++ ++.br ++.B mqueue_spool_t ++ ++ /var/spool/(client)?mqueue(/.*)? ++.br ++ /var/spool/mqueue\.in(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B procmail_tmp_t ++ ++ ++.br ++.B sendmail_log_t ++ ++ /var/log/mail(/.*)? ++.br ++ /var/log/sendmail\.st.* ++.br ++ ++.br ++.B sendmail_tmp_t ++ ++ ++.br ++.B sendmail_var_run_t ++ ++ /var/run/sendmail\.pid ++.br ++ /var/run/sm-client\.pid ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -82333,7 +147707,20 @@ index 0000000..b44a2e8 +Policy governs the access confined processes have to these files. +SELinux sendmail policy is very flexible allowing users to setup their sendmail processes in as secure a method as possible. +.PP -+The following file types are defined for sendmail: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sendmail, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sendmail_exec_t '/srv/sendmail/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysendmail_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sendmail: + + +.EX 
@@ -82343,6 +147730,10 @@ index 0000000..b44a2e8 + +- Set files with the sendmail_exec_t type, if you want to transition an executable to the sendmail_t domain. + ++.br ++.TP 5 ++Paths: ++/bin/mail(x)?, /usr/bin/mail(x)?, /usr/sbin/sendmail(\.sendmail)?, /usr/bin/esmtp, /usr/sbin/rmail, /usr/sbin/ssmtp, /usr/lib/sendmail, /var/qmail/bin/sendmail, /usr/sbin/sendmail\.postfix, /usr/lib/courier/bin/sendmail + +.EX +.PP @@ -82367,6 +147758,10 @@ index 0000000..b44a2e8 + +- Set files with the sendmail_log_t type, if you want to treat the data as sendmail log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/mail(/.*)?, /var/log/sendmail\.st.* + +.EX +.PP @@ -82381,8 +147776,12 @@ index 0000000..b44a2e8 +.B sendmail_var_run_t +.EE + -+- Set files with the sendmail_var_run_t type, if you want to store the sendmail files under the /run directory. ++- Set files with the sendmail_var_run_t type, if you want to store the sendmail files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/sendmail\.pid, /var/run/sm-client\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -82391,122 +147790,6 @@ index 0000000..b44a2e8 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type sendmail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B anon_inodefs_t -+ -+ -+.br -+.B dovecot_spool_t -+ -+ /var/spool/dovecot(/.*)? -+.br -+ -+.br -+.B etc_aliases_t -+ -+ /etc/mail/aliases.* -+.br -+ /etc/postfix/aliases.* -+.br -+ /etc/aliases -+.br -+ /etc/aliases\.db -+.br -+ -+.br -+.B exim_spool_t -+ -+ /var/spool/exim[0-9]?(/.*)? -+.br -+ -+.br -+.B initrc_tmp_t -+ -+ -+.br -+.B mail_home_rw_t -+ -+ /root/Maildir(/.*)? -+.br -+ /home/[^/]*/Maildir(/.*)? -+.br -+ /home/dwalsh/Maildir(/.*)? -+.br -+ /var/lib/xguest/home/xguest/Maildir(/.*)? -+.br -+ -+.br -+.B mail_spool_t -+ -+ /var/mail(/.*)? -+.br -+ /var/spool/imap(/.*)? -+.br -+ /var/spool/mail(/.*)? -+.br -+ -+.br -+.B mqueue_spool_t -+ -+ /var/spool/(client)?mqueue(/.*)? -+.br -+ /var/spool/mqueue\.in(/.*)? -+.br -+ -+.br -+.B procmail_tmp_t -+ -+ -+.br -+.B sendmail_log_t -+ -+ /var/log/mail(/.*)? -+.br -+ /var/log/sendmail\.st -+.br -+ -+.br -+.B sendmail_tmp_t -+ -+ -+.br -+.B sendmail_var_run_t -+ -+ /var/run/sendmail\.pid -+.br -+ /var/run/sm-client\.pid -+.br -+ -+.br -+.B user_home_t -+ -+ /home/[^/]*/.+ -+.br -+ /home/dwalsh/.+ -+.br -+ /var/lib/xguest/home/xguest/.+ -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sendmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the sendmail_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -82535,11 +147818,11 @@ index 0000000..b44a2e8 \ No newline at end of file diff --git a/man/man8/sensord_selinux.8 b/man/man8/sensord_selinux.8 new file mode 100644 -index 0000000..8969289 +index 0000000..7e9d2fc --- /dev/null +++ b/man/man8/sensord_selinux.8 -@@ -0,0 +1,112 @@ -+.TH "sensord_selinux" "8" "12-11-01" "sensord" "SELinux Policy documentation for sensord" +@@ -0,0 +1,213 @@ ++.TH "sensord_selinux" "8" "13-01-16" "sensord" "SELinux Policy documentation for sensord" +.SH "NAME" +sensord_selinux \- Security Enhanced Linux Policy for the sensord processes +.SH "DESCRIPTION" @@ -82555,7 +147838,9 @@ index 0000000..8969289 + +.SH "ENTRYPOINTS" + -+The sensord_t SELinux type can be entered via the "sensord_exec_t" file type. The default entrypoint paths for the sensord_t domain are the following:" ++The sensord_t SELinux type can be entered via the \fBsensord_exec_t\fP file type. ++ ++The default entrypoint paths for the sensord_t domain are the following: + +/usr/sbin/sensord +.SH PROCESS TYPES 
@@ -82573,8 +147858,94 @@ index 0000000..8969289 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sensord_t ++can be used to make the process type sensord_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sensord policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sensord with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sensord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sensord_var_run_t ++ ++ /var/run/sensord\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -82584,7 +147955,20 @@ index 0000000..8969289 +Policy governs the access confined processes have to these files. +SELinux sensord policy is very flexible allowing users to setup their sensord processes in as secure a method as possible. +.PP -+The following file types are defined for sensord: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sensord, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sensord_exec_t '/srv/sensord/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysensord_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sensord: + + +.EX 
@@ -82597,6 +147981,14 @@ index 0000000..8969289 + +.EX +.PP ++.B sensord_initrc_exec_t ++.EE ++ ++- Set files with the sensord_initrc_exec_t type, if you want to transition an executable to the sensord_initrc_t domain. ++ ++ ++.EX ++.PP +.B sensord_unit_file_t +.EE + @@ -82608,7 +148000,7 @@ index 0000000..8969289 +.B sensord_var_run_t +.EE + -+- Set files with the sensord_var_run_t type, if you want to store the sensord files under the /run directory. ++- Set files with the sensord_var_run_t type, if you want to store the sensord files under the /run or /var/run directory. + + +.PP @@ -82618,18 +148010,6 @@ index 0000000..8969289 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type sensord_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B sensord_var_run_t -+ -+ /var/run/sensord\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -82640,6 +148020,9 @@ index 0000000..8969289 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -82651,13 +148034,231 @@ index 0000000..8969289 + +.SH "SEE ALSO" +selinux(8), sensord(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/sepgsql_ranged_proc_selinux.8 b/man/man8/sepgsql_ranged_proc_selinux.8 +new file mode 100644 +index 0000000..74a2779 +--- /dev/null ++++ b/man/man8/sepgsql_ranged_proc_selinux.8 +@@ -0,0 +1,101 @@ ++.TH "sepgsql_ranged_proc_selinux" "8" "13-01-16" "sepgsql_ranged_proc" "SELinux Policy documentation for sepgsql_ranged_proc" ++.SH "NAME" ++sepgsql_ranged_proc_selinux \- Security Enhanced Linux Policy for the sepgsql_ranged_proc processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sepgsql_ranged_proc processes via flexible mandatory access control. ++ ++The sepgsql_ranged_proc processes execute with the sepgsql_ranged_proc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sepgsql_ranged_proc_t ++ ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sepgsql_ranged_proc policy is very flexible allowing users to setup their sepgsql_ranged_proc processes in as secure a method as possible. ++.PP ++The following process types are defined for sepgsql_ranged_proc: ++ ++.EX ++.B sepgsql_ranged_proc_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sepgsql_ranged_proc_t ++can be used to make the process type sepgsql_ranged_proc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
sepgsql_ranged_proc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sepgsql_ranged_proc with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), sepgsql_ranged_proc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sepgsql_trusted_proc_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sepgsql_trusted_proc_selinux.8 b/man/man8/sepgsql_trusted_proc_selinux.8 +new file mode 100644 +index 0000000..bd49713 +--- /dev/null ++++ b/man/man8/sepgsql_trusted_proc_selinux.8 +@@ -0,0 +1,101 @@ ++.TH "sepgsql_trusted_proc_selinux" "8" "13-01-16" "sepgsql_trusted_proc" "SELinux Policy documentation for sepgsql_trusted_proc" ++.SH "NAME" ++sepgsql_trusted_proc_selinux \- Security Enhanced Linux Policy for the sepgsql_trusted_proc processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sepgsql_trusted_proc processes via flexible mandatory access control. ++ ++The sepgsql_trusted_proc processes execute with the sepgsql_trusted_proc_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sepgsql_trusted_proc_t ++ ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sepgsql_trusted_proc policy is very flexible allowing users to setup their sepgsql_trusted_proc processes in as secure a method as possible. ++.PP ++The following process types are defined for sepgsql_trusted_proc: ++ ++.EX ++.B sepgsql_trusted_proc_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sepgsql_trusted_proc_t ++can be used to make the process type sepgsql_trusted_proc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
sepgsql_trusted_proc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sepgsql_trusted_proc with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sepgsql_trusted_proc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sepgsql_ranged_proc_selinux(8) +\ No newline at end of file 
diff --git a/man/man8/services_munin_plugin_selinux.8 b/man/man8/services_munin_plugin_selinux.8 new file mode 100644 -index 0000000..6e5c075 +index 0000000..a3d93cb --- /dev/null +++ b/man/man8/services_munin_plugin_selinux.8 -@@ -0,0 +1,108 @@ -+.TH "services_munin_plugin_selinux" "8" "12-11-01" "services_munin_plugin" "SELinux Policy documentation for services_munin_plugin" +@@ -0,0 +1,181 @@ ++.TH "services_munin_plugin_selinux" "8" "13-01-16" "services_munin_plugin" "SELinux Policy documentation for services_munin_plugin" +.SH "NAME" +services_munin_plugin_selinux \- Security Enhanced Linux Policy for the services_munin_plugin processes +.SH "DESCRIPTION" @@ -82673,7 +148274,9 @@ index 0000000..6e5c075 + +.SH "ENTRYPOINTS" + -+The services_munin_plugin_t SELinux type can be entered via the "services_munin_plugin_exec_t" file type. The default entrypoint paths for the services_munin_plugin_t domain are the following:" ++The services_munin_plugin_t SELinux type can be entered via the \fBservices_munin_plugin_exec_t\fP file type. ++ ++The default entrypoint paths for the services_munin_plugin_t domain are the following: + +/usr/share/munin/plugins/nut.*, /usr/share/munin/plugins/ntp_.*, /usr/share/munin/plugins/snmp_.*, /usr/share/munin/plugins/mysql_.*, /usr/share/munin/plugins/slapd_.*, /usr/share/munin/plugins/squid_.*, /usr/share/munin/plugins/apache_.*, /usr/share/munin/plugins/tomcat_.*, /usr/share/munin/plugins/varnish_.*, /usr/share/munin/plugins/asterisk_.*, /usr/share/munin/plugins/postgres_.*, /usr/share/munin/plugins/named, /usr/share/munin/plugins/ping_, /usr/share/munin/plugins/samba, /usr/share/munin/plugins/lpstat, /usr/share/munin/plugins/openvpn, /usr/share/munin/plugins/fail2ban, /usr/share/munin/plugins/http_loadtime +.SH PROCESS TYPES 
@@ -82691,8 +148294,74 @@ index 0000000..6e5c075 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a services_munin_plugin_t ++can be used to make the process type services_munin_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. services_munin_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run services_munin_plugin with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type services_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B munin_plugin_state_t ++ ++ /var/lib/munin/plugin-state(/.*)? ++.br ++ ++.br ++.B services_munin_plugin_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -82702,7 +148371,20 @@ index 0000000..6e5c075 +Policy governs the access confined processes have to these files. +SELinux services_munin_plugin policy is very flexible allowing users to setup their services_munin_plugin processes in as secure a method as possible. +.PP -+The following file types are defined for services_munin_plugin: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the services_munin_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t services_munin_plugin_exec_t '/srv/services_munin_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myservices_munin_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for services_munin_plugin: + + +.EX 
@@ -82712,6 +148394,10 @@ index 0000000..6e5c075 + +- Set files with the services_munin_plugin_exec_t type, if you want to transition an executable to the services_munin_plugin_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/share/munin/plugins/nut.*, /usr/share/munin/plugins/ntp_.*, /usr/share/munin/plugins/snmp_.*, /usr/share/munin/plugins/mysql_.*, /usr/share/munin/plugins/slapd_.*, /usr/share/munin/plugins/squid_.*, /usr/share/munin/plugins/apache_.*, /usr/share/munin/plugins/tomcat_.*, /usr/share/munin/plugins/varnish_.*, /usr/share/munin/plugins/asterisk_.*, /usr/share/munin/plugins/postgres_.*, /usr/share/munin/plugins/named, /usr/share/munin/plugins/ping_, /usr/share/munin/plugins/samba, /usr/share/munin/plugins/lpstat, /usr/share/munin/plugins/openvpn, /usr/share/munin/plugins/fail2ban, /usr/share/munin/plugins/http_loadtime + +.EX +.PP @@ -82728,22 +148414,6 @@ index 0000000..6e5c075 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type services_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B munin_plugin_state_t -+ -+ /var/lib/munin/plugin-state(/.*)? -+.br -+ -+.br -+.B services_munin_plugin_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -82754,6 +148424,9 @@ index 0000000..6e5c075 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -82765,13 +148438,150 @@ index 0000000..6e5c075 + +.SH "SEE ALSO" +selinux(8), services_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/setfiles_mac_selinux.8 b/man/man8/setfiles_mac_selinux.8 +new file mode 100644 +index 0000000..f09bce2 +--- /dev/null ++++ b/man/man8/setfiles_mac_selinux.8 +@@ -0,0 +1,128 @@ ++.TH "setfiles_mac_selinux" "8" "13-01-16" "setfiles_mac" "SELinux Policy documentation for setfiles_mac" ++.SH "NAME" ++setfiles_mac_selinux \- Security Enhanced Linux Policy for the setfiles_mac processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the setfiles_mac processes via flexible mandatory access control. ++ ++The setfiles_mac processes execute with the setfiles_mac_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep setfiles_mac_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The setfiles_mac_t SELinux type can be entered via the \fBsetfiles_exec_t\fP file type. ++ ++The default entrypoint paths for the setfiles_mac_t domain are the following: ++ ++/sbin/setfiles.*, /usr/sbin/setfiles.*, /sbin/restorecon, /usr/sbin/restorecon ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux setfiles_mac policy is very flexible allowing users to setup their setfiles_mac processes in as secure a method as possible. ++.PP ++The following process types are defined for setfiles_mac: ++ ++.EX ++.B setfiles_mac_t ++.EE ++.PP ++Note: ++.B semanage permissive -a setfiles_mac_t ++can be used to make the process type setfiles_mac_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. 
++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. setfiles_mac policy is extremely flexible and has several booleans that allow you to manipulate the policy and run setfiles_mac with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type setfiles_mac_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B livecd_tmp_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B user_home_type ++ ++ all user home files ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. 
++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), setfiles_mac(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), setfiles_selinux(8), setfiles_selinux(8) +\ No newline at end of file diff --git a/man/man8/setfiles_selinux.8 b/man/man8/setfiles_selinux.8 new file mode 100644 -index 0000000..19b8e3f +index 0000000..f2f4bba --- /dev/null +++ b/man/man8/setfiles_selinux.8 -@@ -0,0 +1,102 @@ -+.TH "setfiles_selinux" "8" "12-11-01" "setfiles" "SELinux Policy documentation for setfiles" +@@ -0,0 +1,191 @@ ++.TH "setfiles_selinux" "8" "13-01-16" "setfiles" "SELinux Policy documentation for setfiles" +.SH "NAME" +setfiles_selinux \- Security Enhanced Linux Policy for the setfiles processes +.SH "DESCRIPTION" @@ -82787,7 +148597,9 @@ index 0000000..19b8e3f + +.SH "ENTRYPOINTS" + -+The setfiles_t SELinux type can be entered via the "setfiles_exec_t" file type. The default entrypoint paths for the setfiles_t domain are the following:" ++The setfiles_t SELinux type can be entered via the \fBsetfiles_exec_t\fP file type. ++ ++The default entrypoint paths for the setfiles_t domain are the following: + +/sbin/setfiles.*, /usr/sbin/setfiles.*, /sbin/restorecon, /usr/sbin/restorecon +.SH PROCESS TYPES 
@@ -82805,34 +148617,76 @@ index 0000000..19b8e3f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a setfiles_t ++can be used to make the process type setfiles_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux setfiles policy is very flexible allowing users to setup their setfiles processes in as secure a method as possible. -+.PP -+The following file types are defined for setfiles: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. setfiles policy is extremely flexible and has several booleans that allow you to manipulate the policy and run setfiles with the tightest access possible. + + ++.PP ++If you want to allow system cron jobs to relabel filesystem for restoring file contexts, you must turn on the cron_can_relabel boolean. Disabled by default. ++ +.EX -+.PP -+.B setfiles_exec_t ++.B setsebool -P cron_can_relabel 1 ++ +.EE + -+- Set files with the setfiles_exec_t type, if you want to transition an executable to the setfiles_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to enable polyinstantiated directory support, you must turn on the polyinstantiation_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P polyinstantiation_enabled 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -82850,7 +148704,48 @@ index 0000000..19b8e3f + all user home files +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux setfiles policy is very flexible allowing users to setup their setfiles processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the setfiles, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t setfiles_exec_t '/srv/setfiles/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysetfiles_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for setfiles: ++ ++ ++.EX ++.PP ++.B setfiles_exec_t ++.EE ++ ++- Set files with the setfiles_exec_t type, if you want to transition an executable to the setfiles_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/setfiles.*, /usr/sbin/setfiles.*, /sbin/restorecon, /usr/sbin/restorecon ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -82862,6 +148757,9 @@ index 0000000..19b8e3f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -82873,13 +148771,15 @@ index 0000000..19b8e3f + +.SH "SEE ALSO" +selinux(8), setfiles(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), setfiles_mac_selinux(8) +\ No newline at end of file diff --git a/man/man8/setkey_selinux.8 b/man/man8/setkey_selinux.8 new file mode 100644 -index 0000000..d2623ac +index 0000000..47b4809 --- /dev/null +++ b/man/man8/setkey_selinux.8 -@@ -0,0 +1,86 @@ -+.TH "setkey_selinux" "8" "12-11-01" "setkey" "SELinux Policy documentation for setkey" +@@ -0,0 +1,159 @@ ++.TH "setkey_selinux" "8" "13-01-16" "setkey" "SELinux Policy documentation for setkey" +.SH "NAME" +setkey_selinux \- Security Enhanced Linux Policy for the setkey processes +.SH "DESCRIPTION" @@ -82895,7 +148795,9 @@ index 0000000..d2623ac + +.SH "ENTRYPOINTS" + -+The setkey_t SELinux type can be entered via the "setkey_exec_t" file type. The default entrypoint paths for the setkey_t domain are the following:" ++The setkey_t SELinux type can be entered via the \fBsetkey_exec_t\fP file type. ++ ++The default entrypoint paths for the setkey_t domain are the following: + +/sbin/setkey, /usr/sbin/setkey +.SH PROCESS TYPES 
@@ -82913,8 +148815,60 @@ index 0000000..d2623ac +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a setkey_t ++can be used to make the process type setkey_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. setkey policy is extremely flexible and has several booleans that allow you to manipulate the policy and run setkey with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -82924,7 +148878,20 @@ index 0000000..d2623ac +Policy governs the access confined processes have to these files. +SELinux setkey policy is very flexible allowing users to setup their setkey processes in as secure a method as possible. +.PP -+The following file types are defined for setkey: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the setkey, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t setkey_exec_t '/srv/setkey/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysetkey_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for setkey: + + +.EX @@ -82934,6 +148901,10 @@ index 0000000..d2623ac + +- Set files with the setkey_exec_t type, if you want to transition an executable to the setkey_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/setkey, /usr/sbin/setkey + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -82942,8 +148913,6 @@ index 0000000..d2623ac +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -82954,6 +148923,9 @@ index 0000000..d2623ac +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -82965,13 +148937,15 @@ index 0000000..d2623ac + +.SH "SEE ALSO" +selinux(8), setkey(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
diff --git a/man/man8/setrans_selinux.8 b/man/man8/setrans_selinux.8 new file mode 100644 -index 0000000..e0a6cbb +index 0000000..7bc7a9a --- /dev/null +++ b/man/man8/setrans_selinux.8 -@@ -0,0 +1,120 @@ -+.TH "setrans_selinux" "8" "12-11-01" "setrans" "SELinux Policy documentation for setrans" +@@ -0,0 +1,221 @@ ++.TH "setrans_selinux" "8" "13-01-16" "setrans" "SELinux Policy documentation for setrans" +.SH "NAME" +setrans_selinux \- Security Enhanced Linux Policy for the setrans processes +.SH "DESCRIPTION" @@ -82987,7 +148961,9 @@ index 0000000..e0a6cbb + +.SH "ENTRYPOINTS" + -+The setrans_t SELinux type can be entered via the "setrans_exec_t" file type. The default entrypoint paths for the setrans_t domain are the following:" ++The setrans_t SELinux type can be entered via the \fBsetrans_exec_t\fP file type. ++ ++The default entrypoint paths for the setrans_t domain are the following: + +/sbin/mcstransd, /usr/sbin/mcstransd +.SH PROCESS TYPES 
@@ -83005,56 +148981,90 @@ index 0000000..e0a6cbb +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a setrans_t ++can be used to make the process type setrans_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux setrans policy is very flexible allowing users to setup their setrans processes in as secure a method as possible. -+.PP -+The following file types are defined for setrans: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. setrans policy is extremely flexible and has several booleans that allow you to manipulate the policy and run setrans with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B setrans_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the setrans_exec_t type, if you want to transition an executable to the setrans_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B setrans_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the setrans_initrc_exec_t type, if you want to transition an executable to the setrans_initrc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ +.EX -+.PP -+.B setrans_var_run_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the setrans_var_run_t type, if you want to store the setrans files under the /run directory. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + +The SELinux process type setrans_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux 
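Review bot: the deny_ptrace entry in the BOOLEANS section added to setrans_selinux.8 reads backwards: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" tells the reader to enable a boolean whose name says it denies ptrace, so following the page does the opposite of what they wanted; either the instruction should be to turn it off (`setsebool -P deny_ptrace 0`) or the description needs rewording to match the boolean's sense, and the "Enabled by default" claim should be checked against the real policy default rather than carried through. The same inverted line is present in every BOOLEANS section this patch adds (setroubleshoot_fixit, setroubleshootd, setsebool, sftpd). Smaller point in the same hunk: root_t with "/" and "/initrd" is now listed under MANAGED FILES for setrans_t with no indication that the access is conditional; if it comes from the daemons_dump_core boolean described just above ("allow all daemons to write corefiles to /"), the listing should say so, otherwise a reader will conclude that mcstransd can write into / unconditionally.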
@@ -83068,7 +149078,68 @@ index 0000000..e0a6cbb + /var/run/mcstransd\.pid +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux setrans policy is very flexible allowing users to setup their setrans processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the setrans, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t setrans_exec_t '/srv/setrans/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysetrans_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for setrans: ++ ++ ++.EX ++.PP ++.B setrans_exec_t ++.EE ++ ++- Set files with the setrans_exec_t type, if you want to transition an executable to the setrans_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/mcstransd, /usr/sbin/mcstransd ++ ++.EX ++.PP ++.B setrans_initrc_exec_t ++.EE ++ ++- Set files with the setrans_initrc_exec_t type, if you want to transition an executable to the setrans_initrc_t domain. ++ ++ ++.EX ++.PP ++.B setrans_var_run_t ++.EE ++ ++- Set files with the setrans_var_run_t type, if you want to store the setrans files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/setrans(/.*)?, /var/run/mcstransd\.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
+ +.SH "COMMANDS" +.B semanage fcontext @@ -83080,6 +149151,9 @@ index 0000000..e0a6cbb +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -83091,13 +149165,15 @@ index 0000000..e0a6cbb + +.SH "SEE ALSO" +selinux(8), setrans(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/setroubleshoot_fixit_selinux.8 b/man/man8/setroubleshoot_fixit_selinux.8 new file mode 100644 -index 0000000..a0089bb +index 0000000..b62b969 --- /dev/null +++ b/man/man8/setroubleshoot_fixit_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "setroubleshoot_fixit_selinux" "8" "12-11-01" "setroubleshoot_fixit" "SELinux Policy documentation for setroubleshoot_fixit" +@@ -0,0 +1,231 @@ ++.TH "setroubleshoot_fixit_selinux" "8" "13-01-16" "setroubleshoot_fixit" "SELinux Policy documentation for setroubleshoot_fixit" +.SH "NAME" +setroubleshoot_fixit_selinux \- Security Enhanced Linux Policy for the setroubleshoot_fixit processes +.SH "DESCRIPTION" @@ -83113,7 +149189,9 @@ index 0000000..a0089bb + +.SH "ENTRYPOINTS" + -+The setroubleshoot_fixit_t SELinux type can be entered via the "setroubleshoot_fixit_exec_t" file type. The default entrypoint paths for the setroubleshoot_fixit_t domain are the following:" ++The setroubleshoot_fixit_t SELinux type can be entered via the \fBsetroubleshoot_fixit_exec_t\fP file type. ++ ++The default entrypoint paths for the setroubleshoot_fixit_t domain are the following: + +/usr/share/setroubleshoot/SetroubleshootFixit\.py* +.SH PROCESS TYPES 
@@ -83131,8 +149209,136 @@ index 0000000..a0089bb +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a setroubleshoot_fixit_t ++can be used to make the process type setroubleshoot_fixit_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. setroubleshoot_fixit policy is extremely flexible and has several booleans that allow you to manipulate the policy and run setroubleshoot_fixit with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type setroubleshoot_fixit_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -83142,7 +149348,20 @@ index 0000000..a0089bb +Policy governs the access confined processes have to these files. +SELinux setroubleshoot_fixit policy is very flexible allowing users to setup their setroubleshoot_fixit processes in as secure a method as possible. +.PP -+The following file types are defined for setroubleshoot_fixit: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the setroubleshoot_fixit, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t setroubleshoot_fixit_exec_t '/srv/setroubleshoot_fixit/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysetroubleshoot_fixit_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for setroubleshoot_fixit: + + +.EX @@ -83160,22 +149379,6 @@ index 0000000..a0089bb +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
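Review bot: the NSSWITCH DOMAIN section this hunk adds to setroubleshoot_fixit_selinux.8 repeats two booleans (authlogin_nsswitch_use_ldap and kerberos_enabled) that the new BOOLEANS section above it already documents with the same `setsebool -P ... 1` lines, so each is now described twice on one page with slightly different wording; either drop them from BOOLEANS or fold the per-domain sentence ("for the setroubleshoot_fixit_t") into the single entry. The root_t entry with "/" and "/initrd" under MANAGED FILES has the same problem as on the setrans page: a fixit helper that can manage files in / is a strong claim, and if it only holds under daemons_dump_core the page should say so. While here, "rather then using a sssd server" should read "rather than" (both occurrences in this hunk).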
@@ -83186,6 +149389,9 @@ index 0000000..a0089bb +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -83197,15 +149403,15 @@ index 0000000..a0089bb + +.SH "SEE ALSO" +selinux(8), setroubleshoot_fixit(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setroubleshootd_selinux(8) ++, setsebool(8), setroubleshootd_selinux(8) \ No newline at end of file diff --git a/man/man8/setroubleshootd_selinux.8 b/man/man8/setroubleshootd_selinux.8 new file mode 100644 -index 0000000..66279d7 +index 0000000..80dc458 --- /dev/null +++ b/man/man8/setroubleshootd_selinux.8 -@@ -0,0 +1,129 @@ -+.TH "setroubleshootd_selinux" "8" "12-11-01" "setroubleshootd" "SELinux Policy documentation for setroubleshootd" +@@ -0,0 +1,255 @@ ++.TH "setroubleshootd_selinux" "8" "13-01-16" "setroubleshootd" "SELinux Policy documentation for setroubleshootd" +.SH "NAME" +setroubleshootd_selinux \- Security Enhanced Linux Policy for the setroubleshootd processes +.SH "DESCRIPTION" @@ -83221,7 +149427,9 @@ index 0000000..66279d7 + +.SH "ENTRYPOINTS" + -+The setroubleshootd_t SELinux type can be entered via the "setroubleshootd_exec_t" file type. The default entrypoint paths for the setroubleshootd_t domain are the following:" ++The setroubleshootd_t SELinux type can be entered via the \fBsetroubleshootd_exec_t\fP file type. ++ ++The default entrypoint paths for the setroubleshootd_t domain are the following: + +/usr/sbin/setroubleshootd +.SH PROCESS TYPES 
@@ -83239,40 +149447,138 @@ index 0000000..66279d7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a setroubleshootd_t ++can be used to make the process type setroubleshootd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible. -+.PP -+The following file types are defined for setroubleshootd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. setroubleshootd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run setroubleshootd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B setroubleshootd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the setroubleshootd_exec_t type, if you want to transition an executable to the setroubleshootd_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type setroubleshootd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux 
@@ -83296,21 +149602,44 @@ index 0000000..66279d7 + /var/run/setroubleshoot(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the setroubleshootd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t setroubleshootd_exec_t '/srv/setroubleshootd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysetroubleshootd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for setroubleshootd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B setroubleshootd_exec_t +.EE + ++- Set files with the setroubleshootd_exec_t type, if you want to transition an executable to the setroubleshootd_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. 
This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -83322,6 +149651,9 @@ index 0000000..66279d7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -83333,15 +149665,15 @@ index 0000000..66279d7 + +.SH "SEE ALSO" +selinux(8), setroubleshootd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setroubleshoot_fixit_selinux(8) ++, setsebool(8), setroubleshoot_fixit_selinux(8) \ No newline at end of file diff --git a/man/man8/setsebool_selinux.8 b/man/man8/setsebool_selinux.8 new file mode 100644 -index 0000000..f7ac281 +index 0000000..61a2031 --- /dev/null +++ b/man/man8/setsebool_selinux.8 -@@ -0,0 +1,162 @@ -+.TH "setsebool_selinux" "8" "12-11-01" "setsebool" "SELinux Policy documentation for setsebool" +@@ -0,0 +1,273 @@ ++.TH "setsebool_selinux" "8" "13-01-16" "setsebool" "SELinux Policy documentation for setsebool" +.SH "NAME" +setsebool_selinux \- Security Enhanced Linux Policy for the setsebool processes +.SH "DESCRIPTION" @@ -83357,7 +149689,9 @@ index 0000000..f7ac281 + +.SH "ENTRYPOINTS" + -+The setsebool_t SELinux type can be entered via the "setsebool_exec_t" file type. The default entrypoint paths for the setsebool_t domain are the following:" ++The setsebool_t SELinux type can be entered via the \fBsetsebool_exec_t\fP file type. ++ ++The default entrypoint paths for the setsebool_t domain are the following: + +/usr/sbin/setsebool +.SH PROCESS TYPES 
@@ -83375,34 +149709,116 @@ index 0000000..f7ac281 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a setsebool_t ++can be used to make the process type setsebool_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible. -+.PP -+The following file types are defined for setsebool: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. setsebool policy is extremely flexible and has several booleans that allow you to manipulate the policy and run setsebool with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B setsebool_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the setsebool_exec_t type, if you want to transition an executable to the setsebool_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the setsebool_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the setsebool_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
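Review bot: the secure_mode_policyload entry in the BOOLEANS section of setsebool_selinux.8 has come out as a non-sentence ("If you want to boolean to determine whether the system permits loading policy, ... you must turn on the secure_mode_policyload boolean") because this boolean's description is a noun phrase that the "If you want to ..., you must turn on ..." template cannot absorb; it needs hand-written wording. More importantly, the line claims "Enabled by default" while its own description says that once the boolean is on the system no longer permits changing boolean values and only a reboot undoes it; if that default were true, every `setsebool -P ... 1` example on this very page would be refused. Please verify the real default before this text ships, and state plainly that this is a one-way switch until reboot.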
@@ -83466,21 +149882,44 @@ index 0000000..f7ac281 + /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setsebool_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the setsebool, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t setsebool_exec_t '/srv/setsebool/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysetsebool_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for setsebool: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B setsebool_exec_t +.EE + ++- Set files with the setsebool_exec_t type, if you want to transition an executable to the setsebool_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the setsebool_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
+ +.SH "COMMANDS" +.B semanage fcontext @@ -83492,6 +149931,9 @@ index 0000000..f7ac281 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -83503,13 +149945,243 @@ index 0000000..f7ac281 + +.SH "SEE ALSO" +selinux(8), setsebool(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/sftpd_selinux.8 b/man/man8/sftpd_selinux.8 +new file mode 100644 +index 0000000..0c75a69 +--- /dev/null ++++ b/man/man8/sftpd_selinux.8 +@@ -0,0 +1,221 @@ ++.TH "sftpd_selinux" "8" "13-01-16" "sftpd" "SELinux Policy documentation for sftpd" ++.SH "NAME" ++sftpd_selinux \- Security Enhanced Linux Policy for the sftpd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sftpd processes via flexible mandatory access control. ++ ++The sftpd processes execute with the sftpd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sftpd_t ++ ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sftpd policy is very flexible allowing users to setup their sftpd processes in as secure a method as possible. ++.PP ++The following process types are defined for sftpd: ++ ++.EX ++.B sftpd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sftpd_t ++can be used to make the process type sftpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sftpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sftpd with the tightest access possible. ++ ++ ++.PP ++If you want to determine whether sftpd-can read and write files in user home directories, you must turn on the sftpd_enable_homedirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P sftpd_enable_homedirs 1 ++ ++.EE ++ ++.PP ++If you want to determine whether sftpd-can login to local users and read and write all files on the system, governed by DAC, you must turn on the sftpd_full_access boolean. Disabled by default. ++ ++.EX ++.B setsebool -P sftpd_full_access 1 ++ ++.EE ++ ++.PP ++If you want to determine whether sftpd can read and write files in user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. Disabled by default. ++ ++.EX ++.B setsebool -P sftpd_write_ssh_home 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sftpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B non_security_file_type ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.SH SHARING FILES ++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. ++.TP ++Allow sftpd servers to read the /var/sftpd directory by adding the public_content_t file type to the directory and by restoring the file type. ++.PP ++.B ++semanage fcontext -a -t public_content_t "/var/sftpd(/.*)?" ++.br ++.B restorecon -F -R -v /var/sftpd ++.pp ++.TP ++Allow sftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_sftpdd_anon_write boolean to be set. ++.PP ++.B ++semanage fcontext -a -t public_content_rw_t "/var/sftpd/incoming(/.*)?" 
++.br ++.B restorecon -F -R -v /var/sftpd/incoming ++ ++ ++.PP ++If you want to determine whether sftpd can modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t., you must turn on the sftpd_anon_write boolean. ++ ++.EX ++.B setsebool -P sftpd_anon_write 1 ++.EE ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sftpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/sge_execd_selinux.8 b/man/man8/sge_execd_selinux.8 new file mode 100644 -index 0000000..169d466 +index 0000000..935ed0f --- /dev/null +++ b/man/man8/sge_execd_selinux.8 -@@ -0,0 +1,115 @@ -+.TH "sge_execd_selinux" "8" "12-11-01" "sge_execd" "SELinux Policy documentation for sge_execd" +@@ -0,0 +1,261 @@ ++.TH "sge_execd_selinux" "8" "13-01-16" "sge_execd" "SELinux Policy documentation for sge_execd" +.SH "NAME" +sge_execd_selinux \- Security Enhanced Linux Policy for the sge_execd processes +.SH "DESCRIPTION" 
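Review bot: in the SHARING FILES section of the new sftpd_selinux.8 the prose, the command and the boolean disagree: the text says to label `/var/tmp/incoming`, the command below it labels `"/var/sftpd/incoming(/.*)?"`, and the text requires `allow_sftpdd_anon_write` while the boolean the page actually documents a few lines later is `sftpd_anon_write`; use one path and the real boolean name. In the same section the lowercase `.pp` after the restorecon line is not a man macro and is silently dropped, `These context allow` should be `These contexts allow`, and the sentence `If you want to determine whether sftpd can modify public files ... public_content_rw_t., you must turn on the sftpd_anon_write boolean.` has a stray period in the middle that leaves it ungrammatical. Three template problems also show here and should be fixed in the generator: `\fBps\bP` in PROCESS TYPES is a bad escape for `\fBps\fP`, `sftpd-can` appears in two boolean descriptions, and the `deny_ptrace` paragraph says that to allow ptrace you turn the boolean on, which is backwards for a boolean named deny (the `you must turn on` sentence is inverted for every negatively named boolean). The MANAGED FILES list carries `/home/pwalsh/.+`, `/home/dwalsh/.+` and `/tmp/gconfd-pwalsh` style entries next to the generic `/home/[^/]*/.+`, which look like local semanage customisations on the machine the pages were generated on rather than upstream file contexts; regenerate from a clean policy store (the same entries recur in the sge_job and sge_job_ssh ssh_home_t and user_tmp_t lists further down). Finally, the SEE ALSO hunk at the start of this line appends `, setsebool(8)` to a list that already contains setsebool(8), so it is now listed twice.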
@@ -83525,7 +150197,9 @@ index 0000000..169d466 + +.SH "ENTRYPOINTS" + -+The sge_execd_t SELinux type can be entered via the "sge_execd_exec_t" file type. The default entrypoint paths for the sge_execd_t domain are the following:" ++The sge_execd_t SELinux type can be entered via the \fBsge_execd_exec_t\fP file type. ++ ++The default entrypoint paths for the sge_execd_t domain are the following: + +/usr/bin/sge_execd +.SH PROCESS TYPES 
@@ -83543,8 +150217,166 @@ index 0000000..169d466 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sge_execd_t ++can be used to make the process type sge_execd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sge_execd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sge_execd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow sge to connect to the network using any TCP port, you must turn on the sge_domain_can_network_connect boolean. Disabled by default. ++ ++.EX ++.B setsebool -P sge_domain_can_network_connect 1 ++ ++.EE ++ ++.PP ++If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P sge_use_nfs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sge_execd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sge_execd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sge_execd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sge_spool_t ++ ++ /var/spool/gridengine(/.*)? ++.br ++ ++.br ++.B sge_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -83554,7 +150386,20 @@ index 0000000..169d466 +Policy governs the access confined processes have to these files. +SELinux sge_execd policy is very flexible allowing users to setup their sge_execd processes in as secure a method as possible. +.PP -+The following file types are defined for sge_execd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sge_execd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sge_execd_exec_t '/srv/sge_execd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysge_execd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sge_execd: + + +.EX 
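Review bot: in the STANDARD FILE CONTEXT example added to sge_execd_selinux.8 (hunk at -83554) the two commands operate on different paths, `semanage fcontext -a -t sge_execd_exec_t '/srv/sge_execd/content(/.*)?'` followed by `restorecon -R -v /srv/mysge_execd_content`, so an admin who copies them relabels nothing; the restorecon path must match the regex just added. Showing `sge_execd_exec_t` for a content directory is also a poor choice, because any file carrying that type is a valid entrypoint into sge_execd_t, which is the opposite of what someone storing data files wants. `diffent` and `sepecify` are misspelt, and `rather then` in the NSSWITCH DOMAIN paragraph should be `rather than`. In the preceding hunk on this line (BOOLEANS and MANAGED FILES) the list now shows sge_execd_t managing `root_t` (`/` and `/initrd`) and `nfs_t` with no indication that these appear to come from the `daemons_dump_core` and `sge_use_nfs` booleans documented just above, both disabled by default; the same holds for `non_security_file_type` under sftpd_t and `sftpd_full_access`. MANAGED FILES should either mark such entries as conditional on a boolean or list only the unconditional types, otherwise the page overstates what the confined domain can write in the default configuration.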
@@ -83572,36 +150417,6 @@ index 0000000..169d466 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type sge_execd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B sge_spool_t -+ -+ /var/spool/gridengine(/.*)? -+.br -+ -+.br -+.B sge_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sge_execd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the sge_execd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -83612,6 +150427,9 @@ index 0000000..169d466 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -83623,15 +150441,15 @@ index 0000000..169d466 + +.SH "SEE ALSO" +selinux(8), sge_execd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, sge_job_selinux(8), sge_shepherd_selinux(8) ++, setsebool(8), sge_job_selinux(8), sge_job_ssh_selinux(8), sge_shepherd_selinux(8) \ No newline at end of file diff --git a/man/man8/sge_job_selinux.8 b/man/man8/sge_job_selinux.8 new file mode 100644 -index 0000000..e017c54 +index 0000000..3940549 --- /dev/null 
+++ b/man/man8/sge_job_selinux.8 -@@ -0,0 +1,147 @@ -+.TH "sge_job_selinux" "8" "12-11-01" "sge_job" "SELinux Policy documentation for sge_job" +@@ -0,0 +1,204 @@ ++.TH "sge_job_selinux" "8" "13-01-16" "sge_job" "SELinux Policy documentation for sge_job" +.SH "NAME" +sge_job_selinux \- Security Enhanced Linux Policy for the sge_job processes +.SH "DESCRIPTION" @@ -83647,9 +150465,11 @@ index 0000000..e017c54 + +.SH "ENTRYPOINTS" + -+The sge_job_t SELinux type can be entered via the "shell_exec_t,sge_job_exec_t" file types. The default entrypoint paths for the sge_job_t domain are the following:" ++The sge_job_t SELinux type can be entered via the \fBsge_job_exec_t, shell_exec_t\fP file types. + -+/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/mksh, /usr/bin/sash, /usr/bin/bash, /usr/bin/fish, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell ++The default entrypoint paths for the sge_job_t domain are the following: ++ ++/bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -83665,40 +150485,102 @@ index 0000000..e017c54 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sge_job_t ++can be used to make the process type sge_job_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux sge_job policy is very flexible allowing users to setup their sge_job processes in as secure a method as possible. -+.PP -+The following file types are defined for sge_job: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sge_job policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sge_job with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B sge_job_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the sge_job_exec_t type, if you want to transition an executable to the sge_job_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow sge to connect to the network using any TCP port, you must turn on the sge_domain_can_network_connect boolean. Disabled by default. ++ ++.EX ++.B setsebool -P sge_domain_can_network_connect 1 ++ ++.EE ++ ++.PP ++If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P sge_use_nfs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sge_job_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sge_job_ssh_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type sge_job_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B nfs_t ++ ++ ++.br +.B sge_spool_t + + /var/spool/gridengine(/.*)? 
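Review bot: this hunk removes the FILE CONTEXTS section of sge_job_selinux.8 (the `sge_job_exec_t` entry and its note `Set files with the sge_job_exec_t type, if you want to transition an executable to the sge_job_t domain`) while the ENTRYPOINTS section earlier in the page still lists sge_job_exec_t as an entrypoint, so the regenerated page no longer tells an admin how to label a job script to run it in sge_job_t; if the generator now skips types that have no default path, it should still emit the transition note for entrypoint types. The new NSSWITCH DOMAIN section is also attributed to the wrong domain: both paragraphs say `for the sge_job_ssh_t` although this is the sge_job_t page and sge_job_ssh_t gets its own page later in this patch; check how the generator picks the domain name for that section. Same `rather then` typo as elsewhere.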
@@ -83713,6 +150595,8 @@ index 0000000..e017c54 + + /root/\.ssh(/.*)? +.br ++ /var/lib/pgsql/\.ssh(/.*)? ++.br + /var/lib/openshift/[^/]+/\.ssh(/.*)? +.br + /var/lib/amanda/\.ssh(/.*)? @@ -83731,6 +150615,10 @@ index 0000000..e017c54 +.br + /home/[^/]*/\.shosts +.br ++ /home/pwalsh/\.ssh(/.*)? ++.br ++ /home/pwalsh/\.shosts ++.br + /home/dwalsh/\.ssh(/.*)? +.br + /home/dwalsh/\.shosts @@ -83740,22 +150628,6 @@ index 0000000..e017c54 + /var/lib/xguest/home/xguest/\.shosts +.br + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sge_job_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the sge_job_ssh_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -83766,6 +150638,9 @@ index 0000000..e017c54 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -83777,15 +150652,246 @@ index 0000000..e017c54 + +.SH "SEE ALSO" +selinux(8), sge_job(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, sge_execd_selinux(8), sge_shepherd_selinux(8) ++, setsebool(8), sge_execd_selinux(8), sge_job_ssh_selinux(8), sge_shepherd_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sge_job_ssh_selinux.8 b/man/man8/sge_job_ssh_selinux.8 +new file mode 100644 +index 0000000..e17329d +--- /dev/null ++++ b/man/man8/sge_job_ssh_selinux.8 +@@ -0,0 +1,224 @@ ++.TH "sge_job_ssh_selinux" "8" "13-01-16" "sge_job_ssh" "SELinux Policy documentation for sge_job_ssh" ++.SH "NAME" ++sge_job_ssh_selinux \- Security Enhanced Linux Policy for the sge_job_ssh processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sge_job_ssh processes via flexible mandatory access control. ++ ++The sge_job_ssh processes execute with the sge_job_ssh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sge_job_ssh_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sge_job_ssh_t SELinux type can be entered via the \fBssh_exec_t\fP file type. ++ ++The default entrypoint paths for the sge_job_ssh_t domain are the following: ++ ++/usr/bin/ssh ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sge_job_ssh policy is very flexible allowing users to setup their sge_job_ssh processes in as secure a method as possible. ++.PP ++The following process types are defined for sge_job_ssh: ++ ++.EX ++.B sge_job_ssh_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sge_job_ssh_t ++can be used to make the process type sge_job_ssh_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sge_job_ssh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sge_job_ssh with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P sge_use_nfs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sge_job_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sge_job_ssh_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sge_job_ssh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B ssh_home_t ++ ++ /root/\.ssh(/.*)? ++.br ++ /var/lib/pgsql/\.ssh(/.*)? ++.br ++ /var/lib/openshift/[^/]+/\.ssh(/.*)? ++.br ++ /var/lib/amanda/\.ssh(/.*)? ++.br ++ /var/lib/stickshift/[^/]+/\.ssh(/.*)? ++.br ++ /var/lib/gitolite/\.ssh(/.*)? ++.br ++ /var/lib/nocpulse/\.ssh(/.*)? ++.br ++ /var/lib/gitolite3/\.ssh(/.*)? ++.br ++ /root/\.shosts ++.br ++ /home/[^/]*/\.ssh(/.*)? ++.br ++ /home/[^/]*/\.shosts ++.br ++ /home/pwalsh/\.ssh(/.*)? ++.br ++ /home/pwalsh/\.shosts ++.br ++ /home/dwalsh/\.ssh(/.*)? ++.br ++ /home/dwalsh/\.shosts ++.br ++ /var/lib/xguest/home/xguest/\.ssh(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.shosts ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? 
++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sge_job_ssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sge_execd_selinux(8), sge_job_selinux(8), sge_job_selinux(8), sge_shepherd_selinux(8) \ No newline at end of file diff --git a/man/man8/sge_shepherd_selinux.8 b/man/man8/sge_shepherd_selinux.8 new file mode 100644 -index 0000000..9a14e7d +index 0000000..3b7f33d --- /dev/null +++ b/man/man8/sge_shepherd_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "sge_shepherd_selinux" "8" "12-11-01" "sge_shepherd" "SELinux Policy documentation for sge_shepherd" +@@ -0,0 +1,189 @@ ++.TH "sge_shepherd_selinux" "8" "13-01-16" "sge_shepherd" "SELinux Policy documentation for sge_shepherd" +.SH "NAME" +sge_shepherd_selinux \- Security Enhanced Linux Policy for the sge_shepherd processes +.SH "DESCRIPTION" @@ -83801,7 +150907,9 @@ index 0000000..9a14e7d + +.SH "ENTRYPOINTS" + -+The sge_shepherd_t SELinux type can be entered via the "sge_shepherd_exec_t" file type. The default entrypoint paths for the sge_shepherd_t domain are the following:" ++The sge_shepherd_t SELinux type can be entered via the \fBsge_shepherd_exec_t\fP file type. ++ ++The default entrypoint paths for the sge_shepherd_t domain are the following: + +/usr/bin/sge_shepherd +.SH PROCESS TYPES 
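Review bot: the SEE ALSO line closing the new sge_job_ssh_selinux.8 lists `sge_job_selinux(8)` twice (`sge_execd_selinux(8), sge_job_selinux(8), sge_job_selinux(8), sge_shepherd_selinux(8)`), which looks like the generator emitting the parent page in place of the sibling it meant to skip; dedupe the list. More important for readers, this page says `nscd_use_shm boolean. Disabled by default.` while the sge_execd, sge_job and sge_shepherd pages generated on the same date (13-01-16) say `Enabled by default.` for the same boolean; the default is one policy value, so one of these is wrong and the source the generator reads the default from should be checked. `\fBps\bP` recurs in this page's PROCESS TYPES section, and its ssh_home_t and user_tmp_t lists carry the pwalsh and dwalsh host-specific entries noted for sftpd.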
@@ -83819,8 +150927,94 @@ index 0000000..9a14e7d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sge_shepherd_t ++can be used to make the process type sge_shepherd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sge_shepherd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sge_shepherd with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow sge to connect to the network using any TCP port, you must turn on the sge_domain_can_network_connect boolean. Disabled by default. ++ ++.EX ++.B setsebool -P sge_domain_can_network_connect 1 ++ ++.EE ++ ++.PP ++If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P sge_use_nfs 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sge_shepherd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B sge_spool_t ++ ++ /var/spool/gridengine(/.*)? ++.br ++ ++.br ++.B sge_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -83830,7 +151024,20 @@ index 0000000..9a14e7d +Policy governs the access confined processes have to these files. +SELinux sge_shepherd policy is very flexible allowing users to setup their sge_shepherd processes in as secure a method as possible. +.PP -+The following file types are defined for sge_shepherd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sge_shepherd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sge_shepherd_exec_t '/srv/sge_shepherd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysge_shepherd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sge_shepherd: + + +.EX 
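Review bot: the STANDARD FILE CONTEXT example added to sge_shepherd_selinux.8 (hunk at -83830) repeats the sge_execd defect: `semanage fcontext -a -t sge_shepherd_exec_t '/srv/sge_shepherd/content(/.*)?'` is followed by `restorecon -R -v /srv/mysge_shepherd_content`, a path the new rule does not match, and it again uses the entrypoint executable type for a content directory; since the text is templated, one fix in `sepolicy manpage` corrects every page in this patch. The earlier hunk on this line adds `nfs_t` to sge_shepherd_t's MANAGED FILES without saying it depends on `sge_use_nfs` (disabled by default), as for sge_execd. Dropping the empty `.SH NSSWITCH DOMAIN` that the old page carried (removed in the next hunk) is a welcome cleanup.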
@@ -83848,22 +151055,6 @@ index 0000000..9a14e7d +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type sge_shepherd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B sge_spool_t -+ -+ /var/spool/gridengine(/.*)? -+.br -+ -+.br -+.B sge_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -83874,6 +151065,9 @@ index 0000000..9a14e7d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -83885,15 +151079,15 @@ index 0000000..9a14e7d + +.SH "SEE ALSO" +selinux(8), sge_shepherd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, sge_execd_selinux(8), sge_job_selinux(8) ++, setsebool(8), sge_execd_selinux(8), sge_job_selinux(8), sge_job_ssh_selinux(8) \ No newline at end of file diff --git a/man/man8/shorewall_selinux.8 b/man/man8/shorewall_selinux.8 new file mode 100644 -index 0000000..ef276fc +index 0000000..603ed89 --- /dev/null +++ b/man/man8/shorewall_selinux.8 -@@ -0,0 +1,190 @@ -+.TH "shorewall_selinux" "8" "12-11-01" "shorewall" "SELinux Policy documentation for shorewall" +@@ -0,0 +1,334 @@ ++.TH "shorewall_selinux" "8" "13-01-16" "shorewall" "SELinux Policy documentation for shorewall" +.SH "NAME" +shorewall_selinux \- Security Enhanced Linux Policy for the shorewall processes +.SH "DESCRIPTION" 
@@ -83909,9 +151103,11 @@ index 0000000..ef276fc + +.SH "ENTRYPOINTS" + -+The shorewall_t SELinux type can be entered via the "shorewall_var_lib_t,shorewall_exec_t" file types. The default entrypoint paths for the shorewall_t domain are the following:" ++The shorewall_t SELinux type can be entered via the \fBshorewall_exec_t, shorewall_var_lib_t\fP file types. + -+/var/lib/shorewall(/.*)?, /var/lib/shorewall6(/.*)?, /var/lib/shorewall-lite(/.*)?, /sbin/shorewall6?, /usr/sbin/shorewall6?, /sbin/shorewall-lite, /usr/sbin/shorewall-lite ++The default entrypoint paths for the shorewall_t domain are the following: ++ ++/sbin/shorewall6?, /usr/sbin/shorewall6?, /sbin/shorewall-lite, /usr/sbin/shorewall-lite, /var/lib/shorewall(/.*)?, /var/lib/shorewall6(/.*)?, /var/lib/shorewall-lite(/.*)? +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -83927,8 +151123,168 @@ index 0000000..ef276fc +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a shorewall_t ++can be used to make the process type shorewall_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. shorewall policy is extremely flexible and has several booleans that allow you to manipulate the policy and run shorewall with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the shorewall_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the shorewall_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type shorewall_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B shorewall_lock_t ++ ++ /var/lock/subsys/shorewall ++.br ++ ++.br ++.B shorewall_tmp_t ++ ++ ++.br ++.B shorewall_var_lib_t ++ ++ /var/lib/shorewall(/.*)? ++.br ++ /var/lib/shorewall6(/.*)? ++.br ++ /var/lib/shorewall-lite(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -83938,7 +151294,31 @@ index 0000000..ef276fc +Policy governs the access confined processes have to these files. +SELinux shorewall policy is very flexible allowing users to setup their shorewall processes in as secure a method as possible. +.PP -+The following file types are defined for shorewall: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++shorewall policy stores data with multiple different file context types under the /var/lib/shorewall directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/shorewall /srv/shorewall ++.br ++.B restorecon -R -v /srv/shorewall ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the shorewall, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t shorewall_etc_t '/srv/shorewall/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myshorewall_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for shorewall: + + +.EX 
@@ -83948,6 +151328,10 @@ index 0000000..ef276fc + +- Set files with the shorewall_etc_t type, if you want to store shorewall files in the /etc directories. + ++.br ++.TP 5 ++Paths: ++/etc/shorewall(/.*)?, /etc/shorewall-lite(/.*)? + +.EX +.PP @@ -83956,6 +151340,10 @@ index 0000000..ef276fc + +- Set files with the shorewall_exec_t type, if you want to transition an executable to the shorewall_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/shorewall6?, /usr/sbin/shorewall6?, /sbin/shorewall-lite, /usr/sbin/shorewall-lite + +.EX +.PP @@ -83996,6 +151384,10 @@ index 0000000..ef276fc + +- Set files with the shorewall_var_lib_t type, if you want to store the shorewall files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/shorewall(/.*)?, /var/lib/shorewall6(/.*)?, /var/lib/shorewall-lite(/.*)? + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -84004,64 +151396,6 @@ index 0000000..ef276fc +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type shorewall_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B initrc_var_run_t -+ -+ /var/run/utmp -+.br -+ /var/run/random-seed -+.br -+ /var/run/runlevel\.dir -+.br -+ /var/run/setmixer_flag -+.br -+ -+.br -+.B shorewall_lock_t -+ -+ /var/lock/subsys/shorewall -+.br -+ -+.br -+.B shorewall_log_t -+ -+ /var/log/shorewall.* -+.br -+ -+.br -+.B shorewall_tmp_t -+ -+ -+.br -+.B shorewall_var_lib_t -+ -+ /var/lib/shorewall(/.*)? -+.br -+ /var/lib/shorewall6(/.*)? -+.br -+ /var/lib/shorewall-lite(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the shorewall_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the shorewall_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -84072,6 +151406,9 @@ index 0000000..ef276fc +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -84083,13 +151420,15 @@ index 0000000..ef276fc + +.SH "SEE ALSO" +selinux(8), shorewall(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
diff --git a/man/man8/showmount_selinux.8 b/man/man8/showmount_selinux.8 new file mode 100644 -index 0000000..906e450 +index 0000000..bb89084 --- /dev/null +++ b/man/man8/showmount_selinux.8 -@@ -0,0 +1,86 @@ -+.TH "showmount_selinux" "8" "12-11-01" "showmount" "SELinux Policy documentation for showmount" +@@ -0,0 +1,155 @@ ++.TH "showmount_selinux" "8" "13-01-16" "showmount" "SELinux Policy documentation for showmount" +.SH "NAME" +showmount_selinux \- Security Enhanced Linux Policy for the showmount processes +.SH "DESCRIPTION" @@ -84105,7 +151444,9 @@ index 0000000..906e450 + +.SH "ENTRYPOINTS" + -+The showmount_t SELinux type can be entered via the "showmount_exec_t" file type. The default entrypoint paths for the showmount_t domain are the following:" ++The showmount_t SELinux type can be entered via the \fBshowmount_exec_t\fP file type. ++ ++The default entrypoint paths for the showmount_t domain are the following: + +/usr/sbin/showmount +.SH PROCESS TYPES 
@@ -84123,8 +151464,60 @@ index 0000000..906e450 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a showmount_t ++can be used to make the process type showmount_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. showmount policy is extremely flexible and has several booleans that allow you to manipulate the policy and run showmount with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -84134,7 +151527,20 @@ index 0000000..906e450 +Policy governs the access confined processes have to these files. +SELinux showmount policy is very flexible allowing users to setup their showmount processes in as secure a method as possible. +.PP -+The following file types are defined for showmount: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the showmount, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t showmount_exec_t '/srv/showmount/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myshowmount_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for showmount: + + +.EX @@ -84152,8 +151558,6 @@ index 0000000..906e450 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -84164,6 +151568,9 @@ index 0000000..906e450 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -84175,13 +151582,15 @@ index 0000000..906e450 + +.SH "SEE ALSO" +selinux(8), showmount(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/shutdown_selinux.8 b/man/man8/shutdown_selinux.8 new file mode 100644 -index 0000000..f54ff0c +index 0000000..443c8e1 --- /dev/null 
+++ b/man/man8/shutdown_selinux.8 -@@ -0,0 +1,180 @@ -+.TH "shutdown_selinux" "8" "12-11-01" "shutdown" "SELinux Policy documentation for shutdown" +@@ -0,0 +1,273 @@ ++.TH "shutdown_selinux" "8" "13-01-16" "shutdown" "SELinux Policy documentation for shutdown" +.SH "NAME" +shutdown_selinux \- Security Enhanced Linux Policy for the shutdown processes +.SH "DESCRIPTION" @@ -84197,7 +151606,9 @@ index 0000000..f54ff0c + +.SH "ENTRYPOINTS" + -+The shutdown_t SELinux type can be entered via the "shutdown_exec_t" file type. The default entrypoint paths for the shutdown_t domain are the following:" ++The shutdown_t SELinux type can be entered via the \fBshutdown_exec_t\fP file type. ++ ++The default entrypoint paths for the shutdown_t domain are the following: + +/sbin/shutdown, /usr/sbin/shutdown, /lib/upstart/shutdown, /usr/lib/upstart/shutdown +.SH PROCESS TYPES 
@@ -84215,68 +151626,116 @@ index 0000000..f54ff0c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a shutdown_t ++can be used to make the process type shutdown_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. shutdown policy is extremely flexible and has several booleans that allow you to manipulate the policy and run shutdown with the tightest access possible. + + +.PP -+If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_graceful_shutdown 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow HTTPD to connect to port 80 for graceful shutdown, you must turn on the httpd_graceful_shutdown boolean. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_graceful_shutdown 1 ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux shutdown policy is very flexible allowing users to setup their shutdown processes in as secure a method as possible. 
-+.PP -+The following file types are defined for shutdown: -+ ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B shutdown_etc_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the shutdown_etc_t type, if you want to store shutdown files in the /etc directories. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B shutdown_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the shutdown_exec_t type, if you want to transition an executable to the shutdown_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B shutdown_var_run_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the shutdown_var_run_t type, if you want to store the shutdown files under the /run directory. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the shutdown_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the shutdown_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -84320,21 +151779,64 @@ index 0000000..f54ff0c + /var/log/wtmp.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux shutdown policy is very flexible allowing users to setup their shutdown processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the shutdown_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the shutdown, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t shutdown_etc_t '/srv/shutdown/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myshutdown_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for shutdown: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B shutdown_etc_t +.EE + ++- Set files with the shutdown_etc_t type, if you want to store shutdown files in the /etc directories. ++ ++ ++.EX ++.PP ++.B shutdown_exec_t ++.EE ++ ++- Set files with the shutdown_exec_t type, if you want to transition an executable to the shutdown_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/shutdown, /usr/sbin/shutdown, /lib/upstart/shutdown, /usr/lib/upstart/shutdown ++ ++.EX ++.PP ++.B shutdown_var_run_t ++.EE ++ ++- Set files with the shutdown_var_run_t type, if you want to store the shutdown files under the /run or /var/run directory. 
++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the shutdown_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -84364,11 +151866,11 @@ index 0000000..f54ff0c \ No newline at end of file diff --git a/man/man8/slapd_selinux.8 b/man/man8/slapd_selinux.8 new file mode 100644 -index 0000000..b4a9ee2 +index 0000000..0ed5e5e --- /dev/null +++ b/man/man8/slapd_selinux.8 -@@ -0,0 +1,274 @@ -+.TH "slapd_selinux" "8" "12-11-01" "slapd" "SELinux Policy documentation for slapd" +@@ -0,0 +1,432 @@ ++.TH "slapd_selinux" "8" "13-01-16" "slapd" "SELinux Policy documentation for slapd" +.SH "NAME" +slapd_selinux \- Security Enhanced Linux Policy for the slapd processes +.SH "DESCRIPTION" @@ -84384,9 +151886,11 @@ index 0000000..b4a9ee2 + +.SH "ENTRYPOINTS" + -+The slapd_t SELinux type can be entered via the "slapd_exec_t" file type. The default entrypoint paths for the slapd_t domain are the following:" ++The slapd_t SELinux type can be entered via the \fBslapd_exec_t\fP file type. + -+/usr/sbin/slapd ++The default entrypoint paths for the slapd_t domain are the following: ++ ++/usr/lib/slapd, /usr/sbin/slapd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -84402,8 +151906,210 @@ index 0000000..b4a9ee2 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a slapd_t ++can be used to make the process type slapd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. slapd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run slapd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the slapd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the slapd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type slapd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B auth_cache_t ++ ++ /var/cache/coolkey(/.*)? 
++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B slapd_db_t ++ ++ /var/lib/ldap(/.*)? ++.br ++ /etc/openldap/slapd\.d(/.*)? ++.br ++ ++.br ++.B slapd_lock_t ++ ++ /var/lock/subsys/ldap ++.br ++ /var/lock/subsys/slapd ++.br ++ ++.br ++.B slapd_replog_t ++ ++ /var/lib/ldap/replog(/.*)? ++.br ++ ++.br ++.B slapd_tmp_t ++ ++ ++.br ++.B slapd_tmpfs_t ++ ++ ++.br ++.B slapd_var_run_t ++ ++ /var/run/slapd.* ++.br ++ /var/run/openldap(/.*)? ++.br ++ /var/run/ldapi ++.br ++ /var/run/slapd\.pid ++.br ++ /var/run/slapd\.args ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -84413,7 +152119,31 @@ index 0000000..b4a9ee2 +Policy governs the access confined processes have to these files. +SELinux slapd policy is very flexible allowing users to setup their slapd processes in as secure a method as possible. +.PP -+The following file types are defined for slapd: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++slapd policy stores data with multiple different file context types under the /var/lib/ldap directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/ldap /srv/ldap ++.br ++.B restorecon -R -v /srv/ldap ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the slapd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t slapd_cert_t '/srv/slapd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myslapd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for slapd: + + +.EX @@ -84431,6 +152161,10 @@ index 0000000..b4a9ee2 + +- Set files with the slapd_db_t type, if you want to treat the files as slapd database content. + ++.br ++.TP 5 ++Paths: ++/var/lib/ldap(/.*)?, /etc/openldap/slapd\.d(/.*)? + +.EX +.PP @@ -84447,6 +152181,10 @@ index 0000000..b4a9ee2 + +- Set files with the slapd_exec_t type, if you want to transition an executable to the slapd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/slapd, /usr/sbin/slapd + +.EX +.PP 
@@ -84471,6 +152209,10 @@ index 0000000..b4a9ee2 + +- Set files with the slapd_lock_t type, if you want to treat the files as slapd lock data, stored under the /var/lock directory + ++.br ++.TP 5 ++Paths: ++/var/lock/subsys/ldap, /var/lock/subsys/slapd + +.EX +.PP @@ -84479,6 +152221,10 @@ index 0000000..b4a9ee2 + +- Set files with the slapd_log_t type, if you want to treat the data as slapd log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/ldap.*, /var/log/slapd.* + +.EX +.PP @@ -84517,8 +152263,12 @@ index 0000000..b4a9ee2 +.B slapd_var_run_t +.EE + -+- Set files with the slapd_var_run_t type, if you want to store the slapd files under the /run directory. ++- Set files with the slapd_var_run_t type, if you want to store the slapd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/slapd.*, /var/run/openldap(/.*)?, /var/run/ldapi, /var/run/slapd\.pid, /var/run/slapd\.args + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -84527,100 +152277,6 @@ index 0000000..b4a9ee2 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type slapd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B auth_cache_t -+ -+ /var/cache/coolkey(/.*)? -+.br -+ -+.br -+.B krb5_host_rcache_t -+ -+ /var/cache/krb5rcache(/.*)? -+.br -+ /var/tmp/nfs_0 -+.br -+ /var/tmp/DNS_25 -+.br -+ /var/tmp/host_0 -+.br -+ /var/tmp/imap_0 -+.br -+ /var/tmp/HTTP_23 -+.br -+ /var/tmp/HTTP_48 -+.br -+ /var/tmp/ldap_55 -+.br -+ /var/tmp/ldap_487 -+.br -+ /var/tmp/ldapmap1_0 -+.br -+ -+.br -+.B slapd_db_t -+ -+ /var/lib/ldap(/.*)? -+.br -+ /etc/openldap/slapd\.d(/.*)? -+.br -+ -+.br -+.B slapd_lock_t -+ -+ -+.br -+.B slapd_log_t -+ -+ -+.br -+.B slapd_replog_t -+ -+ /var/lib/ldap/replog(/.*)? -+.br -+ -+.br -+.B slapd_tmp_t -+ -+ -+.br -+.B slapd_tmpfs_t -+ -+ -+.br -+.B slapd_var_run_t -+ -+ /var/run/slapd.* -+.br -+ /var/run/openldap(/.*)? -+.br -+ /var/run/ldapi -+.br -+ /var/run/slapd\.pid -+.br -+ /var/run/slapd\.args -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the slapd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the slapd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -84631,6 +152287,9 @@ index 0000000..b4a9ee2 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -84642,13 +152301,15 @@ index 0000000..b4a9ee2 + +.SH "SEE ALSO" +selinux(8), slapd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/slpd_selinux.8 b/man/man8/slpd_selinux.8 new file mode 100644 -index 0000000..0387935 +index 0000000..93c0d6b --- /dev/null +++ b/man/man8/slpd_selinux.8 -@@ -0,0 +1,140 @@ -+.TH "slpd_selinux" "8" "12-11-01" "slpd" "SELinux Policy documentation for slpd" +@@ -0,0 +1,261 @@ ++.TH "slpd_selinux" "8" "13-01-16" "slpd" "SELinux Policy documentation for slpd" +.SH "NAME" +slpd_selinux \- Security Enhanced Linux Policy for the slpd processes +.SH "DESCRIPTION" @@ -84664,7 +152325,9 @@ index 0000000..0387935 + +.SH "ENTRYPOINTS" + -+The slpd_t SELinux type can be entered via the "slpd_exec_t" file type. The default entrypoint paths for the slpd_t domain are the following:" ++The slpd_t SELinux type can be entered via the \fBslpd_exec_t\fP file type. ++ ++The default entrypoint paths for the slpd_t domain are the following: + +/usr/sbin/slpd +.SH PROCESS TYPES 
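Review bot: the added `semanage boolean` sentence in the @@ -84631 hunk is missing its terminating period (`can also be used to manipulate the booleans`), unlike the neighbouring `semanage port` and `semanage module` sentences it is modelled on; fix the generator template so the same defect is not repeated in the slpd and smbcontrol COMMANDS hunks below.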
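Review bot: in the SEE ALSO hunk (@@ -84642), `++, setsebool(8)` on a line of its own renders as `sepolicy(8) , setsebool(8)` with a stray space before the comma, because troff joins consecutive input lines with a space; append `, setsebool(8)` to the existing `selinux(8), slapd(8), semanage(8), ...` line instead. The same pattern recurs in the slpd and smbcontrol SEE ALSO hunks. Related style point: every generated page still ends with `\ No newline at end of file`; emitting a final newline from the generator would remove that noise from every future regeneration diff.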
@@ -84682,8 +152345,142 @@ index 0000000..0387935 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a slpd_t ++can be used to make the process type slpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. slpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run slpd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the slpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the slpd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type slpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B slpd_var_run_t ++ ++ /var/run/slpd\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -84693,7 +152490,20 @@ index 0000000..0387935 +Policy governs the access confined processes have to these files. +SELinux slpd policy is very flexible allowing users to setup their slpd processes in as secure a method as possible. +.PP -+The following file types are defined for slpd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the slpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t slpd_exec_t '/srv/slpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myslpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for slpd: + + +.EX @@ -84714,10 +152524,10 @@ index 0000000..0387935 + +.EX +.PP -+.B slpd_var_log_t ++.B slpd_log_t +.EE + -+- Set files with the slpd_var_log_t type, if you want to treat the data as slpd var log data, usually stored under the /var/log directory. ++- Set files with the slpd_log_t type, if you want to treat the data as slpd log data, usually stored under the /var/log directory. + + +.EX @@ -84725,7 +152535,7 @@ index 0000000..0387935 +.B slpd_var_run_t +.EE + -+- Set files with the slpd_var_run_t type, if you want to store the slpd files under the /run directory. ++- Set files with the slpd_var_run_t type, if you want to store the slpd files under the /run or /var/run directory. + + +.PP 
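Review bot: the deny_ptrace paragraph in the @@ -84682,8 +152345,142 hunk is inverted: it reads `If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean` and then shows `setsebool -P deny_ptrace 1`, but setting deny_ptrace to 1 is what denies ptrace. The generator appears to pair each boolean's "allow ..." description with an unconditional `1`; either derive the wording from the tunable's actual semantics or show the value that matches the sentence. The identical paragraph is copied into the smbcontrol, smbd and smbmount pages below. Secondary points in the same hunk: authlogin_nsswitch_use_ldap and kerberos_enabled are documented twice (once under BOOLEANS, again under NSSWITCH DOMAIN), `rather then` should read `rather than`, and the `root_t` entry under MANAGED FILES (paths `/` and `/initrd`) is worth verifying against the policy source, since it documents slpd_t creating files directly under the filesystem root.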
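Review bot: the labeling example in the STANDARD FILE CONTEXT hunk (@@ -84693) is unsafe as written: `semanage fcontext -a -t slpd_exec_t '/srv/slpd/content(/.*)?'` labels a content tree with the domain's entrypoint type, so any file dropped there becomes an executable that transitions into slpd_t. A "store files in a different path" example should use one of the data types listed right after it (slpd_log_t or slpd_var_run_t). The following `restorecon -R -v /srv/myslpd_content` also names a different path from the fcontext rule, so it would relabel nothing. Typos on the same lines: `diffent`, `sepecify`. The smbcontrol and smbd pages carry the same template text and need the same fix.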
@@ -84735,38 +152545,6 @@ index 0000000..0387935 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type slpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B slpd_var_log_t -+ -+ /var/log/slpd\.log -+.br -+ -+.br -+.B slpd_var_run_t -+ -+ /var/run/slpd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the slpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the slpd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -84777,6 +152555,9 @@ index 0000000..0387935 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -84788,13 +152569,23 @@ index 0000000..0387935 + +.SH "SEE ALSO" +selinux(8), slpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/smartmon_selinux.8 b/man/man8/smartmon_selinux.8 +new file mode 100644 +index 0000000..6795ec8 +--- /dev/null ++++ b/man/man8/smartmon_selinux.8 +@@ -0,0 +1 @@ ++.so man8/fsdaemon_selinux.8 +\ No newline at end of file diff --git a/man/man8/smbcontrol_selinux.8 b/man/man8/smbcontrol_selinux.8 new file mode 100644 -index 0000000..1b75541 +index 0000000..1182572 --- /dev/null 
+++ b/man/man8/smbcontrol_selinux.8 -@@ -0,0 +1,100 @@ -+.TH "smbcontrol_selinux" "8" "12-11-01" "smbcontrol" "SELinux Policy documentation for smbcontrol" +@@ -0,0 +1,163 @@ ++.TH "smbcontrol_selinux" "8" "13-01-16" "smbcontrol" "SELinux Policy documentation for smbcontrol" +.SH "NAME" +smbcontrol_selinux \- Security Enhanced Linux Policy for the smbcontrol processes +.SH "DESCRIPTION" @@ -84810,7 +152601,9 @@ index 0000000..1b75541 + +.SH "ENTRYPOINTS" + -+The smbcontrol_t SELinux type can be entered via the "smbcontrol_exec_t" file type. The default entrypoint paths for the smbcontrol_t domain are the following:" ++The smbcontrol_t SELinux type can be entered via the \fBsmbcontrol_exec_t\fP file type. ++ ++The default entrypoint paths for the smbcontrol_t domain are the following: + +/usr/bin/smbcontrol +.SH PROCESS TYPES 
@@ -84828,8 +152621,68 @@ index 0000000..1b75541 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a smbcontrol_t ++can be used to make the process type smbcontrol_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. smbcontrol policy is extremely flexible and has several booleans that allow you to manipulate the policy and run smbcontrol with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type smbcontrol_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B samba_var_t ++ ++ /var/nmbd(/.*)? 
++.br ++ /var/lib/samba(/.*)? ++.br ++ /var/cache/samba(/.*)? ++.br ++ /var/spool/samba(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -84839,7 +152692,20 @@ index 0000000..1b75541 +Policy governs the access confined processes have to these files. +SELinux smbcontrol policy is very flexible allowing users to setup their smbcontrol processes in as secure a method as possible. +.PP -+The following file types are defined for smbcontrol: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the smbcontrol, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t smbcontrol_exec_t '/srv/smbcontrol/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysmbcontrol_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for smbcontrol: + + +.EX @@ -84857,22 +152723,6 @@ index 0000000..1b75541 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type smbcontrol_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B samba_var_t -+ -+ /var/lib/samba(/.*)? -+.br -+ /var/cache/samba(/.*)? -+.br -+ /var/spool/samba(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -84883,6 +152733,9 @@ index 0000000..1b75541 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -84894,13 +152747,15 @@ index 0000000..1b75541 + +.SH "SEE ALSO" +selinux(8), smbcontrol(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/smbd_selinux.8 b/man/man8/smbd_selinux.8 new file mode 100644 -index 0000000..9794fdc +index 0000000..b57db67 --- /dev/null +++ b/man/man8/smbd_selinux.8 -@@ -0,0 +1,421 @@ -+.TH "smbd_selinux" "8" "12-11-01" "smbd" "SELinux Policy documentation for smbd" +@@ -0,0 +1,396 @@ ++.TH "smbd_selinux" "8" "13-01-16" "smbd" "SELinux Policy documentation for smbd" +.SH "NAME" +smbd_selinux \- Security Enhanced Linux Policy for the smbd processes +.SH "DESCRIPTION" @@ -84916,7 +152771,9 @@ index 0000000..9794fdc + +.SH "ENTRYPOINTS" + -+The smbd_t SELinux type can be entered via the "smbd_exec_t" file type. The default entrypoint paths for the smbd_t domain are the following:" ++The smbd_t SELinux type can be entered via the \fBsmbd_exec_t\fP file type. ++ ++The default entrypoint paths for the smbd_t domain are the following: + +/usr/sbin/smbd +.SH PROCESS TYPES 
@@ -84934,129 +152791,233 @@ index 0000000..9794fdc +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a smbd_t ++can be used to make the process type smbd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. smbd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run smbd with the tightest access possible. + + +.PP -+If you want to allow samba to export ntfs/fusefs volumes, you must turn on the samba_share_fusefs boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P samba_share_fusefs 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow samba to share any file/directory read only, you must turn on the samba_export_all_ro boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P samba_export_all_ro 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.B setsebool -P virt_use_samba 1 ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + +.PP -+If you want to allow samba to create new home directories (e.g. via PAM), you must turn on the samba_create_home_dirs boolean. 
++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow samba to create new home directories (e.g. via PAM), you must turn on the samba_create_home_dirs boolean. Disabled by default. 
+ +.EX +.B setsebool -P samba_create_home_dirs 1 ++ +.EE + +.PP -+If you want to allow samba to share users home directories, you must turn on the samba_enable_home_dirs boolean. -+ -+.EX -+.B setsebool -P samba_enable_home_dirs 1 -+.EE -+ -+.PP -+If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean. -+ -+.EX -+.B setsebool -P samba_share_nfs 1 -+.EE -+ -+.PP -+If you want to allow sanlock to manage cifs files, you must turn on the sanlock_use_samba boolean. -+ -+.EX -+.B setsebool -P sanlock_use_samba 1 -+.EE -+ -+.PP -+If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean. -+ -+.EX -+.B setsebool -P samba_run_unconfined 1 -+.EE -+ -+.PP -+If you want to allow samba to act as the domain controller, add users, groups and change passwords, you must turn on the samba_domain_controller boolean. ++If you want to allow samba to act as the domain controller, add users, groups and change passwords, you must turn on the samba_domain_controller boolean. Disabled by default. + +.EX +.B setsebool -P samba_domain_controller 1 ++ +.EE + +.PP -+If you want to allow samba to share any file/directory read/write, you must turn on the samba_export_all_rw boolean. ++If you want to allow samba to share users home directories, you must turn on the samba_enable_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P samba_enable_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow samba to share any file/directory read only, you must turn on the samba_export_all_ro boolean. Disabled by default. ++ ++.EX ++.B setsebool -P samba_export_all_ro 1 ++ ++.EE ++ ++.PP ++If you want to allow samba to share any file/directory read/write, you must turn on the samba_export_all_rw boolean. Disabled by default. + +.EX +.B setsebool -P samba_export_all_rw 1 ++ +.EE + +.PP -+If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean. 
++If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean. Disabled by default. + +.EX +.B setsebool -P samba_portmapper 1 ++ +.EE + +.PP -+If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. ++If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean. Disabled by default. + +.EX -+.B setsebool -P use_samba_home_dirs 1 ++.B setsebool -P samba_run_unconfined 1 ++ +.EE + -+.SH SHARING FILES -+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. -+.TP -+Allow smbd servers to read the /var/smbd directory by adding the public_content_t file type to the directory and by restoring the file type. +.PP -+.B -+semanage fcontext -a -t public_content_t "/var/smbd(/.*)?" ++If you want to allow samba to export ntfs/fusefs volumes, you must turn on the samba_share_fusefs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P samba_share_fusefs 1 ++ ++.EE ++ ++.PP ++If you want to allow samba to export NFS volumes, you must turn on the samba_share_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P samba_share_nfs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the smbmount_t, smbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the smbmount_t, smbd_t, you must turn on the kerberos_enabled boolean. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible. ++.PP ++The following port types are defined for smbd: ++ ++.EX ++.TP 5 ++.B smbd_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 137-139,445 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type smbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ +.br -+.B restorecon -F -R -v /var/smbd -+.pp -+.TP -+Allow smbd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_smbdd_anon_write boolean to be set. -+.PP -+.B -+semanage fcontext -a -t public_content_rw_t "/var/smbd/incoming(/.*)?" ++.B non_security_file_type ++ ++ +.br -+.B restorecon -F -R -v /var/smbd/incoming ++.B user_home_type + -+ -+.PP -+If you want to allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the smbd_anon_write boolean. -+ -+.EX -+.B setsebool -P smbd_anon_write 1 -+.EE -+ -+.PP -+If you want to allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the smbd_anon_write boolean. -+ -+.EX -+.B setsebool -P smbd_anon_write 1 -+.EE ++ all user home files ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
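Review bot: the MANAGED FILES block at the end of the @@ -84934,129 +152791,233 hunk replaces the previously enumerated list (auth_cache_t, ctdbd_var_lib_t, samba_secrets_t, smbd_var_run_t, ...) with `non_security_file_type` and `user_home_type`, i.e. effectively every non-security file on the system, with no condition stated. The only booleans above that describe that scope are `samba_export_all_rw` ("share any file/directory read/write") and `samba_enable_home_dirs`, both `Disabled by default`; the generator should emit the guarding boolean next to such entries rather than flattening conditional rules into the unconditional list, otherwise readers will conclude smbd_t has write access to all user data out of the box. Also in this hunk: `virt_use_samba`, `sanlock_use_samba` and `use_samba_home_dirs` are removed from BOOLEANS with no replacement visible (the first two belong to other domains, but use_samba_home_dirs governs home-directory sharing and probably belongs here); the moved PORT TYPES block has one `.EX` and two `.EE`; and `nscd_use_shm` is listed as `Disabled by default` here while the slpd page in this same patch says `Enabled by default`.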
@@ -85066,7 +153027,31 @@ index 0000000..9794fdc +Policy governs the access confined processes have to these files. +SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible. +.PP -+The following file types are defined for smbd: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++smbd policy stores data with multiple different file context types under the /var/run/samba directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/samba /srv/samba ++.br ++.B restorecon -R -v /srv/samba ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the smbd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t smbd_exec_t '/srv/smbd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysmbd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for smbd: + + +.EX 
@@ -85098,8 +153083,12 @@ index 0000000..9794fdc +.B smbd_var_run_t +.EE + -+- Set files with the smbd_var_run_t type, if you want to store the smbd files under the /run directory. ++- Set files with the smbd_var_run_t type, if you want to store the smbd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/samba(/.*)?, /var/run/samba/smbd\.pid, /var/run/samba/brlock\.tdb, /var/run/samba/locking\.tdb, /var/run/samba/gencache\.tdb, /var/run/samba/sessionid\.tdb, /var/run/samba/share_info\.tdb, /var/run/samba/connections\.tdb + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -85108,189 +153097,30 @@ index 0000000..9794fdc +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. ++.SH SHARING FILES ++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. ++.TP ++Allow smbd servers to read the /var/smbd directory by adding the public_content_t file type to the directory and by restoring the file type. +.PP -+You can see the types associated with a port by using the following command: ++.B ++semanage fcontext -a -t public_content_t "/var/smbd(/.*)?" ++.br ++.B restorecon -F -R -v /var/smbd ++.pp ++.TP ++Allow smbd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_smbdd_anon_write boolean to be set. ++.PP ++.B ++semanage fcontext -a -t public_content_rw_t "/var/smbd/incoming(/.*)?" ++.br ++.B restorecon -F -R -v /var/smbd/incoming + -+.B semanage port -l + +.PP -+Policy governs the access confined processes have to these ports. -+SELinux smbd policy is very flexible allowing users to setup their smbd processes in as secure a method as possible. -+.PP -+The following port types are defined for smbd: ++If you want to allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the smbd_anon_write boolean. + +.EX -+.TP 5 -+.B smbd_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 137-139,445 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type smbd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. 
Note the processes UID still need to have DAC permissions. -+ -+.br -+.B auth_cache_t -+ -+ /var/cache/coolkey(/.*)? -+.br -+ -+.br -+.B ctdbd_var_lib_t -+ -+ /etc/ctdb(/.*)? -+.br -+ /var/ctdb(/.*)? -+.br -+ /var/ctdbd(/.*)? -+.br -+ /var/lib/ctdbd(/.*)? -+.br -+ -+.br -+.B faillog_t -+ -+ /var/log/btmp.* -+.br -+ /var/run/faillock(/.*)? -+.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B initrc_var_run_t -+ -+ /var/run/utmp -+.br -+ /var/run/random-seed -+.br -+ /var/run/runlevel\.dir -+.br -+ /var/run/setmixer_flag -+.br -+ -+.br -+.B nmbd_var_run_t -+ -+ /var/run/nmbd(/.*)? -+.br -+ /var/run/samba/nmbd(/.*)? -+.br -+ /var/run/samba/nmbd\.pid -+.br -+ /var/run/samba/messages\.tdb -+.br -+ /var/run/samba/namelist\.debug -+.br -+ /var/run/samba/unexpected\.tdb -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br -+.B samba_etc_t -+ -+ /etc/samba(/.*)? -+.br -+ -+.br -+.B samba_log_t -+ -+ /var/log/samba(/.*)? -+.br -+ -+.br -+.B samba_secrets_t -+ -+ /etc/samba/smbpasswd -+.br -+ /etc/samba/passdb\.tdb -+.br -+ /etc/samba/MACHINE\.SID -+.br -+ /etc/samba/secrets\.tdb -+.br -+ -+.br -+.B samba_share_t -+ -+ use this label for random content that will be shared using samba -+.br -+ -+.br -+.B samba_var_t -+ -+ /var/lib/samba(/.*)? -+.br -+ /var/cache/samba(/.*)? -+.br -+ /var/spool/samba(/.*)? -+.br -+ -+.br -+.B smbd_tmp_t -+ -+ -+.br -+.B smbd_var_run_t -+ -+ /var/run/samba(/.*)? 
-+.br -+ /var/run/samba/smbd\.pid -+.br -+ /var/run/samba/brlock\.tdb -+.br -+ /var/run/samba/locking\.tdb -+.br -+ /var/run/samba/gencache\.tdb -+.br -+ /var/run/samba/sessionid\.tdb -+.br -+ /var/run/samba/share_info\.tdb -+.br -+ /var/run/samba/connections\.tdb -+.br -+ -+.br -+.B wtmp_t -+ -+ /var/log/wtmp.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smbmount_t, smbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the smbmount_t, smbd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 ++.B setsebool -P smbd_anon_write 1 +.EE + +.SH "COMMANDS" @@ -85324,11 +153154,11 @@ index 0000000..9794fdc \ No newline at end of file diff --git a/man/man8/smbmount_selinux.8 b/man/man8/smbmount_selinux.8 new file mode 100644 -index 0000000..33aaac3 +index 0000000..1c93ffd --- /dev/null +++ b/man/man8/smbmount_selinux.8 -@@ -0,0 +1,186 @@ -+.TH "smbmount_selinux" "8" "12-11-01" "smbmount" "SELinux Policy documentation for smbmount" +@@ -0,0 +1,287 @@ ++.TH "smbmount_selinux" "8" "13-01-16" "smbmount" "SELinux Policy documentation for smbmount" +.SH "NAME" +smbmount_selinux \- Security Enhanced Linux Policy for the smbmount processes +.SH "DESCRIPTION" @@ -85344,7 +153174,9 @@ index 0000000..33aaac3 + +.SH "ENTRYPOINTS" + -+The smbmount_t SELinux type can be entered via the "smbmount_exec_t" file type. The default entrypoint paths for the smbmount_t domain are the following:" ++The smbmount_t SELinux type can be entered via the \fBsmbmount_exec_t\fP file type. ++ ++The default entrypoint paths for the smbmount_t domain are the following: + +/usr/bin/smbmnt, /usr/bin/smbmount +.SH PROCESS TYPES 
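Review bot: the SHARING FILES text moved in the @@ -85108,189 +153097,30 hunk still carries the defects of the original and this is the moment to fix them in the generator: the prose names the boolean `allow_smbdd_anon_write` (extra `d`, and the obsolete `allow_` prefix) while the setsebool line a few lines later uses `smbd_anon_write`; the second item says it relabels `/var/tmp/incoming` but the commands operate on `/var/smbd/incoming`; and `.pp` is not a man macro (should be `.PP`). Dropping the duplicated smbd_anon_write paragraph is correct.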
@@ -85362,34 +153194,100 @@ index 0000000..33aaac3 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a smbmount_t ++can be used to make the process type smbmount_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux smbmount policy is very flexible allowing users to setup their smbmount processes in as secure a method as possible. -+.PP -+The following file types are defined for smbmount: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. smbmount policy is extremely flexible and has several booleans that allow you to manipulate the policy and run smbmount with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B smbmount_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the smbmount_exec_t type, if you want to transition an executable to the smbmount_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the smbmount_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the smbmount_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -85416,10 +153314,10 @@ index 0000000..33aaac3 +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -85428,10 +153326,10 @@ index 0000000..33aaac3 +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE @@ -85470,6 +153368,8 @@ index 0000000..33aaac3 +.br +.B samba_var_t + ++ /var/nmbd(/.*)? ++.br + /var/lib/samba(/.*)? +.br + /var/cache/samba(/.*)? 
@@ -85477,21 +153377,48 @@ index 0000000..33aaac3 + /var/spool/samba(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux smbmount policy is very flexible allowing users to setup their smbmount processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smbmount_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the smbmount, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t smbmount_exec_t '/srv/smbmount/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysmbmount_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for smbmount: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B smbmount_exec_t +.EE + ++- Set files with the smbmount_exec_t type, if you want to transition an executable to the smbmount_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/smbmnt, /usr/bin/smbmount ++ +.PP -+If you want to allow confined applications to run with kerberos for the smbmount_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
+ +.SH "COMMANDS" +.B semanage fcontext @@ -85503,6 +153430,9 @@ index 0000000..33aaac3 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -85514,13 +153444,15 @@ index 0000000..33aaac3 + +.SH "SEE ALSO" +selinux(8), smbmount(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/smokeping_selinux.8 b/man/man8/smokeping_selinux.8 new file mode 100644 -index 0000000..63d78f7 +index 0000000..575483b --- /dev/null +++ b/man/man8/smokeping_selinux.8 -@@ -0,0 +1,140 @@ -+.TH "smokeping_selinux" "8" "12-11-01" "smokeping" "SELinux Policy documentation for smokeping" +@@ -0,0 +1,267 @@ ++.TH "smokeping_selinux" "8" "13-01-16" "smokeping" "SELinux Policy documentation for smokeping" +.SH "NAME" +smokeping_selinux \- Security Enhanced Linux Policy for the smokeping processes +.SH "DESCRIPTION" @@ -85536,7 +153468,9 @@ index 0000000..63d78f7 + +.SH "ENTRYPOINTS" + -+The smokeping_t SELinux type can be entered via the "smokeping_exec_t" file type. The default entrypoint paths for the smokeping_t domain are the following:" ++The smokeping_t SELinux type can be entered via the \fBsmokeping_exec_t\fP file type. ++ ++The default entrypoint paths for the smokeping_t domain are the following: + +/usr/sbin/smokeping +.SH PROCESS TYPES 
@@ -85554,8 +153488,148 @@ index 0000000..63d78f7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a smokeping_t ++can be used to make the process type smokeping_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. smokeping policy is extremely flexible and has several booleans that allow you to manipulate the policy and run smokeping with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the smokeping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the smokeping_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type smokeping_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B smokeping_var_lib_t ++ ++ /var/lib/smokeping(/.*)? ++.br ++ ++.br ++.B smokeping_var_run_t ++ ++ /var/run/smokeping(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -85565,7 +153639,20 @@ index 0000000..63d78f7 +Policy governs the access confined processes have to these files. +SELinux smokeping policy is very flexible allowing users to setup their smokeping processes in as secure a method as possible. +.PP -+The following file types are defined for smokeping: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the smokeping, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t smokeping_exec_t '/srv/smokeping/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysmokeping_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for smokeping: + + +.EX @@ -85597,7 +153684,7 @@ index 0000000..63d78f7 +.B smokeping_var_run_t +.EE + -+- Set files with the smokeping_var_run_t type, if you want to store the smokeping files under the /run directory. ++- Set files with the smokeping_var_run_t type, if you want to store the smokeping files under the /run or /var/run directory. + + +.PP 
@@ -85607,38 +153694,6 @@ index 0000000..63d78f7 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type smokeping_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B smokeping_var_lib_t -+ -+ /var/lib/smokeping(/.*)? -+.br -+ -+.br -+.B smokeping_var_run_t -+ -+ /var/run/smokeping(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smokeping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the smokeping_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -85649,6 +153704,9 @@ index 0000000..63d78f7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -85660,13 +153718,15 @@ index 0000000..63d78f7 + +.SH "SEE ALSO" +selinux(8), smokeping(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/smoltclient_selinux.8 b/man/man8/smoltclient_selinux.8 new file mode 100644 -index 0000000..088e814 +index 0000000..2c39a73 --- /dev/null 
+++ b/man/man8/smoltclient_selinux.8 -@@ -0,0 +1,116 @@ -+.TH "smoltclient_selinux" "8" "12-11-01" "smoltclient" "SELinux Policy documentation for smoltclient" +@@ -0,0 +1,211 @@ ++.TH "smoltclient_selinux" "8" "13-01-16" "smoltclient" "SELinux Policy documentation for smoltclient" +.SH "NAME" +smoltclient_selinux \- Security Enhanced Linux Policy for the smoltclient processes +.SH "DESCRIPTION" @@ -85682,7 +153742,9 @@ index 0000000..088e814 + +.SH "ENTRYPOINTS" + -+The smoltclient_t SELinux type can be entered via the "smoltclient_exec_t" file type. The default entrypoint paths for the smoltclient_t domain are the following:" ++The smoltclient_t SELinux type can be entered via the \fBsmoltclient_exec_t\fP file type. ++ ++The default entrypoint paths for the smoltclient_t domain are the following: + +/usr/share/smolt/client/sendProfile.py +.SH PROCESS TYPES 
@@ -85700,8 +153762,108 @@ index 0000000..088e814 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a smoltclient_t ++can be used to make the process type smoltclient_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. smoltclient policy is extremely flexible and has several booleans that allow you to manipulate the policy and run smoltclient with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the smoltclient_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the smoltclient_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type smoltclient_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B smoltclient_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -85711,7 +153873,20 @@ index 0000000..088e814 +Policy governs the access confined processes have to these files. +SELinux smoltclient policy is very flexible allowing users to setup their smoltclient processes in as secure a method as possible. +.PP -+The following file types are defined for smoltclient: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the smoltclient, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t smoltclient_exec_t '/srv/smoltclient/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysmoltclient_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for smoltclient: + + +.EX @@ -85737,30 +153912,6 @@ index 0000000..088e814 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type smoltclient_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B smoltclient_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smoltclient_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the smoltclient_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -85771,6 +153922,9 @@ index 0000000..088e814 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -85782,13 +153936,329 @@ index 0000000..088e814 + +.SH "SEE ALSO" +selinux(8), smoltclient(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/smsd_selinux.8 b/man/man8/smsd_selinux.8 +new file mode 100644 +index 0000000..6134f91 +--- /dev/null ++++ b/man/man8/smsd_selinux.8 +@@ -0,0 +1,307 @@ ++.TH "smsd_selinux" "8" "13-01-16" "smsd" "SELinux Policy documentation for smsd" ++.SH "NAME" ++smsd_selinux \- Security Enhanced Linux Policy for the smsd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the smsd processes via flexible mandatory access control. ++ ++The smsd processes execute with the smsd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep smsd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The smsd_t SELinux type can be entered via the \fBsmsd_exec_t\fP file type. ++ ++The default entrypoint paths for the smsd_t domain are the following: ++ ++/usr/sbin/smsd ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux smsd policy is very flexible allowing users to setup their smsd processes in as secure a method as possible. ++.PP ++The following process types are defined for smsd: ++ ++.EX ++.B smsd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a smsd_t ++can be used to make the process type smsd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. smsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run smsd with the tightest access possible. 
++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the smsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the smsd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type smsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B smsd_log_t ++ ++ /var/log/smsd(/.*)? ++.br ++ ++.br ++.B smsd_spool_t ++ ++ /var/spool/sms(/.*)? ++.br ++ ++.br ++.B smsd_tmp_t ++ ++ ++.br ++.B smsd_var_lib_t ++ ++ /var/lib/smstools(/.*)? ++.br ++ ++.br ++.B smsd_var_run_t ++ ++ /var/run/smsd(/.*)? ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux smsd policy is very flexible allowing users to setup their smsd processes in as secure a method as possible. 
++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the smsd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t smsd_exec_t '/srv/smsd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysmsd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for smsd: ++ ++ ++.EX ++.PP ++.B smsd_exec_t ++.EE ++ ++- Set files with the smsd_exec_t type, if you want to transition an executable to the smsd_t domain. ++ ++ ++.EX ++.PP ++.B smsd_initrc_exec_t ++.EE ++ ++- Set files with the smsd_initrc_exec_t type, if you want to transition an executable to the smsd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B smsd_log_t ++.EE ++ ++- Set files with the smsd_log_t type, if you want to treat the data as smsd log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B smsd_spool_t ++.EE ++ ++- Set files with the smsd_spool_t type, if you want to store the smsd files under the /var/spool directory. ++ ++ ++.EX ++.PP ++.B smsd_tmp_t ++.EE ++ ++- Set files with the smsd_tmp_t type, if you want to store smsd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B smsd_var_lib_t ++.EE ++ ++- Set files with the smsd_var_lib_t type, if you want to store the smsd files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B smsd_var_run_t ++.EE ++ ++- Set files with the smsd_var_run_t type, if you want to store the smsd files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), smsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/snmpd_selinux.8 b/man/man8/snmpd_selinux.8 new file mode 100644 -index 0000000..2987987 +index 0000000..2f6d9bc --- /dev/null +++ b/man/man8/snmpd_selinux.8 -@@ -0,0 +1,194 @@ -+.TH "snmpd_selinux" "8" "12-11-01" "snmpd" "SELinux Policy documentation for snmpd" +@@ -0,0 +1,340 @@ ++.TH "snmpd_selinux" "8" "13-01-16" "snmpd" "SELinux Policy documentation for snmpd" +.SH "NAME" +snmpd_selinux \- Security Enhanced Linux Policy for the snmpd processes +.SH "DESCRIPTION" @@ -85804,9 +154274,11 @@ index 0000000..2987987 + +.SH "ENTRYPOINTS" + -+The snmpd_t SELinux type can be entered via the "snmpd_exec_t" file type. The default entrypoint paths for the snmpd_t domain are the following:" ++The snmpd_t SELinux type can be entered via the \fBsnmpd_exec_t\fP file type. + -+/usr/sbin/snmp(trap)?d ++The default entrypoint paths for the snmpd_t domain are the following: ++ ++/usr/sbin/snmptrap, /usr/sbin/snmptrapd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -85822,66 +154294,124 @@ index 0000000..2987987 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a snmpd_t ++can be used to make the process type snmpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible. -+.PP -+The following file types are defined for snmpd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. snmpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run snmpd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B snmpd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the snmpd_exec_t type, if you want to transition an executable to the snmpd_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B snmpd_initrc_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the snmpd_initrc_exec_t type, if you want to transition an executable to the snmpd_initrc_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. 
Disabled by default. + +.EX -+.PP -+.B snmpd_log_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the snmpd_log_t type, if you want to treat the data as snmpd log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B snmpd_var_lib_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the snmpd_var_lib_t type, if you want to store the snmpd files under the /var/lib directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B snmpd_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the snmpd_var_run_t type, if you want to store the snmpd files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the snmpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the snmpd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -85913,9 +154443,11 @@ index 0000000..2987987 +The SELinux process type snmpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B snmpd_log_t ++.B root_t + -+ /var/log/snmpd\.log.* ++ / ++.br ++ /initrd +.br + +.br @@ -85923,6 +154455,8 @@ index 0000000..2987987 + + /var/agentx(/.*)? +.br ++ /var/net-snmp(/.*) ++.br + /var/lib/snmp(/.*)? +.br + /var/net-snmp(/.*)? 
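Review bot: in the snmpd MANAGED FILES hunk the snmpd_log_t entry (/var/log/snmpd\.log.*) is dropped and replaced by root_t (/ and /initrd), and in the FILE CONTEXTS hunk further down snmpd_log_t carries no Paths: line while snmpd_var_lib_t and snmpd_var_run_t do. Check whether the /var/log/snmpd\.log.* file context was really removed from the policy or whether the generator lost it; if snmpd_t can no longer manage its own log file that is a regression the changelog does not mention. The added `/var/net-snmp(/.*)` line duplicates the existing `/var/net-snmp(/.*)?` with a pattern that matches the contents but not the directory itself, so one of the two file_contexts entries should go. root_t appearing as a managed type for snmpd_t (and for snort_t, soundd_t and spamass_milter_t in the pages below) looks like the daemons_dump_core rule from the BOOLEANS section; if that access is tunable-gated, the generator should mark it as such rather than listing / as unconditionally writable by the daemon.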
@@ -85942,22 +154476,100 @@ index 0000000..2987987 + /var/run/snmpd\.pid +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux snmpd policy is very flexible allowing users to setup their snmpd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the snmpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the snmpd_t, you must turn on the kerberos_enabled boolean. ++snmpd policy stores data with multiple different file context types under the /var/run/snmpd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/snmpd /srv/snmpd ++.br ++.B restorecon -R -v /srv/snmpd ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the snmpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t snmpd_exec_t '/srv/snmpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysnmpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for snmpd: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B snmpd_exec_t +.EE + ++- Set files with the snmpd_exec_t type, if you want to transition an executable to the snmpd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/snmptrap, /usr/sbin/snmptrapd ++ ++.EX ++.PP ++.B snmpd_initrc_exec_t ++.EE ++ ++- Set files with the snmpd_initrc_exec_t type, if you want to transition an executable to the snmpd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B snmpd_log_t ++.EE ++ ++- Set files with the snmpd_log_t type, if you want to treat the data as snmpd log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B snmpd_var_lib_t ++.EE ++ ++- Set files with the snmpd_var_lib_t type, if you want to store the snmpd files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/agentx(/.*)?, /var/net-snmp(/.*), /var/lib/snmp(/.*)?, /var/net-snmp(/.*)?, /var/lib/net-snmp(/.*)?, /usr/share/snmp/mibs/\.index ++ ++.EX ++.PP ++.B snmpd_var_run_t ++.EE ++ ++- Set files with the snmpd_var_run_t type, if you want to store the snmpd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/snmpd(/.*)?, /var/run/net-snmpd(/.*)?, /var/run/snmpd\.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -85971,6 +154583,9 @@ index 0000000..2987987 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
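Review bot: the STANDARD FILE CONTEXT example in the snmpd FILE CONTEXTS hunk tells the reader to run `semanage fcontext -a -t snmpd_exec_t '/srv/snmpd/content(/.*)?'`. snmpd_exec_t is the entrypoint type for snmpd_t, so labeling a content tree with it makes every file in that tree a valid entrypoint into the snmpd_t domain; the example should use a data type such as snmpd_var_lib_t or snmpd_var_run_t (sosreport_selinux.8 later in this patch has the same problem with sosreport_exec_t). The paired `restorecon -R -v /srv/mysnmpd_content` relabels a different path from the one the semanage call mapped, so the two commands do not work together; use the same path in both. In the same hunk, `\fBls\bP` should be `\fBls\fP`, "diffent", "sepecify" and "dirctory" are typos in the generator template that recur in every page in this patch, and the EQUIVALENCE DIRECTORIES paragraph claims snmpd stores "multiple different file context types" under /var/run/snmpd when the only type mapped there is snmpd_var_run_t. The Paths: line for snmpd_exec_t lists only /usr/sbin/snmptrap and /usr/sbin/snmptrapd; if the snmpd binary itself is labeled snmpd_exec_t, as it should be for the snmpd_t domain, the generator is truncating the list.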
@@ -85982,13 +154597,15 @@ index 0000000..2987987 + +.SH "SEE ALSO" +selinux(8), snmpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/snort_selinux.8 b/man/man8/snort_selinux.8 new file mode 100644 -index 0000000..6c1bac3 +index 0000000..041c942 --- /dev/null +++ b/man/man8/snort_selinux.8 -@@ -0,0 +1,154 @@ -+.TH "snort_selinux" "8" "12-11-01" "snort" "SELinux Policy documentation for snort" +@@ -0,0 +1,253 @@ ++.TH "snort_selinux" "8" "13-01-16" "snort" "SELinux Policy documentation for snort" +.SH "NAME" +snort_selinux \- Security Enhanced Linux Policy for the snort processes +.SH "DESCRIPTION" @@ -86004,9 +154621,11 @@ index 0000000..6c1bac3 + +.SH "ENTRYPOINTS" + -+The snort_t SELinux type can be entered via the "snort_exec_t" file type. The default entrypoint paths for the snort_t domain are the following:" ++The snort_t SELinux type can be entered via the \fBsnort_exec_t\fP file type. + -+/usr/s?bin/snort, /usr/sbin/snort-plain ++The default entrypoint paths for the snort_t domain are the following: ++ ++/usr/bin/snort, /usr/sbin/snort, /usr/sbin/snort-plain +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -86022,8 +154641,114 @@ index 0000000..6c1bac3 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a snort_t ++can be used to make the process type snort_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. snort policy is extremely flexible and has several booleans that allow you to manipulate the policy and run snort with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type snort_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B prelude_spool_t ++ ++ /var/spool/prelude(/.*)? ++.br ++ /var/spool/prelude-manager(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B snort_tmp_t ++ ++ ++.br ++.B snort_var_run_t ++ ++ /var/run/snort.* ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
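Review bot: the new snort MANAGED FILES section lists prelude_spool_t, root_t, snort_tmp_t and snort_var_run_t, but the section it replaces (removed in the hunk at -86091) also listed snort_log_t with /var/log/snort(/.*)?. If snort_t really lost manage access to its own log directory that is a policy regression rather than a documentation change and should be called out in the changelog; if it did not, the generator is dropping the type and the page needs regenerating. The root_t entry (/ and /initrd) appears to be the daemons_dump_core rule from the BOOLEANS section above; listing it as unconditional manage access is misleading.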
@@ -86033,7 +154758,20 @@ index 0000000..6c1bac3 +Policy governs the access confined processes have to these files. +SELinux snort policy is very flexible allowing users to setup their snort processes in as secure a method as possible. +.PP -+The following file types are defined for snort: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the snort, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t snort_etc_t '/srv/snort/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysnort_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for snort: + + +.EX @@ -86051,6 +154789,10 @@ index 0000000..6c1bac3 + +- Set files with the snort_exec_t type, if you want to transition an executable to the snort_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/snort, /usr/sbin/snort, /usr/sbin/snort-plain + +.EX +.PP @@ -86081,7 +154823,7 @@ index 0000000..6c1bac3 +.B snort_var_run_t +.EE + -+- Set files with the snort_var_run_t type, if you want to store the snort files under the /run directory. ++- Set files with the snort_var_run_t type, if you want to store the snort files under the /run or /var/run directory. + + +.PP 
@@ -86091,36 +154833,6 @@ index 0000000..6c1bac3 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type snort_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B prelude_spool_t -+ -+ /var/spool/prelude(/.*)? -+.br -+ /var/spool/prelude-manager(/.*)? -+.br -+ -+.br -+.B snort_log_t -+ -+ /var/log/snort(/.*)? -+.br -+ -+.br -+.B snort_tmp_t -+ -+ -+.br -+.B snort_var_run_t -+ -+ /var/run/snort.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -86131,6 +154843,9 @@ index 0000000..6c1bac3 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -86142,13 +154857,15 @@ index 0000000..6c1bac3 + +.SH "SEE ALSO" +selinux(8), snort(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/sosreport_selinux.8 b/man/man8/sosreport_selinux.8 new file mode 100644 -index 0000000..b4723c2 +index 0000000..05f6560 --- /dev/null +++ b/man/man8/sosreport_selinux.8 -@@ -0,0 +1,206 @@ -+.TH "sosreport_selinux" "8" "12-11-01" "sosreport" "SELinux Policy documentation for sosreport" +@@ -0,0 +1,383 @@ ++.TH "sosreport_selinux" "8" "13-01-16" "sosreport" "SELinux Policy documentation for sosreport" +.SH "NAME" +sosreport_selinux \- Security Enhanced Linux Policy for the sosreport processes +.SH "DESCRIPTION" 
@@ -86164,7 +154881,9 @@ index 0000000..b4723c2 + +.SH "ENTRYPOINTS" + -+The sosreport_t SELinux type can be entered via the "sosreport_exec_t" file type. The default entrypoint paths for the sosreport_t domain are the following:" ++The sosreport_t SELinux type can be entered via the \fBsosreport_exec_t\fP file type. ++ ++The default entrypoint paths for the sosreport_t domain are the following: + +/usr/sbin/sosreport +.SH PROCESS TYPES 
@@ -86182,8 +154901,272 @@ index 0000000..b4723c2 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sosreport_t ++can be used to make the process type sosreport_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sosreport policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sosreport with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sosreport_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sosreport_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sosreport_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B abrt_var_cache_t ++ ++ /var/tmp/abrt(/.*)? ++.br ++ /var/cache/abrt(/.*)? ++.br ++ /var/spool/abrt(/.*)? ++.br ++ /var/cache/abrt-di(/.*)? ++.br ++ ++.br ++.B abrt_var_run_t ++ ++ /var/run/abrt(/.*)? 
++.br ++ /var/run/abrtd?\.lock ++.br ++ /var/run/abrtd?\.socket ++.br ++ /var/run/abrt\.pid ++.br ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B etc_runtime_t ++ ++ /[^/]+ ++.br ++ /etc/mtab.* ++.br ++ /etc/blkid(/.*)? ++.br ++ /etc/nologin.* ++.br ++ /etc/\.fstab\.hal\..+ ++.br ++ /halt ++.br ++ /fastboot ++.br ++ /poweroff ++.br ++ /etc/cmtab ++.br ++ /forcefsck ++.br ++ /\.autofsck ++.br ++ /\.suspended ++.br ++ /fsckoptions ++.br ++ /\.autorelabel ++.br ++ /etc/securetty ++.br ++ /etc/nohotplug ++.br ++ /etc/killpower ++.br ++ /etc/ioctl\.save ++.br ++ /etc/fstab\.REVOKE ++.br ++ /etc/network/ifstate ++.br ++ /etc/sysconfig/hwconf ++.br ++ /etc/ptal/ptal-printd-like ++.br ++ /etc/sysconfig/iptables\.save ++.br ++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf ++.br ++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B pulseaudio_home_t ++ ++ /root/\.pulse(/.*)? ++.br ++ /root/\.config/pulse(/.*)? ++.br ++ /root/\.esd_auth ++.br ++ /root/\.pulse-cookie ++.br ++ /home/[^/]*/\.pulse(/.*)? ++.br ++ /home/[^/]*/\.config/pulse(/.*)? ++.br ++ /home/[^/]*/\.esd_auth ++.br ++ /home/[^/]*/\.pulse-cookie ++.br ++ /home/pwalsh/\.pulse(/.*)? ++.br ++ /home/pwalsh/\.config/pulse(/.*)? ++.br ++ /home/pwalsh/\.esd_auth ++.br ++ /home/pwalsh/\.pulse-cookie ++.br ++ /home/dwalsh/\.pulse(/.*)? ++.br ++ /home/dwalsh/\.config/pulse(/.*)? ++.br ++ /home/dwalsh/\.esd_auth ++.br ++ /home/dwalsh/\.pulse-cookie ++.br ++ /var/lib/xguest/home/xguest/\.pulse(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config/pulse(/.*)? 
++.br ++ /var/lib/xguest/home/xguest/\.esd_auth ++.br ++ /var/lib/xguest/home/xguest/\.pulse-cookie ++.br ++ ++.br ++.B sosreport_tmp_t ++ ++ /\.ismount-test-file ++.br ++ ++.br ++.B sosreport_tmpfs_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -86193,7 +155176,20 @@ index 0000000..b4723c2 +Policy governs the access confined processes have to these files. +SELinux sosreport policy is very flexible allowing users to setup their sosreport processes in as secure a method as possible. +.PP -+The following file types are defined for sosreport: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sosreport, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sosreport_exec_t '/srv/sosreport/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysosreport_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sosreport: + + +.EX 
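Review bot: the pulseaudio_home_t and user_home_t lists in the sosreport MANAGED FILES hunk contain /home/pwalsh/... and /home/dwalsh/... entries. Those are per-user file context customizations from the machine the man pages were generated on, not part of the shipped policy, and they should not land in a distribution package; regenerate on a clean system or have the generator read the policy's file_contexts without local modifications. Separately, this list shows sosreport_t can manage every user_home_t file (/home/[^/]*/.+) plus nfs_t and cifs_t content, which is broader than the rest of the page suggests and deserves a sentence in DESCRIPTION.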
@@ -86227,112 +155223,6 @@ index 0000000..b4723c2 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type sosreport_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B abrt_var_cache_t -+ -+ /var/cache/abrt(/.*)? -+.br -+ /var/spool/abrt(/.*)? -+.br -+ /var/cache/abrt-di(/.*)? -+.br -+ -+.br -+.B abrt_var_run_t -+ -+ /var/run/abrt(/.*)? -+.br -+ /var/run/abrtd?\.lock -+.br -+ /var/run/abrtd?\.socket -+.br -+ /var/run/abrt\.pid -+.br -+ -+.br -+.B etc_runtime_t -+ -+ /[^/]+ -+.br -+ /etc/mtab.* -+.br -+ /etc/blkid(/.*)? -+.br -+ /etc/nologin.* -+.br -+ /etc/\.fstab\.hal\..+ -+.br -+ /halt -+.br -+ /fastboot -+.br -+ /poweroff -+.br -+ /etc/cmtab -+.br -+ /\.autofsck -+.br -+ /forcefsck -+.br -+ /\.suspended -+.br -+ /fsckoptions -+.br -+ /\.autorelabel -+.br -+ /etc/securetty -+.br -+ /etc/killpower -+.br -+ /etc/nohotplug -+.br -+ /etc/ioctl\.save -+.br -+ /etc/fstab\.REVOKE -+.br -+ /etc/network/ifstate -+.br -+ /etc/sysconfig/hwconf -+.br -+ /etc/ptal/ptal-printd-like -+.br -+ /etc/sysconfig/iptables\.save -+.br -+ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -+.br -+ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -+.br -+ -+.br -+.B sosreport_tmp_t -+ -+ /.ismount-test-file -+.br -+ -+.br -+.B sosreport_tmpfs_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sosreport_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the sosreport_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -86343,6 +155233,9 @@ index 0000000..b4723c2 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -86354,13 +155247,15 @@ index 0000000..b4723c2 + +.SH "SEE ALSO" +selinux(8), sosreport(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/soundd_selinux.8 b/man/man8/soundd_selinux.8 new file mode 100644 -index 0000000..4f05705 +index 0000000..06d163c --- /dev/null +++ b/man/man8/soundd_selinux.8 -@@ -0,0 +1,186 @@ -+.TH "soundd_selinux" "8" "12-11-01" "soundd" "SELinux Policy documentation for soundd" +@@ -0,0 +1,291 @@ ++.TH "soundd_selinux" "8" "13-01-16" "soundd" "SELinux Policy documentation for soundd" +.SH "NAME" +soundd_selinux \- Security Enhanced Linux Policy for the soundd processes +.SH "DESCRIPTION" @@ -86376,7 +155271,9 @@ index 0000000..4f05705 + +.SH "ENTRYPOINTS" + -+The soundd_t SELinux type can be entered via the "soundd_exec_t" file type. The default entrypoint paths for the soundd_t domain are the following:" ++The soundd_t SELinux type can be entered via the \fBsoundd_exec_t\fP file type. ++ ++The default entrypoint paths for the soundd_t domain are the following: + +/usr/bin/nasd, /usr/sbin/yiff, /usr/bin/gpe-soundserver +.SH PROCESS TYPES 
@@ -86394,8 +155291,133 @@ index 0000000..4f05705 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a soundd_t ++can be used to make the process type soundd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. soundd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run soundd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible. ++.PP ++The following port types are defined for soundd: ++ ++.EX ++.TP 5 ++.B soundd_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 8000,9433,16001 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type soundd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B soundd_state_t ++ ++ /var/state/yiff(/.*)? ++.br ++ ++.br ++.B soundd_tmp_t ++ ++ ++.br ++.B soundd_tmpfs_t ++ ++ ++.br ++.B soundd_var_run_t ++ ++ /var/run/nasd(/.*)? ++.br ++ /var/run/yiff-[0-9]+\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
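Review bot: the soundd PORT TYPES block moved in this hunk has an unbalanced .EX/.EE pair: `.EX` / `.TP 5` / `.B soundd_port_t` / `.TP 10` / `.EE`, then `Default Defined Ports:` / `tcp 8000,9433,16001` / `.EE` again. The second .EE has no opening .EX, and `.TP 10` with no tag line following it is an empty paragraph; either open a second .EX before the port list or drop the stray .EE. Since the block is copied verbatim from its old location, the fix belongs in the generator rather than in this page.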
@@ -86405,7 +155427,20 @@ index 0000000..4f05705 +Policy governs the access confined processes have to these files. +SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible. +.PP -+The following file types are defined for soundd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the soundd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t soundd_etc_t '/srv/soundd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysoundd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for soundd: + + +.EX @@ -86415,6 +155450,10 @@ index 0000000..4f05705 + +- Set files with the soundd_etc_t type, if you want to store soundd files in the /etc directories. + ++.br ++.TP 5 ++Paths: ++/etc/nas(/.*)?, /etc/yiff(/.*)? + +.EX +.PP @@ -86423,6 +155462,10 @@ index 0000000..4f05705 + +- Set files with the soundd_exec_t type, if you want to transition an executable to the soundd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/nasd, /usr/sbin/yiff, /usr/bin/gpe-soundserver + +.EX +.PP @@ -86461,8 +155504,12 @@ index 0000000..4f05705 +.B soundd_var_run_t +.EE + -+- Set files with the soundd_var_run_t type, if you want to store the soundd files under the /run directory. ++- Set files with the soundd_var_run_t type, if you want to store the soundd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/nasd(/.*)?, /var/run/yiff-[0-9]+\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -86471,57 +155518,6 @@ index 0000000..4f05705 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux soundd policy is very flexible allowing users to setup their soundd processes in as secure a method as possible. -+.PP -+The following port types are defined for soundd: -+ -+.EX -+.TP 5 -+.B soundd_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 8000,9433,16001 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type soundd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B soundd_state_t -+ -+ /var/state/yiff(/.*)? -+.br -+ -+.br -+.B soundd_tmp_t -+ -+ -+.br -+.B soundd_tmpfs_t -+ -+ -+.br -+.B soundd_var_run_t -+ -+ /var/run/nasd(/.*)? -+.br -+ /var/run/yiff-[0-9]+\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -86535,6 +155531,9 @@ index 0000000..4f05705 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -86546,13 +155545,15 @@ index 0000000..4f05705 + +.SH "SEE ALSO" +selinux(8), soundd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/spamass_milter_selinux.8 b/man/man8/spamass_milter_selinux.8 new file mode 100644 -index 0000000..8dd4096 +index 0000000..70ea51d --- /dev/null 
+++ b/man/man8/spamass_milter_selinux.8 -@@ -0,0 +1,132 @@ -+.TH "spamass_milter_selinux" "8" "12-11-01" "spamass_milter" "SELinux Policy documentation for spamass_milter" +@@ -0,0 +1,274 @@ ++.TH "spamass_milter_selinux" "8" "13-01-16" "spamass_milter" "SELinux Policy documentation for spamass_milter" +.SH "NAME" +spamass_milter_selinux \- Security Enhanced Linux Policy for the spamass_milter processes +.SH "DESCRIPTION" @@ -86568,7 +155569,9 @@ index 0000000..8dd4096 + +.SH "ENTRYPOINTS" + -+The spamass_milter_t SELinux type can be entered via the "spamass_milter_exec_t" file type. The default entrypoint paths for the spamass_milter_t domain are the following:" ++The spamass_milter_t SELinux type can be entered via the \fBspamass_milter_exec_t\fP file type. ++ ++The default entrypoint paths for the spamass_milter_t domain are the following: + +/usr/sbin/spamass-milter +.SH PROCESS TYPES 
@@ -86586,8 +155589,148 @@ index 0000000..8dd4096 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a spamass_milter_t ++can be used to make the process type spamass_milter_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. spamass_milter policy is extremely flexible and has several booleans that allow you to manipulate the policy and run spamass_milter with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the spamass_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the spamass_milter_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type spamass_milter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B spamass_milter_data_t ++ ++ /var/run/spamass(/.*)? ++.br ++ /var/run/spamass-milter(/.*)? ++.br ++ /var/spool/postfix/spamass(/.*)? ++.br ++ /var/run/spamass-milter\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -86597,7 +155740,31 @@ index 0000000..8dd4096 +Policy governs the access confined processes have to these files. +SELinux spamass_milter policy is very flexible allowing users to setup their spamass_milter processes in as secure a method as possible. +.PP -+The following file types are defined for spamass_milter: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++spamass_milter policy stores data with multiple different file context types under the /var/run/spamass directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/spamass /srv/spamass ++.br ++.B restorecon -R -v /srv/spamass ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the spamass_milter, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t spamass_milter_data_t '/srv/spamass_milter/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myspamass_milter_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for spamass_milter: + + +.EX 
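Review bot: in the BOOLEANS block of the spamass_milter hunk (@@ -86586,8 +155589,148 @@) the deny_ptrace entry reads "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean"; a boolean named deny_ptrace set to 1 denies ptrace, so the sentence tells the admin to do the opposite of what they want. The description should say that turning it on blocks debugging/ptrace, and since the identical text recurs on the spamc, spamd and spamd_update pages the fix belongs where sepolicy takes the description from, not in each generated file. Two smaller points in the same hunk: "rather then using a sssd server" should be "rather than", and the MANAGED FILES list now shows spamass_milter_t managing root_t ("/" and "/initrd"); a milter has no business writing to the filesystem root, so that is worth confirming in the policy rather than only documenting.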
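Review bot: the STANDARD FILE CONTEXT example in the FILE CONTEXTS hunk (@@ -86597,7 +155740,31 @@) registers the pattern '/srv/spamass_milter/content(/.*)?' with semanage but then runs "restorecon -R -v /srv/myspamass_milter_content", a path the new rule does not match, so an admin who copies the example relabels nothing; both commands should name the same directory. The EQUIVALENCE DIRECTORIES text also claims the policy stores "multiple different file context types under the /var/run/spamass directory" while the page lists only spamass_milter_data_t there, and /var/run is recreated at boot, so mapping it to /srv is a poor example for a pid and socket directory. Typos in the same hunk: "dirctory", "diffent paths", "sepecify".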
@@ -86607,6 +155774,10 @@ index 0000000..8dd4096 + +- Set files with the spamass_milter_data_t type, if you want to treat the files as spamass milter content. + ++.br ++.TP 5 ++Paths: ++/var/run/spamass(/.*)?, /var/run/spamass-milter(/.*)?, /var/spool/postfix/spamass(/.*)?, /var/run/spamass-milter\.pid + +.EX +.PP @@ -86631,38 +155802,6 @@ index 0000000..8dd4096 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type spamass_milter_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B spamass_milter_data_t -+ -+ /var/run/spamass(/.*)? -+.br -+ /var/run/spamass-milter(/.*)? -+.br -+ /var/spool/postfix/spamass(/.*)? -+.br -+ /var/run/spamass-milter\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamass_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the spamass_milter_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -86673,6 +155812,9 @@ index 0000000..8dd4096 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -86684,13 +155826,15 @@ index 0000000..8dd4096 + +.SH "SEE ALSO" +selinux(8), spamass_milter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
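Review bot: in the COMMANDS hunk (@@ -86673,6 +155812,9 @@) the added sentence "semanage boolean can also be used to manipulate the booleans" has no full stop and, unlike its neighbours, does not say what it manipulates them for; "can also be used to turn the booleans listed above on or off." would match the rest of the section.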
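Review bot: in the SEE ALSO hunk (@@ -86684,13 +155826,15 @@) the added "+, setsebool(8)" sits on its own line after "sepolicy(8)"; nroff fills the two lines into one and renders "sepolicy(8) , setsebool(8)" with a space before the comma. Append the reference to the existing line instead. The file also still ends with "\ No newline at end of file", which the generator should emit so the man pages do not all carry that marker.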
diff --git a/man/man8/spamc_selinux.8 b/man/man8/spamc_selinux.8 new file mode 100644 -index 0000000..ee04299 +index 0000000..7830052 --- /dev/null +++ b/man/man8/spamc_selinux.8 -@@ -0,0 +1,172 @@ -+.TH "spamc_selinux" "8" "12-11-01" "spamc" "SELinux Policy documentation for spamc" +@@ -0,0 +1,371 @@ ++.TH "spamc_selinux" "8" "13-01-16" "spamc" "SELinux Policy documentation for spamc" +.SH "NAME" +spamc_selinux \- Security Enhanced Linux Policy for the spamc processes +.SH "DESCRIPTION" @@ -86706,7 +155850,9 @@ index 0000000..ee04299 + +.SH "ENTRYPOINTS" + -+The spamc_t SELinux type can be entered via the "spamc_exec_t" file type. The default entrypoint paths for the spamc_t domain are the following:" ++The spamc_t SELinux type can be entered via the \fBspamc_exec_t\fP file type. ++ ++The default entrypoint paths for the spamc_t domain are the following: + +/usr/bin/razor.*, /usr/bin/spamc, /usr/bin/pyzor, /usr/bin/sa-learn, /usr/bin/spamassassin +.SH PROCESS TYPES 
@@ -86724,50 +155870,156 @@ index 0000000..ee04299 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a spamc_t ++can be used to make the process type spamc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux spamc policy is very flexible allowing users to setup their spamc processes in as secure a method as possible. -+.PP -+The following file types are defined for spamc: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. spamc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run spamc with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B spamc_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the spamc_exec_t type, if you want to transition an executable to the spamc_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B spamc_home_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the spamc_home_t type, if you want to store spamc files in the users home directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.PP -+.B spamc_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the spamc_tmp_t type, if you want to store spamc temporary files in the /tmp directories. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_check_spam 1 ++ ++.EE ++ ++.PP ++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow user spamassassin clients to use the network, you must turn on the spamassassin_can_network boolean. Disabled by default. ++ ++.EX ++.B setsebool -P spamassassin_can_network 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the spamc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the spamc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
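Review bot: the spamc BOOLEANS hunk (@@ -86724,50 +155870,156 @@) buries the one spamc-specific setting, spamassassin_can_network, in the middle of global booleans (deny_ptrace, fips_mode, global_ssp, use_*_home_dirs) with nothing to tell them apart, whereas the spamd page lists spamd_enable_home_dirs first; putting domain-specific booleans first, or under their own heading, would make it obvious which switch actually controls spamc's network access. The hunk also carries httpd_can_check_spam and httpd_can_sendmail, which by their own descriptions govern the http daemon rather than spamc_t, and repeats the inverted deny_ptrace wording and "rather then" flagged on the spamass_milter page.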
@@ -86780,6 +156032,38 @@ index 0000000..ee04299 +.br + +.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br +.B spamass_milter_state_t + + /var/lib/spamass-milter(/.*)? @@ -86804,6 +156088,14 @@ index 0000000..ee04299 +.br + /home/[^/]*/\.spamassassin(/.*)? +.br ++ /home/pwalsh/\.pyzor(/.*)? ++.br ++ /home/pwalsh/\.spamd(/.*)? ++.br ++ /home/pwalsh/\.razor(/.*)? ++.br ++ /home/pwalsh/\.spamassassin(/.*)? ++.br + /home/dwalsh/\.pyzor(/.*)? +.br + /home/dwalsh/\.spamd(/.*)? 
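Review bot: the two MANAGED FILES hunks here (@@ -86780,6 +156032,38 @@ and @@ -86804,6 +156088,14 @@) add /home/pwalsh/... and /home/dwalsh/... entries under ecryptfs_t and spamc_home_t; those are the home directories of users on the build host, not part of the policy, so the shipped man page leaks the generator's environment and will come out different on every machine it is built on. Generate the pages on a host with no local home directories, or have sepolicy read the HOME_DIR template rather than the expanded genhomedircon output. The first hunk also adds cifs_t, fusefs_t and nfs_t headings with nothing under them; a type with no file-context path should either say so or be left out.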
@@ -86825,21 +156117,68 @@ index 0000000..ee04299 +.B spamc_tmp_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux spamc policy is very flexible allowing users to setup their spamc processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the spamc, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t spamc_exec_t '/srv/spamc/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myspamc_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for spamc: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B spamc_exec_t +.EE + ++- Set files with the spamc_exec_t type, if you want to transition an executable to the spamc_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/razor.*, /usr/bin/spamc, /usr/bin/pyzor, /usr/bin/sa-learn, /usr/bin/spamassassin ++ ++.EX ++.PP ++.B spamc_home_t ++.EE ++ ++- Set files with the spamc_home_t type, if you want to store spamc files in the users home directory. 
++ ++.br ++.TP 5 ++Paths: ++/root/\.pyzor(/.*)?, /root/\.spamd(/.*)?, /root/\.razor(/.*)?, /root/\.spamassassin(/.*)?, /home/[^/]*/\.pyzor(/.*)?, /home/[^/]*/\.spamd(/.*)?, /home/[^/]*/\.razor(/.*)?, /home/[^/]*/\.spamassassin(/.*)?, /home/pwalsh/\.pyzor(/.*)?, /home/pwalsh/\.spamd(/.*)?, /home/pwalsh/\.razor(/.*)?, /home/pwalsh/\.spamassassin(/.*)?, /home/dwalsh/\.pyzor(/.*)?, /home/dwalsh/\.spamd(/.*)?, /home/dwalsh/\.razor(/.*)?, /home/dwalsh/\.spamassassin(/.*)?, /var/lib/xguest/home/xguest/\.pyzor(/.*)?, /var/lib/xguest/home/xguest/\.spamd(/.*)?, /var/lib/xguest/home/xguest/\.razor(/.*)?, /var/lib/xguest/home/xguest/\.spamassassin(/.*)? ++ ++.EX ++.PP ++.B spamc_tmp_t ++.EE ++ ++- Set files with the spamc_tmp_t type, if you want to store spamc temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the spamc_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -86851,6 +156190,9 @@ index 0000000..ee04299 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -86862,13 +156204,15 @@ index 0000000..ee04299 + +.SH "SEE ALSO" +selinux(8), spamc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/spamd_selinux.8 b/man/man8/spamd_selinux.8 new file mode 100644 -index 0000000..11a86c5 +index 0000000..1feac25 --- /dev/null 
+++ b/man/man8/spamd_selinux.8 -@@ -0,0 +1,378 @@ -+.TH "spamd_selinux" "8" "12-11-01" "spamd" "SELinux Policy documentation for spamd" +@@ -0,0 +1,576 @@ ++.TH "spamd_selinux" "8" "13-01-16" "spamd" "SELinux Policy documentation for spamd" +.SH "NAME" +spamd_selinux \- Security Enhanced Linux Policy for the spamd processes +.SH "DESCRIPTION" @@ -86884,7 +156228,9 @@ index 0000000..11a86c5 + +.SH "ENTRYPOINTS" + -+The spamd_t SELinux type can be entered via the "spamd_exec_t" file type. The default entrypoint paths for the spamd_t domain are the following:" ++The spamd_t SELinux type can be entered via the \fBspamd_exec_t\fP file type. ++ ++The default entrypoint paths for the spamd_t domain are the following: + +/usr/bin/spamd, /usr/sbin/spamd, /usr/bin/pyzord, /usr/sbin/spampd, /usr/bin/mimedefang, /usr/bin/mimedefang-multiplexor +.SH PROCESS TYPES 
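Review bot: in the spamc_selinux.8 FILE CONTEXTS hunk above (@@ -86825,21 +156117,68 @@) the STANDARD FILE CONTEXT example is "semanage fcontext -a -t spamc_exec_t '/srv/spamc/content(/.*)?'"; spamc_exec_t is the entrypoint type for spamc_t, so an admin who follows the example turns every file dropped into that content directory into a valid entrypoint for the domain. The sample should use a data type, and the generator that picks the sample type should skip *_exec_t. The restorecon path (/srv/myspamc_content) again does not match the pattern, and "\fBls\bP" is a broken escape that should read "\fBls\fP"; it was in the removed text and is re-added here and on the spamd page.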
@@ -86902,152 +156248,164 @@ index 0000000..11a86c5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a spamd_t ++can be used to make the process type spamd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. spamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run spamd with the tightest access possible. + + +.PP -+If you want to allow user spamassassin clients to use the network, you must turn on the spamassassin_can_network boolean. -+ -+.EX -+.B setsebool -P spamassassin_can_network 1 -+.EE -+ -+.PP -+If you want to allow spamd to read/write user home directories, you must turn on the spamd_enable_home_dirs boolean. ++If you want to allow spamd to read/write user home directories, you must turn on the spamd_enable_home_dirs boolean. Enabled by default. + +.EX +.B setsebool -P spamd_enable_home_dirs 1 ++ +.EE + +.PP -+If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_can_check_spam 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow user spamassassin clients to use the network, you must turn on the spamassassin_can_network boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. 
+ +.EX -+.B setsebool -P spamassassin_can_network 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow spamd to read/write user home directories, you must turn on the spamd_enable_home_dirs boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.B setsebool -P spamd_enable_home_dirs 1 ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + +.PP -+If you want to allow http daemon to check spam, you must turn on the httpd_can_check_spam boolean. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_can_check_spam 1 ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux spamd policy is very flexible allowing users to setup their spamd processes in as secure a method as possible. -+.PP -+The following file types are defined for spamd: -+ ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B spamd_compiled_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the spamd_compiled_t type, if you want to treat the files as spamd compiled data. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B spamd_etc_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the spamd_etc_t type, if you want to store spamd files in the /etc directories. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. 
Disabled by default. + +.EX -+.PP -+.B spamd_exec_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the spamd_exec_t type, if you want to transition an executable to the spamd_t domain. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B spamd_initrc_exec_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the spamd_initrc_exec_t type, if you want to transition an executable to the spamd_initrc_t domain. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B spamd_log_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the spamd_log_t type, if you want to treat the data as spamd log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B spamd_spool_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the spamd_spool_t type, if you want to store the spamd files under the /var/spool directory. -+ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.PP -+.B spamd_tmp_t ++.B setsebool -P nis_enabled 1 ++ +.EE + -+- Set files with the spamd_tmp_t type, if you want to store spamd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + +.EX -+.PP -+.B spamd_update_exec_t ++.B setsebool -P nscd_use_shm 1 ++ +.EE + -+- Set files with the spamd_update_exec_t type, if you want to transition an executable to the spamd_update_t domain. -+ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. 
+ +.EX -+.PP -+.B spamd_var_lib_t ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ +.EE + -+- Set files with the spamd_var_lib_t type, if you want to store the spamd files under the /var/lib directory. -+ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. + +.EX -+.PP -+.B spamd_var_run_t ++.B setsebool -P use_fusefs_home_dirs 1 ++ +.EE + -+- Set files with the spamd_var_run_t type, if you want to store the spamd files under the /run directory. ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. + ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the spamc_t, spamd_update_t, spamd_t, spamass_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the spamc_t, spamd_update_t, spamd_t, spamass_milter_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
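Review bot: the spamd BOOLEANS hunk (@@ -86902,152 +156248,164 @@) drops spamassassin_can_network and httpd_can_check_spam from the spamd page (the old text listed each of them twice) and they now appear only on the spamc page; if spamd_t is not governed by them that is the right outcome, but the NSSWITCH DOMAIN section of the same page still speaks for "spamc_t, spamd_update_t, spamd_t, spamass_milter_t" together, so the boolean selection and the domain list are following different rules and the commit message should say which one is intended. Separately, spamd_enable_home_dirs is documented as "Enabled by default", meaning spamd can read and write every user's home directory out of the box; a sentence telling admins of a central spamd that they can turn it off would be useful here.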
@@ -87085,12 +156443,52 @@ index 0000000..11a86c5 +.br + +.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br +.B exim_spool_t + + /var/spool/exim[0-9]?(/.*)? +.br + +.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B spamass_milter_state_t + + /var/lib/spamass-milter(/.*)? @@ -87115,6 +156513,14 @@ index 0000000..11a86c5 +.br + /home/[^/]*/\.spamassassin(/.*)? +.br ++ /home/pwalsh/\.pyzor(/.*)? ++.br ++ /home/pwalsh/\.spamd(/.*)? ++.br ++ /home/pwalsh/\.razor(/.*)? ++.br ++ /home/pwalsh/\.spamassassin(/.*)? ++.br + /home/dwalsh/\.pyzor(/.*)? +.br + /home/dwalsh/\.spamd(/.*)? @@ -87151,12 +156557,12 @@ index 0000000..11a86c5 + + /var/log/spamd\.log.* +.br ++ /var/log/mimedefang.* ++.br + /var/log/pyzord\.log.* +.br + /var/log/razor-agent\.log.* +.br -+ /var/log/mimedefang -+.br + +.br +.B spamd_spool_t 
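Review bot: the spamd MANAGED FILES hunk (@@ -87085,12 +156443,52 @@) adds root_t ("/" and "/initrd") to the types spamd_t can manage, next to cifs_t, fusefs_t and nfs_t with empty path lists; a spam daemon managing files labeled root_t is far wider than its spool, log and var_lib types and should be checked against the policy (it may be a side effect of a generic interface) rather than simply documented. The /home/pwalsh entries leak the build host again. In the later hunk (@@ -87151,12 +156557,12 @@) the spamd_log_t pattern changes from "/var/log/mimedefang" to "/var/log/mimedefang.*", which is what rotated logs need, but it is a regex, so it also matches any sibling whose name merely starts with mimedefang.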
@@ -87197,27 +156603,163 @@ index 0000000..11a86c5 + + /home/[^/]*/.+ +.br ++ /home/pwalsh/.+ ++.br + /home/dwalsh/.+ +.br + /var/lib/xguest/home/xguest/.+ +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux spamd policy is very flexible allowing users to setup their spamd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamc_t, spamd_update_t, spamd_t, spamass_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the spamc_t, spamd_update_t, spamd_t, spamass_milter_t, you must turn on the kerberos_enabled boolean. ++spamd policy stores data with multiple different file context types under the /var/lib/spamassassin directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/spamassassin /srv/spamassassin ++.br ++.B restorecon -R -v /srv/spamassassin ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the spamd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t spamd_compiled_t '/srv/spamd/content(/.*)?' 
++.br ++.B restorecon -R -v /srv/myspamd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for spamd: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B spamd_compiled_t +.EE + ++- Set files with the spamd_compiled_t type, if you want to treat the files as spamd compiled data. ++ ++ ++.EX ++.PP ++.B spamd_etc_t ++.EE ++ ++- Set files with the spamd_etc_t type, if you want to store spamd files in the /etc directories. ++ ++.br ++.TP 5 ++Paths: ++/etc/pyzor(/.*)?, /etc/razor(/.*)? ++ ++.EX ++.PP ++.B spamd_exec_t ++.EE ++ ++- Set files with the spamd_exec_t type, if you want to transition an executable to the spamd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/spamd, /usr/sbin/spamd, /usr/bin/pyzord, /usr/sbin/spampd, /usr/bin/mimedefang, /usr/bin/mimedefang-multiplexor ++ ++.EX ++.PP ++.B spamd_initrc_exec_t ++.EE ++ ++- Set files with the spamd_initrc_exec_t type, if you want to transition an executable to the spamd_initrc_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/mimedefang.*, /etc/rc\.d/init\.d/spamd, /etc/rc\.d/init\.d/spampd, /etc/rc\.d/init\.d/pyzord ++ ++.EX ++.PP ++.B spamd_log_t ++.EE ++ ++- Set files with the spamd_log_t type, if you want to treat the data as spamd log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/spamd\.log.*, /var/log/mimedefang.*, /var/log/pyzord\.log.*, /var/log/razor-agent\.log.* ++ ++.EX ++.PP ++.B spamd_spool_t ++.EE ++ ++- Set files with the spamd_spool_t type, if you want to store the spamd files under the /var/spool directory. ++ ++.br ++.TP 5 ++Paths: ++/var/spool/spamd(/.*)?, /var/spool/spampd(/.*)?, /var/spool/spamassassin(/.*)? ++ ++.EX ++.PP ++.B spamd_tmp_t ++.EE ++ ++- Set files with the spamd_tmp_t type, if you want to store spamd temporary files in the /tmp directories. 
++ ++ ++.EX ++.PP ++.B spamd_update_exec_t ++.EE ++ ++- Set files with the spamd_update_exec_t type, if you want to transition an executable to the spamd_update_t domain. ++ ++ ++.EX ++.PP ++.B spamd_var_lib_t ++.EE ++ ++- Set files with the spamd_var_lib_t type, if you want to store the spamd files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/razor(/.*)?, /var/lib/pyzord(/.*)?, /var/lib/spamassassin(/.*)? ++ ++.EX ++.PP ++.B spamd_var_run_t ++.EE ++ ++- Set files with the spamd_var_run_t type, if you want to store the spamd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/spamassassin(/.*)?, /var/spool/MIMEDefang(/.*)?, /var/spool/MD-Quarantine(/.*)? ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -87249,11 +156791,11 @@ index 0000000..11a86c5 \ No newline at end of file diff --git a/man/man8/spamd_update_selinux.8 b/man/man8/spamd_update_selinux.8 new file mode 100644 -index 0000000..099d75a +index 0000000..a3fc9dc --- /dev/null +++ b/man/man8/spamd_update_selinux.8 -@@ -0,0 +1,119 @@ -+.TH "spamd_update_selinux" "8" "12-11-01" "spamd_update" "SELinux Policy documentation for spamd_update" +@@ -0,0 +1,229 @@ ++.TH "spamd_update_selinux" "8" "13-01-16" "spamd_update" "SELinux Policy documentation for spamd_update" +.SH "NAME" +spamd_update_selinux \- Security Enhanced Linux Policy for the spamd_update processes +.SH "DESCRIPTION" 
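Review bot: in the spamd FILE CONTEXTS hunk (@@ -87197,27 +156603,163 @@) the spamd_var_run_t entry says the type is for files "under the /run or /var/run directory", yet its Paths line is "/var/run/spamassassin(/.*)?, /var/spool/MIMEDefang(/.*)?, /var/spool/MD-Quarantine(/.*)?"; a quarantine tree under /var/spool labeled with a run-time type is either a mislabel in the policy or a wrong description, and either way the page should not contradict itself. spamd_compiled_t, spamd_tmp_t and spamd_update_exec_t are listed without a Paths block, the STANDARD FILE CONTEXT sample again pairs '/srv/spamd/content(/.*)?' with restorecon on /srv/myspamd_content, and "dirctory", "diffent", "sepecify" and "\fBls\bP" recur.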
@@ -87269,7 +156811,9 @@ index 0000000..099d75a + +.SH "ENTRYPOINTS" + -+The spamd_update_t SELinux type can be entered via the "spamd_update_exec_t" file type. The default entrypoint paths for the spamd_update_t domain are the following:" ++The spamd_update_t SELinux type can be entered via the \fBspamd_update_exec_t\fP file type. ++ ++The default entrypoint paths for the spamd_update_t domain are the following: + +/usr/bin/sa-update +.SH PROCESS TYPES 
@@ -87287,8 +156831,134 @@ index 0000000..099d75a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a spamd_update_t ++can be used to make the process type spamd_update_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. spamd_update policy is extremely flexible and has several booleans that allow you to manipulate the policy and run spamd_update with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the spamd_update_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the spamd_update_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type spamd_update_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B gpg_secret_t ++ ++ /root/\.gnupg(/.+)? ++.br ++ /etc/mail/spamassassin/sa-update-keys(/.*)? ++.br ++ /home/[^/]*/\.gnupg(/.+)? ++.br ++ /home/pwalsh/\.gnupg(/.+)? ++.br ++ /home/dwalsh/\.gnupg(/.+)? ++.br ++ /var/lib/xguest/home/xguest/\.gnupg(/.+)? ++.br ++ ++.br ++.B spamd_tmp_t ++ ++ ++.br ++.B spamd_var_lib_t ++ ++ /var/lib/razor(/.*)? ++.br ++ /var/lib/pyzord(/.*)? ++.br ++ /var/lib/spamassassin(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -87298,7 +156968,20 @@ index 0000000..099d75a +Policy governs the access confined processes have to these files. +SELinux spamd_update policy is very flexible allowing users to setup their spamd_update processes in as secure a method as possible. +.PP -+The following file types are defined for spamd_update: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the spamd_update, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t spamd_update_exec_t '/srv/spamd_update/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myspamd_update_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for spamd_update: + + +.EX @@ -87316,40 +156999,6 @@ index 0000000..099d75a +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type spamd_update_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B spamd_tmp_t -+ -+ -+.br -+.B spamd_var_lib_t -+ -+ /var/lib/razor(/.*)? -+.br -+ /var/lib/pyzord(/.*)? -+.br -+ /var/lib/spamassassin(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamd_update_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the spamd_update_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -87360,6 +157009,9 @@ index 0000000..099d75a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -87371,15 +157023,15 @@ index 0000000..099d75a + +.SH "SEE ALSO" +selinux(8), spamd_update(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, spamd_selinux(8), spamd_selinux(8) ++, setsebool(8), spamd_selinux(8), spamd_selinux(8) \ No newline at end of file diff --git a/man/man8/squid_cron_selinux.8 b/man/man8/squid_cron_selinux.8 new file mode 100644 -index 0000000..cf792c9 +index 0000000..be5c602 --- /dev/null +++ b/man/man8/squid_cron_selinux.8 -@@ -0,0 +1,103 @@ -+.TH "squid_cron_selinux" "8" "12-11-01" "squid_cron" "SELinux Policy documentation for squid_cron" +@@ -0,0 +1,195 @@ ++.TH "squid_cron_selinux" "8" "13-01-16" "squid_cron" "SELinux Policy documentation for squid_cron" +.SH "NAME" +squid_cron_selinux \- Security Enhanced Linux Policy for the squid_cron processes +.SH "DESCRIPTION" @@ -87395,7 +157047,9 @@ index 0000000..cf792c9 + +.SH "ENTRYPOINTS" + -+The squid_cron_t SELinux type can be entered via the "squid_cron_exec_t" file type. The default entrypoint paths for the squid_cron_t domain are the following:" ++The squid_cron_t SELinux type can be entered via the \fBsquid_cron_exec_t\fP file type. ++ ++The default entrypoint paths for the squid_cron_t domain are the following: + +/usr/sbin/lightparser.pl +.SH PROCESS TYPES 
@@ -87413,8 +157067,100 @@ index 0000000..cf792c9 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a squid_cron_t ++can be used to make the process type squid_cron_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. squid_cron policy is extremely flexible and has several booleans that allow you to manipulate the policy and run squid_cron with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type squid_cron_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B squid_cache_t ++ ++ /var/squidGuard(/.*)? ++.br ++ /var/lightsquid(/.*)? ++.br ++ /var/cache/squid(/.*)? ++.br ++ /var/spool/squid(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -87424,7 +157170,20 @@ index 0000000..cf792c9 +Policy governs the access confined processes have to these files. +SELinux squid_cron policy is very flexible allowing users to setup their squid_cron processes in as secure a method as possible. +.PP -+The following file types are defined for squid_cron: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the squid_cron, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t squid_cron_exec_t '/srv/squid_cron/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysquid_cron_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for squid_cron: + + +.EX 
@@ -87442,24 +157201,6 @@ index 0000000..cf792c9 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type squid_cron_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B squid_cache_t -+ -+ /var/squidGuard(/.*)? -+.br -+ /var/lightsquid(/.*)? -+.br -+ /var/cache/squid(/.*)? -+.br -+ /var/spool/squid(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -87470,6 +157211,9 @@ index 0000000..cf792c9 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -87481,15 +157225,15 @@ index 0000000..cf792c9 + +.SH "SEE ALSO" +selinux(8), squid_cron(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, squid_selinux(8), squid_selinux(8) ++, setsebool(8), squid_selinux(8), squid_selinux(8) \ No newline at end of file diff --git a/man/man8/squid_selinux.8 b/man/man8/squid_selinux.8 new file mode 100644 -index 0000000..be4c9e5 +index 0000000..37cf969 --- /dev/null +++ b/man/man8/squid_selinux.8 -@@ -0,0 +1,316 @@ -+.TH "squid_selinux" "8" "12-11-01" "squid" "SELinux Policy documentation for squid" +@@ -0,0 +1,430 @@ ++.TH "squid_selinux" "8" "13-01-16" "squid" "SELinux Policy documentation for squid" +.SH "NAME" +squid_selinux \- Security Enhanced Linux Policy for the squid processes +.SH "DESCRIPTION" 
@@ -87505,7 +157249,9 @@ index 0000000..be4c9e5 + +.SH "ENTRYPOINTS" + -+The squid_t SELinux type can be entered via the "squid_exec_t" file type. The default entrypoint paths for the squid_t domain are the following:" ++The squid_t SELinux type can be entered via the \fBsquid_exec_t\fP file type. ++ ++The default entrypoint paths for the squid_t domain are the following: + +/usr/sbin/squid +.SH PROCESS TYPES 
@@ -87523,130 +157269,140 @@ index 0000000..be4c9e5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a squid_t ++can be used to make the process type squid_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. squid policy is extremely flexible and has several booleans that allow you to manipulate the policy and run squid with the tightest access possible. + + +.PP -+If you want to allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the squid_connect_any boolean. ++If you want to determine whether squid can connect to all TCP ports, you must turn on the squid_connect_any boolean. Enabled by default. + +.EX +.B setsebool -P squid_connect_any 1 ++ +.EE + +.PP -+If you want to allow squid to run as a transparent proxy (TPROXY), you must turn on the squid_use_tproxy boolean. ++If you want to determine whether squid can run as a transparent proxy, you must turn on the squid_use_tproxy boolean. Disabled by default. + +.EX +.B setsebool -P squid_use_tproxy 1 ++ +.EE + +.PP -+If you want to allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports, you must turn on the squid_connect_any boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P squid_connect_any 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow squid to run as a transparent proxy (TPROXY), you must turn on the squid_use_tproxy boolean. 
++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P squid_use_tproxy 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux squid policy is very flexible allowing users to setup their squid processes in as secure a method as possible. -+.PP -+The following file types are defined for squid: -+ ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B squid_cache_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the squid_cache_t type, if you want to store the files under the /var/cache directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B squid_conf_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the squid_conf_t type, if you want to treat the files as squid configuration data, usually stored under the /etc directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B squid_cron_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the squid_cron_exec_t type, if you want to transition an executable to the squid_cron_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.PP -+.B squid_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the squid_exec_t type, if you want to transition an executable to the squid_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B squid_initrc_exec_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the squid_initrc_exec_t type, if you want to transition an executable to the squid_initrc_t domain. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B squid_log_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the squid_log_t type, if you want to treat the data as squid log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B squid_tmp_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the squid_tmp_t type, if you want to store squid temporary files in the /tmp directories. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B squid_tmpfs_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the squid_tmpfs_t type, if you want to store squid files on a tmpfs file system. -+ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.PP -+.B squid_var_run_t ++.B setsebool -P nis_enabled 1 ++ +.EE + -+- Set files with the squid_var_run_t type, if you want to store the squid files under the /run directory. ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
+ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the squid_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the squid_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -87682,12 +157438,12 @@ index 0000000..be4c9e5 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B krb5_host_rcache_t @@ -87714,17 +157470,17 @@ index 0000000..be4c9e5 +.br + +.br -+.B pcscd_var_run_t ++.B root_t + -+ /var/run/pcscd(/.*)? ++ / +.br -+ /var/run/pcscd\.events(/.*)? ++ /initrd +.br -+ /var/run/pcscd\.pid ++ +.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm ++.B security_t ++ ++ /selinux +.br + +.br @@ -87740,14 +157496,6 @@ index 0000000..be4c9e5 +.br + +.br -+.B squid_log_t -+ -+ /var/log/squid(/.*)? -+.br -+ /var/log/squidGuard(/.*)? -+.br -+ -+.br +.B squid_tmp_t + + 
@@ -87761,22 +157509,132 @@ index 0000000..be4c9e5 + /var/run/squid\.pid +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux squid policy is very flexible allowing users to setup their squid processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the squid_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the squid_t, you must turn on the kerberos_enabled boolean. ++squid policy stores data with multiple different file context types under the /var/log/squid directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/squid /srv/squid ++.br ++.B restorecon -R -v /srv/squid ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the squid, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t squid_cache_t '/srv/squid/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysquid_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for squid: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B squid_cache_t +.EE + ++- Set files with the squid_cache_t type, if you want to store the files under the /var/cache directory. ++ ++.br ++.TP 5 ++Paths: ++/var/squidGuard(/.*)?, /var/lightsquid(/.*)?, /var/cache/squid(/.*)?, /var/spool/squid(/.*)? ++ ++.EX ++.PP ++.B squid_conf_t ++.EE ++ ++- Set files with the squid_conf_t type, if you want to treat the files as squid configuration data, usually stored under the /etc directory. ++ ++.br ++.TP 5 ++Paths: ++/etc/squid(/.*)?, /etc/lightsquid(/.*)?, /usr/share/squid(/.*)? ++ ++.EX ++.PP ++.B squid_cron_exec_t ++.EE ++ ++- Set files with the squid_cron_exec_t type, if you want to transition an executable to the squid_cron_t domain. ++ ++ ++.EX ++.PP ++.B squid_exec_t ++.EE ++ ++- Set files with the squid_exec_t type, if you want to transition an executable to the squid_t domain. ++ ++ ++.EX ++.PP ++.B squid_initrc_exec_t ++.EE ++ ++- Set files with the squid_initrc_exec_t type, if you want to transition an executable to the squid_initrc_t domain. ++ ++ ++.EX ++.PP ++.B squid_log_t ++.EE ++ ++- Set files with the squid_log_t type, if you want to treat the data as squid log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/squid(/.*)?, /var/log/squidGuard(/.*)? ++ ++.EX ++.PP ++.B squid_tmp_t ++.EE ++ ++- Set files with the squid_tmp_t type, if you want to store squid temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B squid_tmpfs_t ++.EE ++ ++- Set files with the squid_tmpfs_t type, if you want to store squid files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B squid_var_run_t ++.EE ++ ++- Set files with the squid_var_run_t type, if you want to store the squid files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -87808,11 +157666,11 @@ index 0000000..be4c9e5 \ No newline at end of file diff --git a/man/man8/srvsvcd_selinux.8 b/man/man8/srvsvcd_selinux.8 new file mode 100644 -index 0000000..4699f35 +index 0000000..6d77086 --- /dev/null +++ b/man/man8/srvsvcd_selinux.8 -@@ -0,0 +1,124 @@ -+.TH "srvsvcd_selinux" "8" "12-11-01" "srvsvcd" "SELinux Policy documentation for srvsvcd" +@@ -0,0 +1,229 @@ ++.TH "srvsvcd_selinux" "8" "13-01-16" "srvsvcd" "SELinux Policy documentation for srvsvcd" +.SH "NAME" +srvsvcd_selinux \- Security Enhanced Linux Policy for the srvsvcd processes +.SH "DESCRIPTION" @@ -87828,9 +157686,11 @@ index 0000000..4699f35 + +.SH "ENTRYPOINTS" + -+The srvsvcd_t SELinux type can be entered via the "srvsvcd_exec_t" file type. The default entrypoint paths for the srvsvcd_t domain are the following:" ++The srvsvcd_t SELinux type can be entered via the \fBsrvsvcd_exec_t\fP file type. + -+/usr/sbin/srvsvcd ++The default entrypoint paths for the srvsvcd_t domain are the following: ++ ++/usr/sbin/srvsvcd, /opt/likewise/sbin/srvsvcd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -87846,8 +157706,106 @@ index 0000000..4699f35 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a srvsvcd_t ++can be used to make the process type srvsvcd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. srvsvcd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run srvsvcd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type srvsvcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B srvsvcd_var_lib_t ++ ++ ++.br ++.B srvsvcd_var_run_t ++ ++ /var/run/srvsvcd\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -87857,7 +157815,20 @@ index 0000000..4699f35 +Policy governs the access confined processes have to these files. +SELinux srvsvcd policy is very flexible allowing users to setup their srvsvcd processes in as secure a method as possible. +.PP -+The following file types are defined for srvsvcd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the srvsvcd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t srvsvcd_exec_t '/srv/srvsvcd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysrvsvcd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for srvsvcd: + + +.EX 
@@ -87867,6 +157838,10 @@ index 0000000..4699f35 + +- Set files with the srvsvcd_exec_t type, if you want to transition an executable to the srvsvcd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/srvsvcd, /opt/likewise/sbin/srvsvcd + +.EX +.PP @@ -87881,7 +157856,7 @@ index 0000000..4699f35 +.B srvsvcd_var_run_t +.EE + -+- Set files with the srvsvcd_var_run_t type, if you want to store the srvsvcd files under the /run directory. ++- Set files with the srvsvcd_var_run_t type, if you want to store the srvsvcd files under the /run or /var/run directory. + + +.EX @@ -87899,22 +157874,6 @@ index 0000000..4699f35 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type srvsvcd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B srvsvcd_var_lib_t -+ -+ -+.br -+.B srvsvcd_var_run_t -+ -+ /var/run/srvsvcd.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -87925,6 +157884,9 @@ index 0000000..4699f35 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -87936,13 +157898,15 @@ index 0000000..4699f35 + +.SH "SEE ALSO" +selinux(8), srvsvcd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ssh_keygen_selinux.8 b/man/man8/ssh_keygen_selinux.8 new file mode 100644 -index 0000000..33a275f +index 0000000..4b20ed2 --- /dev/null 
+++ b/man/man8/ssh_keygen_selinux.8 -@@ -0,0 +1,155 @@ -+.TH "ssh_keygen_selinux" "8" "12-11-01" "ssh_keygen" "SELinux Policy documentation for ssh_keygen" +@@ -0,0 +1,265 @@ ++.TH "ssh_keygen_selinux" "8" "13-01-16" "ssh_keygen" "SELinux Policy documentation for ssh_keygen" +.SH "NAME" +ssh_keygen_selinux \- Security Enhanced Linux Policy for the ssh_keygen processes +.SH "DESCRIPTION" @@ -87958,7 +157922,9 @@ index 0000000..33a275f + +.SH "ENTRYPOINTS" + -+The ssh_keygen_t SELinux type can be entered via the "ssh_keygen_exec_t" file type. The default entrypoint paths for the ssh_keygen_t domain are the following:" ++The ssh_keygen_t SELinux type can be entered via the \fBssh_keygen_exec_t\fP file type. ++ ++The default entrypoint paths for the ssh_keygen_t domain are the following: + +/usr/bin/ssh-keygen +.SH PROCESS TYPES 
@@ -87976,44 +157942,132 @@ index 0000000..33a275f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ssh_keygen_t ++can be used to make the process type ssh_keygen_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux ssh_keygen policy is very flexible allowing users to setup their ssh_keygen processes in as secure a method as possible. -+.PP -+The following file types are defined for ssh_keygen: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ssh_keygen policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ssh_keygen with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B ssh_keygen_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the ssh_keygen_exec_t type, if you want to transition an executable to the ssh_keygen_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ssh_keygen_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ssh_keygen_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type ssh_keygen_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B nfs_t ++ ++ ++.br +.B ssh_home_t + + /root/\.ssh(/.*)? +.br ++ /var/lib/pgsql/\.ssh(/.*)? ++.br + /var/lib/openshift/[^/]+/\.ssh(/.*)? +.br + /var/lib/amanda/\.ssh(/.*)? @@ -88032,6 +158086,10 @@ index 0000000..33a275f +.br + /home/[^/]*/\.shosts +.br ++ /home/pwalsh/\.ssh(/.*)? ++.br ++ /home/pwalsh/\.shosts ++.br + /home/dwalsh/\.ssh(/.*)? +.br + /home/dwalsh/\.shosts 
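Review bot: the deny_ptrace entry in the new BOOLEANS section reads inverted: `If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean` is followed by `setsebool -P deny_ptrace 1`, yet the boolean's name says that turning it on denies ptrace, so an administrator following the page would get the opposite of what they asked for; the description should be taken from the tunable's own text in the policy source, and the same entry recurs in the ssh_keysign, ssh and sshd_sandbox pages further down this patch. Separately, the MANAGED FILES list for ssh_home_t now carries `/home/pwalsh/\.ssh(/.*)?` and `/home/pwalsh/\.shosts` next to the existing dwalsh entries; these are per-user homedir contexts from the build host rather than part of the shipped policy, so the pages should be regenerated on a host without local users, or from the packaged file_contexts only.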
@@ -88044,36 +158102,49 @@ index 0000000..33a275f +.br +.B sshd_key_t + -+ /etc/ssh/ssh_host_key.pub -+.br -+ /etc/ssh/ssh_host_dsa_key.pub -+.br -+ /etc/ssh/ssh_host_rsa_key.pub ++ /etc/ssh/ssh_host.*_key +.br + /etc/ssh/primes +.br -+ /etc/ssh/ssh_host_key -+.br -+ /etc/ssh/ssh_host_dsa_key -+.br -+ /etc/ssh/ssh_host_rsa_key -+.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux ssh_keygen policy is very flexible allowing users to setup their ssh_keygen processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ssh_keygen, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ssh_keygen_exec_t '/srv/ssh_keygen/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myssh_keygen_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ssh_keygen: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B ssh_keygen_exec_t +.EE + ++- Set files with the ssh_keygen_exec_t type, if you want to transition an executable to the ssh_keygen_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the ssh_keygen_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -88085,6 +158156,9 @@ index 0000000..33a275f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -88096,15 +158170,15 @@ index 0000000..33a275f + +.SH "SEE ALSO" +selinux(8), ssh_keygen(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, ssh_selinux(8), ssh_selinux(8), ssh_keysign_selinux(8), sshd_selinux(8) ++, setsebool(8), ssh_selinux(8), ssh_selinux(8), ssh_keysign_selinux(8), sshd_selinux(8), sshd_sandbox_selinux(8) \ No newline at end of file diff --git a/man/man8/ssh_keysign_selinux.8 b/man/man8/ssh_keysign_selinux.8 new file mode 100644 -index 0000000..1a657dc +index 0000000..7238660 --- /dev/null +++ b/man/man8/ssh_keysign_selinux.8 -@@ -0,0 +1,108 @@ -+.TH "ssh_keysign_selinux" "8" "12-11-01" "ssh_keysign" "SELinux Policy documentation for ssh_keysign" +@@ -0,0 +1,167 @@ ++.TH "ssh_keysign_selinux" "8" "13-01-16" "ssh_keysign" "SELinux Policy documentation for ssh_keysign" +.SH "NAME" +ssh_keysign_selinux \- Security Enhanced Linux Policy for the ssh_keysign processes +.SH "DESCRIPTION" 
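Review bot: the STANDARD FILE CONTEXT example is internally inconsistent: it labels `/srv/ssh_keygen/content(/.*)?` with semanage but then runs `restorecon -R -v /srv/myssh_keygen_content`, a different path, so the second command would never apply the label the first one added. It also picks ssh_keygen_exec_t, an entrypoint type, for a content directory; every file under such a tree would become an entrypoint into ssh_keygen_t, which is the reverse of least privilege, so the template should prefer a non-executable type for the example wherever the module defines one. In the same block `diffent` and `sepecify` are misspelt and `\fBls\bP` should be `\fBls\fP` (`\b` is not a font escape); all three come from the sepolicy manpage template and therefore recur in every page in this patch. The SEE ALSO line lists ssh_selinux(8) twice.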
@@ -88120,9 +158194,11 @@ index 0000000..1a657dc + +.SH "ENTRYPOINTS" + -+The ssh_keysign_t SELinux type can be entered via the "ssh_keysign_exec_t" file type. The default entrypoint paths for the ssh_keysign_t domain are the following:" ++The ssh_keysign_t SELinux type can be entered via the \fBssh_keysign_exec_t\fP file type. + -+/usr/libexec/openssh/ssh-keysign ++The default entrypoint paths for the ssh_keysign_t domain are the following: ++ ++/usr/lib/openssh/ssh-keysign, /usr/libexec/openssh/ssh-keysign +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -88138,25 +158214,67 @@ index 0000000..1a657dc +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ssh_keysign_t ++can be used to make the process type ssh_keysign_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. ssh_keysign policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ssh_keysign with the tightest access possible. + + +.PP -+If you want to allow host key based authentication, you must turn on the ssh_keysign boolean. ++If you want to allow host key based authentication, you must turn on the ssh_keysign boolean. Disabled by default. + +.EX +.B setsebool -P ssh_keysign 1 ++ +.EE + +.PP -+If you want to allow host key based authentication, you must turn on the ssh_keysign boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P ssh_keysign 1 ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ +.EE + +.SH FILE CONTEXTS @@ -88167,7 +158285,20 @@ index 0000000..1a657dc +Policy governs the access confined processes have to these files. +SELinux ssh_keysign policy is very flexible allowing users to setup their ssh_keysign processes in as secure a method as possible. +.PP -+The following file types are defined for ssh_keysign: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ssh_keysign, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ssh_keysign_exec_t '/srv/ssh_keysign/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myssh_keysign_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ssh_keysign: + + +.EX @@ -88177,6 +158308,10 @@ index 0000000..1a657dc + +- Set files with the ssh_keysign_exec_t type, if you want to transition an executable to the ssh_keysign_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/openssh/ssh-keysign, /usr/libexec/openssh/ssh-keysign + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -88185,8 +158320,6 @@ index 0000000..1a657dc +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -88211,15 +158344,15 @@ index 0000000..1a657dc + +.SH "SEE ALSO" +selinux(8), ssh_keysign(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8), ssh_selinux(8), ssh_selinux(8), ssh_keygen_selinux(8), sshd_selinux(8) ++, setsebool(8), ssh_selinux(8), ssh_selinux(8), ssh_keygen_selinux(8), sshd_selinux(8), sshd_sandbox_selinux(8) \ No newline at end of file diff --git a/man/man8/ssh_selinux.8 b/man/man8/ssh_selinux.8 new file mode 100644 -index 0000000..4f02c5d +index 0000000..f2aefda --- /dev/null +++ b/man/man8/ssh_selinux.8 -@@ -0,0 +1,400 @@ -+.TH "ssh_selinux" "8" "12-11-01" "ssh" "SELinux Policy documentation for ssh" +@@ -0,0 +1,545 @@ ++.TH "ssh_selinux" "8" "13-01-16" "ssh" "SELinux Policy documentation for ssh" +.SH "NAME" +ssh_selinux \- Security Enhanced Linux Policy for the ssh processes +.SH "DESCRIPTION" @@ -88235,7 +158368,9 @@ index 0000000..4f02c5d + +.SH "ENTRYPOINTS" + -+The ssh_t SELinux type can be entered via the "ssh_exec_t" file type. The default entrypoint paths for the ssh_t domain are the following:" ++The ssh_t SELinux type can be entered via the \fBssh_exec_t\fP file type. ++ ++The default entrypoint paths for the ssh_t domain are the following: + +/usr/bin/ssh +.SH PROCESS TYPES 
@@ -88253,97 +158388,332 @@ index 0000000..4f02c5d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ssh_t ++can be used to make the process type ssh_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. ssh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ssh with the tightest access possible. + + +.PP -+If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. -+ -+.EX -+.B setsebool -P selinuxuser_use_ssh_chroot 1 -+.EE -+ -+.PP -+If you want to allow host key based authentication, you must turn on the ssh_keysign boolean. ++If you want to allow host key based authentication, you must turn on the ssh_keysign boolean. Disabled by default. + +.EX +.B setsebool -P ssh_keysign 1 ++ +.EE + +.PP -+If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P ssh_chroot_rw_homedirs 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
+ +.EX -+.B setsebool -P fenced_can_ssh 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + +.PP -+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.B setsebool -P sftpd_write_ssh_home 1 ++.B setsebool -P domain_fd_use 1 ++ +.EE + +.PP -+If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.B setsebool -P ssh_sysadm_login 1 ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + +.PP -+If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.B setsebool -P selinuxuser_use_ssh_chroot 1 ++.B setsebool -P fips_mode 1 ++ +.EE + +.PP -+If you want to allow host key based authentication, you must turn on the ssh_keysign boolean. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.B setsebool -P ssh_keysign 1 ++.B setsebool -P global_ssp 1 ++ +.EE + +.PP -+If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean. ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.B setsebool -P ssh_chroot_rw_homedirs 1 ++.B setsebool -P kerberos_enabled 1 ++ +.EE + +.PP -+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean. 
++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.B setsebool -P fenced_can_ssh 1 ++.B setsebool -P nis_enabled 1 ++ +.EE + +.PP -+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + +.EX -+.B setsebool -P sftpd_write_ssh_home 1 ++.B setsebool -P nscd_use_shm 1 ++ +.EE + +.PP -+If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. + +.EX -+.B setsebool -P ssh_sysadm_login 1 ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ +.EE + ++.PP ++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_tcp_server 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible. ++.PP ++The following port types are defined for ssh: ++ ++.EX ++.TP 5 ++.B ssh_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 22 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type ssh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? 
++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B ssh_home_t ++ ++ /root/\.ssh(/.*)? ++.br ++ /var/lib/pgsql/\.ssh(/.*)? ++.br ++ /var/lib/openshift/[^/]+/\.ssh(/.*)? ++.br ++ /var/lib/amanda/\.ssh(/.*)? ++.br ++ /var/lib/stickshift/[^/]+/\.ssh(/.*)? ++.br ++ /var/lib/gitolite/\.ssh(/.*)? ++.br ++ /var/lib/nocpulse/\.ssh(/.*)? ++.br ++ /var/lib/gitolite3/\.ssh(/.*)? ++.br ++ /root/\.shosts ++.br ++ /home/[^/]*/\.ssh(/.*)? ++.br ++ /home/[^/]*/\.shosts ++.br ++ /home/pwalsh/\.ssh(/.*)? ++.br ++ /home/pwalsh/\.shosts ++.br ++ /home/dwalsh/\.ssh(/.*)? ++.br ++ /home/dwalsh/\.shosts ++.br ++ /var/lib/xguest/home/xguest/\.ssh(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.shosts ++.br ++ ++.br ++.B ssh_tmpfs_t ++ ++ ++.br ++.B user_fonts_cache_t ++ ++ /root/\.fontconfig(/.*)? ++.br ++ /root/\.fonts/auto(/.*)? ++.br ++ /root/\.fonts\.cache-.* ++.br ++ /home/[^/]*/\.fontconfig(/.*)? ++.br ++ /home/[^/]*/\.fonts/auto(/.*)? ++.br ++ /home/[^/]*/\.fonts\.cache-.* ++.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br ++ /home/dwalsh/\.fontconfig(/.*)? ++.br ++ /home/dwalsh/\.fonts/auto(/.*)? ++.br ++ /home/dwalsh/\.fonts\.cache-.* ++.br ++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts\.cache-.* ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.br ++.B user_tmp_type ++ ++ all user tmp files ++.br ++ ++.br ++.B xserver_tmpfs_t ++ ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
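Review bot: the rewritten BOOLEANS section of ssh_selinux.8 drops every ssh-specific boolean the old text documented (selinuxuser_use_ssh_chroot, ssh_chroot_rw_homedirs, fenced_can_ssh, sftpd_write_ssh_home, ssh_sysadm_login) and replaces them with system-wide ones such as domain_fd_use and fips_mode. If the generator now lists only booleans that affect ssh_t, that is defensible for the client page, but then each removed boolean must still appear in sshd_selinux.8, otherwise no page documents ssh_sysadm_login any more; please confirm. In the PORT TYPES block the `.EX` is closed twice, once after `.TP 10` and again after `tcp 22`, so the `Default Defined Ports:` text sits outside the example; drop the first `.EE`. The user_tmp_t list also carries `/tmp/gconfd-pwalsh` and `/tmp/gconfd-dwalsh`, the same build-host homedir leak as the ssh_home_t entries.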
@@ -88352,7 +158722,20 @@ index 0000000..4f02c5d +Policy governs the access confined processes have to these files. +SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible. +.PP -+The following file types are defined for ssh: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ssh, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ssh_agent_exec_t '/srv/ssh/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myssh_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ssh: + + +.EX @@ -88386,6 +158769,10 @@ index 0000000..4f02c5d + +- Set files with the ssh_home_t type, if you want to store ssh files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/root/\.ssh(/.*)?, /var/lib/pgsql/\.ssh(/.*)?, /var/lib/openshift/[^/]+/\.ssh(/.*)?, /var/lib/amanda/\.ssh(/.*)?, /var/lib/stickshift/[^/]+/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite3/\.ssh(/.*)?, /root/\.shosts, /home/[^/]*/\.ssh(/.*)?, /home/[^/]*/\.shosts, /home/pwalsh/\.ssh(/.*)?, /home/pwalsh/\.shosts, /home/dwalsh/\.ssh(/.*)?, /home/dwalsh/\.shosts, /var/lib/xguest/home/xguest/\.ssh(/.*)?, /var/lib/xguest/home/xguest/\.shosts + +.EX +.PP @@ -88402,6 +158789,10 @@ index 0000000..4f02c5d + +- Set files with the ssh_keysign_exec_t type, if you want to transition an executable to the ssh_keysign_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/openssh/ssh-keysign, /usr/libexec/openssh/ssh-keysign + +.EX +.PP 
@@ -88418,6 +158809,10 @@ index 0000000..4f02c5d + +- Set files with the sshd_exec_t type, if you want to transition an executable to the sshd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/sshd, /usr/sbin/gsisshd + +.EX +.PP @@ -88434,6 +158829,10 @@ index 0000000..4f02c5d + +- Set files with the sshd_key_t type, if you want to treat the files as sshd key data. + ++.br ++.TP 5 ++Paths: ++/etc/ssh/ssh_host.*_key, /etc/ssh/primes + +.EX +.PP @@ -88456,8 +158855,12 @@ index 0000000..4f02c5d +.B sshd_var_run_t +.EE + -+- Set files with the sshd_var_run_t type, if you want to store the sshd files under the /run directory. ++- Set files with the sshd_var_run_t type, if you want to store the sshd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/sshd\.pid, /var/run/sshd\.init\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -88466,131 +158869,6 @@ index 0000000..4f02c5d +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux ssh policy is very flexible allowing users to setup their ssh processes in as secure a method as possible. -+.PP -+The following port types are defined for ssh: -+ -+.EX -+.TP 5 -+.B ssh_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 22 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type ssh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B ssh_home_t -+ -+ /root/\.ssh(/.*)? -+.br -+ /var/lib/openshift/[^/]+/\.ssh(/.*)? -+.br -+ /var/lib/amanda/\.ssh(/.*)? -+.br -+ /var/lib/stickshift/[^/]+/\.ssh(/.*)? -+.br -+ /var/lib/gitolite/\.ssh(/.*)? -+.br -+ /var/lib/nocpulse/\.ssh(/.*)? -+.br -+ /var/lib/gitolite3/\.ssh(/.*)? -+.br -+ /root/\.shosts -+.br -+ /home/[^/]*/\.ssh(/.*)? -+.br -+ /home/[^/]*/\.shosts -+.br -+ /home/dwalsh/\.ssh(/.*)? -+.br -+ /home/dwalsh/\.shosts -+.br -+ /var/lib/xguest/home/xguest/\.ssh(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.shosts -+.br -+ -+.br -+.B ssh_tmpfs_t -+ -+ -+.br -+.B user_fonts_cache_t -+ -+ /root/\.fontconfig(/.*)? -+.br -+ /root/\.fonts/auto(/.*)? -+.br -+ /root/\.fonts\.cache-.* -+.br -+ /home/[^/]*/\.fontconfig(/.*)? -+.br -+ /home/[^/]*/\.fonts/auto(/.*)? -+.br -+ /home/[^/]*/\.fonts\.cache-.* -+.br -+ /home/dwalsh/\.fontconfig(/.*)? -+.br -+ /home/dwalsh/\.fonts/auto(/.*)? -+.br -+ /home/dwalsh/\.fonts\.cache-.* -+.br -+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? 
-+.br -+ /var/lib/xguest/home/xguest/\.fonts\.cache-.* -+.br -+ -+.br -+.B user_tmp_t -+ -+ /var/run/user(/.*)? -+.br -+ /tmp/gconfd-.* -+.br -+ /tmp/gconfd-dwalsh -+.br -+ /tmp/gconfd-xguest -+.br -+ -+.br -+.B user_tmp_type -+ -+ all user tmp files -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -88618,15 +158896,123 @@ index 0000000..4f02c5d + +.SH "SEE ALSO" +selinux(8), ssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8), ssh_keygen_selinux(8), ssh_keysign_selinux(8), sshd_selinux(8) ++, setsebool(8), ssh_keygen_selinux(8), ssh_keysign_selinux(8), sshd_selinux(8), sshd_sandbox_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sshd_sandbox_selinux.8 b/man/man8/sshd_sandbox_selinux.8 +new file mode 100644 +index 0000000..91dca97 +--- /dev/null ++++ b/man/man8/sshd_sandbox_selinux.8 +@@ -0,0 +1,101 @@ ++.TH "sshd_sandbox_selinux" "8" "13-01-16" "sshd_sandbox" "SELinux Policy documentation for sshd_sandbox" ++.SH "NAME" ++sshd_sandbox_selinux \- Security Enhanced Linux Policy for the sshd_sandbox processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sshd_sandbox processes via flexible mandatory access control. ++ ++The sshd_sandbox processes execute with the sshd_sandbox_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sshd_sandbox_t ++ ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sshd_sandbox policy is very flexible allowing users to setup their sshd_sandbox processes in as secure a method as possible. ++.PP ++The following process types are defined for sshd_sandbox: ++ ++.EX ++.B sshd_sandbox_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sshd_sandbox_t ++can be used to make the process type sshd_sandbox_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
sshd_sandbox policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sshd_sandbox with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sshd_sandbox(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), ssh_selinux(8), sshd_selinux(8), sshd_selinux(8) \ No newline at end of file 
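Review bot: the new sshd_sandbox_selinux.8 has no ENTRYPOINTS and no FILE CONTEXTS section, so nothing on the page tells the reader how a process comes to run as sshd_sandbox_t; if the domain has no exec type, one sentence in DESCRIPTION saying so and pointing at sshd_selinux(8) would stop readers looking for a missing entrypoint. Its SEE ALSO line lists sshd_selinux(8) twice. Also, the `semanage boolean` paragraph added to every COMMANDS section in this patch lacks the `.PP` separator and the full stop that the neighbouring `semanage permissive` and `semanage module` entries have, so it renders as a run-on with the previous entry.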
diff --git a/man/man8/sshd_selinux.8 b/man/man8/sshd_selinux.8 new file mode 100644 -index 0000000..887086e +index 0000000..fdb7970 --- /dev/null +++ b/man/man8/sshd_selinux.8 -@@ -0,0 +1,508 @@ -+.TH "sshd_selinux" "8" "12-11-01" "sshd" "SELinux Policy documentation for sshd" +@@ -0,0 +1,661 @@ ++.TH "sshd_selinux" "8" "13-01-16" "sshd" "SELinux Policy documentation for sshd" +.SH "NAME" +sshd_selinux \- Security Enhanced Linux Policy for the sshd processes +.SH "DESCRIPTION" @@ -88642,9 +159028,11 @@ index 0000000..887086e + +.SH "ENTRYPOINTS" + -+The sshd_t SELinux type can be entered via the "sshd_exec_t" file type. The default entrypoint paths for the sshd_t domain are the following:" ++The sshd_t SELinux type can be entered via the \fBsshd_exec_t\fP file type. + -+/usr/sbin/sshd ++The default entrypoint paths for the sshd_t domain are the following: ++ ++/usr/sbin/sshd, /usr/sbin/gsisshd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -88660,163 +159048,197 @@ index 0000000..887086e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sshd_t ++can be used to make the process type sshd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. sshd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sshd with the tightest access possible. + + +.PP -+If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P selinuxuser_use_ssh_chroot 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow host key based authentication, you must turn on the ssh_keysign boolean. ++If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean. Disabled by default. + +.EX -+.B setsebool -P ssh_keysign 1 ++.B setsebool -P authlogin_radius 1 ++ +.EE + +.PP -+If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean. ++If you want to allow users to login using a yubikey server, you must turn on the authlogin_yubikey boolean. Disabled by default. + +.EX -+.B setsebool -P ssh_chroot_rw_homedirs 1 ++.B setsebool -P authlogin_yubikey 1 ++ +.EE + +.PP -+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean. 
++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P fenced_can_ssh 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.B setsebool -P sftpd_write_ssh_home 1 ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + +.PP -+If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to enable polyinstantiated directory support, you must turn on the polyinstantiation_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P polyinstantiation_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. + +.EX +.B setsebool -P ssh_sysadm_login 1 ++ +.EE + +.PP -+If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. ++If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean. Enabled by default. + +.EX -+.B setsebool -P selinuxuser_use_ssh_chroot 1 ++.B setsebool -P unconfined_login 1 ++ +.EE + +.PP -+If you want to allow host key based authentication, you must turn on the ssh_keysign boolean. ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. + +.EX -+.B setsebool -P ssh_keysign 1 ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ +.EE + +.PP -+If you want to allow ssh with chroot env to read and write files in the user home directories, you must turn on the ssh_chroot_rw_homedirs boolean. ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. + +.EX -+.B setsebool -P ssh_chroot_rw_homedirs 1 ++.B setsebool -P use_fusefs_home_dirs 1 ++ +.EE + +.PP -+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean. 
++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. + +.EX -+.B setsebool -P fenced_can_ssh 1 ++.B setsebool -P use_nfs_home_dirs 1 ++ +.EE + +.PP -+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. + +.EX -+.B setsebool -P sftpd_write_ssh_home 1 ++.B setsebool -P use_samba_home_dirs 1 ++ +.EE + ++.SH NSSWITCH DOMAIN ++ +.PP -+If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.B setsebool -P ssh_sysadm_login 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible. -+.PP -+The following file types are defined for sshd: -+ ++If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean. + +.EX -+.PP -+.B sshd_exec_t ++.B setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the sshd_exec_t type, if you want to transition an executable to the sshd_t domain. -+ -+ -+.EX -+.PP -+.B sshd_initrc_exec_t -+.EE -+ -+- Set files with the sshd_initrc_exec_t type, if you want to transition an executable to the sshd_initrc_t domain. 
-+ -+ -+.EX -+.PP -+.B sshd_key_t -+.EE -+ -+- Set files with the sshd_key_t type, if you want to treat the files as sshd key data. -+ -+ -+.EX -+.PP -+.B sshd_keytab_t -+.EE -+ -+- Set files with the sshd_keytab_t type, if you want to treat the files as kerberos keytab files. -+ -+ -+.EX -+.PP -+.B sshd_tmpfs_t -+.EE -+ -+- Set files with the sshd_tmpfs_t type, if you want to store sshd files on a tmpfs file system. -+ -+ -+.EX -+.PP -+.B sshd_var_run_t -+.EE -+ -+- Set files with the sshd_var_run_t type, if you want to store the sshd files under the /run directory. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP @@ -88861,6 +159283,10 @@ index 0000000..887086e +.br + /home/[^/]*/\.google_authenticator~ +.br ++ /home/pwalsh/\.google_authenticator ++.br ++ /home/pwalsh/\.google_authenticator~ ++.br + /home/dwalsh/\.google_authenticator +.br + /home/dwalsh/\.google_authenticator~ @@ -88879,6 +159305,10 @@ index 0000000..887086e +.br + +.br ++.B cifs_t ++ ++ ++.br +.B condor_var_lib_t + + /var/lib/condor(/.*)? 
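Review bot: the regenerated BOOLEANS section of sshd_selinux.8 drops every sshd-specific boolean except ssh_sysadm_login (ssh_keysign, ssh_chroot_rw_homedirs, sftpd_write_ssh_home, selinuxuser_use_ssh_chroot, fenced_can_ssh are all removed) and replaces them with global booleans such as fips_mode, domain_fd_use and global_ssp. Removing the duplicated second copy of the old list was right, but an sshd administrator reading this page now cannot find the booleans that actually gate sshd_t behaviour (host-key signing, chroot home access, internal-sftp). Please check the boolean selection in `sepolicy manpage`: it should list the booleans referenced by rules in sshd_t's own module in addition to, or instead of, the global ones. Separately, the MANAGED FILES hunk adds "/home/pwalsh/\.google_authenticator" alongside the existing "/home/dwalsh/..." entries; these are build-host file_contexts.homedirs entries for individual developer accounts, not part of the policy, and should not be shipped in the man pages. Generate from the policy's file_contexts rather than the local `/etc/selinux/.../contexts/files` tree, or filter homedir-template expansions.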
@@ -88889,20 +159319,46 @@ index 0000000..887086e +.br + +.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br +.B faillog_t + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog ++ +.br ++.B fusefs_t ++ + +.br +.B gitosis_var_lib_t + ++ /srv/lib/gitosis(/.*)? ++.br + /var/lib/gitosis(/.*)? +.br + /var/lib/gitolite(3)?(/.*)? @@ -88947,10 +159403,14 @@ index 0000000..887086e +.br +.B lastlog_t + -+ /var/log/lastlog ++ /var/log/lastlog.* +.br + +.br ++.B nfs_t ++ ++ ++.br +.B openshift_tmp_t + + /var/lib/openshift/.*/\.tmp(/.*)? @@ -88975,17 +159435,11 @@ index 0000000..887086e +.br + +.br -+.B pcscd_var_run_t ++.B root_t + -+ /var/run/pcscd(/.*)? ++ / +.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm ++ /initrd +.br + +.br @@ -88999,6 +159453,8 @@ index 0000000..887086e + + /root/\.ssh(/.*)? +.br ++ /var/lib/pgsql/\.ssh(/.*)? ++.br + /var/lib/openshift/[^/]+/\.ssh(/.*)? +.br + /var/lib/amanda/\.ssh(/.*)? @@ -89017,6 +159473,10 @@ index 0000000..887086e +.br + /home/[^/]*/\.shosts +.br ++ /home/pwalsh/\.ssh(/.*)? ++.br ++ /home/pwalsh/\.shosts ++.br + /home/dwalsh/\.ssh(/.*)? +.br + /home/dwalsh/\.shosts @@ -89053,6 +159513,8 @@ index 0000000..887086e +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest @@ -89081,6 +159543,8 @@ index 0000000..887086e +.br + /var/lib/pam_shield(/.*)? +.br ++ /var/opt/quest/vas/vasd(/.*)? ++.br + /var/lib/google-authenticator(/.*)? +.br + 
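Review bot: sshd_t's MANAGED FILES now lists root_t with paths "/" and "/initrd", which a reader will take to mean sshd_t can create and write files in the root directory unconditionally. If this entry is produced by the conditional rule behind daemons_dump_core (which the same page documents as disabled by default), the generator should annotate boolean-gated types as such or omit them when the boolean is off; if it is unconditional, that is a policy change worth a line in the changelog. In the same region pcscd_var_run_t disappears from the list and cifs_t, nfs_t, fusefs_t and ecryptfs_t are added with empty path lists; the pcscd removal is not mentioned in the commit message and could affect smart-card logins through sshd, so please confirm it is intended and not an artifact of which attributes the generator now resolves. The additional "/home/pwalsh/..." entries under ecryptfs_t, ssh_home_t and user_tmp_t are the same build-host leakage noted above.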
@@ -89090,21 +159554,96 @@ index 0000000..887086e + /var/log/wtmp.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sshd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sshd_exec_t '/srv/sshd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysshd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sshd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B sshd_exec_t +.EE + ++- Set files with the sshd_exec_t type, if you want to transition an executable to the sshd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/sshd, /usr/sbin/gsisshd ++ ++.EX ++.PP ++.B sshd_initrc_exec_t ++.EE ++ ++- Set files with the sshd_initrc_exec_t type, if you want to transition an executable to the sshd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B sshd_key_t ++.EE ++ ++- Set files with the sshd_key_t type, if you want to treat the files as sshd key data. ++ ++.br ++.TP 5 ++Paths: ++/etc/ssh/ssh_host.*_key, /etc/ssh/primes ++ ++.EX ++.PP ++.B sshd_keytab_t ++.EE ++ ++- Set files with the sshd_keytab_t type, if you want to treat the files as kerberos keytab files. 
++ ++ ++.EX ++.PP ++.B sshd_tmpfs_t ++.EE ++ ++- Set files with the sshd_tmpfs_t type, if you want to store sshd files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B sshd_var_run_t ++.EE ++ ++- Set files with the sshd_var_run_t type, if you want to store the sshd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/sshd\.pid, /var/run/sshd\.init\.pid ++ +.PP -+If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -89133,15 +159672,15 @@ index 0000000..887086e + +.SH "SEE ALSO" +selinux(8), sshd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8), ssh_selinux(8), ssh_selinux(8), ssh_keygen_selinux(8), ssh_keysign_selinux(8) ++, setsebool(8), ssh_selinux(8), ssh_selinux(8), ssh_keygen_selinux(8), ssh_keysign_selinux(8), sshd_sandbox_selinux(8) \ No newline at end of file diff --git a/man/man8/sssd_selinux.8 b/man/man8/sssd_selinux.8 new file mode 100644 -index 0000000..29b2b6f +index 0000000..7ef35b3 --- /dev/null +++ b/man/man8/sssd_selinux.8 -@@ -0,0 +1,260 @@ -+.TH "sssd_selinux" "8" "12-11-01" "sssd" "SELinux Policy documentation for sssd" +@@ -0,0 +1,420 @@ ++.TH "sssd_selinux" "8" "13-01-16" "sssd" "SELinux Policy documentation for sssd" +.SH "NAME" +sssd_selinux \- Security Enhanced Linux Policy for the sssd processes +.SH "DESCRIPTION" 
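Review bot: the new STANDARD FILE CONTEXT example in sshd_selinux.8 labels a content directory with an executable entrypoint type and then relabels a different path: "semanage fcontext -a -t sshd_exec_t '/srv/sshd/content(/.*)?'" followed by "restorecon -R -v /srv/mysshd_content". Anything labelled sshd_exec_t becomes a domain entrypoint for sshd_t, so this is exactly the wrong type to suggest for arbitrary files; the template should pick a data type (here sshd_key_t or sshd_var_run_t) and the restorecon path must match the regex just added, e.g. `/srv/sshd/content`. The surrounding sentence also has three typos ("diffent", "sepecify", "a diffent paths") that will appear in every generated page. The relocated Paths: entries for sshd_key_t ("/etc/ssh/ssh_host.*_key, /etc/ssh/primes") and sshd_var_run_t are a useful addition and look correct.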
@@ -89157,7 +159696,9 @@ index 0000000..29b2b6f + +.SH "ENTRYPOINTS" + -+The sssd_t SELinux type can be entered via the "sssd_exec_t" file type. The default entrypoint paths for the sssd_t domain are the following:" ++The sssd_t SELinux type can be entered via the \fBsssd_exec_t\fP file type. ++ ++The default entrypoint paths for the sssd_t domain are the following: + +/usr/sbin/sssd +.SH PROCESS TYPES 
@@ -89175,90 +159716,156 @@ index 0000000..29b2b6f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sssd_t ++can be used to make the process type sssd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux sssd policy is very flexible allowing users to setup their sssd processes in as secure a method as possible. -+.PP -+The following file types are defined for sssd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sssd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sssd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B sssd_conf_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the sssd_conf_t type, if you want to treat the files as sssd configuration data, usually stored under the /etc directory. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B sssd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the sssd_exec_t type, if you want to transition an executable to the sssd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. 
Disabled by default. + +.EX -+.PP -+.B sssd_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the sssd_initrc_exec_t type, if you want to transition an executable to the sssd_initrc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B sssd_public_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the sssd_public_t type, if you want to treat the files as sssd public data. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B sssd_unit_file_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the sssd_unit_file_t type, if you want to treat the files as sssd unit content. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B sssd_var_lib_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the sssd_var_lib_t type, if you want to store the sssd files under the /var/lib directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B sssd_var_log_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the sssd_var_log_t type, if you want to treat the data as sssd var log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B sssd_var_run_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the sssd_var_run_t type, if you want to store the sssd files under the /run directory. ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. 
Disabled by default. + ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sssd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -89275,12 +159882,12 @@ index 0000000..29b2b6f + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B krb5_host_rcache_t @@ -89307,17 +159914,11 @@ index 0000000..29b2b6f +.br + +.br -+.B pcscd_var_run_t ++.B root_t + -+ /var/run/pcscd(/.*)? ++ / +.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm ++ /initrd +.br + +.br 
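Review bot: sssd_selinux.8 now documents authlogin_nsswitch_use_ldap and kerberos_enabled twice: once under BOOLEANS (with "Disabled/Enabled by default") and again under the new NSSWITCH DOMAIN section with the same setsebool line but without the default. One of the two should go, or the NSSWITCH DOMAIN section should only add what BOOLEANS does not say. The recurring "rather then using a sssd server" should be "rather than", and it reads oddly on sssd's own page, since the boolean bypasses sssd; a wording such as "rather than through sssd" would be clearer. The MANAGED FILES changes mirror the sshd page: root_t ("/", "/initrd") appears without any indication that it is boolean-gated, and pcscd_var_run_t is removed without a changelog entry.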
@@ -89364,22 +159965,116 @@ index 0000000..29b2b6f + all user tmp files +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux sssd policy is very flexible allowing users to setup their sssd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the sssd_t, you must turn on the kerberos_enabled boolean. ++sssd policy stores data with multiple different file context types under the /var/lib/sss directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/sss /srv/sss ++.br ++.B restorecon -R -v /srv/sss ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sssd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sssd_conf_t '/srv/sssd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysssd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for sssd: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B sssd_conf_t +.EE + ++- Set files with the sssd_conf_t type, if you want to treat the files as sssd configuration data, usually stored under the /etc directory. ++ ++ ++.EX ++.PP ++.B sssd_exec_t ++.EE ++ ++- Set files with the sssd_exec_t type, if you want to transition an executable to the sssd_t domain. ++ ++ ++.EX ++.PP ++.B sssd_initrc_exec_t ++.EE ++ ++- Set files with the sssd_initrc_exec_t type, if you want to transition an executable to the sssd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B sssd_public_t ++.EE ++ ++- Set files with the sssd_public_t type, if you want to treat the files as sssd public data. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/sss/mc(/.*)?, /var/lib/sss/pubconf(/.*)? ++ ++.EX ++.PP ++.B sssd_unit_file_t ++.EE ++ ++- Set files with the sssd_unit_file_t type, if you want to treat the files as sssd unit content. ++ ++ ++.EX ++.PP ++.B sssd_var_lib_t ++.EE ++ ++- Set files with the sssd_var_lib_t type, if you want to store the sssd files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B sssd_var_log_t ++.EE ++ ++- Set files with the sssd_var_log_t type, if you want to treat the data as sssd var log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B sssd_var_run_t ++.EE ++ ++- Set files with the sssd_var_run_t type, if you want to store the sssd files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
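Review bot: the EQUIVALENCE DIRECTORIES example ("semanage fcontext -a -e /var/lib/sss /srv/sss" then "restorecon -R -v /srv/sss") is correct and is the right way to relocate the /var/lib/sss tree, but the STANDARD FILE CONTEXT example immediately below it has the same path mismatch as the sshd page: the regex is added for `/srv/sssd/content(/.*)?` and restorecon is then run on `/srv/mysssd_content`, so the second command relabels nothing the first one covered. Use one path in both commands. "diffent", "sepecify" and "dirctory" in the same paragraph are template typos. Since sssd_conf_t is described two lines later as "usually stored under the /etc directory", sssd_var_lib_t would be a more natural type for a /srv example.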
@@ -89390,6 +160085,9 @@ index 0000000..29b2b6f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -89401,12 +160099,1070 @@ index 0000000..29b2b6f + +.SH "SEE ALSO" +selinux(8), sssd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/staff_consolehelper_selinux.8 b/man/man8/staff_consolehelper_selinux.8 +new file mode 100644 +index 0000000..ae8dc18 +--- /dev/null ++++ b/man/man8/staff_consolehelper_selinux.8 +@@ -0,0 +1,238 @@ ++.TH "staff_consolehelper_selinux" "8" "13-01-16" "staff_consolehelper" "SELinux Policy documentation for staff_consolehelper" ++.SH "NAME" ++staff_consolehelper_selinux \- Security Enhanced Linux Policy for the staff_consolehelper processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the staff_consolehelper processes via flexible mandatory access control. ++ ++The staff_consolehelper processes execute with the staff_consolehelper_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep staff_consolehelper_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The staff_consolehelper_t SELinux type can be entered via the \fBconsolehelper_exec_t\fP file type. ++ ++The default entrypoint paths for the staff_consolehelper_t domain are the following: ++ ++/usr/bin/consolehelper ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux staff_consolehelper policy is very flexible allowing users to setup their staff_consolehelper processes in as secure a method as possible. ++.PP ++The following process types are defined for staff_consolehelper: ++ ++.EX ++.B staff_consolehelper_t ++.EE ++.PP ++Note: ++.B semanage permissive -a staff_consolehelper_t ++can be used to make the process type staff_consolehelper_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. staff_consolehelper policy is extremely flexible and has several booleans that allow you to manipulate the policy and run staff_consolehelper with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the staff_consolehelper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the staff_consolehelper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type staff_consolehelper_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B lastlog_t ++ ++ /var/log/lastlog.* ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? 
++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br ++ ++.br ++.B user_tmpfs_type ++ ++ all user content in tmpfs file systems ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), staff_consolehelper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), staff_selinux(8), staff_selinux(8), staff_dbusd_selinux(8), staff_gkeyringd_selinux(8), staff_screen_selinux(8), staff_seunshare_selinux(8), staff_ssh_agent_selinux(8), staff_sudo_selinux(8), staff_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/staff_dbusd_selinux.8 b/man/man8/staff_dbusd_selinux.8 +new file mode 100644 +index 0000000..7ce9d28 +--- /dev/null ++++ b/man/man8/staff_dbusd_selinux.8 +@@ -0,0 +1,254 @@ ++.TH "staff_dbusd_selinux" "8" "13-01-16" "staff_dbusd" "SELinux Policy documentation for staff_dbusd" ++.SH "NAME" ++staff_dbusd_selinux \- Security Enhanced Linux Policy for the staff_dbusd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the staff_dbusd processes via flexible mandatory access control. ++ ++The staff_dbusd processes execute with the staff_dbusd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep staff_dbusd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The staff_dbusd_t SELinux type can be entered via the \fBdbusd_exec_t\fP file type. 
++ ++The default entrypoint paths for the staff_dbusd_t domain are the following: ++ ++/usr/bin/dbus-daemon(-1)?, /bin/dbus-daemon, /lib/dbus-1/dbus-daemon-launch-helper, /usr/lib/dbus-1/dbus-daemon-launch-helper ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux staff_dbusd policy is very flexible allowing users to setup their staff_dbusd processes in as secure a method as possible. ++.PP ++The following process types are defined for staff_dbusd: ++ ++.EX ++.B staff_dbusd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a staff_dbusd_t ++can be used to make the process type staff_dbusd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. staff_dbusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run staff_dbusd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the staff_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the staff_dbusd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type staff_dbusd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B session_dbusd_tmp_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmpfs_t ++ ++ /dev/shm/mono.* ++.br ++ /dev/shm/pulse-shm.* ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), staff_dbusd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), staff_selinux(8), staff_selinux(8), staff_consolehelper_selinux(8), staff_gkeyringd_selinux(8), staff_screen_selinux(8), staff_seunshare_selinux(8), staff_ssh_agent_selinux(8), staff_sudo_selinux(8), staff_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/staff_gkeyringd_selinux.8 b/man/man8/staff_gkeyringd_selinux.8 +new file mode 100644 +index 0000000..095d7aa +--- /dev/null ++++ b/man/man8/staff_gkeyringd_selinux.8 +@@ -0,0 +1,314 @@ ++.TH "staff_gkeyringd_selinux" "8" "13-01-16" "staff_gkeyringd" "SELinux Policy documentation for staff_gkeyringd" ++.SH "NAME" ++staff_gkeyringd_selinux \- Security Enhanced Linux Policy for the staff_gkeyringd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the staff_gkeyringd processes via flexible mandatory access control. ++ ++The staff_gkeyringd processes execute with the staff_gkeyringd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep staff_gkeyringd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The staff_gkeyringd_t SELinux type can be entered via the \fBgkeyringd_exec_t\fP file type. ++ ++The default entrypoint paths for the staff_gkeyringd_t domain are the following: ++ ++/usr/bin/gnome-keyring-daemon ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux staff_gkeyringd policy is very flexible allowing users to setup their staff_gkeyringd processes in as secure a method as possible. 
++.PP ++The following process types are defined for staff_gkeyringd: ++ ++.EX ++.B staff_gkeyringd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a staff_gkeyringd_t ++can be used to make the process type staff_gkeyringd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. staff_gkeyringd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run staff_gkeyringd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the staff_gkeyringd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the staff_gkeyringd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type staff_gkeyringd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? 
++.br ++ /home/[^/]*/\.nv(/.*)? ++.br ++ /home/[^/]*/\.cache(/.*)? ++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B config_home_t ++ ++ /root/\.kde(/.*)? ++.br ++ /root/\.xine(/.*)? ++.br ++ /root/\.config(/.*)? ++.br ++ /var/run/user/[^/]*/dconf(/.*)? ++.br ++ /root/\.Xdefaults ++.br ++ /home/[^/]*/\.kde(/.*)? ++.br ++ /home/[^/]*/\.xine(/.*)? ++.br ++ /home/[^/]*/\.config(/.*)? ++.br ++ /home/[^/]*/\.Xdefaults ++.br ++ /home/pwalsh/\.kde(/.*)? ++.br ++ /home/pwalsh/\.xine(/.*)? ++.br ++ /home/pwalsh/\.config(/.*)? ++.br ++ /home/pwalsh/\.Xdefaults ++.br ++ /home/dwalsh/\.kde(/.*)? ++.br ++ /home/dwalsh/\.xine(/.*)? ++.br ++ /home/dwalsh/\.config(/.*)? ++.br ++ /home/dwalsh/\.Xdefaults ++.br ++ /var/lib/xguest/home/xguest/\.kde(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.xine(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Xdefaults ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B gkeyringd_gnome_home_t ++ ++ /root/\.gnome2/keyrings(/.*)? ++.br ++ /home/[^/]*/\.gnome2/keyrings(/.*)? ++.br ++ /home/[^/]*/\.local/share/keyrings(/.*)? ++.br ++ /home/pwalsh/\.gnome2/keyrings(/.*)? ++.br ++ /home/pwalsh/\.local/share/keyrings(/.*)? ++.br ++ /home/dwalsh/\.gnome2/keyrings(/.*)? ++.br ++ /home/dwalsh/\.local/share/keyrings(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.gnome2/keyrings(/.*)? 
++.br ++ /var/lib/xguest/home/xguest/\.local/share/keyrings(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), staff_gkeyringd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), staff_selinux(8), staff_selinux(8), staff_consolehelper_selinux(8), staff_dbusd_selinux(8), staff_screen_selinux(8), staff_seunshare_selinux(8), staff_ssh_agent_selinux(8), staff_sudo_selinux(8), staff_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/staff_screen_selinux.8 b/man/man8/staff_screen_selinux.8 +new file mode 100644 +index 0000000..10c8f14 +--- /dev/null ++++ b/man/man8/staff_screen_selinux.8 +@@ -0,0 +1,222 @@ ++.TH "staff_screen_selinux" "8" "13-01-16" "staff_screen" "SELinux Policy documentation for staff_screen" ++.SH "NAME" ++staff_screen_selinux \- Security Enhanced Linux Policy for the staff_screen processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the staff_screen processes via flexible mandatory access control. ++ ++The staff_screen processes execute with the staff_screen_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep staff_screen_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The staff_screen_t SELinux type can be entered via the \fBscreen_exec_t\fP file type. 
++ ++The default entrypoint paths for the staff_screen_t domain are the following: ++ ++/usr/bin/tmux, /usr/bin/screen ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux staff_screen policy is very flexible allowing users to setup their staff_screen processes in as secure a method as possible. ++.PP ++The following process types are defined for staff_screen: ++ ++.EX ++.B staff_screen_t ++.EE ++.PP ++Note: ++.B semanage permissive -a staff_screen_t ++can be used to make the process type staff_screen_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. staff_screen policy is extremely flexible and has several booleans that allow you to manipulate the policy and run staff_screen with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the staff_screen_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the staff_screen_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type staff_screen_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B user_tmp_type ++ ++ all user tmp files ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), staff_screen(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), staff_selinux(8), staff_selinux(8), staff_consolehelper_selinux(8), staff_dbusd_selinux(8), staff_gkeyringd_selinux(8), staff_seunshare_selinux(8), staff_ssh_agent_selinux(8), staff_sudo_selinux(8), staff_wine_selinux(8) +\ No newline at end of file diff --git a/man/man8/staff_selinux.8 b/man/man8/staff_selinux.8 new file mode 100644 -index 0000000..44df6b6 +index 0000000..b45773e --- /dev/null 
+++ b/man/man8/staff_selinux.8 -@@ -0,0 +1,583 @@ +@@ -0,0 +1,891 @@ +.TH "staff_selinux" "8" "staff" "mgrepl@redhat.com" "staff SELinux Policy documentation" +.SH "NAME" +staff_u \- \fBAdministrator's unprivileged user\fP - Security Enhanced Linux Policy @@ -89419,7 +161175,7 @@ index 0000000..44df6b6 + +The SELinux user will usually login to a system with a context that looks like: + -+.B staff_u:staff_r:staff_t:s0-s0:c0.c1023 ++.B staff_u:staff_r:staff_t:s0 - s0:c0.c1023 + +Linux users are automatically assigned an SELinux users at login. +Login programs use the SELinux User to assign initial context to the user's shell. 
@@ -89611,17 +161367,267 @@ index 0000000..44df6b6 + + +.PP -+If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean. ++If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean. Enabled by default. + +.EX +.B setsebool -P staff_use_svirt 1 ++ +.EE + +.PP -+If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P staff_use_svirt 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether calling user domains can execute Git daemon in the git_session_t domain, you must turn on the git_session_users boolean. Disabled by default. ++ ++.EX ++.B setsebool -P git_session_users 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_unified 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean. Disabled by default. ++ ++.EX ++.B setsebool -P polipo_session_users 1 ++ ++.EE ++ ++.PP ++If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P pppd_for_user 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Disabled by default. ++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_mysql_connect_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_postgresql_connect_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_rw_noexattrfile 1 ++ ++.EE ++ ++.PP ++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_tcp_server 1 ++ ++.EE ++ ++.PP ++If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_use_ssh_chroot 1 ++ ++.EE ++ ++.PP ++If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_user_share_music 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ +.EE + +.SH HOME_EXEC @@ -89686,6 +161692,10 @@ index 0000000..44df6b6 + + +.br ++.B cifs_t ++ ++ ++.br +.B games_data_t + + /var/games(/.*)? @@ -89698,6 +161708,8 @@ index 0000000..44df6b6 + + /home/[^/]*/\.gnupg/log-socket +.br ++ /home/pwalsh/\.gnupg/log-socket ++.br + /home/dwalsh/\.gnupg/log-socket +.br + /var/lib/xguest/home/xguest/\.gnupg/log-socket @@ -89708,6 +161720,8 @@ index 0000000..44df6b6 + + /home/[^/]*/((www)|(web)|(public_html))(/.+)? +.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.+)? ++.br + /home/dwalsh/((www)|(web)|(public_html))(/.+)? +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)? @@ -89718,6 +161732,8 @@ index 0000000..44df6b6 + + /home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess +.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess ++.br + /home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess @@ -89728,6 +161744,8 @@ index 0000000..44df6b6 + + /home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)? +.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)? ++.br + /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)? +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)? @@ -89742,6 +161760,8 @@ index 0000000..44df6b6 + + /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)? +.br ++ /home/pwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)? ++.br + /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)? +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)? @@ -89758,6 +161778,10 @@ index 0000000..44df6b6 +.br + /home/[^/]*/\.ICEauthority.* +.br ++ /home/pwalsh/\.DCOP.* ++.br ++ /home/pwalsh/\.ICEauthority.* ++.br + /home/dwalsh/\.DCOP.* +.br + /home/dwalsh/\.ICEauthority.* 
@@ -89768,6 +161792,26 @@ index 0000000..44df6b6 +.br + +.br ++.B irc_home_t ++ ++ /home/[^/]*/\.irssi(/.*)? ++.br ++ /home/[^/]*/\.ircmotd ++.br ++ /home/pwalsh/\.irssi(/.*)? ++.br ++ /home/pwalsh/\.ircmotd ++.br ++ /home/dwalsh/\.irssi(/.*)? ++.br ++ /home/dwalsh/\.ircmotd ++.br ++ /var/lib/xguest/home/xguest/\.irssi(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ircmotd ++.br ++ ++.br +.B mail_spool_t + + /var/mail(/.*)? @@ -89814,6 +161858,10 @@ index 0000000..44df6b6 +.br + /home/[^/]*/\.screenrc +.br ++ /home/pwalsh/\.screen(/.*)? ++.br ++ /home/pwalsh/\.screenrc ++.br + /home/dwalsh/\.screen(/.*)? +.br + /home/dwalsh/\.screenrc @@ -89856,6 +161904,12 @@ index 0000000..44df6b6 +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? @@ -89878,6 +161932,8 @@ index 0000000..44df6b6 +.br + /home/[^/]*/\.fonts(/.*)? +.br ++ /home/pwalsh/\.fonts(/.*)? ++.br + /home/dwalsh/\.fonts(/.*)? +.br + /var/lib/xguest/home/xguest/\.fonts(/.*)? @@ -89934,6 +161990,14 @@ index 0000000..44df6b6 +.br + /home/[^/]*/\.Xauthority.* +.br ++ /home/pwalsh/\.xauth.* ++.br ++ /home/pwalsh/\.Xauth.* ++.br ++ /home/pwalsh/\.serverauth.* ++.br ++ /home/pwalsh/\.Xauthority.* ++.br + /home/dwalsh/\.xauth.* +.br + /home/dwalsh/\.Xauth.* 
@@ -89989,15 +162053,1297 @@ index 0000000..44df6b6 + +.SH "SEE ALSO" +selinux(8), staff(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8) ++, setsebool(8), staff_consolehelper_selinux(8), staff_dbusd_selinux(8), staff_gkeyringd_selinux(8), staff_screen_selinux(8), staff_seunshare_selinux(8), staff_ssh_agent_selinux(8), staff_sudo_selinux(8), staff_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/staff_seunshare_selinux.8 b/man/man8/staff_seunshare_selinux.8 +new file mode 100644 +index 0000000..bbcf00f +--- /dev/null ++++ b/man/man8/staff_seunshare_selinux.8 +@@ -0,0 +1,202 @@ ++.TH "staff_seunshare_selinux" "8" "13-01-16" "staff_seunshare" "SELinux Policy documentation for staff_seunshare" ++.SH "NAME" ++staff_seunshare_selinux \- Security Enhanced Linux Policy for the staff_seunshare processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the staff_seunshare processes via flexible mandatory access control. ++ ++The staff_seunshare processes execute with the staff_seunshare_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep staff_seunshare_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The staff_seunshare_t SELinux type can be entered via the \fBseunshare_exec_t\fP file type. ++ ++The default entrypoint paths for the staff_seunshare_t domain are the following: ++ ++/usr/sbin/seunshare ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux staff_seunshare policy is very flexible allowing users to setup their staff_seunshare processes in as secure a method as possible. 
++.PP ++The following process types are defined for staff_seunshare: ++ ++.EX ++.B staff_seunshare_t ++.EE ++.PP ++Note: ++.B semanage permissive -a staff_seunshare_t ++can be used to make the process type staff_seunshare_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. staff_seunshare policy is extremely flexible and has several booleans that allow you to manipulate the policy and run staff_seunshare with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the staff_seunshare_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the staff_seunshare_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type staff_seunshare_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_tmpfs_type ++ ++ all sandbox content in tmpfs file systems ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), staff_seunshare(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), staff_selinux(8), staff_selinux(8), staff_consolehelper_selinux(8), staff_dbusd_selinux(8), staff_gkeyringd_selinux(8), staff_screen_selinux(8), staff_ssh_agent_selinux(8), staff_sudo_selinux(8), staff_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/staff_ssh_agent_selinux.8 b/man/man8/staff_ssh_agent_selinux.8 +new file mode 100644 +index 0000000..ecb8f6c +--- /dev/null ++++ b/man/man8/staff_ssh_agent_selinux.8 +@@ -0,0 +1,224 @@ ++.TH "staff_ssh_agent_selinux" "8" "13-01-16" "staff_ssh_agent" "SELinux Policy documentation for staff_ssh_agent" ++.SH "NAME" ++staff_ssh_agent_selinux \- Security Enhanced Linux Policy for the staff_ssh_agent processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the staff_ssh_agent processes via flexible mandatory access control. ++ ++The staff_ssh_agent processes execute with the staff_ssh_agent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++ ++For example: ++ ++.B ps -eZ | grep staff_ssh_agent_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The staff_ssh_agent_t SELinux type can be entered via the \fBssh_agent_exec_t\fP file type. ++ ++The default entrypoint paths for the staff_ssh_agent_t domain are the following: ++ ++/usr/bin/ssh-agent ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux staff_ssh_agent policy is very flexible allowing users to setup their staff_ssh_agent processes in as secure a method as possible. ++.PP ++The following process types are defined for staff_ssh_agent: ++ ++.EX ++.B staff_ssh_agent_t ++.EE ++.PP ++Note: ++.B semanage permissive -a staff_ssh_agent_t ++can be used to make the process type staff_ssh_agent_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. staff_ssh_agent policy is extremely flexible and has several booleans that allow you to manipulate the policy and run staff_ssh_agent with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the staff_ssh_agent_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the staff_ssh_agent_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type staff_ssh_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), staff_ssh_agent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), staff_selinux(8), staff_selinux(8), staff_consolehelper_selinux(8), staff_dbusd_selinux(8), staff_gkeyringd_selinux(8), staff_screen_selinux(8), staff_seunshare_selinux(8), staff_sudo_selinux(8), staff_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/staff_sudo_selinux.8 b/man/man8/staff_sudo_selinux.8 +new file mode 100644 +index 0000000..fca78b2 +--- /dev/null ++++ b/man/man8/staff_sudo_selinux.8 +@@ -0,0 +1,326 @@ ++.TH "staff_sudo_selinux" "8" "13-01-16" "staff_sudo" "SELinux Policy documentation for staff_sudo" ++.SH "NAME" ++staff_sudo_selinux \- Security Enhanced Linux Policy for the staff_sudo processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the staff_sudo processes via flexible mandatory access control. ++ ++The staff_sudo processes execute with the staff_sudo_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep staff_sudo_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The staff_sudo_t SELinux type can be entered via the \fBsudo_exec_t\fP file type. ++ ++The default entrypoint paths for the staff_sudo_t domain are the following: ++ ++/usr/bin/sudo(edit)? ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux staff_sudo policy is very flexible allowing users to setup their staff_sudo processes in as secure a method as possible. ++.PP ++The following process types are defined for staff_sudo: ++ ++.EX ++.B staff_sudo_t ++.EE ++.PP ++Note: ++.B semanage permissive -a staff_sudo_t ++can be used to make the process type staff_sudo_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. staff_sudo policy is extremely flexible and has several booleans that allow you to manipulate the policy and run staff_sudo with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the staff_sudo_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the staff_sudo_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type staff_sudo_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? 
++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B pam_var_run_t ++ ++ /var/(db|lib|adm)/sudo(/.*)? ++.br ++ /var/run/sudo(/.*)? ++.br ++ /var/run/sepermit(/.*)? ++.br ++ /var/run/pam_mount(/.*)? ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B staff_sudo_tmp_t ++ ++ ++.br ++.B sudo_db_t ++ ++ /var/db/sudo(/.*)? ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), staff_sudo(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), staff_selinux(8), staff_selinux(8), staff_consolehelper_selinux(8), staff_dbusd_selinux(8), staff_gkeyringd_selinux(8), staff_screen_selinux(8), staff_seunshare_selinux(8), staff_ssh_agent_selinux(8), staff_wine_selinux(8) +\ No newline at end of file +diff --git a/man/man8/staff_wine_selinux.8 b/man/man8/staff_wine_selinux.8 +new file mode 100644 +index 0000000..689f866 +--- /dev/null ++++ b/man/man8/staff_wine_selinux.8 +@@ -0,0 +1,502 @@ ++.TH "staff_wine_selinux" "8" "13-01-16" "staff_wine" "SELinux Policy documentation for staff_wine" ++.SH "NAME" ++staff_wine_selinux \- Security Enhanced Linux Policy for the staff_wine processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the staff_wine processes via flexible mandatory access control. ++ ++The staff_wine processes execute with the staff_wine_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep staff_wine_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The staff_wine_t SELinux type can be entered via the \fBuser_home_t, wine_exec_t, xsession_exec_t\fP file types. 
++ ++The default entrypoint paths for the staff_wine_t domain are the following: ++ ++/home/[^/]*/.+, /home/pwalsh/.+, /home/dwalsh/.+, /var/lib/xguest/home/xguest/.+, /usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/msiexec, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/progman, /opt/google/picasa(/.*)?/bin/regedit, /opt/google/picasa(/.*)?/bin/regsvr32, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*, /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad, /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller, /home/[^/]*/cxoffice/bin/wine.+, /home/pwalsh/cxoffice/bin/wine.+, /home/dwalsh/cxoffice/bin/wine.+, /var/lib/xguest/home/xguest/cxoffice/bin/wine.+, /etc/gdm(3)?/Xsession, /etc/kde[34]?/kdm/Xreset, /etc/gdm(3)?/PreSession/.*, /etc/kde[34]?/kdm/Xstartup, /etc/kde[34]?/kdm/Xsession, /etc/gdm(3)?/PostSession/.*, /etc/X11/[wx]dm/Xreset.*, /etc/X11/[wxg]dm/Xsession, /etc/X11/Xsession[^/]*, /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.* ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux staff_wine policy is very flexible allowing users to setup their staff_wine processes in as secure a method as possible. ++.PP ++The following process types are defined for staff_wine: ++ ++.EX ++.B staff_wine_t ++.EE ++.PP ++Note: ++.B semanage permissive -a staff_wine_t ++can be used to make the process type staff_wine_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
staff_wine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run staff_wine with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Disabled by default. ++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_postgresql_connect_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_rw_noexattrfile 1 ++ ++.EE ++ ++.PP ++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_tcp_server 1 ++ ++.EE ++ ++.PP ++If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_user_share_music 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the staff_wine_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the staff_wine_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type staff_wine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. 
Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B chrome_sandbox_tmpfs_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B games_data_t ++ ++ /var/games(/.*)? ++.br ++ /var/lib/games(/.*)? ++.br ++ ++.br ++.B gpg_agent_tmp_t ++ ++ /home/[^/]*/\.gnupg/log-socket ++.br ++ /home/pwalsh/\.gnupg/log-socket ++.br ++ /home/dwalsh/\.gnupg/log-socket ++.br ++ /var/lib/xguest/home/xguest/\.gnupg/log-socket ++.br ++ ++.br ++.B iceauth_home_t ++ ++ /root/\.DCOP.* ++.br ++ /root/\.ICEauthority.* ++.br ++ /home/[^/]*/\.DCOP.* ++.br ++ /home/[^/]*/\.ICEauthority.* ++.br ++ /home/pwalsh/\.DCOP.* ++.br ++ /home/pwalsh/\.ICEauthority.* ++.br ++ /home/dwalsh/\.DCOP.* ++.br ++ /home/dwalsh/\.ICEauthority.* ++.br ++ /var/lib/xguest/home/xguest/\.DCOP.* ++.br ++ /var/lib/xguest/home/xguest/\.ICEauthority.* ++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? ++.br ++ ++.br ++.B mqueue_spool_t ++ ++ /var/spool/(client)?mqueue(/.*)? ++.br ++ /var/spool/mqueue\.in(/.*)? ++.br ++ ++.br ++.B nfsd_rw_t ++ ++ ++.br ++.B noxattrfs ++ ++ all files on file systems which do not support extended attributes ++.br ++ ++.br ++.B usbfs_t ++ ++ ++.br ++.B user_fonts_cache_t ++ ++ /root/\.fontconfig(/.*)? ++.br ++ /root/\.fonts/auto(/.*)? ++.br ++ /root/\.fonts\.cache-.* ++.br ++ /home/[^/]*/\.fontconfig(/.*)? ++.br ++ /home/[^/]*/\.fonts/auto(/.*)? ++.br ++ /home/[^/]*/\.fonts\.cache-.* ++.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br ++ /home/dwalsh/\.fontconfig(/.*)? ++.br ++ /home/dwalsh/\.fonts/auto(/.*)? ++.br ++ /home/dwalsh/\.fonts\.cache-.* ++.br ++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? 
++.br ++ /var/lib/xguest/home/xguest/\.fonts\.cache-.* ++.br ++ ++.br ++.B user_fonts_t ++ ++ /root/\.fonts(/.*)? ++.br ++ /tmp/\.font-unix(/.*)? ++.br ++ /home/[^/]*/\.fonts(/.*)? ++.br ++ /home/pwalsh/\.fonts(/.*)? ++.br ++ /home/dwalsh/\.fonts(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts(/.*)? ++.br ++ ++.br ++.B user_home_type ++ ++ all user home files ++.br ++ ++.br ++.B user_tmp_type ++ ++ all user tmp files ++.br ++ ++.br ++.B user_tmpfs_type ++ ++ all user content in tmpfs file systems ++.br ++ ++.br ++.B xauth_home_t ++ ++ /root/\.xauth.* ++.br ++ /root/\.Xauth.* ++.br ++ /root/\.serverauth.* ++.br ++ /root/\.Xauthority.* ++.br ++ /var/lib/pqsql/\.xauth.* ++.br ++ /var/lib/pqsql/\.Xauthority.* ++.br ++ /var/lib/nxserver/home/\.xauth.* ++.br ++ /var/lib/nxserver/home/\.Xauthority.* ++.br ++ /home/[^/]*/\.xauth.* ++.br ++ /home/[^/]*/\.Xauth.* ++.br ++ /home/[^/]*/\.serverauth.* ++.br ++ /home/[^/]*/\.Xauthority.* ++.br ++ /home/pwalsh/\.xauth.* ++.br ++ /home/pwalsh/\.Xauth.* ++.br ++ /home/pwalsh/\.serverauth.* ++.br ++ /home/pwalsh/\.Xauthority.* ++.br ++ /home/dwalsh/\.xauth.* ++.br ++ /home/dwalsh/\.Xauth.* ++.br ++ /home/dwalsh/\.serverauth.* ++.br ++ /home/dwalsh/\.Xauthority.* ++.br ++ /var/lib/xguest/home/xguest/\.xauth.* ++.br ++ /var/lib/xguest/home/xguest/\.Xauth.* ++.br ++ /var/lib/xguest/home/xguest/\.serverauth.* ++.br ++ /var/lib/xguest/home/xguest/\.Xauthority.* ++.br ++ ++.br ++.B xdm_tmp_t ++ ++ /tmp/\.X11-unix(/.*)? ++.br ++ /tmp/\.ICE-unix(/.*)? ++.br ++ /tmp/\.X0-lock ++.br ++ ++.br ++.B xserver_tmpfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. 
++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), staff_wine(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), staff_selinux(8), staff_selinux(8), staff_consolehelper_selinux(8), staff_dbusd_selinux(8), staff_gkeyringd_selinux(8), staff_screen_selinux(8), staff_seunshare_selinux(8), staff_ssh_agent_selinux(8), staff_sudo_selinux(8) \ No newline at end of file diff --git a/man/man8/stapserver_selinux.8 b/man/man8/stapserver_selinux.8 new file mode 100644 -index 0000000..1d7061b +index 0000000..3184298 --- /dev/null +++ b/man/man8/stapserver_selinux.8 -@@ -0,0 +1,146 @@ -+.TH "stapserver_selinux" "8" "12-11-01" "stapserver" "SELinux Policy documentation for stapserver" +@@ -0,0 +1,273 @@ ++.TH "stapserver_selinux" "8" "13-01-16" "stapserver" "SELinux Policy documentation for stapserver" +.SH "NAME" +stapserver_selinux \- Security Enhanced Linux Policy for the stapserver processes +.SH "DESCRIPTION" @@ -90013,7 +163359,9 @@ index 0000000..1d7061b + +.SH "ENTRYPOINTS" + -+The stapserver_t SELinux type can be entered via the "stapserver_exec_t" file type. The default entrypoint paths for the stapserver_t domain are the following:" ++The stapserver_t SELinux type can be entered via the \fBstapserver_exec_t\fP file type. ++ ++The default entrypoint paths for the stapserver_t domain are the following: + +/usr/bin/stap-server +.SH PROCESS TYPES 
@@ -90031,8 +163379,154 @@ index 0000000..1d7061b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a stapserver_t ++can be used to make the process type stapserver_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. stapserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run stapserver with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the stapserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the stapserver_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type stapserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B stapserver_log_t ++ ++ /var/log/stap-server(/.*)? ++.br ++ ++.br ++.B stapserver_var_lib_t ++ ++ /var/lib/stap-server(/.*)? ++.br ++ ++.br ++.B stapserver_var_run_t ++ ++ /var/run/stap-server(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -90042,7 +163536,20 @@ index 0000000..1d7061b +Policy governs the access confined processes have to these files. +SELinux stapserver policy is very flexible allowing users to setup their stapserver processes in as secure a method as possible. +.PP -+The following file types are defined for stapserver: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the stapserver, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t stapserver_exec_t '/srv/stapserver/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mystapserver_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for stapserver: + + +.EX @@ -90074,7 +163581,7 @@ index 0000000..1d7061b +.B stapserver_var_run_t +.EE + -+- Set files with the stapserver_var_run_t type, if you want to store the stapserver files under the /run directory. ++- Set files with the stapserver_var_run_t type, if you want to store the stapserver files under the /run or /var/run directory. + + +.PP 
@@ -90084,44 +163591,6 @@ index 0000000..1d7061b +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type stapserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B stapserver_log_t -+ -+ /var/log/stap-server(/.*)? -+.br -+ -+.br -+.B stapserver_var_lib_t -+ -+ /var/lib/stap-server(/.*)? -+.br -+ -+.br -+.B stapserver_var_run_t -+ -+ /var/run/stap-server(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the stapserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the stapserver_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -90132,6 +163601,9 @@ index 0000000..1d7061b +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -90143,13 +163615,15 @@ index 0000000..1d7061b + +.SH "SEE ALSO" +selinux(8), stapserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/stunnel_selinux.8 b/man/man8/stunnel_selinux.8 new file mode 100644 -index 0000000..feb8ccd +index 0000000..79ab5a9 --- /dev/null 
+++ b/man/man8/stunnel_selinux.8 -@@ -0,0 +1,160 @@ -+.TH "stunnel_selinux" "8" "12-11-01" "stunnel" "SELinux Policy documentation for stunnel" +@@ -0,0 +1,291 @@ ++.TH "stunnel_selinux" "8" "13-01-16" "stunnel" "SELinux Policy documentation for stunnel" +.SH "NAME" +stunnel_selinux \- Security Enhanced Linux Policy for the stunnel processes +.SH "DESCRIPTION" @@ -90165,7 +163639,9 @@ index 0000000..feb8ccd + +.SH "ENTRYPOINTS" + -+The stunnel_t SELinux type can be entered via the "stunnel_exec_t" file type. The default entrypoint paths for the stunnel_t domain are the following:" ++The stunnel_t SELinux type can be entered via the \fBstunnel_exec_t\fP file type. ++ ++The default entrypoint paths for the stunnel_t domain are the following: + +/usr/bin/stunnel, /usr/sbin/stunnel +.SH PROCESS TYPES 
@@ -90183,58 +163659,124 @@ index 0000000..feb8ccd +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a stunnel_t ++can be used to make the process type stunnel_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux stunnel policy is very flexible allowing users to setup their stunnel processes in as secure a method as possible. -+.PP -+The following file types are defined for stunnel: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. stunnel policy is extremely flexible and has several booleans that allow you to manipulate the policy and run stunnel with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B stunnel_etc_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the stunnel_etc_t type, if you want to store stunnel files in the /etc directories. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B stunnel_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the stunnel_exec_t type, if you want to transition an executable to the stunnel_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. 
Disabled by default. + +.EX -+.PP -+.B stunnel_tmp_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the stunnel_tmp_t type, if you want to store stunnel temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B stunnel_var_run_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the stunnel_var_run_t type, if you want to store the stunnel files under the /run directory. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the stunnel_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the stunnel_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -90260,6 +163802,14 @@ index 0000000..feb8ccd +The SELinux process type stunnel_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B stunnel_tmp_t + + 
@@ -90269,21 +163819,72 @@ index 0000000..feb8ccd + /var/run/stunnel(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux stunnel policy is very flexible allowing users to setup their stunnel processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the stunnel_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the stunnel, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t stunnel_etc_t '/srv/stunnel/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mystunnel_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for stunnel: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B stunnel_etc_t +.EE + ++- Set files with the stunnel_etc_t type, if you want to store stunnel files in the /etc directories. ++ ++ ++.EX ++.PP ++.B stunnel_exec_t ++.EE ++ ++- Set files with the stunnel_exec_t type, if you want to transition an executable to the stunnel_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/stunnel, /usr/sbin/stunnel ++ ++.EX ++.PP ++.B stunnel_tmp_t ++.EE ++ ++- Set files with the stunnel_tmp_t type, if you want to store stunnel temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B stunnel_var_run_t ++.EE ++ ++- Set files with the stunnel_var_run_t type, if you want to store the stunnel files under the /run or /var/run directory. 
++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the stunnel_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -90298,6 +163899,9 @@ index 0000000..feb8ccd +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -90309,13 +163913,15 @@ index 0000000..feb8ccd + +.SH "SEE ALSO" +selinux(8), stunnel(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/sulogin_selinux.8 b/man/man8/sulogin_selinux.8 new file mode 100644 -index 0000000..debe287 +index 0000000..4f35204 --- /dev/null +++ b/man/man8/sulogin_selinux.8 -@@ -0,0 +1,110 @@ -+.TH "sulogin_selinux" "8" "12-11-01" "sulogin" "SELinux Policy documentation for sulogin" +@@ -0,0 +1,225 @@ ++.TH "sulogin_selinux" "8" "13-01-16" "sulogin" "SELinux Policy documentation for sulogin" +.SH "NAME" +sulogin_selinux \- Security Enhanced Linux Policy for the sulogin processes +.SH "DESCRIPTION" @@ -90331,7 +163937,9 @@ index 0000000..debe287 + +.SH "ENTRYPOINTS" + -+The sulogin_t SELinux type can be entered via the "sulogin_exec_t" file type. The default entrypoint paths for the sulogin_t domain are the following:" ++The sulogin_t SELinux type can be entered via the \fBsulogin_exec_t\fP file type. ++ ++The default entrypoint paths for the sulogin_t domain are the following: + +/sbin/sulogin, /sbin/sushell, /usr/sbin/sulogin, /usr/sbin/sushell +.SH PROCESS TYPES 
@@ -90349,49 +163957,105 @@ index 0000000..debe287 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sulogin_t ++can be used to make the process type sulogin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux sulogin policy is very flexible allowing users to setup their sulogin processes in as secure a method as possible. -+.PP -+The following file types are defined for sulogin: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sulogin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sulogin with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B sulogin_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the sulogin_exec_t type, if you want to transition an executable to the sulogin_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + -+.SH "MANAGED FILES" ++.EX ++.B setsebool -P deny_ptrace 1 + -+The SELinux process type sulogin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++.EE + -+.br -+.B security_t ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + -+ /selinux -+.br ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P unconfined_login 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sulogin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sulogin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 
@@ -90404,6 +164068,59 @@ index 0000000..debe287 +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH "MANAGED FILES" ++ ++The SELinux process type sulogin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux sulogin policy is very flexible allowing users to setup their sulogin processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sulogin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sulogin_exec_t '/srv/sulogin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysulogin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sulogin: ++ ++ ++.EX ++.PP ++.B sulogin_exec_t ++.EE ++ ++- Set files with the sulogin_exec_t type, if you want to transition an executable to the sulogin_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/sulogin, /sbin/sushell, /usr/sbin/sulogin, /usr/sbin/sushell ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -90414,6 +164131,9 @@ index 0000000..debe287 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -90425,13 +164145,15 @@ index 0000000..debe287 + +.SH "SEE ALSO" +selinux(8), sulogin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/svc_multilog_selinux.8 b/man/man8/svc_multilog_selinux.8 new file mode 100644 -index 0000000..723cd0c +index 0000000..2e9b5dc --- /dev/null +++ b/man/man8/svc_multilog_selinux.8 -@@ -0,0 +1,155 @@ -+.TH "svc_multilog_selinux" "8" "12-11-01" "svc_multilog" "SELinux Policy documentation for svc_multilog" +@@ -0,0 +1,213 @@ ++.TH "svc_multilog_selinux" "8" "13-01-16" "svc_multilog" "SELinux Policy documentation for svc_multilog" +.SH "NAME" +svc_multilog_selinux \- Security Enhanced Linux Policy for the svc_multilog processes +.SH "DESCRIPTION" @@ -90447,7 +164169,9 @@ index 0000000..723cd0c + +.SH "ENTRYPOINTS" + -+The svc_multilog_t SELinux type can be entered via the "svc_multilog_exec_t" file type. The default entrypoint paths for the svc_multilog_t domain are the following:" ++The svc_multilog_t SELinux type can be entered via the \fBsvc_multilog_exec_t\fP file type. ++ ++The default entrypoint paths for the svc_multilog_t domain are the following: + +/usr/bin/multilog +.SH PROCESS TYPES 
@@ -90465,34 +164189,52 @@ index 0000000..723cd0c +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a svc_multilog_t ++can be used to make the process type svc_multilog_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux svc_multilog policy is very flexible allowing users to setup their svc_multilog processes in as secure a method as possible. -+.PP -+The following file types are defined for svc_multilog: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. svc_multilog policy is extremely flexible and has several booleans that allow you to manipulate the policy and run svc_multilog with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B svc_multilog_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the svc_multilog_exec_t type, if you want to transition an executable to the svc_multilog_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -90525,8 +164267,6 @@ index 0000000..723cd0c +.br + /var/webmin(/.*)? +.br -+ /var/log/cron[^/]* -+.br + /var/log/secure[^/]* +.br + /opt/zimbra/log(/.*)? 
@@ -90562,7 +164302,44 @@ index 0000000..723cd0c + /var/named/chroot/var/log +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux svc_multilog policy is very flexible allowing users to setup their svc_multilog processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the svc_multilog, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t svc_multilog_exec_t '/srv/svc_multilog/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysvc_multilog_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for svc_multilog: ++ ++ ++.EX ++.PP ++.B svc_multilog_exec_t ++.EE ++ ++- Set files with the svc_multilog_exec_t type, if you want to transition an executable to the svc_multilog_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -90574,6 +164351,9 @@ index 0000000..723cd0c +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -90585,15 +164365,15 @@ index 0000000..723cd0c + +.SH "SEE ALSO" +selinux(8), svc_multilog(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, svc_run_selinux(8), svc_start_selinux(8) ++, setsebool(8), svc_run_selinux(8), svc_start_selinux(8) \ No newline at end of file diff --git a/man/man8/svc_run_selinux.8 b/man/man8/svc_run_selinux.8 new file mode 100644 -index 0000000..81dbe8e +index 0000000..dc13d69 --- /dev/null +++ b/man/man8/svc_run_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "svc_run_selinux" "8" "12-11-01" "svc_run" "SELinux Policy documentation for svc_run" +@@ -0,0 +1,151 @@ ++.TH "svc_run_selinux" "8" "13-01-16" "svc_run" "SELinux Policy documentation for svc_run" +.SH "NAME" +svc_run_selinux \- Security Enhanced Linux Policy for the svc_run processes +.SH "DESCRIPTION" @@ -90609,7 +164389,9 @@ index 0000000..81dbe8e + +.SH "ENTRYPOINTS" + -+The svc_run_t SELinux type can be entered via the "svc_run_exec_t" file type. The default entrypoint paths for the svc_run_t domain are the following:" ++The svc_run_t SELinux type can be entered via the \fBsvc_run_exec_t\fP file type. ++ ++The default entrypoint paths for the svc_run_t domain are the following: + +/var/service/.*/run.*, /var/service/.*/log/run, /var/qmail/supervise/.*/run, /var/qmail/supervise/.*/log/run, /usr/bin/envdir, /usr/bin/fghack, /usr/bin/setlock, /var/axfrdns/run, /var/tinydns/run, /usr/bin/pgrphack, /var/dnscache/run, /usr/bin/envuidgid, /usr/bin/setuidgid, /usr/bin/softlimit, /var/axfrdns/log/run, /var/tinydns/log/run, /var/dnscache/log/run +.SH PROCESS TYPES 
@@ -90627,8 +164409,52 @@ index 0000000..81dbe8e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a svc_run_t ++can be used to make the process type svc_run_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. svc_run policy is extremely flexible and has several booleans that allow you to manipulate the policy and run svc_run with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -90638,7 +164464,20 @@ index 0000000..81dbe8e +Policy governs the access confined processes have to these files. +SELinux svc_run policy is very flexible allowing users to setup their svc_run processes in as secure a method as possible. +.PP -+The following file types are defined for svc_run: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the svc_run, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t svc_run_exec_t '/srv/svc_run/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysvc_run_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for svc_run: + + +.EX @@ -90648,6 +164487,10 @@ index 0000000..81dbe8e + +- Set files with the svc_run_exec_t type, if you want to transition an executable to the svc_run_t domain. + ++.br ++.TP 5 ++Paths: ++/var/service/.*/run.*, /var/service/.*/log/run, /var/qmail/supervise/.*/run, /var/qmail/supervise/.*/log/run, /usr/bin/envdir, /usr/bin/fghack, /usr/bin/setlock, /var/axfrdns/run, /var/tinydns/run, /usr/bin/pgrphack, /var/dnscache/run, /usr/bin/envuidgid, /usr/bin/setuidgid, /usr/bin/softlimit, /var/axfrdns/log/run, /var/tinydns/log/run, /var/dnscache/log/run + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -90656,8 +164499,6 @@ index 0000000..81dbe8e +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -90668,6 +164509,9 @@ index 0000000..81dbe8e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -90679,15 +164523,15 @@ index 0000000..81dbe8e + +.SH "SEE ALSO" +selinux(8), svc_run(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, svc_multilog_selinux(8), svc_start_selinux(8) ++, setsebool(8), svc_multilog_selinux(8), svc_start_selinux(8) \ No newline at end of file diff --git a/man/man8/svc_start_selinux.8 b/man/man8/svc_start_selinux.8 new file mode 100644 -index 0000000..bada5e7 +index 0000000..b1f56ce --- /dev/null +++ b/man/man8/svc_start_selinux.8 -@@ -0,0 +1,109 @@ -+.TH "svc_start_selinux" "8" "12-11-01" "svc_start" "SELinux Policy documentation for svc_start" +@@ -0,0 +1,181 @@ ++.TH "svc_start_selinux" "8" "13-01-16" "svc_start" "SELinux Policy documentation for svc_start" +.SH "NAME" +svc_start_selinux \- Security Enhanced Linux Policy for the svc_start processes +.SH "DESCRIPTION" @@ -90703,7 +164547,9 @@ index 0000000..bada5e7 + +.SH "ENTRYPOINTS" + -+The svc_start_t SELinux type can be entered via the "svc_start_exec_t" file type. The default entrypoint paths for the svc_start_t domain are the following:" ++The svc_start_t SELinux type can be entered via the \fBsvc_start_exec_t\fP file type. ++ ++The default entrypoint paths for the svc_start_t domain are the following: + +/usr/bin/svc, /usr/bin/svok, /usr/bin/svscan, /usr/bin/supervise, /usr/bin/svscanboot +.SH PROCESS TYPES 
@@ -90721,34 +164567,60 @@ index 0000000..bada5e7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a svc_start_t ++can be used to make the process type svc_start_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux svc_start policy is very flexible allowing users to setup their svc_start processes in as secure a method as possible. -+.PP -+The following file types are defined for svc_start: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. svc_start policy is extremely flexible and has several booleans that allow you to manipulate the policy and run svc_start with the tightest access possible. + + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ +.EX -+.PP -+.B svc_start_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the svc_start_exec_t type, if you want to transition an executable to the svc_start_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -90772,7 +164644,48 @@ index 0000000..bada5e7 + /service +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux svc_start policy is very flexible allowing users to setup their svc_start processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the svc_start, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t svc_start_exec_t '/srv/svc_start/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysvc_start_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for svc_start: ++ ++ ++.EX ++.PP ++.B svc_start_exec_t ++.EE ++ ++- Set files with the svc_start_exec_t type, if you want to transition an executable to the svc_start_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/svc, /usr/bin/svok, /usr/bin/svscan, /usr/bin/supervise, /usr/bin/svscanboot ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -90784,6 +164697,9 @@ index 0000000..bada5e7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -90795,15 +164711,879 @@ index 0000000..bada5e7 + +.SH "SEE ALSO" +selinux(8), svc_start(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, svc_multilog_selinux(8), svc_run_selinux(8) ++, setsebool(8), svc_multilog_selinux(8), svc_run_selinux(8) +\ No newline at end of file +diff --git a/man/man8/svirt_lxc_net_selinux.8 b/man/man8/svirt_lxc_net_selinux.8 +new file mode 100644 +index 0000000..3808193 +--- /dev/null ++++ b/man/man8/svirt_lxc_net_selinux.8 +@@ -0,0 +1,172 @@ ++.TH "svirt_lxc_net_selinux" "8" "13-01-16" "svirt_lxc_net" "SELinux Policy documentation for svirt_lxc_net" ++.SH "NAME" ++svirt_lxc_net_selinux \- Security Enhanced Linux Policy for the svirt_lxc_net processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the svirt_lxc_net processes via flexible mandatory access control. ++ ++The svirt_lxc_net processes execute with the svirt_lxc_net_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep svirt_lxc_net_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The svirt_lxc_net_t SELinux type can be entered via the \fBfile_type\fP file type. ++ ++The default entrypoint paths for the svirt_lxc_net_t domain are the following: ++ ++all files on the system ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux svirt_lxc_net policy is very flexible allowing users to setup their svirt_lxc_net processes in as secure a method as possible. ++.PP ++The following process types are defined for svirt_lxc_net: ++ ++.EX ++.B svirt_lxc_net_t ++.EE ++.PP ++Note: ++.B semanage permissive -a svirt_lxc_net_t ++can be used to make the process type svirt_lxc_net_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. svirt_lxc_net policy is extremely flexible and has several booleans that allow you to manipulate the policy and run svirt_lxc_net with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the svirt_lxc_net_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the svirt_lxc_net_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type svirt_lxc_net_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B svirt_lxc_file_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), svirt_lxc_net(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), svirt_selinux(8), svirt_selinux(8), svirt_tcg_selinux(8) +\ No newline at end of file +diff --git a/man/man8/svirt_selinux.8 b/man/man8/svirt_selinux.8 +new file mode 100644 +index 0000000..84fabef +--- /dev/null ++++ b/man/man8/svirt_selinux.8 +@@ -0,0 +1,389 @@ ++.TH "svirt_selinux" "8" "13-01-16" "svirt" "SELinux Policy documentation for svirt" ++.SH "NAME" ++svirt_selinux \- Security Enhanced Linux Policy for the svirt processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the svirt processes via flexible mandatory access control. ++ ++The svirt processes execute with the svirt_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep svirt_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The svirt_t SELinux type can be entered via the \fBqemu_exec_t\fP file type. ++ ++The default entrypoint paths for the svirt_t domain are the following: ++ ++/usr/libexec/qemu.*, /usr/bin/qemu-system-.*, /usr/bin/qemu, /usr/bin/qemu-kvm ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux svirt policy is very flexible allowing users to setup their svirt processes in as secure a method as possible. ++.PP ++The following process types are defined for svirt: ++ ++.EX ++.B svirt_lxc_net_t, svirt_tcg_t, svirt_t ++.EE ++.PP ++Note: ++.B semanage permissive -a svirt_t ++can be used to make the process type svirt_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
svirt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run svirt with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_comm 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P virt_use_fusefs 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_nfs 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to interact with rawip sockets, you must turn on the virt_use_rawip boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_rawip 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_samba 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_sanlock 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean. Enabled by default. ++ ++.EX ++.B setsebool -P virt_use_usb 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_xserver 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the svirt_lxc_net_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the svirt_lxc_net_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type svirt_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B dosfs_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B qemu_var_run_t ++ ++ /var/lib/libvirt/qemu(/.*)? ++.br ++ /var/run/libvirt/qemu(/.*)? ++.br ++ ++.br ++.B svirt_home_t ++ ++ /home/[^/]*/\.libvirt/qemu(/.*)? ++.br ++ /home/[^/]*/\.cache/libvirt/qemu(/.*)? ++.br ++ /home/[^/]*/\.config/libvirt/qemu(/.*)? ++.br ++ /home/[^/]*/\.local/share/gnome-boxes/images(/.*)? ++.br ++ /home/pwalsh/\.libvirt/qemu(/.*)? ++.br ++ /home/pwalsh/\.cache/libvirt/qemu(/.*)? ++.br ++ /home/pwalsh/\.config/libvirt/qemu(/.*)? ++.br ++ /home/pwalsh/\.local/share/gnome-boxes/images(/.*)? ++.br ++ /home/dwalsh/\.libvirt/qemu(/.*)? ++.br ++ /home/dwalsh/\.cache/libvirt/qemu(/.*)? ++.br ++ /home/dwalsh/\.config/libvirt/qemu(/.*)? ++.br ++ /home/dwalsh/\.local/share/gnome-boxes/images(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.libvirt/qemu(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache/libvirt/qemu(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config/libvirt/qemu(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.local/share/gnome-boxes/images(/.*)? ++.br ++ ++.br ++.B svirt_image_t ++ ++ ++.br ++.B svirt_tmp_t ++ ++ ++.br ++.B svirt_tmpfs_t ++ ++ ++.br ++.B tmpfs_t ++ ++ /dev/shm ++.br ++ /lib/udev/devices/shm ++.br ++ /usr/lib/udev/devices/shm ++.br ++ ++.br ++.B usbfs_t ++ ++ ++.br ++.B virt_cache_t ++ ++ /var/cache/oz(/.*)? ++.br ++ /var/cache/libvirt(/.*)? ++.br ++ ++.br ++.B xen_image_t ++ ++ /xen(/.*)? ++.br ++ /var/lib/xen/images(/.*)? ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux svirt policy is very flexible allowing users to setup their svirt processes in as secure a method as possible. 
++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the svirt, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t svirt_home_t '/srv/svirt/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysvirt_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for svirt: ++ ++ ++.EX ++.PP ++.B svirt_home_t ++.EE ++ ++- Set files with the svirt_home_t type, if you want to store svirt files in the users home directory. ++ ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.libvirt/qemu(/.*)?, /home/[^/]*/\.cache/libvirt/qemu(/.*)?, /home/[^/]*/\.config/libvirt/qemu(/.*)?, /home/[^/]*/\.local/share/gnome-boxes/images(/.*)?, /home/pwalsh/\.libvirt/qemu(/.*)?, /home/pwalsh/\.cache/libvirt/qemu(/.*)?, /home/pwalsh/\.config/libvirt/qemu(/.*)?, /home/pwalsh/\.local/share/gnome-boxes/images(/.*)?, /home/dwalsh/\.libvirt/qemu(/.*)?, /home/dwalsh/\.cache/libvirt/qemu(/.*)?, /home/dwalsh/\.config/libvirt/qemu(/.*)?, /home/dwalsh/\.local/share/gnome-boxes/images(/.*)?, /var/lib/xguest/home/xguest/\.libvirt/qemu(/.*)?, /var/lib/xguest/home/xguest/\.cache/libvirt/qemu(/.*)?, /var/lib/xguest/home/xguest/\.config/libvirt/qemu(/.*)?, /var/lib/xguest/home/xguest/\.local/share/gnome-boxes/images(/.*)? ++ ++.EX ++.PP ++.B svirt_image_t ++.EE ++ ++- Set files with the svirt_image_t type, if you want to treat the files as svirt image data. ++ ++ ++.EX ++.PP ++.B svirt_lxc_file_t ++.EE ++ ++- Set files with the svirt_lxc_file_t type, if you want to treat the files as svirt lxc content. ++ ++ ++.EX ++.PP ++.B svirt_tmp_t ++.EE ++ ++- Set files with the svirt_tmp_t type, if you want to store svirt temporary files in the /tmp directories. 
++ ++ ++.EX ++.PP ++.B svirt_tmpfs_t ++.EE ++ ++- Set files with the svirt_tmpfs_t type, if you want to store svirt files on a tmpfs file system. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), svirt(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), svirt_lxc_net_selinux(8), svirt_tcg_selinux(8) +\ No newline at end of file +diff --git a/man/man8/svirt_tcg_selinux.8 b/man/man8/svirt_tcg_selinux.8 +new file mode 100644 +index 0000000..51eac1e +--- /dev/null ++++ b/man/man8/svirt_tcg_selinux.8 +@@ -0,0 +1,282 @@ ++.TH "svirt_tcg_selinux" "8" "13-01-16" "svirt_tcg" "SELinux Policy documentation for svirt_tcg" ++.SH "NAME" ++svirt_tcg_selinux \- Security Enhanced Linux Policy for the svirt_tcg processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the svirt_tcg processes via flexible mandatory access control. ++ ++The svirt_tcg processes execute with the svirt_tcg_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++ ++For example: ++ ++.B ps -eZ | grep svirt_tcg_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The svirt_tcg_t SELinux type can be entered via the \fBqemu_exec_t\fP file type. ++ ++The default entrypoint paths for the svirt_tcg_t domain are the following: ++ ++/usr/libexec/qemu.*, /usr/bin/qemu-system-.*, /usr/bin/qemu, /usr/bin/qemu-kvm ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux svirt_tcg policy is very flexible allowing users to setup their svirt_tcg processes in as secure a method as possible. ++.PP ++The following process types are defined for svirt_tcg: ++ ++.EX ++.B svirt_tcg_t ++.EE ++.PP ++Note: ++.B semanage permissive -a svirt_tcg_t ++can be used to make the process type svirt_tcg_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. svirt_tcg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run svirt_tcg with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_comm 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_fusefs 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_nfs 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to interact with rawip sockets, you must turn on the virt_use_rawip boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_rawip 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_samba 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_sanlock 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P virt_use_usb 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_xserver 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type svirt_tcg_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B dosfs_t ++ ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B qemu_var_run_t ++ ++ /var/lib/libvirt/qemu(/.*)? ++.br ++ /var/run/libvirt/qemu(/.*)? ++.br ++ ++.br ++.B svirt_home_t ++ ++ /home/[^/]*/\.libvirt/qemu(/.*)? ++.br ++ /home/[^/]*/\.cache/libvirt/qemu(/.*)? ++.br ++ /home/[^/]*/\.config/libvirt/qemu(/.*)? ++.br ++ /home/[^/]*/\.local/share/gnome-boxes/images(/.*)? ++.br ++ /home/pwalsh/\.libvirt/qemu(/.*)? ++.br ++ /home/pwalsh/\.cache/libvirt/qemu(/.*)? ++.br ++ /home/pwalsh/\.config/libvirt/qemu(/.*)? ++.br ++ /home/pwalsh/\.local/share/gnome-boxes/images(/.*)? ++.br ++ /home/dwalsh/\.libvirt/qemu(/.*)? ++.br ++ /home/dwalsh/\.cache/libvirt/qemu(/.*)? ++.br ++ /home/dwalsh/\.config/libvirt/qemu(/.*)? ++.br ++ /home/dwalsh/\.local/share/gnome-boxes/images(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.libvirt/qemu(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache/libvirt/qemu(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config/libvirt/qemu(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.local/share/gnome-boxes/images(/.*)? ++.br ++ ++.br ++.B svirt_image_t ++ ++ ++.br ++.B svirt_tmp_t ++ ++ ++.br ++.B svirt_tmpfs_t ++ ++ ++.br ++.B tmpfs_t ++ ++ /dev/shm ++.br ++ /lib/udev/devices/shm ++.br ++ /usr/lib/udev/devices/shm ++.br ++ ++.br ++.B usbfs_t ++ ++ ++.br ++.B virt_cache_t ++ ++ /var/cache/oz(/.*)? ++.br ++ /var/cache/libvirt(/.*)? 
++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), svirt_tcg(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), svirt_selinux(8), svirt_selinux(8), svirt_lxc_net_selinux(8) \ No newline at end of file diff --git a/man/man8/svnserve_selinux.8 b/man/man8/svnserve_selinux.8 new file mode 100644 -index 0000000..19003a2 +index 0000000..ee6447f --- /dev/null +++ b/man/man8/svnserve_selinux.8 -@@ -0,0 +1,138 @@ -+.TH "svnserve_selinux" "8" "12-11-01" "svnserve" "SELinux Policy documentation for svnserve" +@@ -0,0 +1,262 @@ ++.TH "svnserve_selinux" "8" "13-01-16" "svnserve" "SELinux Policy documentation for svnserve" +.SH "NAME" +svnserve_selinux \- Security Enhanced Linux Policy for the svnserve processes +.SH "DESCRIPTION" @@ -90819,7 +165599,9 @@ index 0000000..19003a2 + +.SH "ENTRYPOINTS" + -+The svnserve_t SELinux type can be entered via the "svnserve_exec_t" file type. The default entrypoint paths for the svnserve_t domain are the following:" ++The svnserve_t SELinux type can be entered via the \fBsvnserve_exec_t\fP file type. ++ ++The default entrypoint paths for the svnserve_t domain are the following: + +/usr/bin/svnserve +.SH PROCESS TYPES 
@@ -90837,8 +165619,112 @@ index 0000000..19003a2 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a svnserve_t ++can be used to make the process type svnserve_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. svnserve policy is extremely flexible and has several booleans that allow you to manipulate the policy and run svnserve with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type svnserve_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B svnserve_content_t ++ ++ /var/subversion/repo(/.*)? ++.br ++ /var/lib/subversion/repo(/.*)? ++.br ++ ++.br ++.B svnserve_var_run_t ++ ++ /var/run/svnserve.pid ++.br ++ /var/run/svnserve(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -90848,7 +165734,31 @@ index 0000000..19003a2 +Policy governs the access confined processes have to these files. +SELinux svnserve policy is very flexible allowing users to setup their svnserve processes in as secure a method as possible. +.PP -+The following file types are defined for svnserve: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++svnserve policy stores data with multiple different file context types under the /var/run/svnserve directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/svnserve /srv/svnserve ++.br ++.B restorecon -R -v /srv/svnserve ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the svnserve, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t svnserve_content_t '/srv/svnserve/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysvnserve_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for svnserve: + + +.EX @@ -90858,6 +165768,10 @@ index 0000000..19003a2 + +- Set files with the svnserve_content_t type, if you want to treat the files as svnserve content. + ++.br ++.TP 5 ++Paths: ++/var/subversion/repo(/.*)?, /var/lib/subversion/repo(/.*)? + +.EX +.PP 
@@ -90882,14 +165796,22 @@ index 0000000..19003a2 + +- Set files with the svnserve_unit_file_t type, if you want to treat the files as svnserve unit content. + ++.br ++.TP 5 ++Paths: ++/lib/systemd/system/svnserve\.service, /usr/lib/systemd/system/svnserve\.service + +.EX +.PP +.B svnserve_var_run_t +.EE + -+- Set files with the svnserve_var_run_t type, if you want to store the svnserve files under the /run directory. ++- Set files with the svnserve_var_run_t type, if you want to store the svnserve files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/svnserve.pid, /var/run/svnserve(/.*)? + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -90898,28 +165820,6 @@ index 0000000..19003a2 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type svnserve_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B svnserve_content_t -+ -+ /var/subversion/repo(/.*)? -+.br -+ /var/lib/subversion/repo(/.*)? -+.br -+ -+.br -+.B svnserve_var_run_t -+ -+ /var/run/svnserve.pid -+.br -+ /var/run/svnserve(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -90930,6 +165830,9 @@ index 0000000..19003a2 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -90941,13 +165844,15 @@ index 0000000..19003a2 + +.SH "SEE ALSO" +selinux(8), svnserve(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
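Review bot: the svirt_home_t list in the svirt_tcg_selinux.8 MANAGED FILES hunk publishes per-user paths from the generating host, namely /home/pwalsh/\.libvirt/qemu(/.*)?, /home/dwalsh/\.config/libvirt/qemu(/.*)? and the matching .cache, .config and gnome-boxes entries; these are home-directory template expansions for accounts on a developer machine, not part of the shipped policy, and the same leak appears in the ecryptfs_t and user_home_t lists of sysadm_dbusd_selinux.8 further down. Regenerate the man pages in a clean build root (or restrict the expansion to the generic /home/[^/]* and xguest patterns) before committing them, otherwise the package ships documentation that names developer accounts and mis-states the default labeling.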
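Review bot: the "\fBps\bP" escape in every PROCESS TYPES section (and "\fBls\bP" in every FILE CONTEXTS section) is a groff bug: \b is the bracket-building escape, so the bold font switch opened by \fB is never closed; it should be "\fBps\fP" and "\fBls\fP". This comes from the sepolicy manpage template, as do "rather then using a sssd server", "in a diffent paths", "sepecify", "/srv dirctory" and "Note the processes UID still need to have DAC permissions" (should be "the process's UID still needs"), and the new ".B semanage boolean" COMMANDS entry that lacks the ".PP" the neighbouring entries have. Fix the template and regenerate rather than hand-editing the hundreds of .8 files in this patch.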
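Review bot: the deny_ptrace paragraph in every BOOLEANS section is inverted: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" followed by "setsebool -P deny_ptrace 1" tells the reader to do the opposite of what they want, since turning deny_ptrace on is what removes ptrace. The generator builds the sentence from the boolean's description string, so either the description has to be phrased as what enabling the boolean does (deny ptrace) or the template needs a form for booleans that remove access; as committed, the page gives an instruction that locks the administrator out of debugging.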
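Review bot: in the svnserve_selinux.8 FILE CONTEXTS hunk the STANDARD FILE CONTEXT example adds a mapping for '/srv/svnserve/content(/.*)?' and then runs "restorecon -R -v /srv/mysvnserve_content", a different path, so the two commands as shown never relabel anything; the restorecon should target the path that was just mapped. The EQUIVALENCE DIRECTORIES paragraph above it also says svnserve "stores data with multiple different file context types under the /var/run/svnserve directory" while the page lists only svnserve_var_run_t there; an equivalence example keyed on /var/lib/subversion/repo (svnserve_content_t) would match what an administrator actually relocates.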
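Review bot: the regenerated svnserve_selinux.8 MANAGED FILES section now lists root_t ("/" and "/initrd") as a type svnserve_t can manage, which the previous version of the page (the removed MANAGED FILES block at the end of the file) did not. Because these pages are generated from what the policy actually allows, that is documentation of write access to the root directory for a network-facing Subversion daemon; confirm in the policy which interface grants it and whether it is intended before shipping the page, since a reader will take the list as the sanctioned access set.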
diff --git a/man/man8/swat_selinux.8 b/man/man8/swat_selinux.8 new file mode 100644 -index 0000000..7533603 +index 0000000..277eb39 --- /dev/null +++ b/man/man8/swat_selinux.8 -@@ -0,0 +1,214 @@ -+.TH "swat_selinux" "8" "12-11-01" "swat" "SELinux Policy documentation for swat" +@@ -0,0 +1,297 @@ ++.TH "swat_selinux" "8" "13-01-16" "swat" "SELinux Policy documentation for swat" +.SH "NAME" +swat_selinux \- Security Enhanced Linux Policy for the swat processes +.SH "DESCRIPTION" @@ -90963,7 +165868,9 @@ index 0000000..7533603 + +.SH "ENTRYPOINTS" + -+The swat_t SELinux type can be entered via the "swat_exec_t" file type. The default entrypoint paths for the swat_t domain are the following:" ++The swat_t SELinux type can be entered via the \fBswat_exec_t\fP file type. ++ ++The default entrypoint paths for the swat_t domain are the following: + +/usr/sbin/swat +.SH PROCESS TYPES 
@@ -90981,50 +165888,100 @@ index 0000000..7533603 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a swat_t ++can be used to make the process type swat_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux swat policy is very flexible allowing users to setup their swat processes in as secure a method as possible. -+.PP -+The following file types are defined for swat: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. swat policy is extremely flexible and has several booleans that allow you to manipulate the policy and run swat with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B swat_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the swat_exec_t type, if you want to transition an executable to the swat_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B swat_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the swat_tmp_t type, if you want to store swat temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.PP -+.B swat_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the swat_var_run_t type, if you want to store the swat files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the swat_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the swat_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -91058,26 +166015,12 @@ index 0000000..7533603 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br -+ -+.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br + +.br +.B samba_etc_t @@ -91106,6 +166049,8 @@ index 0000000..7533603 +.br +.B samba_var_t + ++ /var/nmbd(/.*)? ++.br + /var/lib/samba(/.*)? +.br + /var/cache/samba(/.*)? 
@@ -91121,21 +166066,60 @@ index 0000000..7533603 +.B swat_var_run_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux swat policy is very flexible allowing users to setup their swat processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the swat_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the swat, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t swat_exec_t '/srv/swat/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myswat_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for swat: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B swat_exec_t +.EE + ++- Set files with the swat_exec_t type, if you want to transition an executable to the swat_t domain. ++ ++ ++.EX ++.PP ++.B swat_tmp_t ++.EE ++ ++- Set files with the swat_tmp_t type, if you want to store swat temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B swat_var_run_t ++.EE ++ ++- Set files with the swat_var_run_t type, if you want to store the swat files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the swat_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -91150,6 +166134,9 @@ index 0000000..7533603 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -91161,12 +166148,717 @@ index 0000000..7533603 + +.SH "SEE ALSO" +selinux(8), swat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/sysadm_dbusd_selinux.8 b/man/man8/sysadm_dbusd_selinux.8 +new file mode 100644 +index 0000000..9bfe22a +--- /dev/null ++++ b/man/man8/sysadm_dbusd_selinux.8 +@@ -0,0 +1,254 @@ ++.TH "sysadm_dbusd_selinux" "8" "13-01-16" "sysadm_dbusd" "SELinux Policy documentation for sysadm_dbusd" ++.SH "NAME" ++sysadm_dbusd_selinux \- Security Enhanced Linux Policy for the sysadm_dbusd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sysadm_dbusd processes via flexible mandatory access control. ++ ++The sysadm_dbusd processes execute with the sysadm_dbusd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sysadm_dbusd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sysadm_dbusd_t SELinux type can be entered via the \fBdbusd_exec_t\fP file type. ++ ++The default entrypoint paths for the sysadm_dbusd_t domain are the following: ++ ++/usr/bin/dbus-daemon(-1)?, /bin/dbus-daemon, /lib/dbus-1/dbus-daemon-launch-helper, /usr/lib/dbus-1/dbus-daemon-launch-helper ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sysadm_dbusd policy is very flexible allowing users to setup their sysadm_dbusd processes in as secure a method as possible. ++.PP ++The following process types are defined for sysadm_dbusd: ++ ++.EX ++.B sysadm_dbusd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sysadm_dbusd_t ++can be used to make the process type sysadm_dbusd_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sysadm_dbusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sysadm_dbusd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sysadm_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sysadm_dbusd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sysadm_dbusd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? 
++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B session_dbusd_tmp_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmpfs_t ++ ++ /dev/shm/mono.* ++.br ++ /dev/shm/pulse-shm.* ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sysadm_dbusd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sysadm_selinux(8), sysadm_selinux(8), sysadm_passwd_selinux(8), sysadm_screen_selinux(8), sysadm_seunshare_selinux(8), sysadm_ssh_agent_selinux(8), sysadm_su_selinux(8), sysadm_sudo_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sysadm_passwd_selinux.8 b/man/man8/sysadm_passwd_selinux.8 +new file mode 100644 +index 0000000..7ef47c9 +--- /dev/null ++++ b/man/man8/sysadm_passwd_selinux.8 +@@ -0,0 +1,206 @@ ++.TH "sysadm_passwd_selinux" "8" "13-01-16" "sysadm_passwd" "SELinux Policy documentation for sysadm_passwd" ++.SH "NAME" ++sysadm_passwd_selinux \- Security Enhanced Linux Policy for the sysadm_passwd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sysadm_passwd processes via flexible mandatory access control. 
++ ++The sysadm_passwd processes execute with the sysadm_passwd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sysadm_passwd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sysadm_passwd_t SELinux type can be entered via the \fBadmin_passwd_exec_t\fP file type. ++ ++The default entrypoint paths for the sysadm_passwd_t domain are the following: ++ ++/usr/bin/vigr, /usr/bin/vipw, /usr/sbin/vigr, /usr/sbin/vipw, /usr/sbin/pwconv, /usr/sbin/grpconv, /usr/sbin/pwunconv, /usr/sbin/grpunconv ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sysadm_passwd policy is very flexible allowing users to setup their sysadm_passwd processes in as secure a method as possible. ++.PP ++The following process types are defined for sysadm_passwd: ++ ++.EX ++.B sysadm_passwd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sysadm_passwd_t ++can be used to make the process type sysadm_passwd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sysadm_passwd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sysadm_passwd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sysadm_passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sysadm_passwd_t, you must turn on the kerberos_enabled boolean. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sysadm_passwd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B passwd_file_t ++ ++ /etc/group[-\+]? ++.br ++ /etc/passwd[-\+]? ++.br ++ /etc/passwd\.adjunct.* ++.br ++ /etc/ptmptmp ++.br ++ /etc/\.pwd\.lock ++.br ++ /etc/group\.lock ++.br ++ /etc/passwd\.OLD ++.br ++ /etc/passwd\.lock ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B shadow_t ++ ++ /etc/shadow.* ++.br ++ /etc/gshadow.* ++.br ++ /etc/nshadow.* ++.br ++ /var/db/shadow.* ++.br ++ /etc/security/opasswd ++.br ++ /etc/security/opasswd\.old ++.br ++ ++.br ++.B sysadm_passwd_tmp_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), sysadm_passwd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sysadm_selinux(8), sysadm_selinux(8), sysadm_dbusd_selinux(8), sysadm_screen_selinux(8), sysadm_seunshare_selinux(8), sysadm_ssh_agent_selinux(8), sysadm_su_selinux(8), sysadm_sudo_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sysadm_screen_selinux.8 b/man/man8/sysadm_screen_selinux.8 +new file mode 100644 +index 0000000..eda9699 +--- /dev/null ++++ b/man/man8/sysadm_screen_selinux.8 +@@ -0,0 +1,222 @@ ++.TH "sysadm_screen_selinux" "8" "13-01-16" "sysadm_screen" "SELinux Policy documentation for sysadm_screen" ++.SH "NAME" ++sysadm_screen_selinux \- Security Enhanced Linux Policy for the sysadm_screen processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sysadm_screen processes via flexible mandatory access control. ++ ++The sysadm_screen processes execute with the sysadm_screen_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sysadm_screen_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sysadm_screen_t SELinux type can be entered via the \fBscreen_exec_t\fP file type. ++ ++The default entrypoint paths for the sysadm_screen_t domain are the following: ++ ++/usr/bin/tmux, /usr/bin/screen ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sysadm_screen policy is very flexible allowing users to setup their sysadm_screen processes in as secure a method as possible. ++.PP ++The following process types are defined for sysadm_screen: ++ ++.EX ++.B sysadm_screen_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sysadm_screen_t ++can be used to make the process type sysadm_screen_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sysadm_screen policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sysadm_screen with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sysadm_screen_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sysadm_screen_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sysadm_screen_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? 
++.br ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B user_tmp_type ++ ++ all user tmp files ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sysadm_screen(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sysadm_selinux(8), sysadm_selinux(8), sysadm_dbusd_selinux(8), sysadm_passwd_selinux(8), sysadm_seunshare_selinux(8), sysadm_ssh_agent_selinux(8), sysadm_su_selinux(8), sysadm_sudo_selinux(8) +\ No newline at end of file diff --git a/man/man8/sysadm_selinux.8 b/man/man8/sysadm_selinux.8 new file mode 100644 -index 0000000..a815869 +index 0000000..3011326 --- /dev/null +++ b/man/man8/sysadm_selinux.8 -@@ -0,0 +1,532 @@ +@@ -0,0 +1,810 @@ +.TH "sysadm_selinux" "8" "sysadm" "mgrepl@redhat.com" "sysadm SELinux Policy documentation" +.SH "NAME" +sysadm_u \- \fBGeneral system administration role\fP - Security Enhanced Linux Policy @@ -91179,7 +166871,7 @@ index 0000000..a815869 + +The SELinux user will usually login to a system with a context that looks like: + -+.B sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 ++.B sysadm_u:sysadm_r:sysadm_t:s0 - s0:c0.c1023 + +Linux users are automatically assigned an SELinux users at login. +Login programs use the SELinux User to assign initial context to the user's shell. 
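Review bot: the `@@ -91179` hunk in man/man8/sysadm_selinux.8 replaces the example login context `sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023` with `sysadm_u:sysadm_r:sysadm_t:s0 - s0:c0.c1023`, which puts spaces inside the MLS range. A context is printed by `id -Z` and `ps -Z` with the bare `-` separator, and a reader who copies the spaced form into `semanage login` or `chcon` gets a parse error, so the old line was the correct one; restore it (or fix the range formatting in the generator that produced it). In the same file's header, `.TH "sysadm_selinux" "8" "sysadm" "mgrepl@redhat.com" "sysadm SELinux Policy documentation"` has the role name in the date field and an e-mail address in the source field, unlike the other generated pages, which use `"13-01-16"` there; align it with the `.TH title section date source manual` order the rest of the set follows.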
@@ -91324,31 +167016,235 @@ index 0000000..a815869 + + +.PP -+If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether calling user domains can execute Git daemon in the git_session_t domain, you must turn on the git_session_users boolean. Enabled by default. ++ ++.EX ++.B setsebool -P git_session_users 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean. Disabled by default. ++ ++.EX ++.B setsebool -P polipo_session_users 1 ++ ++.EE ++ ++.PP ++If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P postgresql_selinux_unconfined_dbadm 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_mysql_connect_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_postgresql_connect_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_rw_noexattrfile 1 ++ ++.EE ++ ++.PP ++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_tcp_server 1 ++ ++.EE ++ ++.PP ++If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_use_ssh_chroot 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. + +.EX +.B setsebool -P ssh_sysadm_login 1 ++ +.EE + +.PP -+If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Disabled by default. + +.EX +.B setsebool -P xdm_sysadm_login 1 ++ +.EE + +.PP -+If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. + +.EX -+.B setsebool -P ssh_sysadm_login 1 ++.B setsebool -P xserver_clients_write_xshm 1 ++ +.EE + +.PP -+If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. + +.EX -+.B setsebool -P xdm_sysadm_login 1 ++.B setsebool -P xserver_object_manager 1 ++ +.EE + +.SH HOME_EXEC @@ -91401,6 +167297,10 @@ index 0000000..a815869 + + +.br ++.B cifs_t ++ ++ ++.br +.B etc_runtime_t + + /[^/]+ 
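Review bot: several boolean descriptions added in the `@@ -91324` hunk of man/man8/sysadm_selinux.8 give advice that is the inverse of the boolean's effect. `If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean` tells the reader to enable a denial in order to obtain the permission; turning deny_ptrace on removes ptrace, so this sentence (and the `setsebool -P deny_ptrace 1` example under it) should say "turn off" / `0`. The secure_mode_policyload entry is also garbled (`If you want to boolean to determine whether the system permits loading policy, ...`), and its `Enabled by default` claim contradicts the page itself, which relies on `setsebool -P` working and states that once the boolean is set you have to reboot to undo it. Since the page is auto-generated by `sepolicy manpage`, the fix belongs in the generator's handling of descriptions that begin with "Deny"/"Disallow" and in its default-state lookup rather than in hand edits to this file.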
@@ -91421,10 +167321,10 @@ index 0000000..a815869 +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -91433,10 +167333,10 @@ index 0000000..a815869 +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE @@ -91465,6 +167365,10 @@ index 0000000..a815869 +.br + /home/[^/]*/\.ICEauthority.* +.br ++ /home/pwalsh/\.DCOP.* ++.br ++ /home/pwalsh/\.ICEauthority.* ++.br + /home/dwalsh/\.DCOP.* +.br + /home/dwalsh/\.ICEauthority.* @@ -91475,6 +167379,26 @@ index 0000000..a815869 +.br + +.br ++.B irc_home_t ++ ++ /home/[^/]*/\.irssi(/.*)? ++.br ++ /home/[^/]*/\.ircmotd ++.br ++ /home/pwalsh/\.irssi(/.*)? ++.br ++ /home/pwalsh/\.ircmotd ++.br ++ /home/dwalsh/\.irssi(/.*)? ++.br ++ /home/dwalsh/\.ircmotd ++.br ++ /var/lib/xguest/home/xguest/\.irssi(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ircmotd ++.br ++ ++.br +.B krb5_host_rcache_t + + /var/cache/krb5rcache(/.*)? @@ -91519,6 +167443,10 @@ index 0000000..a815869 +.br + +.br ++.B postfix_spool_type ++ ++ ++.br +.B screen_home_t + + /root/\.screen(/.*)? @@ -91527,6 +167455,10 @@ index 0000000..a815869 +.br + /home/[^/]*/\.screenrc +.br ++ /home/pwalsh/\.screen(/.*)? ++.br ++ /home/pwalsh/\.screenrc ++.br + /home/dwalsh/\.screen(/.*)? +.br + /home/dwalsh/\.screenrc @@ -91571,6 +167503,12 @@ index 0000000..a815869 +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? @@ -91593,6 +167531,8 @@ index 0000000..a815869 +.br + /home/[^/]*/\.fonts(/.*)? +.br ++ /home/pwalsh/\.fonts(/.*)? ++.br + /home/dwalsh/\.fonts(/.*)? +.br + /var/lib/xguest/home/xguest/\.fonts(/.*)? 
@@ -91603,6 +167543,8 @@ index 0000000..a815869 + + /home/[^/]*/.+ +.br ++ /home/pwalsh/.+ ++.br + /home/dwalsh/.+ +.br + /var/lib/xguest/home/xguest/.+ @@ -91627,6 +167569,26 @@ index 0000000..a815869 +.br + +.br ++.B vmware_conf_t ++ ++ /home/[^/]*/\.vmware[^/]*/.*\.cfg ++.br ++ /home/pwalsh/\.vmware[^/]*/.*\.cfg ++.br ++ /home/dwalsh/\.vmware[^/]*/.*\.cfg ++.br ++ /var/lib/xguest/home/xguest/\.vmware[^/]*/.*\.cfg ++.br ++ ++.br ++.B vmware_tmp_t ++ ++ ++.br ++.B vmware_tmpfs_t ++ ++ ++.br +.B xauth_home_t + + /root/\.xauth.* @@ -91653,6 +167615,14 @@ index 0000000..a815869 +.br + /home/[^/]*/\.Xauthority.* +.br ++ /home/pwalsh/\.xauth.* ++.br ++ /home/pwalsh/\.Xauth.* ++.br ++ /home/pwalsh/\.serverauth.* ++.br ++ /home/pwalsh/\.Xauthority.* ++.br + /home/dwalsh/\.xauth.* +.br + /home/dwalsh/\.Xauth.* 
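Review bot: the `@@ -91465`, `@@ -91527`, `@@ -91571`, `@@ -91593`, `@@ -91603`, `@@ -91627` and `@@ -91653` hunks add `/home/pwalsh/...` entries (next to the `/home/dwalsh/...` lines already present) to the HOME_EXEC and MANAGED FILES listings of sysadm_selinux.8. These are per-user home-directory contexts from the machine the page was generated on, not defaults of the shipped policy; a packaged man page should carry only the generic `/home/[^/]*/...` pattern and the xguest path the policy itself defines. Regenerate on a system with no local `semanage` customizations, and preferably have the generator sort its output, since the remaining churn in `@@ -91421` and `@@ -91433` is pure reordering of `/\.autofsck` against `/forcefsck` and `/etc/killpower` against `/etc/nohotplug`.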
@@ -91698,15 +167668,1039 @@ index 0000000..a815869 + +.SH "SEE ALSO" +selinux(8), sysadm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8) ++, setsebool(8), sysadm_dbusd_selinux(8), sysadm_passwd_selinux(8), sysadm_screen_selinux(8), sysadm_seunshare_selinux(8), sysadm_ssh_agent_selinux(8), sysadm_su_selinux(8), sysadm_sudo_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sysadm_seunshare_selinux.8 b/man/man8/sysadm_seunshare_selinux.8 +new file mode 100644 +index 0000000..78f78f1 +--- /dev/null ++++ b/man/man8/sysadm_seunshare_selinux.8 +@@ -0,0 +1,202 @@ ++.TH "sysadm_seunshare_selinux" "8" "13-01-16" "sysadm_seunshare" "SELinux Policy documentation for sysadm_seunshare" ++.SH "NAME" ++sysadm_seunshare_selinux \- Security Enhanced Linux Policy for the sysadm_seunshare processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sysadm_seunshare processes via flexible mandatory access control. ++ ++The sysadm_seunshare processes execute with the sysadm_seunshare_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sysadm_seunshare_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sysadm_seunshare_t SELinux type can be entered via the \fBseunshare_exec_t\fP file type. ++ ++The default entrypoint paths for the sysadm_seunshare_t domain are the following: ++ ++/usr/sbin/seunshare ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sysadm_seunshare policy is very flexible allowing users to setup their sysadm_seunshare processes in as secure a method as possible. 
++.PP ++The following process types are defined for sysadm_seunshare: ++ ++.EX ++.B sysadm_seunshare_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sysadm_seunshare_t ++can be used to make the process type sysadm_seunshare_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sysadm_seunshare policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sysadm_seunshare with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sysadm_seunshare_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sysadm_seunshare_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sysadm_seunshare_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_tmpfs_type ++ ++ all sandbox content in tmpfs file systems ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sysadm_seunshare(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sysadm_selinux(8), sysadm_selinux(8), sysadm_dbusd_selinux(8), sysadm_passwd_selinux(8), sysadm_screen_selinux(8), sysadm_ssh_agent_selinux(8), sysadm_su_selinux(8), sysadm_sudo_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sysadm_ssh_agent_selinux.8 b/man/man8/sysadm_ssh_agent_selinux.8 +new file mode 100644 +index 0000000..0d49f97 +--- /dev/null ++++ b/man/man8/sysadm_ssh_agent_selinux.8 +@@ -0,0 +1,224 @@ ++.TH "sysadm_ssh_agent_selinux" "8" "13-01-16" "sysadm_ssh_agent" "SELinux Policy documentation for sysadm_ssh_agent" ++.SH "NAME" ++sysadm_ssh_agent_selinux \- Security Enhanced Linux Policy for the sysadm_ssh_agent processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sysadm_ssh_agent processes via flexible mandatory access control. ++ ++The sysadm_ssh_agent processes execute with the sysadm_ssh_agent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++ ++For example: ++ ++.B ps -eZ | grep sysadm_ssh_agent_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sysadm_ssh_agent_t SELinux type can be entered via the \fBssh_agent_exec_t\fP file type. ++ ++The default entrypoint paths for the sysadm_ssh_agent_t domain are the following: ++ ++/usr/bin/ssh-agent ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sysadm_ssh_agent policy is very flexible allowing users to setup their sysadm_ssh_agent processes in as secure a method as possible. ++.PP ++The following process types are defined for sysadm_ssh_agent: ++ ++.EX ++.B sysadm_ssh_agent_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sysadm_ssh_agent_t ++can be used to make the process type sysadm_ssh_agent_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sysadm_ssh_agent policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sysadm_ssh_agent with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sysadm_ssh_agent_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sysadm_ssh_agent_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sysadm_ssh_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), sysadm_ssh_agent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sysadm_selinux(8), sysadm_selinux(8), sysadm_dbusd_selinux(8), sysadm_passwd_selinux(8), sysadm_screen_selinux(8), sysadm_seunshare_selinux(8), sysadm_su_selinux(8), sysadm_sudo_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sysadm_su_selinux.8 b/man/man8/sysadm_su_selinux.8 +new file mode 100644 +index 0000000..e843008 +--- /dev/null ++++ b/man/man8/sysadm_su_selinux.8 +@@ -0,0 +1,244 @@ ++.TH "sysadm_su_selinux" "8" "13-01-16" "sysadm_su" "SELinux Policy documentation for sysadm_su" ++.SH "NAME" ++sysadm_su_selinux \- Security Enhanced Linux Policy for the sysadm_su processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sysadm_su processes via flexible mandatory access control. ++ ++The sysadm_su processes execute with the sysadm_su_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep sysadm_su_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sysadm_su_t SELinux type can be entered via the \fBsu_exec_t\fP file type. ++ ++The default entrypoint paths for the sysadm_su_t domain are the following: ++ ++/usr/(local/)?bin/ksu, /bin/su, /usr/bin/su, /usr/bin/kdesu ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sysadm_su policy is very flexible allowing users to setup their sysadm_su processes in as secure a method as possible. ++.PP ++The following process types are defined for sysadm_su: ++ ++.EX ++.B sysadm_su_t, sysadm_sudo_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sysadm_su_t ++can be used to make the process type sysadm_su_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sysadm_su policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sysadm_su with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to enable polyinstantiated directory support, you must turn on the polyinstantiation_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P polyinstantiation_enabled 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sysadm_su_t, sysadm_sudo_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sysadm_su_t, sysadm_sudo_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sysadm_su_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? 
++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B lastlog_t ++ ++ /var/log/lastlog.* ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sysadm_su(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sysadm_selinux(8), sysadm_selinux(8), sysadm_dbusd_selinux(8), sysadm_passwd_selinux(8), sysadm_screen_selinux(8), sysadm_seunshare_selinux(8), sysadm_ssh_agent_selinux(8), sysadm_sudo_selinux(8) +\ No newline at end of file +diff --git a/man/man8/sysadm_sudo_selinux.8 b/man/man8/sysadm_sudo_selinux.8 +new file mode 100644 +index 0000000..b5f93cb +--- /dev/null ++++ b/man/man8/sysadm_sudo_selinux.8 +@@ -0,0 +1,326 @@ ++.TH "sysadm_sudo_selinux" "8" "13-01-16" "sysadm_sudo" "SELinux Policy documentation for sysadm_sudo" ++.SH "NAME" ++sysadm_sudo_selinux \- Security Enhanced Linux Policy for the sysadm_sudo processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the sysadm_sudo processes via flexible mandatory access control. ++ ++The sysadm_sudo processes execute with the sysadm_sudo_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++ ++For example: ++ ++.B ps -eZ | grep sysadm_sudo_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The sysadm_sudo_t SELinux type can be entered via the \fBsudo_exec_t\fP file type. ++ ++The default entrypoint paths for the sysadm_sudo_t domain are the following: ++ ++/usr/bin/sudo(edit)? ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux sysadm_sudo policy is very flexible allowing users to setup their sysadm_sudo processes in as secure a method as possible. ++.PP ++The following process types are defined for sysadm_sudo: ++ ++.EX ++.B sysadm_sudo_t ++.EE ++.PP ++Note: ++.B semanage permissive -a sysadm_sudo_t ++can be used to make the process type sysadm_sudo_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sysadm_sudo policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sysadm_sudo with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sysadm_sudo_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sysadm_sudo_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type sysadm_sudo_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B pam_var_run_t ++ ++ /var/(db|lib|adm)/sudo(/.*)? ++.br ++ /var/run/sudo(/.*)? ++.br ++ /var/run/sepermit(/.*)? ++.br ++ /var/run/pam_mount(/.*)? 
++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B sudo_db_t ++ ++ /var/db/sudo(/.*)? ++.br ++ ++.br ++.B sysadm_sudo_tmp_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sysadm_sudo(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), sysadm_selinux(8), sysadm_selinux(8), sysadm_dbusd_selinux(8), sysadm_passwd_selinux(8), sysadm_screen_selinux(8), sysadm_seunshare_selinux(8), sysadm_ssh_agent_selinux(8), sysadm_su_selinux(8), sysadm_su_selinux(8) \ No newline at end of file diff --git a/man/man8/syslogd_selinux.8 b/man/man8/syslogd_selinux.8 new file mode 100644 -index 0000000..6ebf4fa +index 0000000..353f786 --- /dev/null +++ b/man/man8/syslogd_selinux.8 -@@ -0,0 +1,286 @@ -+.TH "syslogd_selinux" "8" "12-11-01" "syslogd" "SELinux Policy documentation for syslogd" +@@ -0,0 +1,437 @@ ++.TH "syslogd_selinux" "8" "13-01-16" "syslogd" "SELinux Policy documentation for syslogd" +.SH "NAME" +syslogd_selinux \- Security Enhanced Linux Policy for the syslogd processes +.SH "DESCRIPTION" 
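Review bot: the MANAGED FILES section of the new sysadm_sudo_selinux.8 in this hunk leaks developer-local labeling into a packaged man page: entries such as `/home/pwalsh/\.Private(/.*)?` and `/tmp/gconfd-dwalsh` under ecryptfs_t, user_home_t and user_tmp_t come from per-user semanage mappings on the machine where `sepolicy manpage` was run, not from the shipped policy, and should be dropped by regenerating the pages on a clean system. Two generator defects also show in both sysadm_su_selinux.8 and sysadm_sudo_selinux.8 and belong in sepolicy rather than this patch: `You can see the context of a process using the \fB\-Z\fP option to \fBps\bP` uses the invalid troff escape `\bP` where `\fP` is meant, and the SEE ALSO lists repeat entries (sysadm_selinux(8) twice, sysadm_su_selinux(8) twice) on a continuation line that begins with a bare comma. The deny_ptrace paragraph reads backwards as well: `If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean` describes the effect of turning the boolean off, since enabling deny_ptrace is what removes ptrace access; and "rather then using a sssd server" should read "rather than". The NSSWITCH DOMAIN section then repeats the authlogin_nsswitch_use_ldap and kerberos_enabled paragraphs that BOOLEANS already lists, which is redundant output from the same template.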
@@ -91722,7 +168716,9 @@ index 0000000..6ebf4fa + +.SH "ENTRYPOINTS" + -+The syslogd_t SELinux type can be entered via the "syslogd_exec_t" file type. The default entrypoint paths for the syslogd_t domain are the following:" ++The syslogd_t SELinux type can be entered via the \fBsyslogd_exec_t\fP file type. ++ ++The default entrypoint paths for the syslogd_t domain are the following: + +/sbin/syslogd, /sbin/minilogd, /sbin/rsyslogd, /sbin/syslog-ng, /usr/sbin/metalog, /usr/sbin/syslogd, /usr/sbin/minilogd, /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-journald, /usr/lib/systemd/systemd-kmsg-syslogd +.SH PROCESS TYPES 
@@ -91740,107 +168736,141 @@ index 0000000..6ebf4fa +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a syslogd_t ++can be used to make the process type syslogd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. syslogd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run syslogd with the tightest access possible. + + +.PP -+If you want to allow syslogd the ability to read/write terminals, you must turn on the logging_syslogd_use_tty boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P logging_syslogd_use_tty 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean. Disabled by default. + +.EX +.B setsebool -P logging_syslogd_can_sendmail 1 ++ +.EE + +.PP -+If you want to allow syslogd the ability to read/write terminals, you must turn on the logging_syslogd_use_tty boolean. ++If you want to allow syslogd the ability to read/write terminals, you must turn on the logging_syslogd_use_tty boolean. Disabled by default. + +.EX +.B setsebool -P logging_syslogd_use_tty 1 ++ +.EE + +.PP -+If you want to allow syslogd daemon to send mail, you must turn on the logging_syslogd_can_sendmail boolean. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.B setsebool -P logging_syslogd_can_sendmail 1 ++.B setsebool -P nis_enabled 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. 
+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux syslogd policy is very flexible allowing users to setup their syslogd processes in as secure a method as possible. -+.PP -+The following file types are defined for syslogd: -+ ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + +.EX -+.PP -+.B syslogd_exec_t ++.B setsebool -P nscd_use_shm 1 ++ +.EE + -+- Set files with the syslogd_exec_t type, if you want to transition an executable to the syslogd_t domain. ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the syslogd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B syslogd_initrc_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the syslogd_initrc_exec_t type, if you want to transition an executable to the syslogd_initrc_t domain. -+ ++.PP ++If you want to allow confined applications to run with kerberos for the syslogd_t, you must turn on the kerberos_enabled boolean. + +.EX -+.PP -+.B syslogd_keytab_t ++.B setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the syslogd_keytab_t type, if you want to treat the files as kerberos keytab files. -+ -+ -+.EX -+.PP -+.B syslogd_tmp_t -+.EE -+ -+- Set files with the syslogd_tmp_t type, if you want to store syslogd temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B syslogd_var_lib_t -+.EE -+ -+- Set files with the syslogd_var_lib_t type, if you want to store the syslogd files under the /var/lib directory. -+ -+ -+.EX -+.PP -+.B syslogd_var_run_t -+.EE -+ -+- Set files with the syslogd_var_run_t type, if you want to store the syslogd files under the /run directory. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP @@ -91856,7 +168886,7 @@ index 0000000..6ebf4fa + +.EX +.TP 5 -+.B syslogd_port_t ++.B syslog_tls_port_t +.TP 10 +.EE + @@ -91864,7 +168894,18 @@ index 0000000..6ebf4fa +Default Defined Ports: +tcp 6514 +.EE -+udp 514,6514 ++udp 6514 ++.EE ++ ++.EX ++.TP 5 ++.B syslogd_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++udp 514 +.EE +.SH "MANAGED FILES" + @@ -91901,6 +168942,14 @@ index 0000000..6ebf4fa +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux @@ -91919,6 +168968,8 @@ index 0000000..6ebf4fa +.br + /var/lib/syslog-ng.persist +.br ++ /var/lib/misc/syslog-ng.persist-? ++.br + +.br +.B syslogd_var_run_t 
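Review bot: the .EX/.EE macros in the PORT TYPES block of the `@@ -91864,7 +168894,18 @@` hunk are unbalanced: after `Default Defined Ports:` the lines `tcp 6514`, `.EE`, `udp 6514`, `.EE` close the example twice and leave the udp line outside it, and the `.TP 5` / `.TP 10` pairs wrapped in `.EX`/`.EE` with no tagged-paragraph text after them render as empty paragraphs; this is a template bug in the sepolicy manpage generator and should be fixed there so every regenerated page picks it up. Separately, the page now documents 6514/tcp and 6514/udp as syslog_tls_port_t and only 514/udp as syslogd_port_t, where the previous text had `udp 514,6514` under syslogd_port_t; please confirm the matching corenetwork port definition is part of this update so the documentation and the loaded policy agree. In the preceding `@@ -91740,107 +168736,141 @@` hunk, removing the duplicated logging_syslogd_use_tty and logging_syslogd_can_sendmail paragraphs is the right fix, but the inverted deny_ptrace wording noted for the sysadm pages recurs here.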
@@ -91948,22 +168999,116 @@ index 0000000..6ebf4fa + /usr/lib/udev/devices/shm +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux syslogd policy is very flexible allowing users to setup their syslogd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the syslogd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the syslogd_t, you must turn on the kerberos_enabled boolean. ++syslogd policy stores data with multiple different file context types under the /var/run/syslog-ng directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/syslog-ng /srv/syslog-ng ++.br ++.B restorecon -R -v /srv/syslog-ng ++.PP ++ ++.PP ++syslogd policy stores data with multiple different file context types under the /var/lib/syslog-ng directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. 
If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/syslog-ng /srv/syslog-ng ++.br ++.B restorecon -R -v /srv/syslog-ng ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the syslogd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t syslogd_exec_t '/srv/syslogd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysyslogd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for syslogd: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B syslogd_exec_t +.EE + ++- Set files with the syslogd_exec_t type, if you want to transition an executable to the syslogd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/syslogd, /sbin/minilogd, /sbin/rsyslogd, /sbin/syslog-ng, /usr/sbin/metalog, /usr/sbin/syslogd, /usr/sbin/minilogd, /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-journald, /usr/lib/systemd/systemd-kmsg-syslogd ++ ++.EX ++.PP ++.B syslogd_initrc_exec_t ++.EE ++ ++- Set files with the syslogd_initrc_exec_t type, if you want to transition an executable to the syslogd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B syslogd_keytab_t ++.EE ++ ++- Set files with the syslogd_keytab_t type, if you want to treat the files as kerberos keytab files. ++ ++ ++.EX ++.PP ++.B syslogd_tmp_t ++.EE ++ ++- Set files with the syslogd_tmp_t type, if you want to store syslogd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B syslogd_var_lib_t ++.EE ++ ++- Set files with the syslogd_var_lib_t type, if you want to store the syslogd files under the /var/lib directory. 
++ ++.br ++.TP 5 ++Paths: ++/var/lib/r?syslog(/.*)?, /var/lib/syslog-ng(/.*)?, /var/lib/syslog-ng.persist, /var/lib/misc/syslog-ng.persist-? ++ ++.EX ++.PP ++.B syslogd_var_run_t ++.EE ++ ++- Set files with the syslogd_var_run_t type, if you want to store the syslogd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/log(/.*)?, /var/run/syslog-ng.ctl, /var/log/syslog-ng(/.*)?, /var/run/syslog-ng(/.*)?, /var/run/systemd/journal(/.*)?, /var/run/metalog\.pid, /var/run/syslogd\.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -91995,11 +169140,11 @@ index 0000000..6ebf4fa \ No newline at end of file diff --git a/man/man8/sysstat_selinux.8 b/man/man8/sysstat_selinux.8 new file mode 100644 -index 0000000..a41e354 +index 0000000..3d38904 --- /dev/null +++ b/man/man8/sysstat_selinux.8 -@@ -0,0 +1,124 @@ -+.TH "sysstat_selinux" "8" "12-11-01" "sysstat" "SELinux Policy documentation for sysstat" +@@ -0,0 +1,227 @@ ++.TH "sysstat_selinux" "8" "13-01-16" "sysstat" "SELinux Policy documentation for sysstat" +.SH "NAME" +sysstat_selinux \- Security Enhanced Linux Policy for the sysstat processes +.SH "DESCRIPTION" @@ -92015,7 +169160,9 @@ index 0000000..a41e354 + +.SH "ENTRYPOINTS" + -+The sysstat_t SELinux type can be entered via the "sysstat_exec_t" file type. The default entrypoint paths for the sysstat_t domain are the following:" ++The sysstat_t SELinux type can be entered via the \fBsysstat_exec_t\fP file type. ++ ++The default entrypoint paths for the sysstat_t domain are the following: + +/usr/lib/sa/sa.*, /usr/lib/atsar/atsa.*, /usr/lib/sysstat/sa.* +.SH PROCESS TYPES 
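Review bot: the two EQUIVALENCE DIRECTORIES examples in the `@@ -91948,22 +168999,116 @@` hunk cannot both be followed: `semanage fcontext -a -e /var/run/syslog-ng /srv/syslog-ng` and `semanage fcontext -a -e /var/lib/syslog-ng /srv/syslog-ng` map two different source directories onto the same target, and semanage rejects the second call because an equivalence for /srv/syslog-ng already exists; the generator should derive distinct targets per source directory (for example /srv/run/syslog-ng and /srv/lib/syslog-ng) or emit a single example. The STANDARD FILE CONTEXT example has the same disconnect: the semanage line labels /srv/syslogd/content(/.*)? while the follow-up is `restorecon -R -v /srv/mysyslogd_content`, so the relabel never touches the path that was just mapped, and using the entrypoint type syslogd_exec_t to label an arbitrary content directory is a poor illustration when syslogd_var_lib_t is the type a reader would actually want. "dirctory", "diffent" and "sepecify" are misspelled, and `\fBls\bP` repeats the invalid `\bP` escape. All of these come from the sepolicy manpage template; fix it there and regenerate rather than patching the generated text.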
@@ -92033,8 +169180,108 @@ index 0000000..a41e354 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a sysstat_t ++can be used to make the process type sysstat_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sysstat policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sysstat with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the sysstat_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sysstat_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -92044,7 +169291,20 @@ index 0000000..a41e354 +Policy governs the access confined processes have to these files. +SELinux sysstat policy is very flexible allowing users to setup their sysstat processes in as secure a method as possible. +.PP -+The following file types are defined for sysstat: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the sysstat, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t sysstat_exec_t '/srv/sysstat/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysysstat_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for sysstat: + + +.EX @@ -92054,6 +169314,18 @@ index 0000000..a41e354 + +- Set files with the sysstat_exec_t type, if you want to transition an executable to the sysstat_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/lib/sa/sa.*, /usr/lib/atsar/atsa.*, /usr/lib/sysstat/sa.* ++ ++.EX ++.PP ++.B sysstat_initrc_exec_t ++.EE ++ ++- Set files with the sysstat_initrc_exec_t type, if you want to transition an executable to the sysstat_initrc_t domain. ++ + +.EX +.PP @@ -92062,6 +169334,10 @@ index 0000000..a41e354 + +- Set files with the sysstat_log_t type, if you want to treat the data as sysstat log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/sa(/.*)?, /opt/sartest(/.*)?, /var/log/atsar(/.*)?, /var/log/sysstat(/.*)? + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
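Review bot: the description of sysstat_initrc_exec_t added in this hunk is wrong: `Set files with the sysstat_initrc_exec_t type, if you want to transition an executable to the sysstat_initrc_t domain` names a sysstat_initrc_t domain that does not exist; init scripts labeled with a *_initrc_exec_t type run in the shared initrc_t domain, so the generator's sentence template for initrc_exec types needs correcting (the same sentence appears for syslogd_initrc_exec_t in syslogd_selinux.8). The STANDARD FILE CONTEXT example again pairs `semanage fcontext -a -t sysstat_exec_t '/srv/sysstat/content(/.*)?'` with `restorecon -R -v /srv/mysysstat_content`, so the restorecon path does not match the mapping just added, and labeling a content directory with the exec type is the wrong demonstration; sysstat_log_t, which the page lists just below with its /var/log/sa(/.*)? paths, would be the natural example. Both are template issues in sepolicy manpage and affect every page in this patch.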
@@ -92070,9 +169346,398 @@ index 0000000..a41e354 +.B restorecon +to apply the labels. + ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), sysstat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/system_cronjob_selinux.8 b/man/man8/system_cronjob_selinux.8 +new file mode 100644 +index 0000000..103dda3 +--- /dev/null ++++ b/man/man8/system_cronjob_selinux.8 +@@ -0,0 +1,440 @@ ++.TH "system_cronjob_selinux" "8" "13-01-16" "system_cronjob" "SELinux Policy documentation for system_cronjob" ++.SH "NAME" ++system_cronjob_selinux \- Security Enhanced Linux Policy for the system_cronjob processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the system_cronjob processes via flexible mandatory access control. ++ ++The system_cronjob processes execute with the system_cronjob_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep system_cronjob_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The system_cronjob_t SELinux type can be entered via the \fBsystem_cron_spool_t, shell_exec_t, anacron_exec_t\fP file types. 
++ ++The default entrypoint paths for the system_cronjob_t domain are the following: ++ ++/etc/cron\.d(/.*)?, /var/spool/anacron(/.*)?, /etc/crontab, /var/spool/fcron/systab, /var/spool/fcron/new\.systab, /var/spool/fcron/systab\.orig, /bin/d?ash, /bin/zsh.*, /bin/ksh.*, /usr/bin/d?ash, /usr/bin/ksh.*, /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash, /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/fish, /usr/bin/bash, /usr/bin/mksh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-shell, /usr/libexec/git-core/git-shell, /usr/sbin/anacron ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux system_cronjob policy is very flexible allowing users to setup their system_cronjob processes in as secure a method as possible. ++.PP ++The following process types are defined for system_cronjob: ++ ++.EX ++.B system_cronjob_t ++.EE ++.PP ++Note: ++.B semanage permissive -a system_cronjob_t ++can be used to make the process type system_cronjob_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. system_cronjob policy is extremely flexible and has several booleans that allow you to manipulate the policy and run system_cronjob with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow system cron jobs to relabel filesystem for restoring file contexts, you must turn on the cron_can_relabel boolean. Enabled by default. ++ ++.EX ++.B setsebool -P cron_can_relabel 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the system_cronjob_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the system_cronjob_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ +.SH "MANAGED FILES" + -+The SELinux process type sysstat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++The SELinux process type system_cronjob_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cron_log_t ++ ++ /var/log/rpmpkgs.* ++.br ++ ++.br ++.B cron_spool_t ++ ++ /var/spool/fcron ++.br ++ /var/spool/cron/crontabs ++.br ++ ++.br ++.B cron_var_lib_t ++ ++ /var/lib/glpi/files(/.*)? ++.br ++ ++.br ++.B cron_var_run_t ++ ++ ++.br ++.B cyrus_var_lib_t ++ ++ /var/imap(/.*)? ++.br ++ /var/lib/imap(/.*)? ++.br ++ ++.br ++.B etc_runtime_t ++ ++ /[^/]+ ++.br ++ /etc/mtab.* ++.br ++ /etc/blkid(/.*)? 
++.br ++ /etc/nologin.* ++.br ++ /etc/\.fstab\.hal\..+ ++.br ++ /halt ++.br ++ /fastboot ++.br ++ /poweroff ++.br ++ /etc/cmtab ++.br ++ /forcefsck ++.br ++ /\.autofsck ++.br ++ /\.suspended ++.br ++ /fsckoptions ++.br ++ /\.autorelabel ++.br ++ /etc/securetty ++.br ++ /etc/nohotplug ++.br ++ /etc/killpower ++.br ++ /etc/ioctl\.save ++.br ++ /etc/fstab\.REVOKE ++.br ++ /etc/network/ifstate ++.br ++ /etc/sysconfig/hwconf ++.br ++ /etc/ptal/ptal-printd-like ++.br ++ /etc/sysconfig/iptables\.save ++.br ++ /etc/xorg\.conf\.d/00-system-setup-keyboard\.conf ++.br ++ /etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf ++.br ++ ++.br ++.B innd_log_t ++ ++ /var/log/news.* ++.br ++ ++.br ++.B innd_var_run_t ++ ++ /var/run/innd(/.*)? ++.br ++ /var/run/news(/.*)? ++.br ++ /var/run/innd\.pid ++.br ++ /var/run/news\.pid ++.br ++ ++.br ++.B prelink_log_t ++ ++ /var/log/prelink(/.*)? ++.br ++ /var/log/prelink\.log.* ++.br ++ ++.br ++.B prelink_var_lib_t ++ ++ /var/lib/prelink(/.*)? ++.br ++ /var/lib/misc/prelink.* ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B rpm_log_t ++ ++ /var/log/yum\.log.* ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B spamc_home_t ++ ++ /root/\.pyzor(/.*)? ++.br ++ /root/\.spamd(/.*)? ++.br ++ /root/\.razor(/.*)? ++.br ++ /root/\.spamassassin(/.*)? ++.br ++ /home/[^/]*/\.pyzor(/.*)? ++.br ++ /home/[^/]*/\.spamd(/.*)? ++.br ++ /home/[^/]*/\.razor(/.*)? ++.br ++ /home/[^/]*/\.spamassassin(/.*)? ++.br ++ /home/pwalsh/\.pyzor(/.*)? ++.br ++ /home/pwalsh/\.spamd(/.*)? ++.br ++ /home/pwalsh/\.razor(/.*)? ++.br ++ /home/pwalsh/\.spamassassin(/.*)? ++.br ++ /home/dwalsh/\.pyzor(/.*)? ++.br ++ /home/dwalsh/\.spamd(/.*)? ++.br ++ /home/dwalsh/\.razor(/.*)? ++.br ++ /home/dwalsh/\.spamassassin(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.pyzor(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.spamd(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.razor(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.spamassassin(/.*)? 
++.br ++ ++.br ++.B spamd_var_lib_t ++ ++ /var/lib/razor(/.*)? ++.br ++ /var/lib/pyzord(/.*)? ++.br ++ /var/lib/spamassassin(/.*)? ++.br + +.br +.B sysstat_log_t @@ -92086,21 +169751,47 @@ index 0000000..a41e354 + /var/log/sysstat(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B system_cron_spool_t + -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sysstat_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ /etc/cron\.d(/.*)? ++.br ++ /var/spool/anacron(/.*)? ++.br ++ /etc/crontab ++.br ++ /var/spool/fcron/systab ++.br ++ /var/spool/fcron/new\.systab ++.br ++ /var/spool/fcron/systab\.orig ++.br + -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.br ++.B system_cronjob_lock_t + -+.PP -+If you want to allow confined applications to run with kerberos for the sysstat_t, you must turn on the kerberos_enabled boolean. + -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++.br ++.B system_cronjob_tmp_t ++ ++ ++.br ++.B system_cronjob_var_lib_t ++ ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br ++ ++.br ++.B var_spool_t ++ ++ /var/spool(/.*)? ++.br + +.SH "COMMANDS" +.B semanage fcontext @@ -92112,6 +169803,9 @@ index 0000000..a41e354 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
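Review bot: the deny_ptrace entry in the BOOLEANS section of system_cronjob_selinux.8 reads backwards. It tells an admin who wants to "allow sysadm to debug or ptrace all processes" to run "setsebool -P deny_ptrace 1", which by the boolean's own name is the setting that denies ptrace; an admin who follows the generated advice gets the opposite of what they asked for. The description string that sepolicy manpage consumes for this tunable should be corrected at the source (the same inverted text is copied into every page in this patch, so fixing the generator input fixes them all). Separately, the spamc_home_t list under MANAGED FILES includes /home/pwalsh/\.spamassassin(/.*)? and the other /home/pwalsh and /home/dwalsh patterns; those are local semanage customizations of the machine the pages were generated on, not shipped policy, so the man pages should be regenerated in a clean build root before they go into the package.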
@@ -92122,14 +169816,641 @@ index 0000000..a41e354 +by Dan Walsh. + +.SH "SEE ALSO" -+selinux(8), sysstat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++selinux(8), system_cronjob(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), system_dbusd_selinux(8), system_mail_selinux(8), system_munin_plugin_selinux(8), systemd_hostnamed_selinux(8), systemd_localed_selinux(8), systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_timedated_selinux(8), systemd_tmpfiles_selinux(8) +\ No newline at end of file +diff --git a/man/man8/system_dbusd_selinux.8 b/man/man8/system_dbusd_selinux.8 +new file mode 100644 +index 0000000..b610585 +--- /dev/null ++++ b/man/man8/system_dbusd_selinux.8 +@@ -0,0 +1,285 @@ ++.TH "system_dbusd_selinux" "8" "13-01-16" "system_dbusd" "SELinux Policy documentation for system_dbusd" ++.SH "NAME" ++system_dbusd_selinux \- Security Enhanced Linux Policy for the system_dbusd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the system_dbusd processes via flexible mandatory access control. ++ ++The system_dbusd processes execute with the system_dbusd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep system_dbusd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The system_dbusd_t SELinux type can be entered via the \fBdbusd_exec_t\fP file type. ++ ++The default entrypoint paths for the system_dbusd_t domain are the following: ++ ++/usr/bin/dbus-daemon(-1)?, /bin/dbus-daemon, /lib/dbus-1/dbus-daemon-launch-helper, /usr/lib/dbus-1/dbus-daemon-launch-helper ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. 
++SELinux system_dbusd policy is very flexible allowing users to setup their system_dbusd processes in as secure a method as possible. ++.PP ++The following process types are defined for system_dbusd: ++ ++.EX ++.B system_dbusd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a system_dbusd_t ++can be used to make the process type system_dbusd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. system_dbusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run system_dbusd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the system_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the system_dbusd_t, you must turn on the kerberos_enabled boolean. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type system_dbusd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B system_dbusd_tmp_t ++ ++ ++.br ++.B system_dbusd_var_run_t ++ ++ /var/run/dbus(/.*)? ++.br ++ /var/named/chroot/var/run/dbus(/.*)? ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux system_dbusd policy is very flexible allowing users to setup their system_dbusd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the system_dbusd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t system_dbusd_tmp_t '/srv/system_dbusd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysystem_dbusd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for system_dbusd: ++ ++ ++.EX ++.PP ++.B system_dbusd_tmp_t ++.EE ++ ++- Set files with the system_dbusd_tmp_t type, if you want to store system dbusd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B system_dbusd_var_lib_t ++.EE ++ ++- Set files with the system_dbusd_var_lib_t type, if you want to store the system dbusd files under the /var/lib directory. 
++ ++ ++.EX ++.PP ++.B system_dbusd_var_run_t ++.EE ++ ++- Set files with the system_dbusd_var_run_t type, if you want to store the system dbusd files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/dbus(/.*)?, /var/named/chroot/var/run/dbus(/.*)? ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), system_dbusd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), system_cronjob_selinux(8), system_mail_selinux(8), system_munin_plugin_selinux(8), systemd_hostnamed_selinux(8), systemd_localed_selinux(8), systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_timedated_selinux(8), systemd_tmpfiles_selinux(8) +\ No newline at end of file +diff --git a/man/man8/system_mail_selinux.8 b/man/man8/system_mail_selinux.8 +new file mode 100644 +index 0000000..382e87b +--- /dev/null ++++ b/man/man8/system_mail_selinux.8 +@@ -0,0 +1,326 @@ ++.TH "system_mail_selinux" "8" "13-01-16" "system_mail" "SELinux Policy documentation for system_mail" ++.SH "NAME" ++system_mail_selinux \- Security Enhanced Linux Policy for the system_mail processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the system_mail processes via flexible mandatory access control. ++ ++The system_mail processes execute with the system_mail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep system_mail_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The system_mail_t SELinux type can be entered via the \fBmta_exec_type, sendmail_exec_t\fP file types. ++ ++The default entrypoint paths for the system_mail_t domain are the following: ++ ++/bin/mail(x)?, /usr/bin/mail(x)?, /usr/sbin/sendmail(\.sendmail)?, /usr/bin/esmtp, /usr/sbin/rmail, /usr/sbin/ssmtp, /usr/lib/sendmail, /var/qmail/bin/sendmail, /usr/sbin/sendmail\.postfix, /usr/lib/courier/bin/sendmail ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. 
++SELinux system_mail policy is very flexible allowing users to setup their system_mail processes in as secure a method as possible. ++.PP ++The following process types are defined for system_mail: ++ ++.EX ++.B system_mail_t ++.EE ++.PP ++Note: ++.B semanage permissive -a system_mail_t ++can be used to make the process type system_mail_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. system_mail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run system_mail with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to determine whether Gitosis can send mail, you must turn on the gitosis_can_sendmail boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P gitosis_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow http daemon to send mail, you must turn on the httpd_can_sendmail boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_can_sendmail 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the system_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the system_mail_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type system_mail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B arpwatch_tmp_t ++ ++ ++.br ++.B courier_spool_t ++ ++ /var/spool/courier(/.*)? ++.br ++ /var/spool/authdaemon(/.*)? 
++.br ++ ++.br ++.B etc_aliases_t ++ ++ /etc/mail/aliases.* ++.br ++ /etc/postfix/aliases.* ++.br ++ /etc/aliases ++.br ++ /etc/aliases\.db ++.br ++ ++.br ++.B exim_log_t ++ ++ /var/log/exim[0-9]?(/.*)? ++.br ++ ++.br ++.B exim_spool_t ++ ++ /var/spool/exim[0-9]?(/.*)? ++.br ++ ++.br ++.B mail_home_rw_t ++ ++ /root/Maildir(/.*)? ++.br ++ /home/[^/]*/.maildir(/.*)? ++.br ++ /home/[^/]*/Maildir(/.*)? ++.br ++ /home/pwalsh/.maildir(/.*)? ++.br ++ /home/pwalsh/Maildir(/.*)? ++.br ++ /home/dwalsh/.maildir(/.*)? ++.br ++ /home/dwalsh/Maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/.maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/Maildir(/.*)? ++.br ++ ++.br ++.B mail_home_t ++ ++ /root/\.mailrc ++.br ++ /root/\.forward ++.br ++ /root/dead\.letter ++.br ++ /root/\.esmtp_queue ++.br ++ /home/[^/]*/\.forward[^/]* ++.br ++ /home/[^/]*/\.mailrc ++.br ++ /home/[^/]*/dead\.letter ++.br ++ /home/[^/]*/\.esmtp_queue ++.br ++ /home/pwalsh/\.forward[^/]* ++.br ++ /home/pwalsh/\.mailrc ++.br ++ /home/pwalsh/dead\.letter ++.br ++ /home/pwalsh/\.esmtp_queue ++.br ++ /home/dwalsh/\.forward[^/]* ++.br ++ /home/dwalsh/\.mailrc ++.br ++ /home/dwalsh/dead\.letter ++.br ++ /home/dwalsh/\.esmtp_queue ++.br ++ /var/lib/xguest/home/xguest/\.forward[^/]* ++.br ++ /var/lib/xguest/home/xguest/\.mailrc ++.br ++ /var/lib/xguest/home/xguest/dead\.letter ++.br ++ /var/lib/xguest/home/xguest/\.esmtp_queue ++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? ++.br ++ ++.br ++.B mqueue_spool_t ++ ++ /var/spool/(client)?mqueue(/.*)? ++.br ++ /var/spool/mqueue\.in(/.*)? ++.br ++ ++.br ++.B qmail_spool_t ++ ++ /var/qmail/queue(/.*)? ++.br ++ ++.br ++.B sendmail_log_t ++ ++ /var/log/mail(/.*)? ++.br ++ /var/log/sendmail\.st.* ++.br ++ ++.br ++.B system_mail_tmp_t ++ ++ ++.br ++.B uucpd_spool_t ++ ++ /var/spool/uucp(/.*)? ++.br ++ /var/spool/uucppublic(/.*)? 
++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), system_mail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), system_cronjob_selinux(8), system_dbusd_selinux(8), system_munin_plugin_selinux(8), systemd_hostnamed_selinux(8), systemd_localed_selinux(8), systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_timedated_selinux(8), systemd_tmpfiles_selinux(8) +\ No newline at end of file diff --git a/man/man8/system_munin_plugin_selinux.8 b/man/man8/system_munin_plugin_selinux.8 new file mode 100644 -index 0000000..1b3a9b7 +index 0000000..7ea3a04 --- /dev/null +++ b/man/man8/system_munin_plugin_selinux.8 -@@ -0,0 +1,115 @@ -+.TH "system_munin_plugin_selinux" "8" "12-11-01" "system_munin_plugin" "SELinux Policy documentation for system_munin_plugin" +@@ -0,0 +1,187 @@ ++.TH "system_munin_plugin_selinux" "8" "13-01-16" "system_munin_plugin" "SELinux Policy documentation for system_munin_plugin" +.SH "NAME" +system_munin_plugin_selinux \- Security Enhanced Linux Policy for the system_munin_plugin processes +.SH "DESCRIPTION" 
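Review bot: the STANDARD FILE CONTEXT example in system_dbusd_selinux.8 does not work as written. "semanage fcontext -a -t system_dbusd_tmp_t '/srv/system_dbusd/content(/.*)?'" registers a pattern for /srv/system_dbusd/content, but the next line runs "restorecon -R -v /srv/mysystem_dbusd_content", a different path, so the new label is never applied; the two paths in the generator template must agree, and a tmp type is a poor choice for a persistent tree under /srv when system_dbusd_var_lib_t is defined on the same page. Also in this hunk: "option to \fBps\bP" and "option to \fBls\bP" use \bP where \fP is meant, so bold is never switched off; that is a template bug in sepolicy manpage and should be fixed there rather than in these generated files. The mail_home_rw_t and mail_home_t lists in system_mail_selinux.8 again carry /home/pwalsh and /home/dwalsh entries from the generating machine.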
@@ -92145,9 +170466,11 @@ index 0000000..1b3a9b7 + +.SH "ENTRYPOINTS" + -+The system_munin_plugin_t SELinux type can be entered via the "system_munin_plugin_exec_t" file type. The default entrypoint paths for the system_munin_plugin_t domain are the following:" ++The system_munin_plugin_t SELinux type can be entered via the \fBsystem_munin_plugin_exec_t\fP file type. + -+/usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/load, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/users, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/open_files ++The default entrypoint paths for the system_munin_plugin_t domain are the following: ++ ++/usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/load, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/users, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/unbound, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/open_files +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
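Review bot: this hunk is regenerated output; the substantive change it reflects, /usr/share/munin/plugins/unbound becoming a system_munin_plugin_exec_t entrypoint, is made in the munin file-contexts hunk elsewhere in the patch, and that is the hunk to review, since every path in this list is an entrypoint into system_munin_plugin_t and the domain's access is shared by all of them. The wording change (dropping the stray closing quote and splitting the entrypoint sentence in two) is fine.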
@@ -92163,42 +170486,60 @@ index 0000000..1b3a9b7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a system_munin_plugin_t ++can be used to make the process type system_munin_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux system_munin_plugin policy is very flexible allowing users to setup their system_munin_plugin processes in as secure a method as possible. -+.PP -+The following file types are defined for system_munin_plugin: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. system_munin_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run system_munin_plugin with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B system_munin_plugin_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the system_munin_plugin_exec_t type, if you want to transition an executable to the system_munin_plugin_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B system_munin_plugin_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the system_munin_plugin_tmp_t type, if you want to store system munin plugin temporary files in the /tmp directories. 
++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH "MANAGED FILES" + 
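Review bot: the new BOOLEANS section of system_munin_plugin_selinux.8 claims the policy "has several booleans that allow you to manipulate the policy and run system_munin_plugin with the tightest access possible", but every boolean it then lists (deny_ptrace, domain_fd_use, domain_kernel_load_modules, fips_mode, global_ssp, nscd_use_shm) is a system-wide tunable that affects all domains; none is specific to this domain. The generator should mark these as global or drop the sentence, otherwise an admin goes looking for a munin-specific knob and may flip domain_kernel_load_modules or domain_fd_use to tune munin, changing policy for every confined process on the box.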
@@ -92220,7 +170561,56 @@ index 0000000..1b3a9b7 +.B system_munin_plugin_tmp_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux system_munin_plugin policy is very flexible allowing users to setup their system_munin_plugin processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the system_munin_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t system_munin_plugin_exec_t '/srv/system_munin_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysystem_munin_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for system_munin_plugin: ++ ++ ++.EX ++.PP ++.B system_munin_plugin_exec_t ++.EE ++ ++- Set files with the system_munin_plugin_exec_t type, if you want to transition an executable to the system_munin_plugin_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/load, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/users, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/unbound, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/open_files ++ ++.EX ++.PP ++.B system_munin_plugin_tmp_t ++.EE ++ ++- Set files with the system_munin_plugin_tmp_t type, if you want to store system munin plugin temporary files in the /tmp directories. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -92232,6 +170622,9 @@ index 0000000..1b3a9b7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
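Review bot: the STANDARD FILE CONTEXT example in system_munin_plugin_selinux.8 tells the reader to run "semanage fcontext -a -t system_munin_plugin_exec_t '/srv/system_munin_plugin/content(/.*)?'". Labeling a content directory with the exec type marks every file under it as a valid entrypoint into system_munin_plugin_t (the ENTRYPOINTS section of this same page is exactly the list of such paths), which is not what someone storing data wants; the example should use a data type such as system_munin_plugin_tmp_t, or be omitted for modules that define no data type. The following "restorecon -R -v /srv/mysystem_munin_plugin_content" also names a path different from the one just registered, so even as intended the example never applies the label.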
@@ -92243,15 +170636,423 @@ index 0000000..1b3a9b7 + +.SH "SEE ALSO" +selinux(8), system_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8) ++, setsebool(8), system_cronjob_selinux(8), system_dbusd_selinux(8), system_mail_selinux(8), systemd_hostnamed_selinux(8), systemd_localed_selinux(8), systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_timedated_selinux(8), systemd_tmpfiles_selinux(8) +\ No newline at end of file +diff --git a/man/man8/systemd_hostnamed_selinux.8 b/man/man8/systemd_hostnamed_selinux.8 +new file mode 100644 +index 0000000..1fcad98 +--- /dev/null ++++ b/man/man8/systemd_hostnamed_selinux.8 +@@ -0,0 +1,183 @@ ++.TH "systemd_hostnamed_selinux" "8" "13-01-16" "systemd_hostnamed" "SELinux Policy documentation for systemd_hostnamed" ++.SH "NAME" ++systemd_hostnamed_selinux \- Security Enhanced Linux Policy for the systemd_hostnamed processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the systemd_hostnamed processes via flexible mandatory access control. ++ ++The systemd_hostnamed processes execute with the systemd_hostnamed_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep systemd_hostnamed_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The systemd_hostnamed_t SELinux type can be entered via the \fBsystemd_hostnamed_exec_t\fP file type. 
++ ++The default entrypoint paths for the systemd_hostnamed_t domain are the following: ++ ++/usr/lib/systemd/systemd-hostnamed ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux systemd_hostnamed policy is very flexible allowing users to setup their systemd_hostnamed processes in as secure a method as possible. ++.PP ++The following process types are defined for systemd_hostnamed: ++ ++.EX ++.B systemd_hostnamed_t ++.EE ++.PP ++Note: ++.B semanage permissive -a systemd_hostnamed_t ++can be used to make the process type systemd_hostnamed_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. systemd_hostnamed policy is extremely flexible and has several booleans that allow you to manipulate the policy and run systemd_hostnamed with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type systemd_hostnamed_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux systemd_hostnamed policy is very flexible allowing users to setup their systemd_hostnamed processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the systemd_hostnamed, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t systemd_hostnamed_exec_t '/srv/systemd_hostnamed/content(/.*)?' 
++.br ++.B restorecon -R -v /srv/mysystemd_hostnamed_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for systemd_hostnamed: ++ ++ ++.EX ++.PP ++.B systemd_hostnamed_exec_t ++.EE ++ ++- Set files with the systemd_hostnamed_exec_t type, if you want to transition an executable to the systemd_hostnamed_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), systemd_hostnamed(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), systemd_localed_selinux(8), systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_timedated_selinux(8), systemd_tmpfiles_selinux(8) +\ No newline at end of file +diff --git a/man/man8/systemd_localed_selinux.8 b/man/man8/systemd_localed_selinux.8 +new file mode 100644 +index 0000000..c3134fd +--- /dev/null ++++ b/man/man8/systemd_localed_selinux.8 +@@ -0,0 +1,211 @@ ++.TH "systemd_localed_selinux" "8" "13-01-16" "systemd_localed" "SELinux Policy documentation for systemd_localed" ++.SH "NAME" ++systemd_localed_selinux \- Security Enhanced Linux Policy for the systemd_localed processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the systemd_localed processes via flexible mandatory access control. ++ ++The systemd_localed processes execute with the systemd_localed_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep systemd_localed_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The systemd_localed_t SELinux type can be entered via the \fBsystemd_localed_exec_t\fP file type. ++ ++The default entrypoint paths for the systemd_localed_t domain are the following: ++ ++/usr/lib/systemd/systemd-localed ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux systemd_localed policy is very flexible allowing users to setup their systemd_localed processes in as secure a method as possible. 
++.PP ++The following process types are defined for systemd_localed: ++ ++.EX ++.B systemd_localed_t ++.EE ++.PP ++Note: ++.B semanage permissive -a systemd_localed_t ++can be used to make the process type systemd_localed_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. systemd_localed policy is extremely flexible and has several booleans that allow you to manipulate the policy and run systemd_localed with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type systemd_localed_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B locale_t ++ ++ /etc/locale.conf ++.br ++ /etc/vconsole.conf ++.br ++ /usr/lib/locale(/.*)? ++.br ++ /usr/share/locale(/.*)? ++.br ++ /usr/share/zoneinfo(/.*)? ++.br ++ /usr/share/X11/locale(/.*)? ++.br ++ /etc/timezone ++.br ++ /etc/localtime ++.br ++ /etc/sysconfig/clock ++.br ++ /etc/avahi/etc/localtime ++.br ++ /var/empty/sshd/etc/localtime ++.br ++ /var/spool/postfix/etc/localtime ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux systemd_localed policy is very flexible allowing users to setup their systemd_localed processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the systemd_localed, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t systemd_localed_exec_t '/srv/systemd_localed/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysystemd_localed_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. 
++ ++.I The following file types are defined for systemd_localed: ++ ++ ++.EX ++.PP ++.B systemd_localed_exec_t ++.EE ++ ++- Set files with the systemd_localed_exec_t type, if you want to transition an executable to the systemd_localed_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), systemd_localed(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), systemd_hostnamed_selinux(8), systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_timedated_selinux(8), systemd_tmpfiles_selinux(8) \ No newline at end of file diff --git a/man/man8/systemd_logger_selinux.8 b/man/man8/systemd_logger_selinux.8 new file mode 100644 -index 0000000..b8b6a98 +index 0000000..2b10037 --- /dev/null 
+++ b/man/man8/systemd_logger_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "systemd_logger_selinux" "8" "12-11-01" "systemd_logger" "SELinux Policy documentation for systemd_logger" +@@ -0,0 +1,231 @@ ++.TH "systemd_logger_selinux" "8" "13-01-16" "systemd_logger" "SELinux Policy documentation for systemd_logger" +.SH "NAME" +systemd_logger_selinux \- Security Enhanced Linux Policy for the systemd_logger processes +.SH "DESCRIPTION" @@ -92267,7 +171068,9 @@ index 0000000..b8b6a98 + +.SH "ENTRYPOINTS" + -+The systemd_logger_t SELinux type can be entered via the "systemd_logger_exec_t" file type. The default entrypoint paths for the systemd_logger_t domain are the following:" ++The systemd_logger_t SELinux type can be entered via the \fBsystemd_logger_exec_t\fP file type. ++ ++The default entrypoint paths for the systemd_logger_t domain are the following: + +/usr/lib/systemd/systemd-logger +.SH PROCESS TYPES 
@@ -92285,8 +171088,136 @@ index 0000000..b8b6a98 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a systemd_logger_t ++can be used to make the process type systemd_logger_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. systemd_logger policy is extremely flexible and has several booleans that allow you to manipulate the policy and run systemd_logger with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the systemd_logger_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the systemd_logger_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type systemd_logger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -92296,7 +171227,20 @@ index 0000000..b8b6a98 +Policy governs the access confined processes have to these files. +SELinux systemd_logger policy is very flexible allowing users to setup their systemd_logger processes in as secure a method as possible. +.PP -+The following file types are defined for systemd_logger: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the systemd_logger, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t systemd_logger_exec_t '/srv/systemd_logger/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysystemd_logger_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for systemd_logger: + + +.EX @@ -92314,22 +171258,6 @@ index 0000000..b8b6a98 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_logger_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the systemd_logger_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -92340,6 +171268,9 @@ index 0000000..b8b6a98 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -92351,15 +171282,15 @@ index 0000000..b8b6a98 + +.SH "SEE ALSO" +selinux(8), systemd_logger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8) ++, setsebool(8), systemd_hostnamed_selinux(8), systemd_localed_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_timedated_selinux(8), systemd_tmpfiles_selinux(8) \ No newline at end of file diff --git a/man/man8/systemd_logind_selinux.8 b/man/man8/systemd_logind_selinux.8 new file mode 100644 -index 0000000..d2912c3 +index 0000000..c48c412 --- /dev/null +++ b/man/man8/systemd_logind_selinux.8 -@@ -0,0 +1,249 @@ -+.TH "systemd_logind_selinux" "8" "12-11-01" "systemd_logind" "SELinux Policy documentation for systemd_logind" +@@ -0,0 +1,383 @@ ++.TH "systemd_logind_selinux" "8" "13-01-16" "systemd_logind" "SELinux Policy documentation for systemd_logind" +.SH "NAME" +systemd_logind_selinux \- Security Enhanced Linux Policy for the systemd_logind processes +.SH "DESCRIPTION" @@ -92375,7 +171306,9 @@ index 0000000..d2912c3 + +.SH "ENTRYPOINTS" + -+The systemd_logind_t SELinux type can be entered via the "systemd_logind_exec_t" file type. The default entrypoint paths for the systemd_logind_t domain are the following:" ++The systemd_logind_t SELinux type can be entered via the \fBsystemd_logind_exec_t\fP file type. ++ ++The default entrypoint paths for the systemd_logind_t domain are the following: + +/usr/lib/systemd/systemd-logind +.SH PROCESS TYPES 
@@ -92393,58 +171326,124 @@ index 0000000..d2912c3 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a systemd_logind_t ++can be used to make the process type systemd_logind_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux systemd_logind policy is very flexible allowing users to setup their systemd_logind processes in as secure a method as possible. -+.PP -+The following file types are defined for systemd_logind: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. systemd_logind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run systemd_logind with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B systemd_logind_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the systemd_logind_exec_t type, if you want to transition an executable to the systemd_logind_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B systemd_logind_inhibit_var_run_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the systemd_logind_inhibit_var_run_t type, if you want to store the systemd logind inhibit files under the /run directory. 
-+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B systemd_logind_sessions_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the systemd_logind_sessions_t type, if you want to treat the files as systemd logind sessions data. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B systemd_logind_var_run_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the systemd_logind_var_run_t type, if you want to store the systemd logind files under the /run directory. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the systemd_logind_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the systemd_logind_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -92479,6 +171478,14 @@ index 0000000..d2912c3 +.br + /home/[^/]*/\.Xdefaults +.br ++ /home/pwalsh/\.kde(/.*)? ++.br ++ /home/pwalsh/\.xine(/.*)? ++.br ++ /home/pwalsh/\.config(/.*)? ++.br ++ /home/pwalsh/\.Xdefaults ++.br + /home/dwalsh/\.kde(/.*)? +.br + /home/dwalsh/\.xine(/.*)? @@ -92497,6 +171504,14 @@ index 0000000..d2912c3 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B sysfs_t + + /sys(/.*)? @@ -92539,15 +171554,9 @@ index 0000000..d2912c3 +.br + +.br -+.B user_tmp_t ++.B user_tmp_type + -+ /var/run/user(/.*)? -+.br -+ /tmp/gconfd-.* -+.br -+ /tmp/gconfd-dwalsh -+.br -+ /tmp/gconfd-xguest ++ all user tmp files +.br + +.br 
@@ -92567,24 +171576,77 @@ index 0000000..d2912c3 +.br + /var/lib/pam_shield(/.*)? +.br ++ /var/opt/quest/vas/vasd(/.*)? ++.br + /var/lib/google-authenticator(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux systemd_logind policy is very flexible allowing users to setup their systemd_logind processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_logind_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the systemd_logind, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t systemd_logind_exec_t '/srv/systemd_logind/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysystemd_logind_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for systemd_logind: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B systemd_logind_exec_t +.EE + ++- Set files with the systemd_logind_exec_t type, if you want to transition an executable to the systemd_logind_t domain. ++ ++ ++.EX ++.PP ++.B systemd_logind_inhibit_var_run_t ++.EE ++ ++- Set files with the systemd_logind_inhibit_var_run_t type, if you want to store the systemd logind inhibit files under the /run or /var/run directory. 
++ ++ ++.EX ++.PP ++.B systemd_logind_sessions_t ++.EE ++ ++- Set files with the systemd_logind_sessions_t type, if you want to treat the files as systemd logind sessions data. ++ ++ ++.EX ++.PP ++.B systemd_logind_var_run_t ++.EE ++ ++- Set files with the systemd_logind_var_run_t type, if you want to store the systemd logind files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/systemd/seats(/.*)?, /var/run/systemd/users(/.*)?, /var/run/nologin ++ +.PP -+If you want to allow confined applications to run with kerberos for the systemd_logind_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -92596,6 +171658,9 @@ index 0000000..d2912c3 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -92607,15 +171672,15 @@ index 0000000..d2912c3 + +.SH "SEE ALSO" +selinux(8), systemd_logind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, systemd_logger_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8) ++, setsebool(8), systemd_hostnamed_selinux(8), systemd_localed_selinux(8), systemd_logger_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_timedated_selinux(8), systemd_tmpfiles_selinux(8) \ No newline at end of file diff --git a/man/man8/systemd_notify_selinux.8 b/man/man8/systemd_notify_selinux.8 new file mode 100644 -index 0000000..6a06f93 +index 0000000..0cd7441 --- /dev/null 
+++ b/man/man8/systemd_notify_selinux.8 -@@ -0,0 +1,113 @@ -+.TH "systemd_notify_selinux" "8" "12-11-01" "systemd_notify" "SELinux Policy documentation for systemd_notify" +@@ -0,0 +1,243 @@ ++.TH "systemd_notify_selinux" "8" "13-01-16" "systemd_notify" "SELinux Policy documentation for systemd_notify" +.SH "NAME" +systemd_notify_selinux \- Security Enhanced Linux Policy for the systemd_notify processes +.SH "DESCRIPTION" @@ -92631,7 +171696,9 @@ index 0000000..6a06f93 + +.SH "ENTRYPOINTS" + -+The systemd_notify_t SELinux type can be entered via the "systemd_notify_exec_t" file type. The default entrypoint paths for the systemd_notify_t domain are the following:" ++The systemd_notify_t SELinux type can be entered via the \fBsystemd_notify_exec_t\fP file type. ++ ++The default entrypoint paths for the systemd_notify_t domain are the following: + +/bin/systemd-notify, /usr/bin/systemd-notify +.SH PROCESS TYPES 
@@ -92649,34 +171716,124 @@ index 0000000..6a06f93 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a systemd_notify_t ++can be used to make the process type systemd_notify_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux systemd_notify policy is very flexible allowing users to setup their systemd_notify processes in as secure a method as possible. -+.PP -+The following file types are defined for systemd_notify: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. systemd_notify policy is extremely flexible and has several booleans that allow you to manipulate the policy and run systemd_notify with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B systemd_notify_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the systemd_notify_exec_t type, if you want to transition an executable to the systemd_notify_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the systemd_notify_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the systemd_notify_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
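Review bot: the deny_ptrace paragraph in the new BOOLEANS section is inverted. It says "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" and then shows `setsebool -P deny_ptrace 1`, which is the setting that denies ptrace; allowing it is `setsebool -P deny_ptrace 0`. An admin following the page as written locks ptrace down while trying to open it up, and the identical paragraph is emitted in systemd_passwd_agent_selinux.8, systemd_timedated_selinux.8 and systemd_tmpfiles_selinux.8, so the fix belongs in the boolean description that `sepolicy manpage` reads, not in the four generated files. Related: every entry shows `setsebool -P <name> 1`, including the ones marked "Enabled by default", where the command changes nothing; the generator should print the value that differs from the default. Minor: authlogin_nsswitch_use_ldap and kerberos_enabled are now listed twice on the page (BOOLEANS and NSSWITCH DOMAIN), and "rather then" should read "rather than" in both copies.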
@@ -92690,21 +171847,56 @@ index 0000000..6a06f93 + /var/run/systemd/readahead(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux systemd_notify policy is very flexible allowing users to setup their systemd_notify processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_notify_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the systemd_notify, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t systemd_notify_exec_t '/srv/systemd_notify/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysystemd_notify_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for systemd_notify: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B systemd_notify_exec_t +.EE + ++- Set files with the systemd_notify_exec_t type, if you want to transition an executable to the systemd_notify_t domain. ++ ++.br ++.TP 5 ++Paths: ++/bin/systemd-notify, /usr/bin/systemd-notify ++ +.PP -+If you want to allow confined applications to run with kerberos for the systemd_notify_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -92716,6 +171908,9 @@ index 0000000..6a06f93 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -92727,15 +171922,15 @@ index 0000000..6a06f93 + +.SH "SEE ALSO" +selinux(8), systemd_notify(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8) ++, setsebool(8), systemd_hostnamed_selinux(8), systemd_localed_selinux(8), systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_passwd_agent_selinux(8), systemd_timedated_selinux(8), systemd_tmpfiles_selinux(8) \ No newline at end of file diff --git a/man/man8/systemd_passwd_agent_selinux.8 b/man/man8/systemd_passwd_agent_selinux.8 new file mode 100644 -index 0000000..e32dad2 +index 0000000..5dff212 --- /dev/null +++ b/man/man8/systemd_passwd_agent_selinux.8 -@@ -0,0 +1,113 @@ -+.TH "systemd_passwd_agent_selinux" "8" "12-11-01" "systemd_passwd_agent" "SELinux Policy documentation for systemd_passwd_agent" +@@ -0,0 +1,243 @@ ++.TH "systemd_passwd_agent_selinux" "8" "13-01-16" "systemd_passwd_agent" "SELinux Policy documentation for systemd_passwd_agent" +.SH "NAME" +systemd_passwd_agent_selinux \- Security Enhanced Linux Policy for the systemd_passwd_agent processes +.SH "DESCRIPTION" 
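Review bot: in the systemd_notify_selinux.8 MANAGED FILES hunk, root_t (`/` and `/initrd`) is now listed as manageable by systemd_notify_t. systemd-notify only sends a datagram on the notify socket; write access to the root directory is not something that client needs, and the same root_t block appears for systemd_passwd_agent_t, systemd_timedated_t and systemd_tmpfiles_t in this patch, which points to a broad shared interface rather than a per-domain need. Because the page is generated from the binary policy the grant is real; verify it with `sesearch -A -s systemd_notify_t -t root_t` and trim the interface if it is not intended. Two problems in the new STANDARD FILE CONTEXT text: the example labels arbitrary content as systemd_notify_exec_t, the domain's entrypoint type, so anything dropped under that path becomes a file through which a transitioning domain can enter systemd_notify_t, and the `restorecon -R -v /srv/mysystemd_notify_content` path does not match the `/srv/systemd_notify/content(/.*)?` regex just added with semanage, so the example as typed relabels nothing. For domains whose only file type is `_exec_t` the generator should skip this section or use a non-entrypoint type. Also `\fBls\bP` in FILE CONTEXTS should be `\fBls\fP`; `\b` is the bracket-building escape, not a font switch, and it garbles the rendered line in every page in this patch.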
@@ -92751,7 +171946,9 @@ index 0000000..e32dad2 + +.SH "ENTRYPOINTS" + -+The systemd_passwd_agent_t SELinux type can be entered via the "systemd_passwd_agent_exec_t" file type. The default entrypoint paths for the systemd_passwd_agent_t domain are the following:" ++The systemd_passwd_agent_t SELinux type can be entered via the \fBsystemd_passwd_agent_exec_t\fP file type. ++ ++The default entrypoint paths for the systemd_passwd_agent_t domain are the following: + +/bin/systemd-tty-ask-password-agent, /usr/bin/systemd-tty-ask-password-agent, /usr/bin/systemd-gnome-ask-password-agent +.SH PROCESS TYPES 
@@ -92769,51 +171966,113 @@ index 0000000..e32dad2 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a systemd_passwd_agent_t ++can be used to make the process type systemd_passwd_agent_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux systemd_passwd_agent policy is very flexible allowing users to setup their systemd_passwd_agent processes in as secure a method as possible. -+.PP -+The following file types are defined for systemd_passwd_agent: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. systemd_passwd_agent policy is extremely flexible and has several booleans that allow you to manipulate the policy and run systemd_passwd_agent with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B systemd_passwd_agent_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the systemd_passwd_agent_exec_t type, if you want to transition an executable to the systemd_passwd_agent_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + -+.SH "MANAGED FILES" ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 + -+The SELinux process type systemd_passwd_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++.EE + -+.br -+.B systemd_passwd_var_run_t ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_passwd_agent_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the systemd_passwd_agent_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 
@@ -92826,6 +172085,69 @@ index 0000000..e32dad2 +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH "MANAGED FILES" ++ ++The SELinux process type systemd_passwd_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux systemd_passwd_agent policy is very flexible allowing users to setup their systemd_passwd_agent processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the systemd_passwd_agent, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t systemd_passwd_agent_exec_t '/srv/systemd_passwd_agent/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysystemd_passwd_agent_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for systemd_passwd_agent: ++ ++ ++.EX ++.PP ++.B systemd_passwd_agent_exec_t ++.EE ++ ++- Set files with the systemd_passwd_agent_exec_t type, if you want to transition an executable to the systemd_passwd_agent_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/bin/systemd-tty-ask-password-agent, /usr/bin/systemd-tty-ask-password-agent, /usr/bin/systemd-gnome-ask-password-agent ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -92836,6 +172158,9 @@ index 0000000..e32dad2 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
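Review bot: the relocated MANAGED FILES section for systemd_passwd_agent_t now includes root_t next to systemd_passwd_var_run_t. This domain handles plaintext passphrases typed at the console, and the tty agent runs as root, so, as the page's own DAC note implies, SELinux is the only boundary on what it can write; its write set should stay limited to `/var/run/systemd/ask-password(/.*)?` and `/var/run/systemd/ask-password-block(/.*)?`. Please check where the root_t rule comes from before shipping a page that documents the wider grant as expected behaviour.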
@@ -92847,15 +172172,341 @@ index 0000000..e32dad2 + +.SH "SEE ALSO" +selinux(8), systemd_passwd_agent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_tmpfiles_selinux(8) ++, setsebool(8), systemd_hostnamed_selinux(8), systemd_localed_selinux(8), systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_timedated_selinux(8), systemd_tmpfiles_selinux(8) +\ No newline at end of file +diff --git a/man/man8/systemd_timedated_selinux.8 b/man/man8/systemd_timedated_selinux.8 +new file mode 100644 +index 0000000..34b1471 +--- /dev/null ++++ b/man/man8/systemd_timedated_selinux.8 +@@ -0,0 +1,319 @@ ++.TH "systemd_timedated_selinux" "8" "13-01-16" "systemd_timedated" "SELinux Policy documentation for systemd_timedated" ++.SH "NAME" ++systemd_timedated_selinux \- Security Enhanced Linux Policy for the systemd_timedated processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the systemd_timedated processes via flexible mandatory access control. ++ ++The systemd_timedated processes execute with the systemd_timedated_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep systemd_timedated_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The systemd_timedated_t SELinux type can be entered via the \fBsystemd_timedated_exec_t\fP file type. ++ ++The default entrypoint paths for the systemd_timedated_t domain are the following: ++ ++/usr/lib/systemd/systemd-timedated ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. 
++SELinux systemd_timedated policy is very flexible allowing users to setup their systemd_timedated processes in as secure a method as possible. ++.PP ++The following process types are defined for systemd_timedated: ++ ++.EX ++.B systemd_timedated_t ++.EE ++.PP ++Note: ++.B semanage permissive -a systemd_timedated_t ++can be used to make the process type systemd_timedated_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. systemd_timedated policy is extremely flexible and has several booleans that allow you to manipulate the policy and run systemd_timedated with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the systemd_timedated_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the systemd_timedated_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type systemd_timedated_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B config_home_t ++ ++ /root/\.kde(/.*)? 
++.br ++ /root/\.xine(/.*)? ++.br ++ /root/\.config(/.*)? ++.br ++ /var/run/user/[^/]*/dconf(/.*)? ++.br ++ /root/\.Xdefaults ++.br ++ /home/[^/]*/\.kde(/.*)? ++.br ++ /home/[^/]*/\.xine(/.*)? ++.br ++ /home/[^/]*/\.config(/.*)? ++.br ++ /home/[^/]*/\.Xdefaults ++.br ++ /home/pwalsh/\.kde(/.*)? ++.br ++ /home/pwalsh/\.xine(/.*)? ++.br ++ /home/pwalsh/\.config(/.*)? ++.br ++ /home/pwalsh/\.Xdefaults ++.br ++ /home/dwalsh/\.kde(/.*)? ++.br ++ /home/dwalsh/\.xine(/.*)? ++.br ++ /home/dwalsh/\.config(/.*)? ++.br ++ /home/dwalsh/\.Xdefaults ++.br ++ /var/lib/xguest/home/xguest/\.kde(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.xine(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Xdefaults ++.br ++ ++.br ++.B config_usr_t ++ ++ /usr/share/config(/.*)? ++.br ++ ++.br ++.B locale_t ++ ++ /etc/locale.conf ++.br ++ /etc/vconsole.conf ++.br ++ /usr/lib/locale(/.*)? ++.br ++ /usr/share/locale(/.*)? ++.br ++ /usr/share/zoneinfo(/.*)? ++.br ++ /usr/share/X11/locale(/.*)? ++.br ++ /etc/timezone ++.br ++ /etc/localtime ++.br ++ /etc/sysconfig/clock ++.br ++ /etc/avahi/etc/localtime ++.br ++ /var/empty/sshd/etc/localtime ++.br ++ /var/spool/postfix/etc/localtime ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux systemd_timedated policy is very flexible allowing users to setup their systemd_timedated processes in as secure a method as possible. 
++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the systemd_timedated, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t systemd_timedated_exec_t '/srv/systemd_timedated/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysystemd_timedated_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for systemd_timedated: ++ ++ ++.EX ++.PP ++.B systemd_timedated_exec_t ++.EE ++ ++- Set files with the systemd_timedated_exec_t type, if you want to transition an executable to the systemd_timedated_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), systemd_timedated(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), systemd_hostnamed_selinux(8), systemd_localed_selinux(8), systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_tmpfiles_selinux(8) \ No newline at end of file diff --git a/man/man8/systemd_tmpfiles_selinux.8 b/man/man8/systemd_tmpfiles_selinux.8 new file mode 100644 -index 0000000..de442a9 +index 0000000..5315dea --- /dev/null +++ b/man/man8/systemd_tmpfiles_selinux.8 -@@ -0,0 +1,187 @@ -+.TH "systemd_tmpfiles_selinux" "8" "12-11-01" "systemd_tmpfiles" "SELinux Policy documentation for systemd_tmpfiles" +@@ -0,0 +1,327 @@ ++.TH "systemd_tmpfiles_selinux" "8" "13-01-16" "systemd_tmpfiles" "SELinux Policy documentation for systemd_tmpfiles" +.SH "NAME" +systemd_tmpfiles_selinux \- Security Enhanced Linux Policy for the systemd_tmpfiles processes +.SH "DESCRIPTION" @@ -92871,7 +172522,9 @@ index 0000000..de442a9 + +.SH "ENTRYPOINTS" + -+The systemd_tmpfiles_t SELinux type can be entered via the "systemd_tmpfiles_exec_t" file type. The default entrypoint paths for the systemd_tmpfiles_t domain are the following:" ++The systemd_tmpfiles_t SELinux type can be entered via the \fBsystemd_tmpfiles_exec_t\fP file type. ++ ++The default entrypoint paths for the systemd_tmpfiles_t domain are the following: + +/bin/systemd-tmpfiles, /usr/bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles +.SH PROCESS TYPES 
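Review bot: the new systemd_timedated_selinux.8 contains per-user paths `/home/pwalsh/\.kde(/.*)?`, `/home/dwalsh/\.config(/.*)?` and friends (plus the `/var/lib/xguest/home/xguest/...` entries) under config_home_t. Those are expansions from the generating host's own user and login mappings (genhomedircon output for its local accounts), not part of the shipped policy, and they leak developer usernames into a distributed man page; regenerate in a clean build root or have the generator drop entries that are not in the base file_contexts. Separately, it is worth asking why systemd_timedated_t, a system daemon whose job is `/etc/localtime`, `/etc/timezone` and `/etc/sysconfig/clock` (all locale_t, as listed), is allowed to manage config_home_t in every user's `~/.config` and `~/.kde`; that looks like a wider interface than the daemon needs. Smaller points in the same file: the FILE CONTEXTS entry for systemd_timedated_exec_t has no `Paths:` block even though `/usr/lib/systemd/systemd-timedated` is given under ENTRYPOINTS, unlike the other pages, and `\fBps\bP` / `\fBls\bP` should be `\fBps\fP` / `\fBls\fP`.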
@@ -92889,34 +172542,124 @@ index 0000000..de442a9 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a systemd_tmpfiles_t ++can be used to make the process type systemd_tmpfiles_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux systemd_tmpfiles policy is very flexible allowing users to setup their systemd_tmpfiles processes in as secure a method as possible. -+.PP -+The following file types are defined for systemd_tmpfiles: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. systemd_tmpfiles policy is extremely flexible and has several booleans that allow you to manipulate the policy and run systemd_tmpfiles with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B systemd_tmpfiles_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the systemd_tmpfiles_exec_t type, if you want to transition an executable to the systemd_tmpfiles_t domain. ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the systemd_tmpfiles_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the systemd_tmpfiles_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -92927,18 +172670,22 @@ index 0000000..de442a9 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B lockfile + + +.br ++.B man_cache_t ++ ++ ++.br +.B man_t + + /opt/(.*/)?man(/.*)? @@ -92957,6 +172704,14 @@ index 0000000..de442a9 + + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B sysfs_t + + /sys(/.*)? @@ -92975,6 +172730,10 @@ index 0000000..de442a9 +.br + /usr/tmp +.br ++ /tmp-inst ++.br ++ /var/tmp-inst ++.br + /var/tmp/vi\.recover +.br + @@ -92995,6 +172754,8 @@ index 0000000..de442a9 +.br + /var/lib/pam_shield(/.*)? +.br ++ /var/opt/quest/vas/vasd(/.*)? ++.br + /var/lib/google-authenticator(/.*)? +.br + 
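Review bot: in the systemd_tmpfiles_selinux.8 MANAGED FILES hunks, `lockfile` and the new `man_cache_t` are listed with no paths at all. `lockfile` is an attribute, not a type (everything else in the list is a `_t` type), so the generator is walking attributes the domain can write and printing them as if they were labels; it should expand the attribute to its member types or skip it. `man_cache_t` with an empty path list means no file context exists for it in this policy build, which deserves either a line on the page or a file_contexts entry. The widening of `/var/log/faillog` and `/var/log/tallylog` to `/var/log/faillog.*` and `/var/log/tallylog.*` is fine for rotated copies, but the added `/tmp-inst`, `/var/tmp-inst` and `/var/opt/quest/vas/vasd(/.*)?` entries are file-context changes, not tmpfiles policy changes, and should be called out in the changelog rather than surfacing only as a side effect of regenerating the page.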
@@ -93004,21 +172765,48 @@ index 0000000..de442a9 + /var/log/wtmp.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux systemd_tmpfiles policy is very flexible allowing users to setup their systemd_tmpfiles processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the systemd_tmpfiles_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the systemd_tmpfiles, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t systemd_tmpfiles_exec_t '/srv/systemd_tmpfiles/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mysystemd_tmpfiles_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for systemd_tmpfiles: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B systemd_tmpfiles_exec_t +.EE + ++- Set files with the systemd_tmpfiles_exec_t type, if you want to transition an executable to the systemd_tmpfiles_t domain. ++ ++.br ++.TP 5 ++Paths: ++/bin/systemd-tmpfiles, /usr/bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles ++ +.PP -+If you want to allow confined applications to run with kerberos for the systemd_tmpfiles_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -93030,6 +172818,9 @@ index 0000000..de442a9 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -93041,15 +172832,15 @@ index 0000000..de442a9 + +.SH "SEE ALSO" +selinux(8), systemd_tmpfiles(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8) ++, setsebool(8), systemd_hostnamed_selinux(8), systemd_localed_selinux(8), systemd_logger_selinux(8), systemd_logind_selinux(8), systemd_notify_selinux(8), systemd_passwd_agent_selinux(8), systemd_timedated_selinux(8) \ No newline at end of file diff --git a/man/man8/tcpd_selinux.8 b/man/man8/tcpd_selinux.8 new file mode 100644 -index 0000000..42ef6d7 +index 0000000..9d7fff2 --- /dev/null +++ b/man/man8/tcpd_selinux.8 -@@ -0,0 +1,152 @@ -+.TH "tcpd_selinux" "8" "12-11-01" "tcpd" "SELinux Policy documentation for tcpd" +@@ -0,0 +1,171 @@ ++.TH "tcpd_selinux" "8" "13-01-16" "tcpd" "SELinux Policy documentation for tcpd" +.SH "NAME" +tcpd_selinux \- Security Enhanced Linux Policy for the tcpd processes +.SH "DESCRIPTION" @@ -93065,7 +172856,9 @@ index 0000000..42ef6d7 + +.SH "ENTRYPOINTS" + -+The tcpd_t SELinux type can be entered via the "tcpd_exec_t" file type. The default entrypoint paths for the tcpd_t domain are the following:" ++The tcpd_t SELinux type can be entered via the \fBtcpd_exec_t\fP file type. ++ ++The default entrypoint paths for the tcpd_t domain are the following: + +/usr/sbin/tcpd +.SH PROCESS TYPES 
@@ -93083,55 +172876,69 @@ index 0000000..42ef6d7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a tcpd_t ++can be used to make the process type tcpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. tcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tcpd with the tightest access possible. + + +.PP -+If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P daemons_use_tcp_wrapper 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + +.PP -+If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.B setsebool -P selinuxuser_tcp_server 1 ++.B setsebool -P domain_fd_use 1 ++ +.EE + +.PP -+If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
+ +.EX -+.B setsebool -P telepathy_tcp_connect_generic_network_ports 1 ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + +.PP -+If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.B setsebool -P daemons_use_tcp_wrapper 1 ++.B setsebool -P fips_mode 1 ++ +.EE + +.PP -+If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.B setsebool -P selinuxuser_tcp_server 1 ++.B setsebool -P global_ssp 1 ++ +.EE + +.PP -+If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.B setsebool -P telepathy_tcp_connect_generic_network_ports 1 ++.B setsebool -P nis_enabled 1 ++ +.EE + ++.SH "MANAGED FILES" ++ ++The SELinux process type tcpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B tcpd_tmp_t ++ ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -93140,7 +172947,20 @@ index 0000000..42ef6d7 +Policy governs the access confined processes have to these files. +SELinux tcpd policy is very flexible allowing users to setup their tcpd processes in as secure a method as possible. +.PP -+The following file types are defined for tcpd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the tcpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t tcpd_exec_t '/srv/tcpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytcpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for tcpd: + + +.EX @@ -93166,16 +172986,6 @@ index 0000000..42ef6d7 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type tcpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B tcpd_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -93204,11 +173014,11 @@ index 0000000..42ef6d7 \ No newline at end of file diff --git a/man/man8/tcsd_selinux.8 b/man/man8/tcsd_selinux.8 new file mode 100644 -index 0000000..f4bc953 +index 0000000..93bb72a --- /dev/null +++ b/man/man8/tcsd_selinux.8 -@@ -0,0 +1,152 @@ -+.TH "tcsd_selinux" "8" "12-11-01" "tcsd" "SELinux Policy documentation for tcsd" +@@ -0,0 +1,283 @@ ++.TH "tcsd_selinux" "8" "13-01-16" "tcsd" "SELinux Policy documentation for tcsd" +.SH "NAME" +tcsd_selinux \- Security Enhanced Linux Policy for the tcsd processes +.SH "DESCRIPTION" 
@@ -93224,7 +173034,9 @@ index 0000000..f4bc953 + +.SH "ENTRYPOINTS" + -+The tcsd_t SELinux type can be entered via the "tcsd_exec_t" file type. The default entrypoint paths for the tcsd_t domain are the following:" ++The tcsd_t SELinux type can be entered via the \fBtcsd_exec_t\fP file type. ++ ++The default entrypoint paths for the tcsd_t domain are the following: + +/usr/sbin/tcsd +.SH PROCESS TYPES 
@@ -93242,50 +173054,124 @@ index 0000000..f4bc953 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a tcsd_t ++can be used to make the process type tcsd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux tcsd policy is very flexible allowing users to setup their tcsd processes in as secure a method as possible. -+.PP -+The following file types are defined for tcsd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. tcsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tcsd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B tcsd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the tcsd_exec_t type, if you want to transition an executable to the tcsd_t domain. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B tcsd_initrc_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the tcsd_initrc_exec_t type, if you want to transition an executable to the tcsd_initrc_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ +.EX -+.PP -+.B tcsd_var_lib_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the tcsd_var_lib_t type, if you want to store the tcsd files under the /var/lib directory. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the tcsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tcsd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -93315,26 +173201,77 @@ index 0000000..f4bc953 +The SELinux process type tcsd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B tcsd_var_lib_t + + /var/lib/tpm(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux tcsd policy is very flexible allowing users to setup their tcsd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tcsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the tcsd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t tcsd_exec_t '/srv/tcsd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytcsd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for tcsd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B tcsd_exec_t +.EE + ++- Set files with the tcsd_exec_t type, if you want to transition an executable to the tcsd_t domain. ++ ++ ++.EX ++.PP ++.B tcsd_initrc_exec_t ++.EE ++ ++- Set files with the tcsd_initrc_exec_t type, if you want to transition an executable to the tcsd_initrc_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/tcsd, /etc/rc\.d/init\.d/trousers ++ ++.EX ++.PP ++.B tcsd_var_lib_t ++.EE ++ ++- Set files with the tcsd_var_lib_t type, if you want to store the tcsd files under the /var/lib directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the tcsd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -93349,6 +173286,9 @@ index 0000000..f4bc953 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -93360,13 +173300,15 @@ index 0000000..f4bc953 + +.SH "SEE ALSO" +selinux(8), tcsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/telepathy_gabble_selinux.8 b/man/man8/telepathy_gabble_selinux.8 new file mode 100644 -index 0000000..a1ba3c0 +index 0000000..aa0d78b --- /dev/null +++ b/man/man8/telepathy_gabble_selinux.8 -@@ -0,0 +1,193 @@ -+.TH "telepathy_gabble_selinux" "8" "12-11-01" "telepathy_gabble" "SELinux Policy documentation for telepathy_gabble" +@@ -0,0 +1,387 @@ ++.TH "telepathy_gabble_selinux" "8" "13-01-16" "telepathy_gabble" "SELinux Policy documentation for telepathy_gabble" +.SH "NAME" +telepathy_gabble_selinux \- Security Enhanced Linux Policy for the telepathy_gabble processes +.SH "DESCRIPTION" 
@@ -93382,7 +173324,9 @@ index 0000000..a1ba3c0 + +.SH "ENTRYPOINTS" + -+The telepathy_gabble_t SELinux type can be entered via the "telepathy_gabble_exec_t" file type. The default entrypoint paths for the telepathy_gabble_t domain are the following:" ++The telepathy_gabble_t SELinux type can be entered via the \fBtelepathy_gabble_exec_t\fP file type. ++ ++The default entrypoint paths for the telepathy_gabble_t domain are the following: + +/usr/libexec/telepathy-gabble +.SH PROCESS TYPES 
@@ -93400,8 +173344,272 @@ index 0000000..a1ba3c0 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a telepathy_gabble_t ++can be used to make the process type telepathy_gabble_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. telepathy_gabble policy is extremely flexible and has several booleans that allow you to manipulate the policy and run telepathy_gabble with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow the Telepathy connection managers to connect to any network port, you must turn on the telepathy_connect_all_ports boolean. Disabled by default. ++ ++.EX ++.B setsebool -P telepathy_connect_all_ports 1 ++ ++.EE ++ ++.PP ++If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean. Enabled by default. ++ ++.EX ++.B setsebool -P telepathy_tcp_connect_generic_network_ports 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the telepathy_gabble_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telepathy_gabble_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type telepathy_gabble_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? ++.br ++ /home/[^/]*/\.nv(/.*)? ++.br ++ /home/[^/]*/\.cache(/.*)? ++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B config_home_t ++ ++ /root/\.kde(/.*)? ++.br ++ /root/\.xine(/.*)? ++.br ++ /root/\.config(/.*)? ++.br ++ /var/run/user/[^/]*/dconf(/.*)? ++.br ++ /root/\.Xdefaults ++.br ++ /home/[^/]*/\.kde(/.*)? ++.br ++ /home/[^/]*/\.xine(/.*)? ++.br ++ /home/[^/]*/\.config(/.*)? ++.br ++ /home/[^/]*/\.Xdefaults ++.br ++ /home/pwalsh/\.kde(/.*)? ++.br ++ /home/pwalsh/\.xine(/.*)? ++.br ++ /home/pwalsh/\.config(/.*)? ++.br ++ /home/pwalsh/\.Xdefaults ++.br ++ /home/dwalsh/\.kde(/.*)? ++.br ++ /home/dwalsh/\.xine(/.*)? ++.br ++ /home/dwalsh/\.config(/.*)? ++.br ++ /home/dwalsh/\.Xdefaults ++.br ++ /var/lib/xguest/home/xguest/\.kde(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.xine(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config(/.*)? 
++.br ++ /var/lib/xguest/home/xguest/\.Xdefaults ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B telepathy_gabble_cache_home_t ++ ++ /home/[^/]*/\.cache/wocky(/.*)? ++.br ++ /home/[^/]*/\.cache/telepathy/gabble(/.*)? ++.br ++ /home/pwalsh/\.cache/wocky(/.*)? ++.br ++ /home/pwalsh/\.cache/telepathy/gabble(/.*)? ++.br ++ /home/dwalsh/\.cache/wocky(/.*)? ++.br ++ /home/dwalsh/\.cache/telepathy/gabble(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache/wocky(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache/telepathy/gabble(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -93411,7 +173619,20 @@ index 0000000..a1ba3c0 +Policy governs the access confined processes have to these files. +SELinux telepathy_gabble policy is very flexible allowing users to setup their telepathy_gabble processes in as secure a method as possible. +.PP -+The following file types are defined for telepathy_gabble: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the telepathy_gabble, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t telepathy_gabble_cache_home_t '/srv/telepathy_gabble/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytelepathy_gabble_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for telepathy_gabble: + + +.EX 
@@ -93421,6 +173642,10 @@ index 0000000..a1ba3c0 + +- Set files with the telepathy_gabble_cache_home_t type, if you want to store telepathy gabble cache files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.cache/wocky(/.*)?, /home/[^/]*/\.cache/telepathy/gabble(/.*)?, /home/pwalsh/\.cache/wocky(/.*)?, /home/pwalsh/\.cache/telepathy/gabble(/.*)?, /home/dwalsh/\.cache/wocky(/.*)?, /home/dwalsh/\.cache/telepathy/gabble(/.*)?, /var/lib/xguest/home/xguest/\.cache/wocky(/.*)?, /var/lib/xguest/home/xguest/\.cache/telepathy/gabble(/.*)? + +.EX +.PP 
@@ -93445,98 +173670,6 @@ index 0000000..a1ba3c0 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type telepathy_gabble_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cache_home_t -+ -+ /root/\.cache(/.*)? -+.br -+ /home/[^/]*/\.nv(/.*)? -+.br -+ /home/[^/]*/\.cache(/.*)? -+.br -+ /home/dwalsh/\.nv(/.*)? -+.br -+ /home/dwalsh/\.cache(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.nv(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.cache(/.*)? -+.br -+ -+.br -+.B config_home_t -+ -+ /root/\.kde(/.*)? -+.br -+ /root/\.xine(/.*)? -+.br -+ /root/\.config(/.*)? -+.br -+ /var/run/user/[^/]*/dconf(/.*)? -+.br -+ /root/\.Xdefaults -+.br -+ /home/[^/]*/\.kde(/.*)? -+.br -+ /home/[^/]*/\.xine(/.*)? -+.br -+ /home/[^/]*/\.config(/.*)? -+.br -+ /home/[^/]*/\.Xdefaults -+.br -+ /home/dwalsh/\.kde(/.*)? -+.br -+ /home/dwalsh/\.xine(/.*)? -+.br -+ /home/dwalsh/\.config(/.*)? -+.br -+ /home/dwalsh/\.Xdefaults -+.br -+ /var/lib/xguest/home/xguest/\.kde(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.xine(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.config(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.Xdefaults -+.br -+ -+.br -+.B telepathy_gabble_cache_home_t -+ -+ /home/[^/]*/\.cache/wocky(/.*)? -+.br -+ /home/[^/]*/\.cache/telepathy/gabble(/.*)? -+.br -+ /home/dwalsh/\.cache/wocky(/.*)? -+.br -+ /home/dwalsh/\.cache/telepathy/gabble(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.cache/wocky(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.cache/telepathy/gabble(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_gabble_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
-+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the telepathy_gabble_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -93547,6 +173680,9 @@ index 0000000..a1ba3c0 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -93558,15 +173694,15 @@ index 0000000..a1ba3c0 + +.SH "SEE ALSO" +selinux(8), telepathy_gabble(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) ++, setsebool(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) \ No newline at end of file diff --git a/man/man8/telepathy_idle_selinux.8 b/man/man8/telepathy_idle_selinux.8 new file mode 100644 -index 0000000..dd6fb69 +index 0000000..2a83785 --- /dev/null +++ b/man/man8/telepathy_idle_selinux.8 -@@ -0,0 +1,131 @@ -+.TH "telepathy_idle_selinux" "8" "12-11-01" "telepathy_idle" "SELinux Policy documentation for telepathy_idle" +@@ -0,0 +1,245 @@ ++.TH "telepathy_idle_selinux" "8" "13-01-16" "telepathy_idle" "SELinux Policy documentation for telepathy_idle" +.SH "NAME" +telepathy_idle_selinux \- Security Enhanced Linux Policy for the telepathy_idle processes +.SH "DESCRIPTION" 
@@ -93582,7 +173718,9 @@ index 0000000..dd6fb69 + +.SH "ENTRYPOINTS" + -+The telepathy_idle_t SELinux type can be entered via the "telepathy_idle_exec_t" file type. The default entrypoint paths for the telepathy_idle_t domain are the following:" ++The telepathy_idle_t SELinux type can be entered via the \fBtelepathy_idle_exec_t\fP file type. ++ ++The default entrypoint paths for the telepathy_idle_t domain are the following: + +/usr/libexec/telepathy-idle +.SH PROCESS TYPES 
@@ -93600,8 +173738,142 @@ index 0000000..dd6fb69 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a telepathy_idle_t ++can be used to make the process type telepathy_idle_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. telepathy_idle policy is extremely flexible and has several booleans that allow you to manipulate the policy and run telepathy_idle with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow the Telepathy connection managers to connect to any network port, you must turn on the telepathy_connect_all_ports boolean. Disabled by default. ++ ++.EX ++.B setsebool -P telepathy_connect_all_ports 1 ++ ++.EE ++ ++.PP ++If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean. Enabled by default. ++ ++.EX ++.B setsebool -P telepathy_tcp_connect_generic_network_ports 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the telepathy_idle_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telepathy_idle_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type telepathy_idle_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? ++.br ++ /home/[^/]*/\.nv(/.*)? ++.br ++ /home/[^/]*/\.cache(/.*)? 
++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -93611,7 +173883,20 @@ index 0000000..dd6fb69 +Policy governs the access confined processes have to these files. +SELinux telepathy_idle policy is very flexible allowing users to setup their telepathy_idle processes in as secure a method as possible. +.PP -+The following file types are defined for telepathy_idle: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the telepathy_idle, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t telepathy_idle_exec_t '/srv/telepathy_idle/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytelepathy_idle_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for telepathy_idle: + + +.EX 
@@ -93637,44 +173922,6 @@ index 0000000..dd6fb69 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type telepathy_idle_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cache_home_t -+ -+ /root/\.cache(/.*)? -+.br -+ /home/[^/]*/\.nv(/.*)? -+.br -+ /home/[^/]*/\.cache(/.*)? -+.br -+ /home/dwalsh/\.nv(/.*)? -+.br -+ /home/dwalsh/\.cache(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.nv(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.cache(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_idle_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the telepathy_idle_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -93685,6 +173932,9 @@ index 0000000..dd6fb69 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -93696,15 +173946,15 @@ index 0000000..dd6fb69 + +.SH "SEE ALSO" +selinux(8), telepathy_idle(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, telepathy_gabble_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) ++, setsebool(8), telepathy_gabble_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) \ No newline at end of file diff --git a/man/man8/telepathy_logger_selinux.8 b/man/man8/telepathy_logger_selinux.8 new file mode 100644 -index 0000000..e218a21 +index 0000000..fc59669 --- /dev/null +++ b/man/man8/telepathy_logger_selinux.8 -@@ -0,0 +1,205 @@ -+.TH "telepathy_logger_selinux" "8" "12-11-01" "telepathy_logger" "SELinux Policy documentation for telepathy_logger" +@@ -0,0 +1,387 @@ ++.TH "telepathy_logger_selinux" "8" "13-01-16" "telepathy_logger" "SELinux Policy documentation for telepathy_logger" +.SH "NAME" +telepathy_logger_selinux \- Security Enhanced Linux Policy for the telepathy_logger processes +.SH "DESCRIPTION" @@ -93720,7 +173970,9 @@ index 0000000..e218a21 + +.SH "ENTRYPOINTS" + -+The telepathy_logger_t SELinux type can be entered via the "telepathy_logger_exec_t" file type. The default entrypoint paths for the telepathy_logger_t domain are the following:" ++The telepathy_logger_t SELinux type can be entered via the \fBtelepathy_logger_exec_t\fP file type. ++ ++The default entrypoint paths for the telepathy_logger_t domain are the following: + +/usr/libexec/telepathy-logger +.SH PROCESS TYPES 
@@ -93738,8 +173990,260 @@ index 0000000..e218a21 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a telepathy_logger_t ++can be used to make the process type telepathy_logger_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. telepathy_logger policy is extremely flexible and has several booleans that allow you to manipulate the policy and run telepathy_logger with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the telepathy_logger_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telepathy_logger_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type telepathy_logger_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? ++.br ++ /home/[^/]*/\.nv(/.*)? ++.br ++ /home/[^/]*/\.cache(/.*)? ++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B config_home_t ++ ++ /root/\.kde(/.*)? ++.br ++ /root/\.xine(/.*)? ++.br ++ /root/\.config(/.*)? ++.br ++ /var/run/user/[^/]*/dconf(/.*)? ++.br ++ /root/\.Xdefaults ++.br ++ /home/[^/]*/\.kde(/.*)? ++.br ++ /home/[^/]*/\.xine(/.*)? ++.br ++ /home/[^/]*/\.config(/.*)? ++.br ++ /home/[^/]*/\.Xdefaults ++.br ++ /home/pwalsh/\.kde(/.*)? ++.br ++ /home/pwalsh/\.xine(/.*)? ++.br ++ /home/pwalsh/\.config(/.*)? ++.br ++ /home/pwalsh/\.Xdefaults ++.br ++ /home/dwalsh/\.kde(/.*)? ++.br ++ /home/dwalsh/\.xine(/.*)? ++.br ++ /home/dwalsh/\.config(/.*)? ++.br ++ /home/dwalsh/\.Xdefaults ++.br ++ /var/lib/xguest/home/xguest/\.kde(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.xine(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Xdefaults ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B telepathy_logger_cache_home_t ++ ++ /home/[^/]*/\.cache/telepathy/logger(/.*)? ++.br ++ /home/pwalsh/\.cache/telepathy/logger(/.*)? ++.br ++ /home/dwalsh/\.cache/telepathy/logger(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache/telepathy/logger(/.*)? 
++.br ++ ++.br ++.B telepathy_logger_data_home_t ++ ++ /home/[^/]*/\.local/share/TpLogger(/.*)? ++.br ++ /home/pwalsh/\.local/share/TpLogger(/.*)? ++.br ++ /home/dwalsh/\.local/share/TpLogger(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.local/share/TpLogger(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -93749,7 +174253,20 @@ index 0000000..e218a21 +Policy governs the access confined processes have to these files. +SELinux telepathy_logger policy is very flexible allowing users to setup their telepathy_logger processes in as secure a method as possible. +.PP -+The following file types are defined for telepathy_logger: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the telepathy_logger, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t telepathy_logger_cache_home_t '/srv/telepathy_logger/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytelepathy_logger_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for telepathy_logger: + + +.EX @@ -93759,6 +174276,10 @@ index 0000000..e218a21 + +- Set files with the telepathy_logger_cache_home_t type, if you want to store telepathy logger cache files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.cache/telepathy/logger(/.*)?, /home/pwalsh/\.cache/telepathy/logger(/.*)?, /home/dwalsh/\.cache/telepathy/logger(/.*)?, /var/lib/xguest/home/xguest/\.cache/telepathy/logger(/.*)? + +.EX +.PP 
@@ -93767,6 +174288,10 @@ index 0000000..e218a21 + +- Set files with the telepathy_logger_data_home_t type, if you want to store telepathy logger data files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.local/share/TpLogger(/.*)?, /home/pwalsh/\.local/share/TpLogger(/.*)?, /home/dwalsh/\.local/share/TpLogger(/.*)?, /var/lib/xguest/home/xguest/\.local/share/TpLogger(/.*)? + +.EX +.PP 
@@ -93791,102 +174316,6 @@ index 0000000..e218a21 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type telepathy_logger_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cache_home_t -+ -+ /root/\.cache(/.*)? -+.br -+ /home/[^/]*/\.nv(/.*)? -+.br -+ /home/[^/]*/\.cache(/.*)? -+.br -+ /home/dwalsh/\.nv(/.*)? -+.br -+ /home/dwalsh/\.cache(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.nv(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.cache(/.*)? -+.br -+ -+.br -+.B config_home_t -+ -+ /root/\.kde(/.*)? -+.br -+ /root/\.xine(/.*)? -+.br -+ /root/\.config(/.*)? -+.br -+ /var/run/user/[^/]*/dconf(/.*)? -+.br -+ /root/\.Xdefaults -+.br -+ /home/[^/]*/\.kde(/.*)? -+.br -+ /home/[^/]*/\.xine(/.*)? -+.br -+ /home/[^/]*/\.config(/.*)? -+.br -+ /home/[^/]*/\.Xdefaults -+.br -+ /home/dwalsh/\.kde(/.*)? -+.br -+ /home/dwalsh/\.xine(/.*)? -+.br -+ /home/dwalsh/\.config(/.*)? -+.br -+ /home/dwalsh/\.Xdefaults -+.br -+ /var/lib/xguest/home/xguest/\.kde(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.xine(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.config(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.Xdefaults -+.br -+ -+.br -+.B telepathy_logger_cache_home_t -+ -+ /home/[^/]*/\.cache/telepathy/logger(/.*)? -+.br -+ /home/dwalsh/\.cache/telepathy/logger(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.cache/telepathy/logger(/.*)? -+.br -+ -+.br -+.B telepathy_logger_data_home_t -+ -+ /home/[^/]*/\.local/share/TpLogger(/.*)? -+.br -+ /home/dwalsh/\.local/share/TpLogger(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.local/share/TpLogger(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_logger_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
-+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the telepathy_logger_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -93897,6 +174326,9 @@ index 0000000..e218a21 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -93908,15 +174340,15 @@ index 0000000..e218a21 + +.SH "SEE ALSO" +selinux(8), telepathy_logger(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) ++, setsebool(8), telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) \ No newline at end of file diff --git a/man/man8/telepathy_mission_control_selinux.8 b/man/man8/telepathy_mission_control_selinux.8 new file mode 100644 -index 0000000..6367510 +index 0000000..ee2648f --- /dev/null 
+++ b/man/man8/telepathy_mission_control_selinux.8 -@@ -0,0 +1,223 @@ -+.TH "telepathy_mission_control_selinux" "8" "12-11-01" "telepathy_mission_control" "SELinux Policy documentation for telepathy_mission_control" +@@ -0,0 +1,411 @@ ++.TH "telepathy_mission_control_selinux" "8" "13-01-16" "telepathy_mission_control" "SELinux Policy documentation for telepathy_mission_control" +.SH "NAME" +telepathy_mission_control_selinux \- Security Enhanced Linux Policy for the telepathy_mission_control processes +.SH "DESCRIPTION" @@ -93932,7 +174364,9 @@ index 0000000..6367510 + +.SH "ENTRYPOINTS" + -+The telepathy_mission_control_t SELinux type can be entered via the "telepathy_mission_control_exec_t" file type. The default entrypoint paths for the telepathy_mission_control_t domain are the following:" ++The telepathy_mission_control_t SELinux type can be entered via the \fBtelepathy_mission_control_exec_t\fP file type. ++ ++The default entrypoint paths for the telepathy_mission_control_t domain are the following: + +/usr/libexec/mission-control-5 +.SH PROCESS TYPES 
@@ -93950,66 +174384,132 @@ index 0000000..6367510 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a telepathy_mission_control_t ++can be used to make the process type telepathy_mission_control_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux telepathy_mission_control policy is very flexible allowing users to setup their telepathy_mission_control processes in as secure a method as possible. -+.PP -+The following file types are defined for telepathy_mission_control: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. telepathy_mission_control policy is extremely flexible and has several booleans that allow you to manipulate the policy and run telepathy_mission_control with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B telepathy_mission_control_cache_home_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the telepathy_mission_control_cache_home_t type, if you want to store telepathy mission control cache files in the users home directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
+ +.EX -+.PP -+.B telepathy_mission_control_data_home_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the telepathy_mission_control_data_home_t type, if you want to store telepathy mission control data files in the users home directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B telepathy_mission_control_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the telepathy_mission_control_exec_t type, if you want to transition an executable to the telepathy_mission_control_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B telepathy_mission_control_home_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the telepathy_mission_control_home_t type, if you want to store telepathy mission control files in the users home directory. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B telepathy_mission_control_tmp_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the telepathy_mission_control_tmp_t type, if you want to store telepathy mission control temporary files in the /tmp directories. ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the telepathy_mission_control_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telepathy_mission_control_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -94024,6 +174524,10 @@ index 0000000..6367510 +.br + /home/[^/]*/\.cache(/.*)? +.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br + /home/dwalsh/\.nv(/.*)? +.br + /home/dwalsh/\.cache(/.*)? 
@@ -94034,6 +174538,10 @@ index 0000000..6367510 +.br + +.br ++.B cifs_t ++ ++ ++.br +.B config_home_t + + /root/\.kde(/.*)? @@ -94054,6 +174562,14 @@ index 0000000..6367510 +.br + /home/[^/]*/\.Xdefaults +.br ++ /home/pwalsh/\.kde(/.*)? ++.br ++ /home/pwalsh/\.xine(/.*)? ++.br ++ /home/pwalsh/\.config(/.*)? ++.br ++ /home/pwalsh/\.Xdefaults ++.br + /home/dwalsh/\.kde(/.*)? +.br + /home/dwalsh/\.xine(/.*)? @@ -94072,10 +174588,40 @@ index 0000000..6367510 +.br + +.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br +.B telepathy_mission_control_cache_home_t + + /home/[^/]*/\.cache/\.mc_connections +.br ++ /home/pwalsh/\.cache/\.mc_connections ++.br + /home/dwalsh/\.cache/\.mc_connections +.br + /var/lib/xguest/home/xguest/\.cache/\.mc_connections @@ -94086,6 +174632,8 @@ index 0000000..6367510 + + /home/[^/]*/\.local/share/telepathy/mission-control(/.*)? +.br ++ /home/pwalsh/\.local/share/telepathy/mission-control(/.*)? ++.br + /home/dwalsh/\.local/share/telepathy/mission-control(/.*)? +.br + /var/lib/xguest/home/xguest/\.local/share/telepathy/mission-control(/.*)? 
@@ -94096,26 +174644,95 @@ index 0000000..6367510 + + /home/[^/]*/\.mission-control(/.*)? +.br ++ /home/pwalsh/\.mission-control(/.*)? ++.br + /home/dwalsh/\.mission-control(/.*)? +.br + /var/lib/xguest/home/xguest/\.mission-control(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux telepathy_mission_control policy is very flexible allowing users to setup their telepathy_mission_control processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_mission_control_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the telepathy_mission_control, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t telepathy_mission_control_cache_home_t '/srv/telepathy_mission_control/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytelepathy_mission_control_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for telepathy_mission_control: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B telepathy_mission_control_cache_home_t +.EE + ++- Set files with the telepathy_mission_control_cache_home_t type, if you want to store telepathy mission control cache files in the users home directory. 
++ ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.cache/\.mc_connections, /home/pwalsh/\.cache/\.mc_connections, /home/dwalsh/\.cache/\.mc_connections, /var/lib/xguest/home/xguest/\.cache/\.mc_connections ++ ++.EX ++.PP ++.B telepathy_mission_control_data_home_t ++.EE ++ ++- Set files with the telepathy_mission_control_data_home_t type, if you want to store telepathy mission control data files in the users home directory. ++ ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.local/share/telepathy/mission-control(/.*)?, /home/pwalsh/\.local/share/telepathy/mission-control(/.*)?, /home/dwalsh/\.local/share/telepathy/mission-control(/.*)?, /var/lib/xguest/home/xguest/\.local/share/telepathy/mission-control(/.*)? ++ ++.EX ++.PP ++.B telepathy_mission_control_exec_t ++.EE ++ ++- Set files with the telepathy_mission_control_exec_t type, if you want to transition an executable to the telepathy_mission_control_t domain. ++ ++ ++.EX ++.PP ++.B telepathy_mission_control_home_t ++.EE ++ ++- Set files with the telepathy_mission_control_home_t type, if you want to store telepathy mission control files in the users home directory. ++ ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.mission-control(/.*)?, /home/pwalsh/\.mission-control(/.*)?, /home/dwalsh/\.mission-control(/.*)?, /var/lib/xguest/home/xguest/\.mission-control(/.*)? ++ ++.EX ++.PP ++.B telepathy_mission_control_tmp_t ++.EE ++ ++- Set files with the telepathy_mission_control_tmp_t type, if you want to store telepathy mission control temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the telepathy_mission_control_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. 
You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -94127,6 +174744,9 @@ index 0000000..6367510 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -94138,15 +174758,15 @@ index 0000000..6367510 + +.SH "SEE ALSO" +selinux(8), telepathy_mission_control(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) ++, setsebool(8), telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) \ No newline at end of file diff --git a/man/man8/telepathy_msn_selinux.8 b/man/man8/telepathy_msn_selinux.8 new file mode 100644 -index 0000000..69bc52e +index 0000000..a9da2c3 --- /dev/null +++ b/man/man8/telepathy_msn_selinux.8 -@@ -0,0 +1,135 @@ -+.TH "telepathy_msn_selinux" "8" "12-11-01" "telepathy_msn" "SELinux Policy documentation for telepathy_msn" +@@ -0,0 +1,253 @@ ++.TH "telepathy_msn_selinux" "8" "13-01-16" "telepathy_msn" "SELinux Policy documentation for telepathy_msn" +.SH "NAME" +telepathy_msn_selinux \- Security Enhanced Linux Policy for the telepathy_msn processes +.SH "DESCRIPTION" 
@@ -94162,7 +174782,9 @@ index 0000000..69bc52e + +.SH "ENTRYPOINTS" + -+The telepathy_msn_t SELinux type can be entered via the "telepathy_msn_exec_t" file type. The default entrypoint paths for the telepathy_msn_t domain are the following:" ++The telepathy_msn_t SELinux type can be entered via the \fBtelepathy_msn_exec_t\fP file type. ++ ++The default entrypoint paths for the telepathy_msn_t domain are the following: + +/usr/libexec/telepathy-haze, /usr/libexec/telepathy-butterfly +.SH PROCESS TYPES 
@@ -94180,8 +174802,146 @@ index 0000000..69bc52e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a telepathy_msn_t ++can be used to make the process type telepathy_msn_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. telepathy_msn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run telepathy_msn with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow the Telepathy connection managers to connect to any network port, you must turn on the telepathy_connect_all_ports boolean. Disabled by default. ++ ++.EX ++.B setsebool -P telepathy_connect_all_ports 1 ++ ++.EE ++ ++.PP ++If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean. Enabled by default. ++ ++.EX ++.B setsebool -P telepathy_tcp_connect_generic_network_ports 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the telepathy_msn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telepathy_msn_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type telepathy_msn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? ++.br ++ /home/[^/]*/\.nv(/.*)? ++.br ++ /home/[^/]*/\.cache(/.*)? 
++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br ++ ++.br ++.B telepathy_msn_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -94191,7 +174951,20 @@ index 0000000..69bc52e +Policy governs the access confined processes have to these files. +SELinux telepathy_msn policy is very flexible allowing users to setup their telepathy_msn processes in as secure a method as possible. +.PP -+The following file types are defined for telepathy_msn: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the telepathy_msn, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t telepathy_msn_exec_t '/srv/telepathy_msn/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytelepathy_msn_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for telepathy_msn: + + +.EX @@ -94201,6 +174974,10 @@ index 0000000..69bc52e + +- Set files with the telepathy_msn_exec_t type, if you want to transition an executable to the telepathy_msn_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/libexec/telepathy-haze, /usr/libexec/telepathy-butterfly + +.EX +.PP 
@@ -94217,48 +174994,6 @@ index 0000000..69bc52e +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type telepathy_msn_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cache_home_t -+ -+ /root/\.cache(/.*)? -+.br -+ /home/[^/]*/\.nv(/.*)? -+.br -+ /home/[^/]*/\.cache(/.*)? -+.br -+ /home/dwalsh/\.nv(/.*)? -+.br -+ /home/dwalsh/\.cache(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.nv(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.cache(/.*)? -+.br -+ -+.br -+.B telepathy_msn_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_msn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the telepathy_msn_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -94269,6 +175004,9 @@ index 0000000..69bc52e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -94280,15 +175018,15 @@ index 0000000..69bc52e + +.SH "SEE ALSO" +selinux(8), telepathy_msn(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) ++, setsebool(8), telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) \ No newline at end of file diff --git a/man/man8/telepathy_salut_selinux.8 b/man/man8/telepathy_salut_selinux.8 new file mode 100644 -index 0000000..b680807 +index 0000000..d8e17a8 --- /dev/null +++ b/man/man8/telepathy_salut_selinux.8 -@@ -0,0 +1,131 @@ -+.TH "telepathy_salut_selinux" "8" "12-11-01" "telepathy_salut" "SELinux Policy documentation for telepathy_salut" +@@ -0,0 +1,245 @@ ++.TH "telepathy_salut_selinux" "8" "13-01-16" "telepathy_salut" "SELinux Policy documentation for telepathy_salut" +.SH "NAME" +telepathy_salut_selinux \- Security Enhanced Linux Policy for the telepathy_salut processes +.SH "DESCRIPTION" @@ -94304,7 +175042,9 @@ index 0000000..b680807 + +.SH "ENTRYPOINTS" + -+The telepathy_salut_t SELinux type can be entered via the "telepathy_salut_exec_t" file type. The default entrypoint paths for the telepathy_salut_t domain are the following:" ++The telepathy_salut_t SELinux type can be entered via the \fBtelepathy_salut_exec_t\fP file type. ++ ++The default entrypoint paths for the telepathy_salut_t domain are the following: + +/usr/libexec/telepathy-salut +.SH PROCESS TYPES 
@@ -94322,8 +175062,142 @@ index 0000000..b680807 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a telepathy_salut_t ++can be used to make the process type telepathy_salut_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. telepathy_salut policy is extremely flexible and has several booleans that allow you to manipulate the policy and run telepathy_salut with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow the Telepathy connection managers to connect to any network port, you must turn on the telepathy_connect_all_ports boolean. Disabled by default. ++ ++.EX ++.B setsebool -P telepathy_connect_all_ports 1 ++ ++.EE ++ ++.PP ++If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean. Enabled by default. ++ ++.EX ++.B setsebool -P telepathy_tcp_connect_generic_network_ports 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the telepathy_salut_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telepathy_salut_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type telepathy_salut_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? ++.br ++ /home/[^/]*/\.nv(/.*)? ++.br ++ /home/[^/]*/\.cache(/.*)? 
++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -94333,7 +175207,20 @@ index 0000000..b680807 +Policy governs the access confined processes have to these files. +SELinux telepathy_salut policy is very flexible allowing users to setup their telepathy_salut processes in as secure a method as possible. +.PP -+The following file types are defined for telepathy_salut: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the telepathy_salut, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t telepathy_salut_exec_t '/srv/telepathy_salut/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytelepathy_salut_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for telepathy_salut: + + +.EX 
@@ -94359,44 +175246,6 @@ index 0000000..b680807 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type telepathy_salut_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cache_home_t -+ -+ /root/\.cache(/.*)? -+.br -+ /home/[^/]*/\.nv(/.*)? -+.br -+ /home/[^/]*/\.cache(/.*)? -+.br -+ /home/dwalsh/\.nv(/.*)? -+.br -+ /home/dwalsh/\.cache(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.nv(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.cache(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_salut_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the telepathy_salut_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -94407,6 +175256,9 @@ index 0000000..b680807 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -94418,15 +175270,15 @@ index 0000000..b680807 + +.SH "SEE ALSO" +selinux(8), telepathy_salut(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) ++, setsebool(8), telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) \ No newline at end of file diff --git a/man/man8/telepathy_sofiasip_selinux.8 b/man/man8/telepathy_sofiasip_selinux.8 new file mode 100644 -index 0000000..7a6973e +index 0000000..db1b7ce --- /dev/null +++ b/man/man8/telepathy_sofiasip_selinux.8 -@@ -0,0 +1,131 @@ -+.TH "telepathy_sofiasip_selinux" "8" "12-11-01" "telepathy_sofiasip" "SELinux Policy documentation for telepathy_sofiasip" +@@ -0,0 +1,245 @@ ++.TH "telepathy_sofiasip_selinux" "8" "13-01-16" "telepathy_sofiasip" "SELinux Policy documentation for telepathy_sofiasip" +.SH "NAME" +telepathy_sofiasip_selinux \- Security Enhanced Linux Policy for the telepathy_sofiasip processes +.SH "DESCRIPTION" @@ -94442,7 +175294,9 @@ index 0000000..7a6973e + +.SH "ENTRYPOINTS" + -+The telepathy_sofiasip_t SELinux type can be entered via the "telepathy_sofiasip_exec_t" file type. The default entrypoint paths for the telepathy_sofiasip_t domain are the following:" ++The telepathy_sofiasip_t SELinux type can be entered via the \fBtelepathy_sofiasip_exec_t\fP file type. ++ ++The default entrypoint paths for the telepathy_sofiasip_t domain are the following: + +/usr/libexec/telepathy-sofiasip +.SH PROCESS TYPES 
@@ -94460,8 +175314,142 @@ index 0000000..7a6973e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a telepathy_sofiasip_t ++can be used to make the process type telepathy_sofiasip_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. telepathy_sofiasip policy is extremely flexible and has several booleans that allow you to manipulate the policy and run telepathy_sofiasip with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow the Telepathy connection managers to connect to any network port, you must turn on the telepathy_connect_all_ports boolean. Disabled by default. ++ ++.EX ++.B setsebool -P telepathy_connect_all_ports 1 ++ ++.EE ++ ++.PP ++If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean. Enabled by default. ++ ++.EX ++.B setsebool -P telepathy_tcp_connect_generic_network_ports 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the telepathy_sofiasip_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telepathy_sofiasip_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type telepathy_sofiasip_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? ++.br ++ /home/[^/]*/\.nv(/.*)? 
++.br ++ /home/[^/]*/\.cache(/.*)? ++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -94471,7 +175459,20 @@ index 0000000..7a6973e +Policy governs the access confined processes have to these files. +SELinux telepathy_sofiasip policy is very flexible allowing users to setup their telepathy_sofiasip processes in as secure a method as possible. +.PP -+The following file types are defined for telepathy_sofiasip: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the telepathy_sofiasip, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t telepathy_sofiasip_exec_t '/srv/telepathy_sofiasip/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytelepathy_sofiasip_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for telepathy_sofiasip: + + +.EX 
@@ -94497,44 +175498,6 @@ index 0000000..7a6973e +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type telepathy_sofiasip_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cache_home_t -+ -+ /root/\.cache(/.*)? -+.br -+ /home/[^/]*/\.nv(/.*)? -+.br -+ /home/[^/]*/\.cache(/.*)? -+.br -+ /home/dwalsh/\.nv(/.*)? -+.br -+ /home/dwalsh/\.cache(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.nv(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.cache(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_sofiasip_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the telepathy_sofiasip_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -94545,6 +175508,9 @@ index 0000000..7a6973e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -94556,15 +175522,15 @@ index 0000000..7a6973e + +.SH "SEE ALSO" +selinux(8), telepathy_sofiasip(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) ++, setsebool(8), telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_stream_engine_selinux(8), telepathy_sunshine_selinux(8) \ No newline at end of file diff --git a/man/man8/telepathy_stream_engine_selinux.8 b/man/man8/telepathy_stream_engine_selinux.8 new file mode 100644 -index 0000000..dafb6b0 +index 0000000..6b041cf --- /dev/null +++ b/man/man8/telepathy_stream_engine_selinux.8 -@@ -0,0 +1,131 @@ -+.TH "telepathy_stream_engine_selinux" "8" "12-11-01" "telepathy_stream_engine" "SELinux Policy documentation for telepathy_stream_engine" +@@ -0,0 +1,229 @@ ++.TH "telepathy_stream_engine_selinux" "8" "13-01-16" "telepathy_stream_engine" "SELinux Policy documentation for telepathy_stream_engine" +.SH "NAME" +telepathy_stream_engine_selinux \- Security Enhanced Linux Policy for the telepathy_stream_engine processes +.SH "DESCRIPTION" @@ -94580,7 +175546,9 @@ index 0000000..dafb6b0 + +.SH "ENTRYPOINTS" + -+The telepathy_stream_engine_t SELinux type can be entered via the "telepathy_stream_engine_exec_t" file type. The default entrypoint paths for the telepathy_stream_engine_t domain are the following:" ++The telepathy_stream_engine_t SELinux type can be entered via the \fBtelepathy_stream_engine_exec_t\fP file type. ++ ++The default entrypoint paths for the telepathy_stream_engine_t domain are the following: + +/usr/libexec/telepathy-stream-engine +.SH PROCESS TYPES 
@@ -94598,8 +175566,126 @@ index 0000000..dafb6b0 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a telepathy_stream_engine_t ++can be used to make the process type telepathy_stream_engine_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. telepathy_stream_engine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run telepathy_stream_engine with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the telepathy_stream_engine_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telepathy_stream_engine_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type telepathy_stream_engine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? ++.br ++ /home/[^/]*/\.nv(/.*)? ++.br ++ /home/[^/]*/\.cache(/.*)? ++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -94609,7 +175695,20 @@ index 0000000..dafb6b0 +Policy governs the access confined processes have to these files. +SELinux telepathy_stream_engine policy is very flexible allowing users to setup their telepathy_stream_engine processes in as secure a method as possible. +.PP -+The following file types are defined for telepathy_stream_engine: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the telepathy_stream_engine, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t telepathy_stream_engine_exec_t '/srv/telepathy_stream_engine/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytelepathy_stream_engine_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for telepathy_stream_engine: + + +.EX 
@@ -94635,44 +175734,6 @@ index 0000000..dafb6b0 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type telepathy_stream_engine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cache_home_t -+ -+ /root/\.cache(/.*)? -+.br -+ /home/[^/]*/\.nv(/.*)? -+.br -+ /home/[^/]*/\.cache(/.*)? -+.br -+ /home/dwalsh/\.nv(/.*)? -+.br -+ /home/dwalsh/\.cache(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.nv(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.cache(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_stream_engine_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the telepathy_stream_engine_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -94683,6 +175744,9 @@ index 0000000..dafb6b0 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -94694,15 +175758,15 @@ index 0000000..dafb6b0 + +.SH "SEE ALSO" +selinux(8), telepathy_stream_engine(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_sunshine_selinux(8) ++, setsebool(8), telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_sunshine_selinux(8) \ No newline at end of file diff --git a/man/man8/telepathy_sunshine_selinux.8 b/man/man8/telepathy_sunshine_selinux.8 new file mode 100644 -index 0000000..96616f7 +index 0000000..bc2ffc7 --- /dev/null +++ b/man/man8/telepathy_sunshine_selinux.8 -@@ -0,0 +1,153 @@ -+.TH "telepathy_sunshine_selinux" "8" "12-11-01" "telepathy_sunshine" "SELinux Policy documentation for telepathy_sunshine" +@@ -0,0 +1,257 @@ ++.TH "telepathy_sunshine_selinux" "8" "13-01-16" "telepathy_sunshine" "SELinux Policy documentation for telepathy_sunshine" +.SH "NAME" +telepathy_sunshine_selinux \- Security Enhanced Linux Policy for the telepathy_sunshine processes +.SH "DESCRIPTION" @@ -94718,7 +175782,9 @@ index 0000000..96616f7 + +.SH "ENTRYPOINTS" + -+The telepathy_sunshine_t SELinux type can be entered via the "telepathy_sunshine_exec_t" file type. The default entrypoint paths for the telepathy_sunshine_t domain are the following:" ++The telepathy_sunshine_t SELinux type can be entered via the \fBtelepathy_sunshine_exec_t\fP file type. ++ ++The default entrypoint paths for the telepathy_sunshine_t domain are the following: + +/usr/libexec/telepathy-sunshine +.SH PROCESS TYPES 
@@ -94736,8 +175802,142 @@ index 0000000..96616f7 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a telepathy_sunshine_t ++can be used to make the process type telepathy_sunshine_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. telepathy_sunshine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run telepathy_sunshine with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the telepathy_sunshine_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telepathy_sunshine_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type telepathy_sunshine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? ++.br ++ /home/[^/]*/\.nv(/.*)? ++.br ++ /home/[^/]*/\.cache(/.*)? ++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br ++ ++.br ++.B telepathy_sunshine_home_t ++ ++ /home/[^/]*/\.telepathy-sunshine(/.*)? ++.br ++ /home/pwalsh/\.telepathy-sunshine(/.*)? ++.br ++ /home/dwalsh/\.telepathy-sunshine(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.telepathy-sunshine(/.*)? 
++.br ++ ++.br ++.B telepathy_sunshine_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -94747,7 +175947,20 @@ index 0000000..96616f7 +Policy governs the access confined processes have to these files. +SELinux telepathy_sunshine policy is very flexible allowing users to setup their telepathy_sunshine processes in as secure a method as possible. +.PP -+The following file types are defined for telepathy_sunshine: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the telepathy_sunshine, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t telepathy_sunshine_exec_t '/srv/telepathy_sunshine/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytelepathy_sunshine_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for telepathy_sunshine: + + +.EX @@ -94765,6 +175978,10 @@ index 0000000..96616f7 + +- Set files with the telepathy_sunshine_home_t type, if you want to store telepathy sunshine files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.telepathy-sunshine(/.*)?, /home/pwalsh/\.telepathy-sunshine(/.*)?, /home/dwalsh/\.telepathy-sunshine(/.*)?, /var/lib/xguest/home/xguest/\.telepathy-sunshine(/.*)? + +.EX +.PP 
@@ -94781,58 +175998,6 @@ index 0000000..96616f7 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type telepathy_sunshine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B cache_home_t -+ -+ /root/\.cache(/.*)? -+.br -+ /home/[^/]*/\.nv(/.*)? -+.br -+ /home/[^/]*/\.cache(/.*)? -+.br -+ /home/dwalsh/\.nv(/.*)? -+.br -+ /home/dwalsh/\.cache(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.nv(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.cache(/.*)? -+.br -+ -+.br -+.B telepathy_sunshine_home_t -+ -+ /home/[^/]*/\.telepathy-sunshine(/.*)? -+.br -+ /home/dwalsh/\.telepathy-sunshine(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.telepathy-sunshine(/.*)? -+.br -+ -+.br -+.B telepathy_sunshine_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_sunshine_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the telepathy_sunshine_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -94843,6 +176008,9 @@ index 0000000..96616f7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -94854,15 +176022,15 @@ index 0000000..96616f7 + +.SH "SEE ALSO" +selinux(8), telepathy_sunshine(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8) ++, setsebool(8), telepathy_gabble_selinux(8), telepathy_idle_selinux(8), telepathy_logger_selinux(8), telepathy_mission_control_selinux(8), telepathy_msn_selinux(8), telepathy_salut_selinux(8), telepathy_sofiasip_selinux(8), telepathy_stream_engine_selinux(8) \ No newline at end of file diff --git a/man/man8/telnetd_selinux.8 b/man/man8/telnetd_selinux.8 new file mode 100644 -index 0000000..955a5aa +index 0000000..67d9557 --- /dev/null +++ b/man/man8/telnetd_selinux.8 -@@ -0,0 +1,222 @@ -+.TH "telnetd_selinux" "8" "12-11-01" "telnetd" "SELinux Policy documentation for telnetd" +@@ -0,0 +1,339 @@ ++.TH "telnetd_selinux" "8" "13-01-16" "telnetd" "SELinux Policy documentation for telnetd" +.SH "NAME" +telnetd_selinux \- Security Enhanced Linux Policy for the telnetd processes +.SH "DESCRIPTION" @@ -94878,7 +176046,9 @@ index 0000000..955a5aa + +.SH "ENTRYPOINTS" + -+The telnetd_t SELinux type can be entered via the "telnetd_exec_t" file type. The default entrypoint paths for the telnetd_t domain are the following:" ++The telnetd_t SELinux type can be entered via the \fBtelnetd_exec_t\fP file type. ++ ++The default entrypoint paths for the telnetd_t domain are the following: + +/usr/sbin/in\.telnetd, /usr/kerberos/sbin/telnetd +.SH PROCESS TYPES 
@@ -94896,58 +176066,116 @@ index 0000000..955a5aa +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a telnetd_t ++can be used to make the process type telnetd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux telnetd policy is very flexible allowing users to setup their telnetd processes in as secure a method as possible. -+.PP -+The following file types are defined for telnetd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. telnetd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run telnetd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B telnetd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the telnetd_exec_t type, if you want to transition an executable to the telnetd_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B telnetd_keytab_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the telnetd_keytab_t type, if you want to treat the files as kerberos keytab files. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. 
Enabled by default. + +.EX -+.PP -+.B telnetd_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the telnetd_tmp_t type, if you want to store telnetd temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B telnetd_var_run_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the telnetd_var_run_t type, if you want to store the telnetd files under the /run directory. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the telnetd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telnetd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -95033,6 +176261,8 @@ index 0000000..955a5aa +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest 
@@ -95044,21 +176274,72 @@ index 0000000..955a5aa + /var/log/wtmp.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux telnetd policy is very flexible allowing users to setup their telnetd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telnetd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the telnetd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t telnetd_exec_t '/srv/telnetd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytelnetd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for telnetd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B telnetd_exec_t +.EE + ++- Set files with the telnetd_exec_t type, if you want to transition an executable to the telnetd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/in\.telnetd, /usr/kerberos/sbin/telnetd ++ ++.EX ++.PP ++.B telnetd_keytab_t ++.EE ++ ++- Set files with the telnetd_keytab_t type, if you want to treat the files as kerberos keytab files. ++ ++ ++.EX ++.PP ++.B telnetd_tmp_t ++.EE ++ ++- Set files with the telnetd_tmp_t type, if you want to store telnetd temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B telnetd_var_run_t ++.EE ++ ++- Set files with the telnetd_var_run_t type, if you want to store the telnetd files under the /run or /var/run directory. 
++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the telnetd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -95073,6 +176354,9 @@ index 0000000..955a5aa +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -95084,13 +176368,15 @@ index 0000000..955a5aa + +.SH "SEE ALSO" +selinux(8), telnetd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/tftpd_selinux.8 b/man/man8/tftpd_selinux.8 new file mode 100644 -index 0000000..9909eeb +index 0000000..08f6dae --- /dev/null +++ b/man/man8/tftpd_selinux.8 -@@ -0,0 +1,227 @@ -+.TH "tftpd_selinux" "8" "12-11-01" "tftpd" "SELinux Policy documentation for tftpd" +@@ -0,0 +1,377 @@ ++.TH "tftpd_selinux" "8" "13-01-16" "tftpd" "SELinux Policy documentation for tftpd" +.SH "NAME" +tftpd_selinux \- Security Enhanced Linux Policy for the tftpd processes +.SH "DESCRIPTION" @@ -95106,7 +176392,9 @@ index 0000000..9909eeb + +.SH "ENTRYPOINTS" + -+The tftpd_t SELinux type can be entered via the "tftpd_exec_t" file type. The default entrypoint paths for the tftpd_t domain are the following:" ++The tftpd_t SELinux type can be entered via the \fBtftpd_exec_t\fP file type. ++ ++The default entrypoint paths for the tftpd_t domain are the following: + +/usr/sbin/atftpd, /usr/sbin/in\.tftpd +.SH PROCESS TYPES 
@@ -95124,118 +176412,149 @@ index 0000000..9909eeb +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a tftpd_t ++can be used to make the process type tftpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. tftpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tftpd with the tightest access possible. + + +.PP -+If you want to allow tftp to read and write files in the user home directories, you must turn on the tftp_home_dir boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow tftp to read and write files in the user home directories, you must turn on the tftp_home_dir boolean. Disabled by default. + +.EX +.B setsebool -P tftp_home_dir 1 ++ +.EE + +.PP -+If you want to allow tftp to read and write files in the user home directories, you must turn on the tftp_home_dir boolean. ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Disabled by default. + +.EX -+.B setsebool -P tftp_home_dir 1 ++.B setsebool -P use_nfs_home_dirs 1 ++ +.EE + -+.SH SHARING FILES -+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. 
If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. -+.TP -+Allow tftpd servers to read the /var/tftpd directory by adding the public_content_t file type to the directory and by restoring the file type. +.PP -+.B -+semanage fcontext -a -t public_content_t "/var/tftpd(/.*)?" -+.br -+.B restorecon -F -R -v /var/tftpd -+.pp -+.TP -+Allow tftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_tftpdd_anon_write boolean to be set. -+.PP -+.B -+semanage fcontext -a -t public_content_rw_t "/var/tftpd/incoming(/.*)?" -+.br -+.B restorecon -F -R -v /var/tftpd/incoming -+ -+ -+.PP -+If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean. ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. + +.EX -+.B setsebool -P tftp_anon_write 1 ++.B setsebool -P use_samba_home_dirs 1 ++ +.EE + ++.SH NSSWITCH DOMAIN ++ +.PP -+If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the tftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.B setsebool -P tftp_anon_write 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux tftpd policy is very flexible allowing users to setup their tftpd processes in as secure a method as possible. 
-+.PP -+The following file types are defined for tftpd: -+ ++If you want to allow confined applications to run with kerberos for the tftpd_t, you must turn on the kerberos_enabled boolean. + +.EX -+.PP -+.B tftpd_etc_t ++.B setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the tftpd_etc_t type, if you want to store tftpd files in the /etc directories. -+ -+ -+.EX -+.PP -+.B tftpd_exec_t -+.EE -+ -+- Set files with the tftpd_exec_t type, if you want to transition an executable to the tftpd_t domain. -+ -+ -+.EX -+.PP -+.B tftpd_var_run_t -+.EE -+ -+- Set files with the tftpd_var_run_t type, if you want to store the tftpd files under the /run directory. -+ -+ -+.EX -+.PP -+.B tftpdir_rw_t -+.EE -+ -+- Set files with the tftpdir_rw_t type, if you want to treat the files as tftpdir read/write content. -+ -+ -+.EX -+.PP -+.B tftpdir_t -+.EE -+ -+- Set files with the tftpdir_t type, if you want to treat the files as tftpdir data. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP @@ -95264,6 +176583,28 @@ index 0000000..9909eeb +The SELinux process type tftpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B public_content_rw_t ++ ++ /var/spool/abrt-upload(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B tftpd_var_run_t + + 
@@ -95273,20 +176614,115 @@ index 0000000..9909eeb + /var/lib/tftpboot(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B user_home_type ++ ++ all user home files ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux tftpd policy is very flexible allowing users to setup their tftpd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the tftpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t tftpd_etc_t '/srv/tftpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytftpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for tftpd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B tftpd_etc_t +.EE + -+.PP -+If you want to allow confined applications to run with kerberos for the tftpd_t, you must turn on the kerberos_enabled boolean. ++- Set files with the tftpd_etc_t type, if you want to store tftpd files in the /etc directories. ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B tftpd_exec_t ++.EE ++ ++- Set files with the tftpd_exec_t type, if you want to transition an executable to the tftpd_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/atftpd, /usr/sbin/in\.tftpd ++ ++.EX ++.PP ++.B tftpd_var_run_t ++.EE ++ ++- Set files with the tftpd_var_run_t type, if you want to store the tftpd files under the /run or /var/run directory. ++ ++ ++.EX ++.PP ++.B tftpdir_rw_t ++.EE ++ ++- Set files with the tftpdir_rw_t type, if you want to treat the files as tftpdir read/write content. ++ ++ ++.EX ++.PP ++.B tftpdir_t ++.EE ++ ++- Set files with the tftpdir_t type, if you want to treat the files as tftpdir data. ++ ++.br ++.TP 5 ++Paths: ++/tftpboot/.*, /tftpboot ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH SHARING FILES ++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. ++.TP ++Allow tftpd servers to read the /var/tftpd directory by adding the public_content_t file type to the directory and by restoring the file type. ++.PP ++.B ++semanage fcontext -a -t public_content_t "/var/tftpd(/.*)?" ++.br ++.B restorecon -F -R -v /var/tftpd ++.pp ++.TP ++Allow tftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_tftpdd_anon_write boolean to be set. ++.PP ++.B ++semanage fcontext -a -t public_content_rw_t "/var/tftpd/incoming(/.*)?" ++.br ++.B restorecon -F -R -v /var/tftpd/incoming ++ ++ ++.PP ++If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean. 
++ ++.EX ++.B setsebool -P tftp_anon_write 1 +.EE + +.SH "COMMANDS" @@ -95320,11 +176756,11 @@ index 0000000..9909eeb \ No newline at end of file diff --git a/man/man8/tgtd_selinux.8 b/man/man8/tgtd_selinux.8 new file mode 100644 -index 0000000..e0da88e +index 0000000..85d5331 --- /dev/null +++ b/man/man8/tgtd_selinux.8 -@@ -0,0 +1,146 @@ -+.TH "tgtd_selinux" "8" "12-11-01" "tgtd" "SELinux Policy documentation for tgtd" +@@ -0,0 +1,239 @@ ++.TH "tgtd_selinux" "8" "13-01-16" "tgtd" "SELinux Policy documentation for tgtd" +.SH "NAME" +tgtd_selinux \- Security Enhanced Linux Policy for the tgtd processes +.SH "DESCRIPTION" @@ -95340,7 +176776,9 @@ index 0000000..e0da88e + +.SH "ENTRYPOINTS" + -+The tgtd_t SELinux type can be entered via the "tgtd_exec_t" file type. The default entrypoint paths for the tgtd_t domain are the following:" ++The tgtd_t SELinux type can be entered via the \fBtgtd_exec_t\fP file type. ++ ++The default entrypoint paths for the tgtd_t domain are the following: + +/usr/sbin/tgtd +.SH PROCESS TYPES 
@@ -95358,8 +176796,104 @@ index 0000000..e0da88e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a tgtd_t ++can be used to make the process type tgtd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. tgtd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tgtd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type tgtd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B tgtd_tmpfs_t ++ ++ ++.br ++.B tgtd_var_lib_t ++ ++ /var/lib/tgtd(/.*)? ++.br ++ ++.br ++.B tgtd_var_run_t ++ ++ /var/run/tgtd.* ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -95369,7 +176903,20 @@ index 0000000..e0da88e +Policy governs the access confined processes have to these files. +SELinux tgtd policy is very flexible allowing users to setup their tgtd processes in as secure a method as possible. +.PP -+The following file types are defined for tgtd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the tgtd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t tgtd_exec_t '/srv/tgtd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytgtd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for tgtd: + + +.EX 
@@ -95417,7 +176964,7 @@ index 0000000..e0da88e +.B tgtd_var_run_t +.EE + -+- Set files with the tgtd_var_run_t type, if you want to store the tgtd files under the /run directory. ++- Set files with the tgtd_var_run_t type, if you want to store the tgtd files under the /run or /var/run directory. + + +.PP @@ -95427,28 +176974,6 @@ index 0000000..e0da88e +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type tgtd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B tgtd_tmpfs_t -+ -+ -+.br -+.B tgtd_var_lib_t -+ -+ /var/lib/tgtd(/.*)? -+.br -+ -+.br -+.B tgtd_var_run_t -+ -+ /var/run/tgtd.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -95459,6 +176984,9 @@ index 0000000..e0da88e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -95470,13 +176998,15 @@ index 0000000..e0da88e + +.SH "SEE ALSO" +selinux(8), tgtd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/thin_aeolus_configserver_selinux.8 b/man/man8/thin_aeolus_configserver_selinux.8 new file mode 100644 -index 0000000..66344ef +index 0000000..bf0f82b --- /dev/null 
+++ b/man/man8/thin_aeolus_configserver_selinux.8 -@@ -0,0 +1,133 @@ -+.TH "thin_aeolus_configserver_selinux" "8" "12-11-01" "thin_aeolus_configserver" "SELinux Policy documentation for thin_aeolus_configserver" +@@ -0,0 +1,225 @@ ++.TH "thin_aeolus_configserver_selinux" "8" "13-01-16" "thin_aeolus_configserver" "SELinux Policy documentation for thin_aeolus_configserver" +.SH "NAME" +thin_aeolus_configserver_selinux \- Security Enhanced Linux Policy for the thin_aeolus_configserver processes +.SH "DESCRIPTION" @@ -95492,7 +177022,9 @@ index 0000000..66344ef + +.SH "ENTRYPOINTS" + -+The thin_aeolus_configserver_t SELinux type can be entered via the "thin_aeolus_configserver_exec_t" file type. The default entrypoint paths for the thin_aeolus_configserver_t domain are the following:" ++The thin_aeolus_configserver_t SELinux type can be entered via the \fBthin_aeolus_configserver_exec_t\fP file type. ++ ++The default entrypoint paths for the thin_aeolus_configserver_t domain are the following: + +/usr/bin/aeolus-configserver-thinwrapper +.SH PROCESS TYPES 
@@ -95510,64 +177042,90 @@ index 0000000..66344ef +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a thin_aeolus_configserver_t ++can be used to make the process type thin_aeolus_configserver_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux thin_aeolus_configserver policy is very flexible allowing users to setup their thin_aeolus_configserver processes in as secure a method as possible. -+.PP -+The following file types are defined for thin_aeolus_configserver: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. thin_aeolus_configserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run thin_aeolus_configserver with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B thin_aeolus_configserver_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the thin_aeolus_configserver_exec_t type, if you want to transition an executable to the thin_aeolus_configserver_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ +.EX -+.PP -+.B thin_aeolus_configserver_lib_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the thin_aeolus_configserver_lib_t type, if you want to treat the files as thin aeolus configserver lib data. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B thin_aeolus_configserver_log_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the thin_aeolus_configserver_log_t type, if you want to treat the data as thin aeolus configserver log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B thin_aeolus_configserver_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the thin_aeolus_configserver_var_run_t type, if you want to store the thin aeolus configserver files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + +The SELinux process type thin_aeolus_configserver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B thin_aeolus_configserver_lib_t + + /var/lib/aeolus-configserver(/.*)? 
@@ -95585,83 +177143,28 @@ index 0000000..66344ef + /var/run/aeolus-configserver(/.*)? +.br + -+.SH NSSWITCH DOMAIN -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was auto-generated using -+.B "sepolicy manpage" -+by Dan Walsh. -+ -+.SH "SEE ALSO" -+selinux(8), thin_aeolus_configserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, thin_selinux(8), thin_selinux(8) -\ No newline at end of file -diff --git a/man/man8/thin_selinux.8 b/man/man8/thin_selinux.8 -new file mode 100644 -index 0000000..dbab03d ---- /dev/null -+++ b/man/man8/thin_selinux.8 -@@ -0,0 +1,151 @@ -+.TH "thin_selinux" "8" "12-11-01" "thin" "SELinux Policy documentation for thin" -+.SH "NAME" -+thin_selinux \- Security Enhanced Linux Policy for the thin processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the thin processes via flexible mandatory access control. -+ -+The thin processes execute with the thin_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. -+ -+For example: -+ -+.B ps -eZ | grep thin_t -+ -+ -+.SH "ENTRYPOINTS" -+ -+The thin_t SELinux type can be entered via the "thin_exec_t" file type. The default entrypoint paths for the thin_t domain are the following:" -+ -+/usr/bin/thin -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. 
-+SELinux thin policy is very flexible allowing users to setup their thin processes in as secure a method as possible. -+.PP -+The following process types are defined for thin: -+ -+.EX -+.B thin_t, thin_aeolus_configserver_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP +Policy governs the access confined processes have to these files. -+SELinux thin policy is very flexible allowing users to setup their thin processes in as secure a method as possible. ++SELinux thin_aeolus_configserver policy is very flexible allowing users to setup their thin_aeolus_configserver processes in as secure a method as possible. +.PP -+The following file types are defined for thin: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the thin_aeolus_configserver, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t thin_aeolus_configserver_exec_t '/srv/thin_aeolus_configserver/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mythin_aeolus_configserver_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for thin_aeolus_configserver: + + +.EX 
@@ -95693,7 +177196,233 @@ index 0000000..dbab03d +.B thin_aeolus_configserver_var_run_t +.EE + -+- Set files with the thin_aeolus_configserver_var_run_t type, if you want to store the thin aeolus configserver files under the /run directory. ++- Set files with the thin_aeolus_configserver_var_run_t type, if you want to store the thin aeolus configserver files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), thin_aeolus_configserver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), thin_selinux(8), thin_selinux(8) +\ No newline at end of file +diff --git a/man/man8/thin_selinux.8 b/man/man8/thin_selinux.8 +new file mode 100644 +index 0000000..e049147 +--- /dev/null ++++ b/man/man8/thin_selinux.8 +@@ -0,0 +1,243 @@ ++.TH "thin_selinux" "8" "13-01-16" "thin" "SELinux Policy documentation for thin" ++.SH "NAME" ++thin_selinux \- Security Enhanced Linux Policy for the thin processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the thin processes via flexible mandatory access control. ++ ++The thin processes execute with the thin_t SELinux type. 
You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep thin_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The thin_t SELinux type can be entered via the \fBthin_exec_t\fP file type. ++ ++The default entrypoint paths for the thin_t domain are the following: ++ ++/usr/bin/thin ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux thin policy is very flexible allowing users to setup their thin processes in as secure a method as possible. ++.PP ++The following process types are defined for thin: ++ ++.EX ++.B thin_t, thin_aeolus_configserver_t ++.EE ++.PP ++Note: ++.B semanage permissive -a thin_t ++can be used to make the process type thin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. thin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run thin with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type thin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B thin_log_t ++ ++ /var/log/thin\.log.* ++.br ++ ++.br ++.B thin_var_run_t ++ ++ /var/run/aeolus/thin\.pid ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux thin policy is very flexible allowing users to setup their thin processes in as secure a method as possible. 
++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the thin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t thin_aeolus_configserver_exec_t '/srv/thin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mythin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for thin: ++ ++ ++.EX ++.PP ++.B thin_aeolus_configserver_exec_t ++.EE ++ ++- Set files with the thin_aeolus_configserver_exec_t type, if you want to transition an executable to the thin_aeolus_configserver_t domain. ++ ++ ++.EX ++.PP ++.B thin_aeolus_configserver_lib_t ++.EE ++ ++- Set files with the thin_aeolus_configserver_lib_t type, if you want to treat the files as thin aeolus configserver lib data. ++ ++ ++.EX ++.PP ++.B thin_aeolus_configserver_log_t ++.EE ++ ++- Set files with the thin_aeolus_configserver_log_t type, if you want to treat the data as thin aeolus configserver log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B thin_aeolus_configserver_var_run_t ++.EE ++ ++- Set files with the thin_aeolus_configserver_var_run_t type, if you want to store the thin aeolus configserver files under the /run or /var/run directory. + + +.EX @@ -95717,7 +177446,7 @@ index 0000000..dbab03d +.B thin_var_run_t +.EE + -+- Set files with the thin_var_run_t type, if you want to store the thin files under the /run directory. ++- Set files with the thin_var_run_t type, if you want to store the thin files under the /run or /var/run directory. + + +.PP 
@@ -95727,24 +177456,6 @@ index 0000000..dbab03d +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type thin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B thin_log_t -+ -+ /var/log/thin\.log.* -+.br -+ -+.br -+.B thin_var_run_t -+ -+ /var/run/aeolus/thin\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -95755,6 +177466,9 @@ index 0000000..dbab03d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -95766,15 +177480,15 @@ index 0000000..dbab03d + +.SH "SEE ALSO" +selinux(8), thin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, thin_aeolus_configserver_selinux(8) ++, setsebool(8), thin_aeolus_configserver_selinux(8) \ No newline at end of file diff --git a/man/man8/thumb_selinux.8 b/man/man8/thumb_selinux.8 new file mode 100644 -index 0000000..0983a25 +index 0000000..a86242a --- /dev/null +++ b/man/man8/thumb_selinux.8 -@@ -0,0 +1,236 @@ -+.TH "thumb_selinux" "8" "12-11-01" "thumb" "SELinux Policy documentation for thumb" +@@ -0,0 +1,405 @@ ++.TH "thumb_selinux" "8" "13-01-16" "thumb" "SELinux Policy documentation for thumb" +.SH "NAME" +thumb_selinux \- Security Enhanced Linux Policy for the thumb processes +.SH "DESCRIPTION" 
@@ -95790,7 +177504,9 @@ index 0000000..0983a25 + +.SH "ENTRYPOINTS" + -+The thumb_t SELinux type can be entered via the "thumb_exec_t" file type. The default entrypoint paths for the thumb_t domain are the following:" ++The thumb_t SELinux type can be entered via the \fBthumb_exec_t\fP file type. ++ ++The default entrypoint paths for the thumb_t domain are the following: + +/usr/bin/[^/]*thumbnailer, /usr/bin/gnome-[^/]*-thumbnailer(.sh)?, /usr/lib/tumbler[^/]*/tumblerd, /usr/bin/raw-thumbnailer, /usr/bin/whaaw-thumbnailer, /usr/bin/ffmpegthumbnailer, /usr/bin/evince-thumbnailer, /usr/bin/gnome-thumbnail-font, /usr/bin/gsf-office-thumbnailer, /usr/bin/totem-video-thumbnailer, /usr/bin/shotwell-video-thumbnailer +.SH PROCESS TYPES 
@@ -95808,84 +177524,172 @@ index 0000000..0983a25 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a thumb_t ++can be used to make the process type thumb_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux thumb policy is very flexible allowing users to setup their thumb processes in as secure a method as possible. -+.PP -+The following file types are defined for thumb: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. thumb policy is extremely flexible and has several booleans that allow you to manipulate the policy and run thumb with the tightest access possible. + + ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. ++ +.EX -+.PP -+.B thumb_exec_t ++.B setsebool -P deny_execmem 1 ++ +.EE + -+- Set files with the thumb_exec_t type, if you want to transition an executable to the thumb_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B thumb_home_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the thumb_home_t type, if you want to store thumb files in the users home directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. 
Enabled by default. + +.EX -+.PP -+.B thumb_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the thumb_tmp_t type, if you want to store thumb temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B thumb_tmpfs_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the thumb_tmpfs_t type, if you want to store thumb files on a tmpfs file system. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE + +.SH "MANAGED FILES" + +The SELinux process type thumb_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br +.B gstreamer_home_t + + /var/run/user/[^/]*/\.orc(/.*)? +.br + /root/\.gstreamer-.* +.br ++ /root/\.cache/gstreamer-.* ++.br + /home/[^/]*/\.orc(/.*)? +.br + /home/[^/]*/\.gstreamer-.* +.br ++ /home/[^/]*/\.cache/gstreamer-.* ++.br + /home/[^/]*/\.grl-bookmarks +.br + /home/[^/]*/\.grl-bookmarks +.br + /home/[^/]*/\.grl-metadata-store +.br ++ /home/pwalsh/\.orc(/.*)? ++.br ++ /home/pwalsh/\.gstreamer-.* ++.br ++ /home/pwalsh/\.cache/gstreamer-.* ++.br ++ /home/pwalsh/\.grl-bookmarks ++.br ++ /home/pwalsh/\.grl-bookmarks ++.br ++ /home/pwalsh/\.grl-metadata-store ++.br + /home/dwalsh/\.orc(/.*)? +.br + /home/dwalsh/\.gstreamer-.* +.br ++ /home/dwalsh/\.cache/gstreamer-.* ++.br + /home/dwalsh/\.grl-bookmarks +.br + /home/dwalsh/\.grl-bookmarks @@ -95896,6 +177700,8 @@ index 0000000..0983a25 +.br + /var/lib/xguest/home/xguest/\.gstreamer-.* +.br ++ /var/lib/xguest/home/xguest/\.cache/gstreamer-.* ++.br + /var/lib/xguest/home/xguest/\.grl-bookmarks +.br + /var/lib/xguest/home/xguest/\.grl-bookmarks 
@@ -95904,6 +177710,10 @@ index 0000000..0983a25 +.br + +.br ++.B nfs_t ++ ++ ++.br +.B thumb_home_t + + /home/[^/]*/\.thumbnails(/.*)? @@ -95912,6 +177722,12 @@ index 0000000..0983a25 +.br + /home/[^/]*/\.cache/thumbnails(/.*)? +.br ++ /home/pwalsh/\.thumbnails(/.*)? ++.br ++ /home/pwalsh/missfont\.log.* ++.br ++ /home/pwalsh/\.cache/thumbnails(/.*)? ++.br + /home/dwalsh/\.thumbnails(/.*)? +.br + /home/dwalsh/missfont\.log.* @@ -95948,6 +177764,12 @@ index 0000000..0983a25 +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? 
@@ -95968,26 +177790,83 @@ index 0000000..0983a25 +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux thumb policy is very flexible allowing users to setup their thumb processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the thumb_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the thumb, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t thumb_exec_t '/srv/thumb/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mythumb_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for thumb: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B thumb_exec_t +.EE + ++- Set files with the thumb_exec_t type, if you want to transition an executable to the thumb_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/bin/[^/]*thumbnailer, /usr/bin/gnome-[^/]*-thumbnailer(.sh)?, /usr/lib/tumbler[^/]*/tumblerd, /usr/bin/raw-thumbnailer, /usr/bin/whaaw-thumbnailer, /usr/bin/ffmpegthumbnailer, /usr/bin/evince-thumbnailer, /usr/bin/gnome-thumbnail-font, /usr/bin/gsf-office-thumbnailer, /usr/bin/totem-video-thumbnailer, /usr/bin/shotwell-video-thumbnailer ++ ++.EX ++.PP ++.B thumb_home_t ++.EE ++ ++- Set files with the thumb_home_t type, if you want to store thumb files in the users home directory. ++ ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.thumbnails(/.*)?, /home/[^/]*/missfont\.log.*, /home/[^/]*/\.cache/thumbnails(/.*)?, /home/pwalsh/\.thumbnails(/.*)?, /home/pwalsh/missfont\.log.*, /home/pwalsh/\.cache/thumbnails(/.*)?, /home/dwalsh/\.thumbnails(/.*)?, /home/dwalsh/missfont\.log.*, /home/dwalsh/\.cache/thumbnails(/.*)?, /var/lib/xguest/home/xguest/\.thumbnails(/.*)?, /var/lib/xguest/home/xguest/missfont\.log.*, /var/lib/xguest/home/xguest/\.cache/thumbnails(/.*)? ++ ++.EX ++.PP ++.B thumb_tmp_t ++.EE ++ ++- Set files with the thumb_tmp_t type, if you want to store thumb temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B thumb_tmpfs_t ++.EE ++ ++- Set files with the thumb_tmpfs_t type, if you want to store thumb files on a tmpfs file system. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the thumb_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -95999,6 +177878,9 @@ index 0000000..0983a25 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -96010,13 +177892,15 @@ index 0000000..0983a25 + +.SH "SEE ALSO" +selinux(8), thumb(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/tmpreaper_selinux.8 b/man/man8/tmpreaper_selinux.8 new file mode 100644 -index 0000000..1f3820f +index 0000000..35bea26 --- /dev/null +++ b/man/man8/tmpreaper_selinux.8 -@@ -0,0 +1,136 @@ -+.TH "tmpreaper_selinux" "8" "12-11-01" "tmpreaper" "SELinux Policy documentation for tmpreaper" +@@ -0,0 +1,233 @@ ++.TH "tmpreaper_selinux" "8" "13-01-16" "tmpreaper" "SELinux Policy documentation for tmpreaper" +.SH "NAME" +tmpreaper_selinux \- Security Enhanced Linux Policy for the tmpreaper processes +.SH "DESCRIPTION" @@ -96032,9 +177916,11 @@ index 0000000..1f3820f + +.SH "ENTRYPOINTS" + -+The tmpreaper_t SELinux type can be entered via the "tmpreaper_exec_t" file type. The default entrypoint paths for the tmpreaper_t domain are the following:" ++The tmpreaper_t SELinux type can be entered via the \fBtmpreaper_exec_t\fP file type. + -+/usr/sbin/tmpwatch, /usr/sbin/tmpreaper ++The default entrypoint paths for the tmpreaper_t domain are the following: ++ ++/etc/rc\.d/init\.d/mountall-bootclean.sh, /etc/rc\.d/init\.d/mountnfs-bootclean.sh, /usr/sbin/tmpwatch, /usr/sbin/tmpreaper +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -96050,34 +177936,108 @@ index 0000000..1f3820f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a tmpreaper_t ++can be used to make the process type tmpreaper_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux tmpreaper policy is very flexible allowing users to setup their tmpreaper processes in as secure a method as possible. -+.PP -+The following file types are defined for tmpreaper: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. tmpreaper policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tmpreaper with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B tmpreaper_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the tmpreaper_exec_t type, if you want to transition an executable to the tmpreaper_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the tmpreaper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tmpreaper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -96096,16 +178056,6 @@ index 0000000..1f3820f +.br + +.br -+.B print_spool_t -+ -+ /var/spool/lpd(/.*)? -+.br -+ /var/spool/cups(/.*)? -+.br -+ /var/spool/cups-pdf(/.*)? -+.br -+ -+.br +.B rpm_var_cache_t + + /var/cache/yum(/.*)? 
@@ -96115,21 +178065,48 @@ index 0000000..1f3820f + /var/cache/PackageKit(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux tmpreaper policy is very flexible allowing users to setup their tmpreaper processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tmpreaper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the tmpreaper, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t tmpreaper_exec_t '/srv/tmpreaper/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytmpreaper_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for tmpreaper: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B tmpreaper_exec_t +.EE + ++- Set files with the tmpreaper_exec_t type, if you want to transition an executable to the tmpreaper_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/mountall-bootclean.sh, /etc/rc\.d/init\.d/mountnfs-bootclean.sh, /usr/sbin/tmpwatch, /usr/sbin/tmpreaper ++ +.PP -+If you want to allow confined applications to run with kerberos for the tmpreaper_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. 
This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -96141,6 +178118,9 @@ index 0000000..1f3820f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -96152,13 +178132,15 @@ index 0000000..1f3820f + +.SH "SEE ALSO" +selinux(8), tmpreaper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/tomcat_selinux.8 b/man/man8/tomcat_selinux.8 new file mode 100644 -index 0000000..c89378e +index 0000000..6bbef82 --- /dev/null +++ b/man/man8/tomcat_selinux.8 -@@ -0,0 +1,166 @@ -+.TH "tomcat_selinux" "8" "12-11-01" "tomcat" "SELinux Policy documentation for tomcat" +@@ -0,0 +1,267 @@ ++.TH "tomcat_selinux" "8" "13-01-16" "tomcat" "SELinux Policy documentation for tomcat" +.SH "NAME" +tomcat_selinux \- Security Enhanced Linux Policy for the tomcat processes +.SH "DESCRIPTION" @@ -96174,7 +178156,9 @@ index 0000000..c89378e + +.SH "ENTRYPOINTS" + -+The tomcat_t SELinux type can be entered via the "tomcat_exec_t" file type. The default entrypoint paths for the tomcat_t domain are the following:" ++The tomcat_t SELinux type can be entered via the \fBtomcat_exec_t\fP file type. ++ ++The default entrypoint paths for the tomcat_t domain are the following: + +/usr/sbin/tomcat(6)? +.SH PROCESS TYPES 
@@ -96192,8 +178176,124 @@ index 0000000..c89378e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a tomcat_t ++can be used to make the process type tomcat_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. tomcat policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tomcat with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type tomcat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B tomcat_cache_t ++ ++ /var/cache/tomcat6?(/.*)? ++.br ++ ++.br ++.B tomcat_log_t ++ ++ /var/log/tomcat6?(/.*)? ++.br ++ ++.br ++.B tomcat_tmp_t ++ ++ ++.br ++.B tomcat_var_lib_t ++ ++ /var/lib/tomcat6?(/.*)? ++.br ++ ++.br ++.B tomcat_var_run_t ++ ++ /var/run/tomcat6?\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -96203,7 +178303,20 @@ index 0000000..c89378e +Policy governs the access confined processes have to these files. +SELinux tomcat policy is very flexible allowing users to setup their tomcat processes in as secure a method as possible. +.PP -+The following file types are defined for tomcat: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the tomcat, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t tomcat_cache_t '/srv/tomcat/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytomcat_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for tomcat: + + +.EX @@ -96259,7 +178372,7 @@ index 0000000..c89378e +.B tomcat_var_run_t +.EE + -+- Set files with the tomcat_var_run_t type, if you want to store the tomcat files under the /run directory. ++- Set files with the tomcat_var_run_t type, if you want to store the tomcat files under the /run or /var/run directory. + + +.PP @@ -96269,40 +178382,6 @@ index 0000000..c89378e +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type tomcat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B tomcat_cache_t -+ -+ /var/cache/tomcat6?(/.*)? -+.br -+ -+.br -+.B tomcat_log_t -+ -+ /var/log/tomcat6?(/.*)? -+.br -+ -+.br -+.B tomcat_tmp_t -+ -+ -+.br -+.B tomcat_var_lib_t -+ -+ /var/lib/tomcat6?(/.*)? -+.br -+ -+.br -+.B tomcat_var_run_t -+ -+ /var/run/tomcat6?\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -96313,6 +178392,9 @@ index 0000000..c89378e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -96324,13 +178406,15 @@ index 0000000..c89378e + +.SH "SEE ALSO" +selinux(8), tomcat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/tor_selinux.8 b/man/man8/tor_selinux.8 new file mode 100644 -index 0000000..2274d81 +index 0000000..9864e00 --- /dev/null +++ b/man/man8/tor_selinux.8 -@@ -0,0 +1,231 @@ -+.TH "tor_selinux" "8" "12-11-01" "tor" "SELinux Policy documentation for tor" +@@ -0,0 +1,354 @@ ++.TH "tor_selinux" "8" "13-01-16" "tor" "SELinux Policy documentation for tor" +.SH "NAME" +tor_selinux \- Security Enhanced Linux Policy for the tor processes +.SH "DESCRIPTION" @@ -96346,7 +178430,9 @@ index 0000000..2274d81 + +.SH "ENTRYPOINTS" + -+The tor_t SELinux type can be entered via the "tor_exec_t" file type. The default entrypoint paths for the tor_t domain are the following:" ++The tor_t SELinux type can be entered via the \fBtor_exec_t\fP file type. ++ ++The default entrypoint paths for the tor_t domain are the following: + +/usr/bin/tor, /usr/sbin/tor +.SH PROCESS TYPES 
@@ -96364,27 +178450,190 @@ index 0000000..2274d81 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a tor_t ++can be used to make the process type tor_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. tor policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tor with the tightest access possible. + + +.PP -+If you want to allow tor daemon to bind tcp sockets to all unreserved ports, you must turn on the tor_bind_all_unreserved_ports boolean. ++If you want to determine whether tor can bind tcp sockets to all unreserved ports, you must turn on the tor_bind_all_unreserved_ports boolean. Disabled by default. + +.EX +.B setsebool -P tor_bind_all_unreserved_ports 1 ++ +.EE + +.PP -+If you want to allow tor daemon to bind tcp sockets to all unreserved ports, you must turn on the tor_bind_all_unreserved_ports boolean. ++If you want to allow tor to act as a relay, you must turn on the tor_can_network_relay boolean. Disabled by default. + +.EX -+.B setsebool -P tor_bind_all_unreserved_ports 1 ++.B setsebool -P tor_can_network_relay 1 ++ +.EE + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the tor_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tor_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible. ++.PP ++The following port types are defined for tor: ++ ++.EX ++.TP 5 ++.B tor_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 6969,9001,9030,9050,9051 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type tor_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B tor_var_lib_t ++ ++ /var/lib/tor(/.*)? ++.br ++ /var/lib/tor-data(/.*)? ++.br ++ ++.br ++.B tor_var_run_t ++ ++ /var/run/tor(/.*)? ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -96393,7 +178642,31 @@ index 0000000..2274d81 +Policy governs the access confined processes have to these files. +SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible. +.PP -+The following file types are defined for tor: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++tor policy stores data with multiple different file context types under the /var/lib/tor directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/tor /srv/tor ++.br ++.B restorecon -R -v /srv/tor ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the tor, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t tor_etc_t '/srv/tor/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytor_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for tor: + + +.EX @@ -96411,6 +178684,10 @@ index 0000000..2274d81 + +- Set files with the tor_exec_t type, if you want to transition an executable to the tor_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/tor, /usr/sbin/tor + +.EX +.PP @@ -96435,6 +178712,10 @@ index 0000000..2274d81 + +- Set files with the tor_var_lib_t type, if you want to store the tor files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/tor(/.*)?, /var/lib/tor-data(/.*)? + +.EX +.PP 
@@ -96449,7 +178730,7 @@ index 0000000..2274d81 +.B tor_var_run_t +.EE + -+- Set files with the tor_var_run_t type, if you want to store the tor files under the /run directory. ++- Set files with the tor_var_run_t type, if you want to store the tor files under the /run or /var/run directory. + + +.PP 
@@ -96459,80 +178740,6 @@ index 0000000..2274d81 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux tor policy is very flexible allowing users to setup their tor processes in as secure a method as possible. -+.PP -+The following port types are defined for tor: -+ -+.EX -+.TP 5 -+.B tor_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 6969,9001,9030,9051 -+.EE -+ -+.EX -+.TP 5 -+.B tor_socks_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 9050 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type tor_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B tor_var_lib_t -+ -+ /var/lib/tor(/.*)? -+.br -+ /var/lib/tor-data(/.*)? -+.br -+ -+.br -+.B tor_var_log_t -+ -+ /var/log/tor(/.*)? -+.br -+ -+.br -+.B tor_var_run_t -+ -+ /var/run/tor(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tor_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the tor_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -96564,11 +178771,11 @@ index 0000000..2274d81 \ No newline at end of file diff --git a/man/man8/traceroute_selinux.8 b/man/man8/traceroute_selinux.8 new file mode 100644 -index 0000000..00db217 +index 0000000..dff8341 --- /dev/null 
+++ b/man/man8/traceroute_selinux.8 -@@ -0,0 +1,126 @@ -+.TH "traceroute_selinux" "8" "12-11-01" "traceroute" "SELinux Policy documentation for traceroute" +@@ -0,0 +1,241 @@ ++.TH "traceroute_selinux" "8" "13-01-16" "traceroute" "SELinux Policy documentation for traceroute" +.SH "NAME" +traceroute_selinux \- Security Enhanced Linux Policy for the traceroute processes +.SH "DESCRIPTION" @@ -96584,7 +178791,9 @@ index 0000000..00db217 + +.SH "ENTRYPOINTS" + -+The traceroute_t SELinux type can be entered via the "traceroute_exec_t" file type. The default entrypoint paths for the traceroute_t domain are the following:" ++The traceroute_t SELinux type can be entered via the \fBtraceroute_exec_t\fP file type. ++ ++The default entrypoint paths for the traceroute_t domain are the following: + +/bin/tracepath.*, /bin/traceroute.*, /usr/bin/tracepath.*, /usr/bin/traceroute.*, /usr/sbin/traceroute.*, /usr/bin/lft, /usr/bin/mtr, /usr/bin/nmap, /usr/sbin/mtr +.SH PROCESS TYPES 
@@ -96602,34 +178811,116 @@ index 0000000..00db217 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a traceroute_t ++can be used to make the process type traceroute_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux traceroute policy is very flexible allowing users to setup their traceroute processes in as secure a method as possible. -+.PP -+The following file types are defined for traceroute: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. traceroute policy is extremely flexible and has several booleans that allow you to manipulate the policy and run traceroute with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B traceroute_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the traceroute_exec_t type, if you want to transition an executable to the traceroute_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_ping 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the traceroute_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the traceroute_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -96654,21 +178945,48 @@ index 0000000..00db217 +Default Defined Ports: +udp 64000-64010 +.EE -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux traceroute policy is very flexible allowing users to setup their traceroute processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the traceroute_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the traceroute, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t traceroute_exec_t '/srv/traceroute/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytraceroute_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for traceroute: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B traceroute_exec_t +.EE + ++- Set files with the traceroute_exec_t type, if you want to transition an executable to the traceroute_t domain. ++ ++.br ++.TP 5 ++Paths: ++/bin/tracepath.*, /bin/traceroute.*, /usr/bin/tracepath.*, /usr/bin/traceroute.*, /usr/sbin/traceroute.*, /usr/bin/lft, /usr/bin/mtr, /usr/bin/nmap, /usr/sbin/mtr ++ +.PP -+If you want to allow confined applications to run with kerberos for the traceroute_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -96683,6 +179001,9 @@ index 0000000..00db217 +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -96694,13 +179015,15 @@ index 0000000..00db217 + +.SH "SEE ALSO" +selinux(8), traceroute(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/tuned_selinux.8 b/man/man8/tuned_selinux.8 new file mode 100644 -index 0000000..31c8195 +index 0000000..807aeac --- /dev/null +++ b/man/man8/tuned_selinux.8 -@@ -0,0 +1,172 @@ -+.TH "tuned_selinux" "8" "12-11-01" "tuned" "SELinux Policy documentation for tuned" +@@ -0,0 +1,318 @@ ++.TH "tuned_selinux" "8" "13-01-16" "tuned" "SELinux Policy documentation for tuned" +.SH "NAME" +tuned_selinux \- Security Enhanced Linux Policy for the tuned processes +.SH "DESCRIPTION" @@ -96716,7 +179039,9 @@ index 0000000..31c8195 + +.SH "ENTRYPOINTS" + -+The tuned_t SELinux type can be entered via the "tuned_exec_t" file type. The default entrypoint paths for the tuned_t domain are the following:" ++The tuned_t SELinux type can be entered via the \fBtuned_exec_t\fP file type. ++ ++The default entrypoint paths for the tuned_t domain are the following: + +/usr/sbin/tuned +.SH PROCESS TYPES 
@@ -96734,8 +179059,156 @@ index 0000000..31c8195 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a tuned_t ++can be used to make the process type tuned_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. tuned policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tuned with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the tuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tuned_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type tuned_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sysfs_t ++ ++ /sys(/.*)? 
++.br ++ ++.br ++.B tuned_rw_etc_t ++ ++ /etc/tuned/active_profile ++.br ++ ++.br ++.B tuned_var_run_t ++ ++ /var/run/tuned(/.*)? ++.br ++ /var/run/tuned\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -96745,7 +179218,39 @@ index 0000000..31c8195 +Policy governs the access confined processes have to these files. +SELinux tuned policy is very flexible allowing users to setup their tuned processes in as secure a method as possible. +.PP -+The following file types are defined for tuned: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++tuned policy stores data with multiple different file context types under the /var/log/tuned directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/tuned /srv/tuned ++.br ++.B restorecon -R -v /srv/tuned ++.PP ++ ++.PP ++tuned policy stores data with multiple different file context types under the /var/run/tuned directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/tuned /srv/tuned ++.br ++.B restorecon -R -v /srv/tuned ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the tuned, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t tuned_etc_t '/srv/tuned/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytuned_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for tuned: + + +.EX 
@@ -96779,6 +179284,10 @@ index 0000000..31c8195 + +- Set files with the tuned_log_t type, if you want to treat the data as tuned log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/tuned(/.*)?, /var/log/tuned\.log.* + +.EX +.PP @@ -96793,8 +179302,12 @@ index 0000000..31c8195 +.B tuned_var_run_t +.EE + -+- Set files with the tuned_var_run_t type, if you want to store the tuned files under the /run directory. ++- Set files with the tuned_var_run_t type, if you want to store the tuned files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/tuned(/.*)?, /var/run/tuned\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -96803,54 +179316,6 @@ index 0000000..31c8195 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type tuned_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B sysfs_t -+ -+ /sys(/.*)? -+.br -+ -+.br -+.B tuned_log_t -+ -+ /var/log/tuned(/.*)? -+.br -+ /var/log/tuned\.log.* -+.br -+ -+.br -+.B tuned_rw_etc_t -+ -+ /etc/tuned/active_profile -+.br -+ -+.br -+.B tuned_var_run_t -+ -+ /var/run/tuned(/.*)? -+.br -+ /var/run/tuned\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the tuned_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -96861,6 +179326,9 @@ index 0000000..31c8195 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -96872,13 +179340,15 @@ index 0000000..31c8195 + +.SH "SEE ALSO" +selinux(8), tuned(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/tvtime_selinux.8 b/man/man8/tvtime_selinux.8 new file mode 100644 -index 0000000..f52edbe +index 0000000..ca3c798 --- /dev/null +++ b/man/man8/tvtime_selinux.8 -@@ -0,0 +1,154 @@ -+.TH "tvtime_selinux" "8" "12-11-01" "tvtime" "SELinux Policy documentation for tvtime" +@@ -0,0 +1,373 @@ ++.TH "tvtime_selinux" "8" "13-01-16" "tvtime" "SELinux Policy documentation for tvtime" +.SH "NAME" +tvtime_selinux \- Security Enhanced Linux Policy for the tvtime processes +.SH "DESCRIPTION" @@ -96894,7 +179364,9 @@ index 0000000..f52edbe + +.SH "ENTRYPOINTS" + -+The tvtime_t SELinux type can be entered via the "tvtime_exec_t" file type. The default entrypoint paths for the tvtime_t domain are the following:" ++The tvtime_t SELinux type can be entered via the \fBtvtime_exec_t\fP file type. ++ ++The default entrypoint paths for the tvtime_t domain are the following: + +/usr/bin/tvtime +.SH PROCESS TYPES 
@@ -96912,66 +179384,204 @@ index 0000000..f52edbe +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a tvtime_t ++can be used to make the process type tvtime_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux tvtime policy is very flexible allowing users to setup their tvtime processes in as secure a method as possible. -+.PP -+The following file types are defined for tvtime: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. tvtime policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tvtime with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B tvtime_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the tvtime_exec_t type, if you want to transition an executable to the tvtime_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B tvtime_home_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the tvtime_home_t type, if you want to store tvtime files in the users home directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.PP -+.B tvtime_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the tvtime_tmp_t type, if you want to store tvtime temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B tvtime_tmpfs_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the tvtime_tmpfs_t type, if you want to store tvtime files on a tmpfs file system. ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the tvtime_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tvtime_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type tvtime_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
+ +.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br +.B tvtime_home_t + ++ /home/[^/]*/\.tvtime(/.*)? ++.br ++ /home/pwalsh/\.tvtime(/.*)? ++.br ++ /home/dwalsh/\.tvtime(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.tvtime(/.*)? ++.br + +.br +.B tvtime_tmp_t @@ -96996,6 +179606,12 @@ index 0000000..f52edbe +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? 
@@ -97009,7 +179625,76 @@ index 0000000..f52edbe + /var/lib/xguest/home/xguest/\.fonts\.cache-.* +.br + -+.SH NSSWITCH DOMAIN ++.br ++.B xserver_tmpfs_t ++ ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux tvtime policy is very flexible allowing users to setup their tvtime processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the tvtime, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t tvtime_exec_t '/srv/tvtime/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mytvtime_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for tvtime: ++ ++ ++.EX ++.PP ++.B tvtime_exec_t ++.EE ++ ++- Set files with the tvtime_exec_t type, if you want to transition an executable to the tvtime_t domain. ++ ++ ++.EX ++.PP ++.B tvtime_home_t ++.EE ++ ++- Set files with the tvtime_home_t type, if you want to store tvtime files in the users home directory. ++ ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.tvtime(/.*)?, /home/pwalsh/\.tvtime(/.*)?, /home/dwalsh/\.tvtime(/.*)?, /var/lib/xguest/home/xguest/\.tvtime(/.*)? ++ ++.EX ++.PP ++.B tvtime_tmp_t ++.EE ++ ++- Set files with the tvtime_tmp_t type, if you want to store tvtime temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B tvtime_tmpfs_t ++.EE ++ ++- Set files with the tvtime_tmpfs_t type, if you want to store tvtime files on a tmpfs file system. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -97021,6 +179706,9 @@ index 0000000..f52edbe +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -97032,13 +179720,15 @@ index 0000000..f52edbe + +.SH "SEE ALSO" +selinux(8), tvtime(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/udev_selinux.8 b/man/man8/udev_selinux.8 new file mode 100644 -index 0000000..8e9a765 +index 0000000..2ece171 --- /dev/null +++ b/man/man8/udev_selinux.8 -@@ -0,0 +1,328 @@ -+.TH "udev_selinux" "8" "12-11-01" "udev" "SELinux Policy documentation for udev" +@@ -0,0 +1,471 @@ ++.TH "udev_selinux" "8" "13-01-16" "udev" "SELinux Policy documentation for udev" +.SH "NAME" +udev_selinux \- Security Enhanced Linux Policy for the udev processes +.SH "DESCRIPTION" 
@@ -97054,7 +179744,9 @@ index 0000000..8e9a765 + +.SH "ENTRYPOINTS" + -+The udev_t SELinux type can be entered via the "udev_exec_t,udev_helper_exec_t" file types. The default entrypoint paths for the udev_t domain are the following:" ++The udev_t SELinux type can be entered via the \fBudev_exec_t, udev_helper_exec_t\fP file types. ++ ++The default entrypoint paths for the udev_t domain are the following: + +/sbin/udev, /sbin/udevd, /bin/udevadm, /sbin/udevadm, /sbin/udevsend, /usr/sbin/udev, /lib/udev/udevd, /sbin/udevstart, /usr/sbin/udevd, /sbin/start_udev, /usr/bin/udevadm, /usr/bin/udevinfo, /usr/sbin/udevadm, /lib/udev/udev-acl, /usr/sbin/udevsend, /usr/sbin/udevstart, /usr/lib/udev/udevd, /sbin/wait_for_sysfs, /usr/sbin/start_udev, /usr/lib/udev/udev-acl, /usr/sbin/wait_for_sysfs, /usr/lib/systemd/systemd-udevd, /etc/dev\.d/.+, /etc/udev/scripts/.+, /etc/hotplug\.d/default/udev.* +.SH PROCESS TYPES 
@@ -97072,66 +179764,132 @@ index 0000000..8e9a765 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a udev_t ++can be used to make the process type udev_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux udev policy is very flexible allowing users to setup their udev processes in as secure a method as possible. -+.PP -+The following file types are defined for udev: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. udev policy is extremely flexible and has several booleans that allow you to manipulate the policy and run udev with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B udev_etc_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the udev_etc_t type, if you want to store udev files in the /etc directories. -+ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.PP -+.B udev_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the udev_exec_t type, if you want to transition an executable to the udev_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ +.EX -+.PP -+.B udev_helper_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the udev_helper_exec_t type, if you want to transition an executable to the udev_helper_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B udev_rules_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the udev_rules_t type, if you want to treat the files as udev rules data. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B udev_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the udev_var_run_t type, if you want to store the udev files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_insmod 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the udev_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the udev_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -97212,8 +179970,6 @@ index 0000000..8e9a765 +.br +.B net_conf_t + -+ /etc/ntpd?\.conf.* -+.br + /etc/hosts[^/]* +.br + /etc/yp\.conf.* @@ -97224,8 +179980,6 @@ index 0000000..8e9a765 +.br + /etc/resolv\.conf.* +.br -+ /etc/ntp/step-tickers.* -+.br + /etc/sysconfig/networking(/.*)? +.br + /etc/sysconfig/network-scripts(/.*)? @@ -97236,6 +179990,14 @@ index 0000000..8e9a765 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux 
@@ -97329,21 +180091,88 @@ index 0000000..8e9a765 + /var/log/xen-hotplug\.log.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux udev policy is very flexible allowing users to setup their udev processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the udev_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the udev, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t udev_etc_t '/srv/udev/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myudev_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for udev: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B udev_etc_t +.EE + ++- Set files with the udev_etc_t type, if you want to store udev files in the /etc directories. ++ ++ ++.EX ++.PP ++.B udev_exec_t ++.EE ++ ++- Set files with the udev_exec_t type, if you want to transition an executable to the udev_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/sbin/udev, /sbin/udevd, /bin/udevadm, /sbin/udevadm, /sbin/udevsend, /usr/sbin/udev, /lib/udev/udevd, /sbin/udevstart, /usr/sbin/udevd, /sbin/start_udev, /usr/bin/udevadm, /usr/bin/udevinfo, /usr/sbin/udevadm, /lib/udev/udev-acl, /usr/sbin/udevsend, /usr/sbin/udevstart, /usr/lib/udev/udevd, /sbin/wait_for_sysfs, /usr/sbin/start_udev, /usr/lib/udev/udev-acl, /usr/sbin/wait_for_sysfs, /usr/lib/systemd/systemd-udevd ++ ++.EX ++.PP ++.B udev_helper_exec_t ++.EE ++ ++- Set files with the udev_helper_exec_t type, if you want to transition an executable to the udev_helper_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/dev\.d/.+, /etc/udev/scripts/.+, /etc/hotplug\.d/default/udev.* ++ ++.EX ++.PP ++.B udev_rules_t ++.EE ++ ++- Set files with the udev_rules_t type, if you want to treat the files as udev rules data. ++ ++ ++.EX ++.PP ++.B udev_var_run_t ++.EE ++ ++- Set files with the udev_var_run_t type, if you want to store the udev files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/dev/\.udev(/.*)?, /var/run/udev(/.*)?, /var/run/libgpod(/.*)?, /var/run/PackageKit/udev(/.*)?, /dev/\.udevdb, /dev/udev\.tbl ++ +.PP -+If you want to allow confined applications to run with kerberos for the udev_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -97355,6 +180184,9 @@ index 0000000..8e9a765 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -97366,13 +180198,15 @@ index 0000000..8e9a765 + +.SH "SEE ALSO" +selinux(8), udev(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ulogd_selinux.8 b/man/man8/ulogd_selinux.8 new file mode 100644 -index 0000000..3953cf8 +index 0000000..af4132e --- /dev/null +++ b/man/man8/ulogd_selinux.8 -@@ -0,0 +1,128 @@ -+.TH "ulogd_selinux" "8" "12-11-01" "ulogd" "SELinux Policy documentation for ulogd" +@@ -0,0 +1,223 @@ ++.TH "ulogd_selinux" "8" "13-01-16" "ulogd" "SELinux Policy documentation for ulogd" +.SH "NAME" +ulogd_selinux \- Security Enhanced Linux Policy for the ulogd processes +.SH "DESCRIPTION" @@ -97388,7 +180222,9 @@ index 0000000..3953cf8 + +.SH "ENTRYPOINTS" + -+The ulogd_t SELinux type can be entered via the "ulogd_exec_t" file type. The default entrypoint paths for the ulogd_t domain are the following:" ++The ulogd_t SELinux type can be entered via the \fBulogd_exec_t\fP file type. ++ ++The default entrypoint paths for the ulogd_t domain are the following: + +/usr/sbin/ulogd +.SH PROCESS TYPES 
@@ -97406,8 +180242,96 @@ index 0000000..3953cf8 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ulogd_t ++can be used to make the process type ulogd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ulogd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ulogd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type ulogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -97417,7 +180341,20 @@ index 0000000..3953cf8 +Policy governs the access confined processes have to these files. +SELinux ulogd policy is very flexible allowing users to setup their ulogd processes in as secure a method as possible. +.PP -+The following file types are defined for ulogd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ulogd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ulogd_etc_t '/srv/ulogd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myulogd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ulogd: + + +.EX 
@@ -97467,18 +180404,6 @@ index 0000000..3953cf8 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type ulogd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B ulogd_var_log_t -+ -+ /var/log/ulogd(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -97489,6 +180414,9 @@ index 0000000..3953cf8 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -97500,13 +180428,15 @@ index 0000000..3953cf8 + +.SH "SEE ALSO" +selinux(8), ulogd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/uml_selinux.8 b/man/man8/uml_selinux.8 new file mode 100644 -index 0000000..5629dd2 +index 0000000..dd95053 --- /dev/null +++ b/man/man8/uml_selinux.8 -@@ -0,0 +1,157 @@ -+.TH "uml_selinux" "8" "12-11-01" "uml" "SELinux Policy documentation for uml" +@@ -0,0 +1,295 @@ ++.TH "uml_selinux" "8" "13-01-16" "uml" "SELinux Policy documentation for uml" +.SH "NAME" +uml_selinux \- Security Enhanced Linux Policy for the uml processes +.SH "DESCRIPTION" @@ -97522,7 +180452,9 @@ index 0000000..5629dd2 + +.SH "ENTRYPOINTS" + -+The uml_t SELinux type can be entered via the "uml_exec_t" file type. The default entrypoint paths for the uml_t domain are the following:" ++The uml_t SELinux type can be entered via the \fBuml_exec_t\fP file type. ++ ++The default entrypoint paths for the uml_t domain are the following: + + +.SH PROCESS TYPES 
@@ -97540,8 +180472,148 @@ index 0000000..5629dd2 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a uml_t ++can be used to make the process type uml_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. uml policy is extremely flexible and has several booleans that allow you to manipulate the policy and run uml with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the uml_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the uml_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type uml_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B uml_rw_t ++ ++ /home/[^/]*/\.uml(/.*)? ++.br ++ /home/pwalsh/\.uml(/.*)? ++.br ++ /home/dwalsh/\.uml(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.uml(/.*)? 
++.br ++ ++.br ++.B uml_tmp_t ++ ++ ++.br ++.B uml_tmpfs_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -97551,7 +180623,20 @@ index 0000000..5629dd2 +Policy governs the access confined processes have to these files. +SELinux uml policy is very flexible allowing users to setup their uml processes in as secure a method as possible. +.PP -+The following file types are defined for uml: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the uml, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t uml_exec_t '/srv/uml/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myuml_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for uml: + + +.EX @@ -97577,6 +180662,10 @@ index 0000000..5629dd2 + +- Set files with the uml_rw_t type, if you want to treat the files as uml read/write content. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.uml(/.*)?, /home/pwalsh/\.uml(/.*)?, /home/dwalsh/\.uml(/.*)?, /var/lib/xguest/home/xguest/\.uml(/.*)? + +.EX +.PP @@ -97591,7 +180680,7 @@ index 0000000..5629dd2 +.B uml_switch_var_run_t +.EE + -+- Set files with the uml_switch_var_run_t type, if you want to store the uml switch files under the /run directory. ++- Set files with the uml_switch_var_run_t type, if you want to store the uml switch files under the /run or /var/run directory. + + +.EX 
@@ -97617,30 +180706,6 @@ index 0000000..5629dd2 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type uml_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B uml_rw_t -+ -+ /home/[^/]*/\.uml(/.*)? -+.br -+ /home/dwalsh/\.uml(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.uml(/.*)? -+.br -+ -+.br -+.B uml_tmp_t -+ -+ -+.br -+.B uml_tmpfs_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -97651,6 +180716,9 @@ index 0000000..5629dd2 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -97662,15 +180730,15 @@ index 0000000..5629dd2 + +.SH "SEE ALSO" +selinux(8), uml(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, uml_switch_selinux(8) ++, setsebool(8), uml_switch_selinux(8) \ No newline at end of file diff --git a/man/man8/uml_switch_selinux.8 b/man/man8/uml_switch_selinux.8 new file mode 100644 -index 0000000..e67ca95 +index 0000000..54d99d7 --- /dev/null +++ b/man/man8/uml_switch_selinux.8 -@@ -0,0 +1,105 @@ -+.TH "uml_switch_selinux" "8" "12-11-01" "uml_switch" "SELinux Policy documentation for uml_switch" +@@ -0,0 +1,197 @@ ++.TH "uml_switch_selinux" "8" "13-01-16" "uml_switch" "SELinux Policy documentation for uml_switch" +.SH "NAME" +uml_switch_selinux \- Security Enhanced Linux Policy for the uml_switch processes +.SH "DESCRIPTION" 
@@ -97686,7 +180754,9 @@ index 0000000..e67ca95 + +.SH "ENTRYPOINTS" + -+The uml_switch_t SELinux type can be entered via the "uml_switch_exec_t" file type. The default entrypoint paths for the uml_switch_t domain are the following:" ++The uml_switch_t SELinux type can be entered via the \fBuml_switch_exec_t\fP file type. ++ ++The default entrypoint paths for the uml_switch_t domain are the following: + +/usr/bin/uml_switch +.SH PROCESS TYPES 
@@ -97704,8 +180774,94 @@ index 0000000..e67ca95 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a uml_switch_t ++can be used to make the process type uml_switch_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. uml_switch policy is extremely flexible and has several booleans that allow you to manipulate the policy and run uml_switch with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type uml_switch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B uml_switch_var_run_t ++ ++ /var/run/uml-utilities(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -97715,7 +180871,20 @@ index 0000000..e67ca95 +Policy governs the access confined processes have to these files. +SELinux uml_switch policy is very flexible allowing users to setup their uml_switch processes in as secure a method as possible. +.PP -+The following file types are defined for uml_switch: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the uml_switch, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t uml_switch_exec_t '/srv/uml_switch/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myuml_switch_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for uml_switch: + + +.EX 
@@ -97731,7 +180900,7 @@ index 0000000..e67ca95 +.B uml_switch_var_run_t +.EE + -+- Set files with the uml_switch_var_run_t type, if you want to store the uml switch files under the /run directory. ++- Set files with the uml_switch_var_run_t type, if you want to store the uml switch files under the /run or /var/run directory. + + +.PP @@ -97741,18 +180910,6 @@ index 0000000..e67ca95 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type uml_switch_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B uml_switch_var_run_t -+ -+ /var/run/uml-utilities(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -97763,6 +180920,9 @@ index 0000000..e67ca95 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -97774,15 +180934,384 @@ index 0000000..e67ca95 + +.SH "SEE ALSO" +selinux(8), uml_switch(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, uml_selinux(8), uml_selinux(8) ++, setsebool(8), uml_selinux(8), uml_selinux(8) +\ No newline at end of file +diff --git a/man/man8/unconfined_cronjob_selinux.8 b/man/man8/unconfined_cronjob_selinux.8 +new file mode 100644 +index 0000000..8644b10 +--- /dev/null ++++ b/man/man8/unconfined_cronjob_selinux.8 +@@ -0,0 +1,101 @@ ++.TH "unconfined_cronjob_selinux" "8" "13-01-16" "unconfined_cronjob" "SELinux Policy documentation for unconfined_cronjob" ++.SH "NAME" ++unconfined_cronjob_selinux \- Security Enhanced Linux Policy for the unconfined_cronjob processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the unconfined_cronjob processes via flexible mandatory access control. ++ ++The unconfined_cronjob processes execute with the unconfined_cronjob_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep unconfined_cronjob_t ++ ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux unconfined_cronjob policy is very flexible allowing users to setup their unconfined_cronjob processes in as secure a method as possible. ++.PP ++The following process types are defined for unconfined_cronjob: ++ ++.EX ++.B unconfined_cronjob_t ++.EE ++.PP ++Note: ++.B semanage permissive -a unconfined_cronjob_t ++can be used to make the process type unconfined_cronjob_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
unconfined_cronjob policy is extremely flexible and has several booleans that allow you to manipulate the policy and run unconfined_cronjob with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), unconfined_cronjob(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), unconfined_selinux(8), unconfined_selinux(8), unconfined_dbusd_selinux(8), unconfined_munin_plugin_selinux(8) +\ No newline at end of file +diff --git a/man/man8/unconfined_dbusd_selinux.8 b/man/man8/unconfined_dbusd_selinux.8 +new file mode 100644 +index 0000000..c485834 +--- /dev/null ++++ b/man/man8/unconfined_dbusd_selinux.8 +@@ -0,0 +1,254 @@ ++.TH "unconfined_dbusd_selinux" "8" "13-01-16" "unconfined_dbusd" "SELinux Policy documentation for unconfined_dbusd" ++.SH "NAME" ++unconfined_dbusd_selinux \- Security Enhanced Linux Policy for the unconfined_dbusd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the unconfined_dbusd processes via flexible mandatory access control. ++ ++The unconfined_dbusd processes execute with the unconfined_dbusd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep unconfined_dbusd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The unconfined_dbusd_t SELinux type can be entered via the \fBdbusd_exec_t\fP file type. ++ ++The default entrypoint paths for the unconfined_dbusd_t domain are the following: ++ ++/usr/bin/dbus-daemon(-1)?, /bin/dbus-daemon, /lib/dbus-1/dbus-daemon-launch-helper, /usr/lib/dbus-1/dbus-daemon-launch-helper ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux unconfined_dbusd policy is very flexible allowing users to setup their unconfined_dbusd processes in as secure a method as possible. 
++.PP ++The following process types are defined for unconfined_dbusd: ++ ++.EX ++.B unconfined_dbusd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a unconfined_dbusd_t ++can be used to make the process type unconfined_dbusd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. unconfined_dbusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run unconfined_dbusd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the unconfined_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the unconfined_dbusd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type unconfined_dbusd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B session_dbusd_tmp_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmpfs_t ++ ++ /dev/shm/mono.* ++.br ++ /dev/shm/pulse-shm.* ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), unconfined_dbusd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), unconfined_selinux(8), unconfined_selinux(8), unconfined_cronjob_selinux(8), unconfined_munin_plugin_selinux(8) \ No newline at end of file diff --git a/man/man8/unconfined_munin_plugin_selinux.8 b/man/man8/unconfined_munin_plugin_selinux.8 new file mode 100644 -index 0000000..0eca181 +index 0000000..63cb433 --- /dev/null 
+++ b/man/man8/unconfined_munin_plugin_selinux.8 -@@ -0,0 +1,109 @@ -+.TH "unconfined_munin_plugin_selinux" "8" "12-11-01" "unconfined_munin_plugin" "SELinux Policy documentation for unconfined_munin_plugin" +@@ -0,0 +1,177 @@ ++.TH "unconfined_munin_plugin_selinux" "8" "13-01-16" "unconfined_munin_plugin" "SELinux Policy documentation for unconfined_munin_plugin" +.SH "NAME" +unconfined_munin_plugin_selinux \- Security Enhanced Linux Policy for the unconfined_munin_plugin processes +.SH "DESCRIPTION" @@ -97798,9 +181327,11 @@ index 0000000..0eca181 + +.SH "ENTRYPOINTS" + -+The unconfined_munin_plugin_t SELinux type can be entered via the "unconfined_munin_plugin_exec_t" file type. The default entrypoint paths for the unconfined_munin_plugin_t domain are the following:" ++The unconfined_munin_plugin_t SELinux type can be entered via the \fBunconfined_munin_plugin_exec_t\fP file type. + ++The default entrypoint paths for the unconfined_munin_plugin_t domain are the following: + ++/usr/share/munin/plugins/.* +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -97816,8 +181347,74 @@ index 0000000..0eca181 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a unconfined_munin_plugin_t ++can be used to make the process type unconfined_munin_plugin_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. unconfined_munin_plugin policy is extremely flexible and has several booleans that allow you to manipulate the policy and run unconfined_munin_plugin with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type unconfined_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B munin_plugin_state_t ++ ++ /var/lib/munin/plugin-state(/.*)? ++.br ++ ++.br ++.B unconfined_munin_plugin_tmp_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -97827,7 +181424,20 @@ index 0000000..0eca181 +Policy governs the access confined processes have to these files. +SELinux unconfined_munin_plugin policy is very flexible allowing users to setup their unconfined_munin_plugin processes in as secure a method as possible. +.PP -+The following file types are defined for unconfined_munin_plugin: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the unconfined_munin_plugin, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t unconfined_munin_plugin_exec_t '/srv/unconfined_munin_plugin/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myunconfined_munin_plugin_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for unconfined_munin_plugin: + + +.EX 
@@ -97853,22 +181463,6 @@ index 0000000..0eca181 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type unconfined_munin_plugin_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B munin_plugin_state_t -+ -+ /var/lib/munin/plugin-state(/.*)? -+.br -+ -+.br -+.B unconfined_munin_plugin_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -97879,6 +181473,9 @@ index 0000000..0eca181 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -97890,14 +181487,14 @@ index 0000000..0eca181 + +.SH "SEE ALSO" +selinux(8), unconfined_munin_plugin(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, unconfined_selinux(8), unconfined_selinux(8) ++, setsebool(8), unconfined_selinux(8), unconfined_selinux(8), unconfined_cronjob_selinux(8), unconfined_dbusd_selinux(8) \ No newline at end of file diff --git a/man/man8/unconfined_selinux.8 b/man/man8/unconfined_selinux.8 new file mode 100644 -index 0000000..da88b6e +index 0000000..e6f4441 --- /dev/null +++ b/man/man8/unconfined_selinux.8 -@@ -0,0 +1,165 @@ +@@ -0,0 +1,297 @@ +.TH "unconfined_selinux" "8" "unconfined" "mgrepl@redhat.com" "unconfined SELinux Policy documentation" +.SH "NAME" +unconfined_r \- \fBUnconfiend user role\fP - Security Enhanced Linux Policy 
@@ -97945,87 +181542,219 @@ index 0000000..da88b6e + + +.PP -+If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean. -+ -+.EX -+.B setsebool -P postgresql_selinux_unconfined_dbadm 1 -+.EE -+ -+.PP -+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean. ++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean. Enabled by default. + +.EX +.B setsebool -P unconfined_chrome_sandbox_transition 1 ++ +.EE + +.PP -+If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean. ++If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean. Enabled by default. + +.EX +.B setsebool -P unconfined_login 1 ++ +.EE + +.PP -+If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean. -+ -+.EX -+.B setsebool -P samba_run_unconfined 1 -+.EE -+ -+.PP -+If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean. -+ -+.EX -+.B setsebool -P unconfined_mplayer 1 -+.EE -+ -+.PP -+If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean. ++If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean. Enabled by default. + +.EX +.B setsebool -P unconfined_mozilla_plugin_transition 1 ++ +.EE + +.PP -+If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean. 
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P postgresql_selinux_unconfined_dbadm 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox, you must turn on the unconfined_chrome_sandbox_transition boolean. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.B setsebool -P unconfined_chrome_sandbox_transition 1 ++.B setsebool -P daemons_use_tty 1 ++ +.EE + +.PP -+If you want to allow a user to login as an unconfined domain, you must turn on the unconfined_login boolean. ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. + +.EX -+.B setsebool -P unconfined_login 1 ++.B setsebool -P deny_execmem 1 ++ +.EE + +.PP -+If you want to allow samba to run unconfined scripts, you must turn on the samba_run_unconfined boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P samba_run_unconfined 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + +.PP -+If you want to allow video playing tools to run unconfined, you must turn on the unconfined_mplayer boolean. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.B setsebool -P unconfined_mplayer 1 ++.B setsebool -P domain_fd_use 1 ++ +.EE + +.PP -+If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.B setsebool -P unconfined_mozilla_plugin_transition 1 ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Disabled by default. ++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_insmod 1 ++ ++.EE ++ ++.PP ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode_policyload 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execheap 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ +.EE + +.SH "MANAGED FILES" @@ -98062,15 +181791,15 @@ index 0000000..da88b6e + +.SH "SEE ALSO" +selinux(8), unconfined(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8), unconfined_munin_plugin_selinux(8) ++, setsebool(8), unconfined_cronjob_selinux(8), unconfined_dbusd_selinux(8), unconfined_munin_plugin_selinux(8) \ No newline at end of file diff --git a/man/man8/update_modules_selinux.8 b/man/man8/update_modules_selinux.8 new file mode 100644 -index 0000000..733d361 +index 0000000..d76f4d2 --- /dev/null +++ b/man/man8/update_modules_selinux.8 -@@ -0,0 +1,122 @@ -+.TH "update_modules_selinux" "8" "12-11-01" "update_modules" "SELinux Policy documentation for update_modules" +@@ -0,0 +1,195 @@ ++.TH "update_modules_selinux" "8" "13-01-16" "update_modules" "SELinux Policy documentation for update_modules" +.SH "NAME" +update_modules_selinux \- Security Enhanced Linux Policy for the update_modules processes +.SH "DESCRIPTION" 
@@ -98086,7 +181815,9 @@ index 0000000..733d361 + +.SH "ENTRYPOINTS" + -+The update_modules_t SELinux type can be entered via the "update_modules_exec_t" file type. The default entrypoint paths for the update_modules_t domain are the following:" ++The update_modules_t SELinux type can be entered via the \fBupdate_modules_exec_t\fP file type. ++ ++The default entrypoint paths for the update_modules_t domain are the following: + +/sbin/modules-update, /sbin/update-modules, /usr/sbin/modules-update, /usr/sbin/update-modules, /sbin/generate-modprobe\.conf, /usr/sbin/generate-modprobe\.conf +.SH PROCESS TYPES 
@@ -98104,42 +181835,60 @@ index 0000000..733d361 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a update_modules_t ++can be used to make the process type update_modules_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux update_modules policy is very flexible allowing users to setup their update_modules processes in as secure a method as possible. -+.PP -+The following file types are defined for update_modules: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. update_modules policy is extremely flexible and has several booleans that allow you to manipulate the policy and run update_modules with the tightest access possible. + + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ +.EX -+.PP -+.B update_modules_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the update_modules_exec_t type, if you want to transition an executable to the update_modules_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B update_modules_tmp_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the update_modules_tmp_t type, if you want to store update modules temporary files in the /tmp directories. 
++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
@@ -98169,7 +181918,56 @@ index 0000000..733d361 +.B update_modules_tmp_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux update_modules policy is very flexible allowing users to setup their update_modules processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the update_modules, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t update_modules_exec_t '/srv/update_modules/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myupdate_modules_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for update_modules: ++ ++ ++.EX ++.PP ++.B update_modules_exec_t ++.EE ++ ++- Set files with the update_modules_exec_t type, if you want to transition an executable to the update_modules_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/modules-update, /sbin/update-modules, /usr/sbin/modules-update, /usr/sbin/update-modules, /sbin/generate-modprobe\.conf, /usr/sbin/generate-modprobe\.conf ++ ++.EX ++.PP ++.B update_modules_tmp_t ++.EE ++ ++- Set files with the update_modules_tmp_t type, if you want to store update modules temporary files in the /tmp directories. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -98181,6 +181979,9 @@ index 0000000..733d361 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -98192,13 +181993,15 @@ index 0000000..733d361 + +.SH "SEE ALSO" +selinux(8), update_modules(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/updfstab_selinux.8 b/man/man8/updfstab_selinux.8 new file mode 100644 -index 0000000..9bf36a1 +index 0000000..5305c8e --- /dev/null +++ b/man/man8/updfstab_selinux.8 -@@ -0,0 +1,168 @@ -+.TH "updfstab_selinux" "8" "12-11-01" "updfstab" "SELinux Policy documentation for updfstab" +@@ -0,0 +1,275 @@ ++.TH "updfstab_selinux" "8" "13-01-16" "updfstab" "SELinux Policy documentation for updfstab" +.SH "NAME" +updfstab_selinux \- Security Enhanced Linux Policy for the updfstab processes +.SH "DESCRIPTION" @@ -98214,7 +182017,9 @@ index 0000000..9bf36a1 + +.SH "ENTRYPOINTS" + -+The updfstab_t SELinux type can be entered via the "updfstab_exec_t" file type. The default entrypoint paths for the updfstab_t domain are the following:" ++The updfstab_t SELinux type can be entered via the \fBupdfstab_exec_t\fP file type. ++ ++The default entrypoint paths for the updfstab_t domain are the following: + +/usr/sbin/updfstab, /usr/sbin/fstab-sync +.SH PROCESS TYPES 
@@ -98232,34 +182037,108 @@ index 0000000..9bf36a1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a updfstab_t ++can be used to make the process type updfstab_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux updfstab policy is very flexible allowing users to setup their updfstab processes in as secure a method as possible. -+.PP -+The following file types are defined for updfstab: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. updfstab policy is extremely flexible and has several booleans that allow you to manipulate the policy and run updfstab with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B updfstab_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the updfstab_exec_t type, if you want to transition an executable to the updfstab_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the updfstab_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the updfstab_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -98329,21 +182208,48 @@ index 0000000..9bf36a1 + /selinux +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux updfstab policy is very flexible allowing users to setup their updfstab processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the updfstab_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the updfstab, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t updfstab_exec_t '/srv/updfstab/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myupdfstab_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for updfstab: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B updfstab_exec_t +.EE + ++- Set files with the updfstab_exec_t type, if you want to transition an executable to the updfstab_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/updfstab, /usr/sbin/fstab-sync ++ +.PP -+If you want to allow confined applications to run with kerberos for the updfstab_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
+ +.SH "COMMANDS" +.B semanage fcontext @@ -98355,6 +182261,9 @@ index 0000000..9bf36a1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -98366,13 +182275,15 @@ index 0000000..9bf36a1 + +.SH "SEE ALSO" +selinux(8), updfstab(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/updpwd_selinux.8 b/man/man8/updpwd_selinux.8 new file mode 100644 -index 0000000..158653a +index 0000000..2fab8b9 --- /dev/null +++ b/man/man8/updpwd_selinux.8 -@@ -0,0 +1,170 @@ -+.TH "updpwd_selinux" "8" "12-11-01" "updpwd" "SELinux Policy documentation for updpwd" +@@ -0,0 +1,279 @@ ++.TH "updpwd_selinux" "8" "13-01-16" "updpwd" "SELinux Policy documentation for updpwd" +.SH "NAME" +updpwd_selinux \- Security Enhanced Linux Policy for the updpwd processes +.SH "DESCRIPTION" @@ -98388,7 +182299,9 @@ index 0000000..158653a + +.SH "ENTRYPOINTS" + -+The updpwd_t SELinux type can be entered via the "updpwd_exec_t" file type. The default entrypoint paths for the updpwd_t domain are the following:" ++The updpwd_t SELinux type can be entered via the \fBupdpwd_exec_t\fP file type. ++ ++The default entrypoint paths for the updpwd_t domain are the following: + +/sbin/unix_update, /usr/sbin/unix_update +.SH PROCESS TYPES 
@@ -98406,34 +182319,108 @@ index 0000000..158653a +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a updpwd_t ++can be used to make the process type updpwd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux updpwd policy is very flexible allowing users to setup their updpwd processes in as secure a method as possible. -+.PP -+The following file types are defined for updpwd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. updpwd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run updpwd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B updpwd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the updpwd_exec_t type, if you want to transition an executable to the updpwd_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow Apache to use mod_auth_pam, you must turn on the httpd_mod_auth_pam boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_mod_auth_pam 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the updpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the updpwd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -98498,6 +182485,8 @@ index 0000000..158653a +.br + /etc/gshadow.* +.br ++ /etc/nshadow.* ++.br + /var/db/shadow.* +.br + /etc/security/opasswd 
@@ -98505,21 +182494,48 @@ index 0000000..158653a + /etc/security/opasswd\.old +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux updpwd policy is very flexible allowing users to setup their updpwd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the updpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the updpwd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t updpwd_exec_t '/srv/updpwd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myupdpwd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for updpwd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B updpwd_exec_t +.EE + ++- Set files with the updpwd_exec_t type, if you want to transition an executable to the updpwd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/unix_update, /usr/sbin/unix_update ++ +.PP -+If you want to allow confined applications to run with kerberos for the updpwd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
+ +.SH "COMMANDS" +.B semanage fcontext @@ -98531,6 +182547,9 @@ index 0000000..158653a +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -98542,13 +182561,15 @@ index 0000000..158653a + +.SH "SEE ALSO" +selinux(8), updpwd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/usbmodules_selinux.8 b/man/man8/usbmodules_selinux.8 new file mode 100644 -index 0000000..39fd388 +index 0000000..229369f --- /dev/null +++ b/man/man8/usbmodules_selinux.8 -@@ -0,0 +1,94 @@ -+.TH "usbmodules_selinux" "8" "12-11-01" "usbmodules" "SELinux Policy documentation for usbmodules" +@@ -0,0 +1,167 @@ ++.TH "usbmodules_selinux" "8" "13-01-16" "usbmodules" "SELinux Policy documentation for usbmodules" +.SH "NAME" +usbmodules_selinux \- Security Enhanced Linux Policy for the usbmodules processes +.SH "DESCRIPTION" @@ -98564,7 +182585,9 @@ index 0000000..39fd388 + +.SH "ENTRYPOINTS" + -+The usbmodules_t SELinux type can be entered via the "usbmodules_exec_t" file type. The default entrypoint paths for the usbmodules_t domain are the following:" ++The usbmodules_t SELinux type can be entered via the \fBusbmodules_exec_t\fP file type. ++ ++The default entrypoint paths for the usbmodules_t domain are the following: + +/sbin/usbmodules, /usr/sbin/usbmodules +.SH PROCESS TYPES 
@@ -98582,34 +182605,60 @@ index 0000000..39fd388 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a usbmodules_t ++can be used to make the process type usbmodules_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux usbmodules policy is very flexible allowing users to setup their usbmodules processes in as secure a method as possible. -+.PP -+The following file types are defined for usbmodules: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. usbmodules policy is extremely flexible and has several booleans that allow you to manipulate the policy and run usbmodules with the tightest access possible. + + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ +.EX -+.PP -+.B usbmodules_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the usbmodules_exec_t type, if you want to transition an executable to the usbmodules_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + 
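Review bot: the deny_ptrace paragraph in this usbmodules BOOLEANS hunk reads inverted: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" followed by `.B setsebool -P deny_ptrace 1` contradicts the boolean's own name, so an admin who follows it literally ends up denying ptrace while trying to enable it. Either the description string the generator pulls this sentence from or the value in the example has to change so the instruction and the boolean's semantics agree; the identical paragraph recurs in the usbmuxd, user_dbusd, user_gkeyringd and user_mail pages added by this patch, so correct it in the sepolicy manpage source rather than per file. Minor: each `.EX` block here has an empty line between the `.B setsebool ...` line and `.EE`, which renders as stray vertical space; the NSSWITCH DOMAIN blocks in the same patch omit that blank line, so make the BOOLEANS template match.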
@@ -98619,7 +182668,48 @@ index 0000000..39fd388 +.B usbfs_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux usbmodules policy is very flexible allowing users to setup their usbmodules processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the usbmodules, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t usbmodules_exec_t '/srv/usbmodules/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myusbmodules_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for usbmodules: ++ ++ ++.EX ++.PP ++.B usbmodules_exec_t ++.EE ++ ++- Set files with the usbmodules_exec_t type, if you want to transition an executable to the usbmodules_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/usbmodules, /usr/sbin/usbmodules ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -98631,6 +182721,9 @@ index 0000000..39fd388 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -98642,13 +182735,15 @@ index 0000000..39fd388 + +.SH "SEE ALSO" +selinux(8), usbmodules(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/usbmuxd_selinux.8 b/man/man8/usbmuxd_selinux.8 new file mode 100644 -index 0000000..66ed42f +index 0000000..e9d38d5 --- /dev/null +++ b/man/man8/usbmuxd_selinux.8 -@@ -0,0 +1,126 @@ -+.TH "usbmuxd_selinux" "8" "12-11-01" "usbmuxd" "SELinux Policy documentation for usbmuxd" +@@ -0,0 +1,229 @@ ++.TH "usbmuxd_selinux" "8" "13-01-16" "usbmuxd" "SELinux Policy documentation for usbmuxd" +.SH "NAME" +usbmuxd_selinux \- Security Enhanced Linux Policy for the usbmuxd processes +.SH "DESCRIPTION" @@ -98664,7 +182759,9 @@ index 0000000..66ed42f + +.SH "ENTRYPOINTS" + -+The usbmuxd_t SELinux type can be entered via the "usbmuxd_exec_t" file type. The default entrypoint paths for the usbmuxd_t domain are the following:" ++The usbmuxd_t SELinux type can be entered via the \fBusbmuxd_exec_t\fP file type. ++ ++The default entrypoint paths for the usbmuxd_t domain are the following: + +/usr/sbin/usbmuxd +.SH PROCESS TYPES 
@@ -98682,8 +182779,118 @@ index 0000000..66ed42f +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a usbmuxd_t ++can be used to make the process type usbmuxd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. usbmuxd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run usbmuxd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the usbmuxd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the usbmuxd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type usbmuxd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B usbmuxd_var_run_t ++ ++ /var/run/usbmuxd.* ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -98693,7 +182900,20 @@ index 0000000..66ed42f +Policy governs the access confined processes have to these files. +SELinux usbmuxd policy is very flexible allowing users to setup their usbmuxd processes in as secure a method as possible. +.PP -+The following file types are defined for usbmuxd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the usbmuxd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t usbmuxd_exec_t '/srv/usbmuxd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myusbmuxd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for usbmuxd: + + +.EX @@ -98717,7 +182937,7 @@ index 0000000..66ed42f +.B usbmuxd_var_run_t +.EE + -+- Set files with the usbmuxd_var_run_t type, if you want to store the usbmuxd files under the /run directory. ++- Set files with the usbmuxd_var_run_t type, if you want to store the usbmuxd files under the /run or /var/run directory. + + +.PP 
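Review bot: the STANDARD FILE CONTEXT example in this usbmuxd hunk is internally inconsistent and models a risky labeling choice. `semanage fcontext -a -t usbmuxd_exec_t '/srv/usbmuxd/content(/.*)?'` registers a rule for /srv/usbmuxd/content, but the next line runs `restorecon -R -v /srv/myusbmuxd_content`, a different path, so the new labels are never applied where the rule was written. More importantly the example labels a "content" directory with the domain's entrypoint type: anything labeled usbmuxd_exec_t becomes a valid entrypoint into usbmuxd_t, which is the opposite of what a reader storing data files wants. Use a non-executable type the page already defines (usbmuxd_var_run_t is listed right below) and make both commands reference the same path. The same generated text appears in the updpwd and usbmodules pages earlier in this patch; those copies also carry "diffent" and "sepecify" typos and the sentence "using the \fB\-Z\fP option to \fBls\bP", where `\bP` should be `\fP` to restore the previous font, so fix all of this once in the sepolicy manpage generator.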
@@ -98727,32 +182947,6 @@ index 0000000..66ed42f +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type usbmuxd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B usbmuxd_var_run_t -+ -+ /var/run/usbmuxd.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the usbmuxd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the usbmuxd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -98763,6 +182957,9 @@ index 0000000..66ed42f +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -98774,9 +182971,1107 @@ index 0000000..66ed42f + +.SH "SEE ALSO" +selinux(8), usbmuxd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/user_dbusd_selinux.8 b/man/man8/user_dbusd_selinux.8 +new file mode 100644 +index 0000000..c276d70 +--- /dev/null ++++ b/man/man8/user_dbusd_selinux.8 +@@ -0,0 +1,254 @@ ++.TH "user_dbusd_selinux" "8" "13-01-16" "user_dbusd" "SELinux Policy documentation for user_dbusd" ++.SH "NAME" ++user_dbusd_selinux \- Security Enhanced Linux Policy for the user_dbusd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the user_dbusd processes via flexible mandatory access control. ++ ++The user_dbusd processes execute with the user_dbusd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep user_dbusd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The user_dbusd_t SELinux type can be entered via the \fBdbusd_exec_t\fP file type. ++ ++The default entrypoint paths for the user_dbusd_t domain are the following: ++ ++/usr/bin/dbus-daemon(-1)?, /bin/dbus-daemon, /lib/dbus-1/dbus-daemon-launch-helper, /usr/lib/dbus-1/dbus-daemon-launch-helper ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux user_dbusd policy is very flexible allowing users to setup their user_dbusd processes in as secure a method as possible. ++.PP ++The following process types are defined for user_dbusd: ++ ++.EX ++.B user_dbusd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a user_dbusd_t ++can be used to make the process type user_dbusd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. 
++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. user_dbusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run user_dbusd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the user_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the user_dbusd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type user_dbusd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? 
++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B session_dbusd_tmp_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmpfs_t ++ ++ /dev/shm/mono.* ++.br ++ /dev/shm/pulse-shm.* ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), user_dbusd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), user_selinux(8), user_selinux(8), user_gkeyringd_selinux(8), user_mail_selinux(8), user_screen_selinux(8), user_seunshare_selinux(8), user_ssh_agent_selinux(8), user_wine_selinux(8), useradd_selinux(8), usernetctl_selinux(8) +\ No newline at end of file +diff --git a/man/man8/user_gkeyringd_selinux.8 b/man/man8/user_gkeyringd_selinux.8 +new file mode 100644 +index 0000000..8428f3c +--- /dev/null ++++ b/man/man8/user_gkeyringd_selinux.8 +@@ -0,0 +1,314 @@ ++.TH "user_gkeyringd_selinux" "8" "13-01-16" "user_gkeyringd" "SELinux Policy documentation for user_gkeyringd" ++.SH "NAME" ++user_gkeyringd_selinux \- Security Enhanced Linux Policy for the user_gkeyringd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the user_gkeyringd processes via flexible mandatory access control. ++ ++The user_gkeyringd processes execute with the user_gkeyringd_t SELinux type. 
You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep user_gkeyringd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The user_gkeyringd_t SELinux type can be entered via the \fBgkeyringd_exec_t\fP file type. ++ ++The default entrypoint paths for the user_gkeyringd_t domain are the following: ++ ++/usr/bin/gnome-keyring-daemon ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux user_gkeyringd policy is very flexible allowing users to setup their user_gkeyringd processes in as secure a method as possible. ++.PP ++The following process types are defined for user_gkeyringd: ++ ++.EX ++.B user_gkeyringd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a user_gkeyringd_t ++can be used to make the process type user_gkeyringd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. user_gkeyringd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run user_gkeyringd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the user_gkeyringd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the user_gkeyringd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type user_gkeyringd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? ++.br ++ /home/[^/]*/\.nv(/.*)? ++.br ++ /home/[^/]*/\.cache(/.*)? ++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B config_home_t ++ ++ /root/\.kde(/.*)? ++.br ++ /root/\.xine(/.*)? ++.br ++ /root/\.config(/.*)? ++.br ++ /var/run/user/[^/]*/dconf(/.*)? ++.br ++ /root/\.Xdefaults ++.br ++ /home/[^/]*/\.kde(/.*)? ++.br ++ /home/[^/]*/\.xine(/.*)? ++.br ++ /home/[^/]*/\.config(/.*)? ++.br ++ /home/[^/]*/\.Xdefaults ++.br ++ /home/pwalsh/\.kde(/.*)? ++.br ++ /home/pwalsh/\.xine(/.*)? ++.br ++ /home/pwalsh/\.config(/.*)? ++.br ++ /home/pwalsh/\.Xdefaults ++.br ++ /home/dwalsh/\.kde(/.*)? ++.br ++ /home/dwalsh/\.xine(/.*)? ++.br ++ /home/dwalsh/\.config(/.*)? ++.br ++ /home/dwalsh/\.Xdefaults ++.br ++ /var/lib/xguest/home/xguest/\.kde(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.xine(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config(/.*)? 
++.br ++ /var/lib/xguest/home/xguest/\.Xdefaults ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B gkeyringd_gnome_home_t ++ ++ /root/\.gnome2/keyrings(/.*)? ++.br ++ /home/[^/]*/\.gnome2/keyrings(/.*)? ++.br ++ /home/[^/]*/\.local/share/keyrings(/.*)? ++.br ++ /home/pwalsh/\.gnome2/keyrings(/.*)? ++.br ++ /home/pwalsh/\.local/share/keyrings(/.*)? ++.br ++ /home/dwalsh/\.gnome2/keyrings(/.*)? ++.br ++ /home/dwalsh/\.local/share/keyrings(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.gnome2/keyrings(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.local/share/keyrings(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), user_gkeyringd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), user_selinux(8), user_selinux(8), user_dbusd_selinux(8), user_mail_selinux(8), user_screen_selinux(8), user_seunshare_selinux(8), user_ssh_agent_selinux(8), user_wine_selinux(8), useradd_selinux(8), usernetctl_selinux(8) +\ No newline at end of file +diff --git a/man/man8/user_mail_selinux.8 b/man/man8/user_mail_selinux.8 +new file mode 100644 +index 0000000..caada36 +--- /dev/null ++++ b/man/man8/user_mail_selinux.8 +@@ -0,0 +1,278 @@ ++.TH "user_mail_selinux" "8" "13-01-16" "user_mail" "SELinux Policy documentation for user_mail" ++.SH "NAME" ++user_mail_selinux \- Security Enhanced Linux Policy for the user_mail processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the user_mail processes via flexible mandatory access control. ++ ++The user_mail processes execute with the user_mail_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep user_mail_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The user_mail_t SELinux type can be entered via the \fBmta_exec_type, sendmail_exec_t\fP file types. ++ ++The default entrypoint paths for the user_mail_t domain are the following: ++ ++/bin/mail(x)?, /usr/bin/mail(x)?, /usr/sbin/sendmail(\.sendmail)?, /usr/bin/esmtp, /usr/sbin/rmail, /usr/sbin/ssmtp, /usr/lib/sendmail, /var/qmail/bin/sendmail, /usr/sbin/sendmail\.postfix, /usr/lib/courier/bin/sendmail ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux user_mail policy is very flexible allowing users to setup their user_mail processes in as secure a method as possible. 
++.PP ++The following process types are defined for user_mail: ++ ++.EX ++.B user_mail_t ++.EE ++.PP ++Note: ++.B semanage permissive -a user_mail_t ++can be used to make the process type user_mail_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. user_mail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run user_mail with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the user_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the user_mail_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type user_mail_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B courier_spool_t ++ ++ /var/spool/courier(/.*)? ++.br ++ /var/spool/authdaemon(/.*)? ++.br ++ ++.br ++.B exim_log_t ++ ++ /var/log/exim[0-9]?(/.*)? ++.br ++ ++.br ++.B exim_spool_t ++ ++ /var/spool/exim[0-9]?(/.*)? ++.br ++ ++.br ++.B mail_home_rw_t ++ ++ /root/Maildir(/.*)? ++.br ++ /home/[^/]*/.maildir(/.*)? ++.br ++ /home/[^/]*/Maildir(/.*)? ++.br ++ /home/pwalsh/.maildir(/.*)? ++.br ++ /home/pwalsh/Maildir(/.*)? ++.br ++ /home/dwalsh/.maildir(/.*)? ++.br ++ /home/dwalsh/Maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/.maildir(/.*)? ++.br ++ /var/lib/xguest/home/xguest/Maildir(/.*)? 
++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? ++.br ++ ++.br ++.B mqueue_spool_t ++ ++ /var/spool/(client)?mqueue(/.*)? ++.br ++ /var/spool/mqueue\.in(/.*)? ++.br ++ ++.br ++.B sendmail_log_t ++ ++ /var/log/mail(/.*)? ++.br ++ /var/log/sendmail\.st.* ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_mail_tmp_t ++ ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.br ++.B uucpd_spool_t ++ ++ /var/spool/uucp(/.*)? ++.br ++ /var/spool/uucppublic(/.*)? ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), user_mail(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), user_selinux(8), user_selinux(8), user_dbusd_selinux(8), user_gkeyringd_selinux(8), user_screen_selinux(8), user_seunshare_selinux(8), user_ssh_agent_selinux(8), user_wine_selinux(8), useradd_selinux(8), usernetctl_selinux(8) +\ No newline at end of file +diff --git a/man/man8/user_screen_selinux.8 b/man/man8/user_screen_selinux.8 +new file mode 100644 +index 0000000..5f5ba86 +--- /dev/null ++++ b/man/man8/user_screen_selinux.8 +@@ -0,0 +1,222 @@ ++.TH "user_screen_selinux" "8" "13-01-16" "user_screen" "SELinux Policy documentation for user_screen" ++.SH "NAME" ++user_screen_selinux \- Security Enhanced Linux Policy for the user_screen processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the user_screen processes via flexible mandatory access control. ++ ++The user_screen processes execute with the user_screen_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep user_screen_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The user_screen_t SELinux type can be entered via the \fBscreen_exec_t\fP file type. ++ ++The default entrypoint paths for the user_screen_t domain are the following: ++ ++/usr/bin/tmux, /usr/bin/screen ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux user_screen policy is very flexible allowing users to setup their user_screen processes in as secure a method as possible. ++.PP ++The following process types are defined for user_screen: ++ ++.EX ++.B user_screen_t ++.EE ++.PP ++Note: ++.B semanage permissive -a user_screen_t ++can be used to make the process type user_screen_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. user_screen policy is extremely flexible and has several booleans that allow you to manipulate the policy and run user_screen with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the user_screen_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the user_screen_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type user_screen_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? 
++.br ++ ++.br ++.B initrc_var_run_t ++ ++ /var/run/utmp ++.br ++ /var/run/random-seed ++.br ++ /var/run/runlevel\.dir ++.br ++ /var/run/setmixer_flag ++.br ++ ++.br ++.B user_tmp_type ++ ++ all user tmp files ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), user_screen(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), user_selinux(8), user_selinux(8), user_dbusd_selinux(8), user_gkeyringd_selinux(8), user_mail_selinux(8), user_seunshare_selinux(8), user_ssh_agent_selinux(8), user_wine_selinux(8), useradd_selinux(8), usernetctl_selinux(8) +\ No newline at end of file diff --git a/man/man8/user_selinux.8 b/man/man8/user_selinux.8 new file mode 100644 -index 0000000..1106e32 +index 0000000..336d2ca --- /dev/null +++ b/man/man8/user_selinux.8 @@ -0,0 +1,763 @@ @@ -98792,7 +184087,7 @@ index 0000000..1106e32 + +The SELinux user will usually login to a system with a context that looks like: + -+.B user_u:user_r:user_t:s0-s0:c0.c1023 ++.B user_u:user_r:user_t:s0 + +Linux users are automatically assigned an SELinux users at login. +Login programs use the SELinux User to assign initial context to the user's shell. 
@@ -98842,10 +184137,10 @@ index 0000000..1106e32 +.TP +The SELinux user user_u is able to listen on the following udp ports. + -+.B all ports with out defined types -+ +.B ephemeral_port_t: 32768-61000 + ++.B all ports with out defined types ++ +.TP +The SELinux user user_u is able to connect to the following tcp ports. + 
@@ -98856,339 +184151,275 @@ index 0000000..1106e32 + + +.PP -+If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P selinuxuser_execstack 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. + +.EX -+.B setsebool -P selinuxuser_use_ssh_chroot 1 ++.B setsebool -P deny_execmem 1 ++ +.EE + +.PP -+If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P polipo_session_users 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + +.PP -+If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.B setsebool -P selinuxuser_ping 1 ++.B setsebool -P domain_fd_use 1 ++ +.EE + +.PP -+If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean. 
++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.B setsebool -P selinuxuser_user_share_music 1 ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + +.PP -+If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.B setsebool -P unprivuser_use_svirt 1 ++.B setsebool -P fips_mode 1 ++ +.EE + +.PP -+If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. -+ -+.EX -+.B setsebool -P selinuxuser_direct_dri_enabled 1 -+.EE -+ -+.PP -+If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. -+ -+.EX -+.B setsebool -P selinuxuser_tcp_server 1 -+.EE -+ -+.PP -+If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean. -+ -+.EX -+.B setsebool -P selinuxuser_execheap 1 -+.EE -+ -+.PP -+If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. -+ -+.EX -+.B setsebool -P selinuxuser_postgresql_connect_enabled 1 -+.EE -+ -+.PP -+If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean. 
-+ -+.EX -+.B setsebool -P selinuxuser_rw_noexattrfile 1 -+.EE -+ -+.PP -+If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean. -+ -+.EX -+.B setsebool -P httpd_read_user_content 1 -+.EE -+ -+.PP -+If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean. -+ -+.EX -+.B setsebool -P postgresql_selinux_users_ddl 1 -+.EE -+ -+.PP -+If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. -+ -+.EX -+.B setsebool -P selinuxuser_execmod 1 -+.EE -+ -+.PP -+If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean. -+ -+.EX -+.B setsebool -P webadm_manage_user_files 1 -+.EE -+ -+.PP -+If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean. -+ -+.EX -+.B setsebool -P pppd_for_user 1 -+.EE -+ -+.PP -+If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean. -+ -+.EX -+.B setsebool -P selinuxuser_mysql_connect_enabled 1 -+.EE -+ -+.PP -+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean. -+ -+.EX -+.B setsebool -P clamscan_read_user_content 1 -+.EE -+ -+.PP -+If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean. -+ -+.EX -+.B setsebool -P dbadm_manage_user_files 1 -+.EE -+ -+.PP -+If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean. -+ -+.EX -+.B setsebool -P exim_manage_user_files 1 -+.EE -+ -+.PP -+If you want to determine whether calling user domains can execute Git daemon in the git_session_t domain, you must turn on the git_session_users boolean. 
++If you want to determine whether calling user domains can execute Git daemon in the git_session_t domain, you must turn on the git_session_users boolean. Disabled by default. + +.EX +.B setsebool -P git_session_users 1 ++ +.EE + +.PP -+If you want to allow dbadm to read files in users home directories, you must turn on the dbadm_read_user_files boolean. ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.B setsebool -P dbadm_read_user_files 1 ++.B setsebool -P global_ssp 1 ++ +.EE + +.PP -+If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean. ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Enabled by default. + +.EX -+.B setsebool -P exim_read_user_files 1 ++.B setsebool -P httpd_enable_cgi 1 ++ +.EE + +.PP -+If you want to allow webadm to read files in users home directories, you must turn on the webadm_read_user_files boolean. ++If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean. Disabled by default. + +.EX -+.B setsebool -P webadm_read_user_files 1 ++.B setsebool -P httpd_unified 1 ++ +.EE + +.PP -+If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.B setsebool -P selinuxuser_execstack 1 ++.B setsebool -P kerberos_enabled 1 ++ +.EE + +.PP -+If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. 
++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. + +.EX -+.B setsebool -P selinuxuser_use_ssh_chroot 1 ++.B setsebool -P login_console_enabled 1 ++ +.EE + +.PP -+If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to determine whether calling user domains can execute Polipo daemon in the polipo_session_t domain, you must turn on the polipo_session_users boolean. Disabled by default. + +.EX +.B setsebool -P polipo_session_users 1 ++ +.EE + +.PP -+If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean. -+ -+.EX -+.B setsebool -P selinuxuser_ping 1 -+.EE -+ -+.PP -+If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean. -+ -+.EX -+.B setsebool -P selinuxuser_user_share_music 1 -+.EE -+ -+.PP -+If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean. -+ -+.EX -+.B setsebool -P unprivuser_use_svirt 1 -+.EE -+ -+.PP -+If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. 
-+ -+.EX -+.B setsebool -P selinuxuser_direct_dri_enabled 1 -+.EE -+ -+.PP -+If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. -+ -+.EX -+.B setsebool -P selinuxuser_tcp_server 1 -+.EE -+ -+.PP -+If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execheap boolean. -+ -+.EX -+.B setsebool -P selinuxuser_execheap 1 -+.EE -+ -+.PP -+If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. -+ -+.EX -+.B setsebool -P selinuxuser_postgresql_connect_enabled 1 -+.EE -+ -+.PP -+If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean. -+ -+.EX -+.B setsebool -P selinuxuser_rw_noexattrfile 1 -+.EE -+ -+.PP -+If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean. -+ -+.EX -+.B setsebool -P httpd_read_user_content 1 -+.EE -+ -+.PP -+If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean. -+ -+.EX -+.B setsebool -P postgresql_selinux_users_ddl 1 -+.EE -+ -+.PP -+If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. -+ -+.EX -+.B setsebool -P selinuxuser_execmod 1 -+.EE -+ -+.PP -+If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean. 
-+ -+.EX -+.B setsebool -P webadm_manage_user_files 1 -+.EE -+ -+.PP -+If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean. ++If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean. Disabled by default. + +.EX +.B setsebool -P pppd_for_user 1 ++ +.EE + +.PP -+If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean. ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Disabled by default. ++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to the local mysql server, you must turn on the selinuxuser_mysql_connect_enabled boolean. Disabled by default. + +.EX +.B setsebool -P selinuxuser_mysql_connect_enabled 1 ++ +.EE + +.PP -+If you want to allow clamscan to read user content, you must turn on the clamscan_read_user_content boolean. 
++If you want to allow confined users the ability to execute the ping and traceroute commands, you must turn on the selinuxuser_ping boolean. Enabled by default. + +.EX -+.B setsebool -P clamscan_read_user_content 1 ++.B setsebool -P selinuxuser_ping 1 ++ +.EE + +.PP -+If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean. ++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. Disabled by default. + +.EX -+.B setsebool -P dbadm_manage_user_files 1 ++.B setsebool -P selinuxuser_postgresql_connect_enabled 1 ++ +.EE + +.PP -+If you want to allow exim to create, read, write, and delete unprivileged user files, you must turn on the exim_manage_user_files boolean. ++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean. Enabled by default. + +.EX -+.B setsebool -P exim_manage_user_files 1 ++.B setsebool -P selinuxuser_rw_noexattrfile 1 ++ +.EE + +.PP -+If you want to determine whether calling user domains can execute Git daemon in the git_session_t domain, you must turn on the git_session_users boolean. ++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. Disabled by default. + +.EX -+.B setsebool -P git_session_users 1 ++.B setsebool -P selinuxuser_tcp_server 1 ++ +.EE + +.PP -+If you want to allow dbadm to read files in users home directories, you must turn on the dbadm_read_user_files boolean. ++If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default. 
+ +.EX -+.B setsebool -P dbadm_read_user_files 1 ++.B setsebool -P selinuxuser_use_ssh_chroot 1 ++ +.EE + +.PP -+If you want to allow exim to read unprivileged user files, you must turn on the exim_read_user_files boolean. ++If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean. Disabled by default. + +.EX -+.B setsebool -P exim_read_user_files 1 ++.B setsebool -P selinuxuser_user_share_music 1 ++ +.EE + +.PP -+If you want to allow webadm to read files in users home directories, you must turn on the webadm_read_user_files boolean. ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. + +.EX -+.B setsebool -P webadm_read_user_files 1 ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean. Disabled by default. ++ ++.EX ++.B setsebool -P unprivuser_use_svirt 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ +.EE + +.SH HOME_EXEC @@ -99253,6 +184484,10 @@ index 0000000..1106e32 + + +.br ++.B cifs_t ++ ++ ++.br +.B games_data_t + + /var/games(/.*)? @@ -99265,6 +184500,8 @@ index 0000000..1106e32 + + /home/[^/]*/\.gnupg/log-socket +.br ++ /home/pwalsh/\.gnupg/log-socket ++.br + /home/dwalsh/\.gnupg/log-socket +.br + /var/lib/xguest/home/xguest/\.gnupg/log-socket @@ -99275,6 +184512,8 @@ index 0000000..1106e32 + + /home/[^/]*/((www)|(web)|(public_html))(/.+)? +.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.+)? ++.br + /home/dwalsh/((www)|(web)|(public_html))(/.+)? +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)? @@ -99285,6 +184524,8 @@ index 0000000..1106e32 + + /home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess +.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess ++.br + /home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess @@ -99295,6 +184536,8 @@ index 0000000..1106e32 + + /home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)? +.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)? ++.br + /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)? +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)? @@ -99309,6 +184552,8 @@ index 0000000..1106e32 + + /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)? +.br ++ /home/pwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)? ++.br + /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)? +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)? @@ -99325,6 +184570,10 @@ index 0000000..1106e32 +.br + /home/[^/]*/\.ICEauthority.* +.br ++ /home/pwalsh/\.DCOP.* ++.br ++ /home/pwalsh/\.ICEauthority.* ++.br + /home/dwalsh/\.DCOP.* +.br + /home/dwalsh/\.ICEauthority.* 
@@ -99335,6 +184584,26 @@ index 0000000..1106e32 +.br + +.br ++.B irc_home_t ++ ++ /home/[^/]*/\.irssi(/.*)? ++.br ++ /home/[^/]*/\.ircmotd ++.br ++ /home/pwalsh/\.irssi(/.*)? ++.br ++ /home/pwalsh/\.ircmotd ++.br ++ /home/dwalsh/\.irssi(/.*)? ++.br ++ /home/dwalsh/\.ircmotd ++.br ++ /var/lib/xguest/home/xguest/\.irssi(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ircmotd ++.br ++ ++.br +.B mail_spool_t + + /var/mail(/.*)? @@ -99381,6 +184650,10 @@ index 0000000..1106e32 +.br + /home/[^/]*/\.screenrc +.br ++ /home/pwalsh/\.screen(/.*)? ++.br ++ /home/pwalsh/\.screenrc ++.br + /home/dwalsh/\.screen(/.*)? +.br + /home/dwalsh/\.screenrc @@ -99415,6 +184688,12 @@ index 0000000..1106e32 +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? @@ -99437,6 +184716,8 @@ index 0000000..1106e32 +.br + /home/[^/]*/\.fonts(/.*)? +.br ++ /home/pwalsh/\.fonts(/.*)? ++.br + /home/dwalsh/\.fonts(/.*)? +.br + /var/lib/xguest/home/xguest/\.fonts(/.*)? @@ -99461,6 +184742,12 @@ index 0000000..1106e32 +.br + +.br ++.B virt_image_type ++ ++ all virtual image files ++.br ++ ++.br +.B xauth_home_t + + /root/\.xauth.* @@ -99487,6 +184774,14 @@ index 0000000..1106e32 +.br + /home/[^/]*/\.Xauthority.* +.br ++ /home/pwalsh/\.xauth.* ++.br ++ /home/pwalsh/\.Xauth.* ++.br ++ /home/pwalsh/\.serverauth.* ++.br ++ /home/pwalsh/\.Xauthority.* ++.br + /home/dwalsh/\.xauth.* +.br + /home/dwalsh/\.Xauth.* 
@@ -99542,15 +184837,964 @@ index 0000000..1106e32 + +.SH "SEE ALSO" +selinux(8), user(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8), useradd_selinux(8), usernetctl_selinux(8) ++, setsebool(8), user_dbusd_selinux(8), user_gkeyringd_selinux(8), user_mail_selinux(8), user_screen_selinux(8), user_seunshare_selinux(8), user_ssh_agent_selinux(8), user_wine_selinux(8), useradd_selinux(8), usernetctl_selinux(8) +\ No newline at end of file +diff --git a/man/man8/user_seunshare_selinux.8 b/man/man8/user_seunshare_selinux.8 +new file mode 100644 +index 0000000..391cda2 +--- /dev/null ++++ b/man/man8/user_seunshare_selinux.8 +@@ -0,0 +1,202 @@ ++.TH "user_seunshare_selinux" "8" "13-01-16" "user_seunshare" "SELinux Policy documentation for user_seunshare" ++.SH "NAME" ++user_seunshare_selinux \- Security Enhanced Linux Policy for the user_seunshare processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the user_seunshare processes via flexible mandatory access control. ++ ++The user_seunshare processes execute with the user_seunshare_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep user_seunshare_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The user_seunshare_t SELinux type can be entered via the \fBseunshare_exec_t\fP file type. ++ ++The default entrypoint paths for the user_seunshare_t domain are the following: ++ ++/usr/sbin/seunshare ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux user_seunshare policy is very flexible allowing users to setup their user_seunshare processes in as secure a method as possible. 
++.PP ++The following process types are defined for user_seunshare: ++ ++.EX ++.B user_seunshare_t ++.EE ++.PP ++Note: ++.B semanage permissive -a user_seunshare_t ++can be used to make the process type user_seunshare_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. user_seunshare policy is extremely flexible and has several booleans that allow you to manipulate the policy and run user_seunshare with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the user_seunshare_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the user_seunshare_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type user_seunshare_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B sandbox_file_t ++ ++ ++.br ++.B sandbox_tmpfs_type ++ ++ all sandbox content in tmpfs file systems ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), user_seunshare(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), user_selinux(8), user_selinux(8), user_dbusd_selinux(8), user_gkeyringd_selinux(8), user_mail_selinux(8), user_screen_selinux(8), user_ssh_agent_selinux(8), user_wine_selinux(8), useradd_selinux(8), usernetctl_selinux(8) +\ No newline at end of file +diff --git a/man/man8/user_ssh_agent_selinux.8 b/man/man8/user_ssh_agent_selinux.8 +new file mode 100644 +index 0000000..c0c02b3 +--- /dev/null ++++ b/man/man8/user_ssh_agent_selinux.8 +@@ -0,0 +1,224 @@ ++.TH "user_ssh_agent_selinux" "8" "13-01-16" "user_ssh_agent" "SELinux Policy documentation for user_ssh_agent" ++.SH "NAME" ++user_ssh_agent_selinux \- Security Enhanced Linux Policy for the user_ssh_agent processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the user_ssh_agent processes via flexible mandatory access control. ++ ++The user_ssh_agent processes execute with the user_ssh_agent_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. 
++ ++For example: ++ ++.B ps -eZ | grep user_ssh_agent_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The user_ssh_agent_t SELinux type can be entered via the \fBssh_agent_exec_t\fP file type. ++ ++The default entrypoint paths for the user_ssh_agent_t domain are the following: ++ ++/usr/bin/ssh-agent ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux user_ssh_agent policy is very flexible allowing users to setup their user_ssh_agent processes in as secure a method as possible. ++.PP ++The following process types are defined for user_ssh_agent: ++ ++.EX ++.B user_ssh_agent_t ++.EE ++.PP ++Note: ++.B semanage permissive -a user_ssh_agent_t ++can be used to make the process type user_ssh_agent_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. user_ssh_agent policy is extremely flexible and has several booleans that allow you to manipulate the policy and run user_ssh_agent with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the user_ssh_agent_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the user_ssh_agent_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type user_ssh_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. 
++ ++.SH "SEE ALSO" ++selinux(8), user_ssh_agent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), user_selinux(8), user_selinux(8), user_dbusd_selinux(8), user_gkeyringd_selinux(8), user_mail_selinux(8), user_screen_selinux(8), user_seunshare_selinux(8), user_wine_selinux(8), useradd_selinux(8), usernetctl_selinux(8) +\ No newline at end of file +diff --git a/man/man8/user_wine_selinux.8 b/man/man8/user_wine_selinux.8 +new file mode 100644 +index 0000000..854bcd2 +--- /dev/null ++++ b/man/man8/user_wine_selinux.8 +@@ -0,0 +1,502 @@ ++.TH "user_wine_selinux" "8" "13-01-16" "user_wine" "SELinux Policy documentation for user_wine" ++.SH "NAME" ++user_wine_selinux \- Security Enhanced Linux Policy for the user_wine processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the user_wine processes via flexible mandatory access control. ++ ++The user_wine processes execute with the user_wine_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep user_wine_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The user_wine_t SELinux type can be entered via the \fBuser_home_t, wine_exec_t, xsession_exec_t\fP file types. 
++ ++The default entrypoint paths for the user_wine_t domain are the following: ++ ++/home/[^/]*/.+, /home/pwalsh/.+, /home/dwalsh/.+, /var/lib/xguest/home/xguest/.+, /usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/msiexec, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/progman, /opt/google/picasa(/.*)?/bin/regedit, /opt/google/picasa(/.*)?/bin/regsvr32, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*, /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad, /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller, /home/[^/]*/cxoffice/bin/wine.+, /home/pwalsh/cxoffice/bin/wine.+, /home/dwalsh/cxoffice/bin/wine.+, /var/lib/xguest/home/xguest/cxoffice/bin/wine.+, /etc/gdm(3)?/Xsession, /etc/kde[34]?/kdm/Xreset, /etc/gdm(3)?/PreSession/.*, /etc/kde[34]?/kdm/Xstartup, /etc/kde[34]?/kdm/Xsession, /etc/gdm(3)?/PostSession/.*, /etc/X11/[wx]dm/Xreset.*, /etc/X11/[wxg]dm/Xsession, /etc/X11/Xsession[^/]*, /etc/X11/wdm/Xsetup.*, /etc/X11/wdm/Xstartup.* ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux user_wine policy is very flexible allowing users to setup their user_wine processes in as secure a method as possible. ++.PP ++The following process types are defined for user_wine: ++ ++.EX ++.B user_wine_t ++.EE ++.PP ++Note: ++.B semanage permissive -a user_wine_t ++can be used to make the process type user_wine_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
user_wine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run user_wine with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Disabled by default. ++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow users to connect to PostgreSQL, you must turn on the selinuxuser_postgresql_connect_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_postgresql_connect_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_rw_noexattrfile 1 ++ ++.EE ++ ++.PP ++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the selinuxuser_tcp_server boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_tcp_server 1 ++ ++.EE ++ ++.PP ++If you want to allow user music sharing, you must turn on the selinuxuser_user_share_music boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_user_share_music 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the user_wine_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the user_wine_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type user_wine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B cgroup_t ++ ++ /cgroup ++.br ++ /sys/fs/cgroup ++.br ++ ++.br ++.B chrome_sandbox_tmpfs_t ++ ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B games_data_t ++ ++ /var/games(/.*)? ++.br ++ /var/lib/games(/.*)? ++.br ++ ++.br ++.B gpg_agent_tmp_t ++ ++ /home/[^/]*/\.gnupg/log-socket ++.br ++ /home/pwalsh/\.gnupg/log-socket ++.br ++ /home/dwalsh/\.gnupg/log-socket ++.br ++ /var/lib/xguest/home/xguest/\.gnupg/log-socket ++.br ++ ++.br ++.B iceauth_home_t ++ ++ /root/\.DCOP.* ++.br ++ /root/\.ICEauthority.* ++.br ++ /home/[^/]*/\.DCOP.* ++.br ++ /home/[^/]*/\.ICEauthority.* ++.br ++ /home/pwalsh/\.DCOP.* ++.br ++ /home/pwalsh/\.ICEauthority.* ++.br ++ /home/dwalsh/\.DCOP.* ++.br ++ /home/dwalsh/\.ICEauthority.* ++.br ++ /var/lib/xguest/home/xguest/\.DCOP.* ++.br ++ /var/lib/xguest/home/xguest/\.ICEauthority.* ++.br ++ ++.br ++.B mail_spool_t ++ ++ /var/mail(/.*)? ++.br ++ /var/spool/imap(/.*)? ++.br ++ /var/spool/mail(/.*)? ++.br ++ ++.br ++.B mqueue_spool_t ++ ++ /var/spool/(client)?mqueue(/.*)? ++.br ++ /var/spool/mqueue\.in(/.*)? ++.br ++ ++.br ++.B nfsd_rw_t ++ ++ ++.br ++.B noxattrfs ++ ++ all files on file systems which do not support extended attributes ++.br ++ ++.br ++.B usbfs_t ++ ++ ++.br ++.B user_fonts_cache_t ++ ++ /root/\.fontconfig(/.*)? ++.br ++ /root/\.fonts/auto(/.*)? ++.br ++ /root/\.fonts\.cache-.* ++.br ++ /home/[^/]*/\.fontconfig(/.*)? ++.br ++ /home/[^/]*/\.fonts/auto(/.*)? ++.br ++ /home/[^/]*/\.fonts\.cache-.* ++.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br ++ /home/dwalsh/\.fontconfig(/.*)? ++.br ++ /home/dwalsh/\.fonts/auto(/.*)? ++.br ++ /home/dwalsh/\.fonts\.cache-.* ++.br ++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts\.cache-.* ++.br ++ ++.br ++.B user_fonts_t ++ ++ /root/\.fonts(/.*)? ++.br ++ /tmp/\.font-unix(/.*)? 
++.br ++ /home/[^/]*/\.fonts(/.*)? ++.br ++ /home/pwalsh/\.fonts(/.*)? ++.br ++ /home/dwalsh/\.fonts(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts(/.*)? ++.br ++ ++.br ++.B user_home_type ++ ++ all user home files ++.br ++ ++.br ++.B user_tmp_type ++ ++ all user tmp files ++.br ++ ++.br ++.B user_tmpfs_type ++ ++ all user content in tmpfs file systems ++.br ++ ++.br ++.B xauth_home_t ++ ++ /root/\.xauth.* ++.br ++ /root/\.Xauth.* ++.br ++ /root/\.serverauth.* ++.br ++ /root/\.Xauthority.* ++.br ++ /var/lib/pqsql/\.xauth.* ++.br ++ /var/lib/pqsql/\.Xauthority.* ++.br ++ /var/lib/nxserver/home/\.xauth.* ++.br ++ /var/lib/nxserver/home/\.Xauthority.* ++.br ++ /home/[^/]*/\.xauth.* ++.br ++ /home/[^/]*/\.Xauth.* ++.br ++ /home/[^/]*/\.serverauth.* ++.br ++ /home/[^/]*/\.Xauthority.* ++.br ++ /home/pwalsh/\.xauth.* ++.br ++ /home/pwalsh/\.Xauth.* ++.br ++ /home/pwalsh/\.serverauth.* ++.br ++ /home/pwalsh/\.Xauthority.* ++.br ++ /home/dwalsh/\.xauth.* ++.br ++ /home/dwalsh/\.Xauth.* ++.br ++ /home/dwalsh/\.serverauth.* ++.br ++ /home/dwalsh/\.Xauthority.* ++.br ++ /var/lib/xguest/home/xguest/\.xauth.* ++.br ++ /var/lib/xguest/home/xguest/\.Xauth.* ++.br ++ /var/lib/xguest/home/xguest/\.serverauth.* ++.br ++ /var/lib/xguest/home/xguest/\.Xauthority.* ++.br ++ ++.br ++.B xdm_tmp_t ++ ++ /tmp/\.X11-unix(/.*)? ++.br ++ /tmp/\.ICE-unix(/.*)? ++.br ++ /tmp/\.X0-lock ++.br ++ ++.br ++.B xserver_tmpfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. 
++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), user_wine(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), user_selinux(8), user_selinux(8), user_dbusd_selinux(8), user_gkeyringd_selinux(8), user_mail_selinux(8), user_screen_selinux(8), user_seunshare_selinux(8), user_ssh_agent_selinux(8), useradd_selinux(8), usernetctl_selinux(8) \ No newline at end of file diff --git a/man/man8/useradd_selinux.8 b/man/man8/useradd_selinux.8 new file mode 100644 -index 0000000..81ee3be +index 0000000..75ecf53 --- /dev/null +++ b/man/man8/useradd_selinux.8 -@@ -0,0 +1,311 @@ -+.TH "useradd_selinux" "8" "12-11-01" "useradd" "SELinux Policy documentation for useradd" +@@ -0,0 +1,437 @@ ++.TH "useradd_selinux" "8" "13-01-16" "useradd" "SELinux Policy documentation for useradd" +.SH "NAME" +useradd_selinux \- Security Enhanced Linux Policy for the useradd processes +.SH "DESCRIPTION" @@ -99566,9 +185810,11 @@ index 0000000..81ee3be + +.SH "ENTRYPOINTS" + -+The useradd_t SELinux type can be entered via the "useradd_exec_t,user_home_t" file types. The default entrypoint paths for the useradd_t domain are the following:" ++The useradd_t SELinux type can be entered via the \fBuser_home_t, useradd_exec_t\fP file types. + -+/usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/newusers, /home/[^/]*/.+, /home/dwalsh/.+, /var/lib/xguest/home/xguest/.+ ++The default entrypoint paths for the useradd_t domain are the following: ++ ++/home/[^/]*/.+, /home/pwalsh/.+, /home/dwalsh/.+, /var/lib/xguest/home/xguest/.+, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/newusers +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
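Review bot: the three new pages (user_seunshare_selinux.8, user_ssh_agent_selinux.8, user_wine_selinux.8) repeat template defects that belong in the `sepolicy manpage` generator, not in hand edits of generated files: the PROCESS TYPES paragraph reads `\fBps\bP`, which is not the groff escape that ends bold and should be `\fBps\fP`; "rather then using a sssd server" should be "rather than"; the SEE ALSO line lists `user_selinux(8), user_selinux(8)` twice; and each file ends with `\ No newline at end of file`. The one that matters for an administrator is the deny_ptrace entry: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" followed by `setsebool -P deny_ptrace 1`. Turning deny_ptrace on removes ptrace access, so the page tells the reader to do the opposite of what they want; the boolean description should be phrased as the denial it is, or the template must invert "turn on" for booleans named deny_*. Separately, both user_wine_t (user_wine_selinux.8 ENTRYPOINTS) and useradd_t (start of the useradd_selinux.8 hunk) are documented as entered via user_home_t, i.e. `/home/[^/]*/.+`. An entrypoint alone does not grant a transition, but a domain that manages shadow_t having every file in a user's home directory as a valid entrypoint is exactly what a reader of this page will want explained; either add the reason to the page or confirm the useradd policy really intends it.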
@@ -99584,40 +185830,142 @@ index 0000000..81ee3be +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a useradd_t ++can be used to make the process type useradd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux useradd policy is very flexible allowing users to setup their useradd processes in as secure a method as possible. -+.PP -+The following file types are defined for useradd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. useradd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run useradd with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B useradd_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the useradd_exec_t type, if you want to transition an executable to the useradd_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow samba to act as the domain controller, add users, groups and change passwords, you must turn on the samba_domain_controller boolean. Disabled by default. ++ ++.EX ++.B setsebool -P samba_domain_controller 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the useradd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the useradd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type useradd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br +.B default_context_t + + /etc/selinux/([^/]*/)?contexts(/.*)? @@ -99662,12 +186010,12 @@ index 0000000..81ee3be + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B file_context_t @@ -99698,7 +186046,7 @@ index 0000000..81ee3be +.br +.B lastlog_t + -+ /var/log/lastlog ++ /var/log/lastlog.* +.br + +.br @@ -99712,6 +186060,10 @@ index 0000000..81ee3be +.br + +.br ++.B nfs_t ++ ++ ++.br +.B passwd_file_t + + /etc/group[-\+]? @@ -99732,20 +186084,6 @@ index 0000000..81ee3be +.br + +.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br +.B security_t + + /selinux @@ -99804,6 +186142,8 @@ index 0000000..81ee3be +.br + /etc/gshadow.* +.br ++ /etc/nshadow.* ++.br + /var/db/shadow.* +.br + /etc/security/opasswd 
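Review bot: in the useradd_selinux.8 MANAGED FILES hunk the new `cifs_t` and `nfs_t` entries are emitted as a bold type name followed by nothing, because filesystem types have no file-context paths; the same empty blocks appear for `cifs_t`, `fusefs_t` and `nfs_t` in user_ssh_agent_selinux.8 and for `anon_inodefs_t`, `cgroup_t`-adjacent `chrome_sandbox_tmpfs_t`, `usbfs_t` and `xserver_tmpfs_t` in user_wine_selinux.8. The generator already prints a one-line description for attributes ("all user home files", "all sandbox content in tmpfs file systems"); doing the same for path-less types would stop the empty block from reading as a truncated entry. The other changes in this hunk (faillog_t and lastlog_t patterns widened to `.*`, `/etc/nshadow.*` added under shadow_t, pcscd_var_run_t removed from the list) are documentation following the policy, but the removal of pcscd_var_run_t implies useradd_t lost that access in the accompanying policy change and nothing in the changelog mentions it; worth confirming it is intended.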
@@ -99823,21 +186163,48 @@ index 0000000..81ee3be + all user home files +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux useradd policy is very flexible allowing users to setup their useradd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the useradd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the useradd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t useradd_exec_t '/srv/useradd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myuseradd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for useradd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B useradd_exec_t +.EE + ++- Set files with the useradd_exec_t type, if you want to transition an executable to the useradd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/newusers ++ +.PP -+If you want to allow confined applications to run with kerberos for the useradd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. 
You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -99849,6 +186216,9 @@ index 0000000..81ee3be +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -99860,15 +186230,15 @@ index 0000000..81ee3be + +.SH "SEE ALSO" +selinux(8), useradd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, user_selinux(8) ++, setsebool(8), user_selinux(8) \ No newline at end of file diff --git a/man/man8/usernetctl_selinux.8 b/man/man8/usernetctl_selinux.8 new file mode 100644 -index 0000000..cb4d1bf +index 0000000..f82b3d8 --- /dev/null +++ b/man/man8/usernetctl_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "usernetctl_selinux" "8" "12-11-01" "usernetctl" "SELinux Policy documentation for usernetctl" +@@ -0,0 +1,195 @@ ++.TH "usernetctl_selinux" "8" "13-01-16" "usernetctl" "SELinux Policy documentation for usernetctl" +.SH "NAME" +usernetctl_selinux \- Security Enhanced Linux Policy for the usernetctl processes +.SH "DESCRIPTION" @@ -99884,7 +186254,9 @@ index 0000000..cb4d1bf + +.SH "ENTRYPOINTS" + -+The usernetctl_t SELinux type can be entered via the "usernetctl_exec_t" file type. The default entrypoint paths for the usernetctl_t domain are the following:" ++The usernetctl_t SELinux type can be entered via the \fBusernetctl_exec_t\fP file type. ++ ++The default entrypoint paths for the usernetctl_t domain are the following: + +/usr/sbin/usernetctl +.SH PROCESS TYPES 
@@ -99902,8 +186274,100 @@ index 0000000..cb4d1bf +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a usernetctl_t ++can be used to make the process type usernetctl_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. usernetctl policy is extremely flexible and has several booleans that allow you to manipulate the policy and run usernetctl with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the usernetctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the usernetctl_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -99913,7 +186377,20 @@ index 0000000..cb4d1bf +Policy governs the access confined processes have to these files. +SELinux usernetctl policy is very flexible allowing users to setup their usernetctl processes in as secure a method as possible. +.PP -+The following file types are defined for usernetctl: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the usernetctl, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t usernetctl_exec_t '/srv/usernetctl/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myusernetctl_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for usernetctl: + + +.EX @@ -99931,22 +186408,6 @@ index 0000000..cb4d1bf +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the usernetctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the usernetctl_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -99957,6 +186418,9 @@ index 0000000..cb4d1bf +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -99968,15 +186432,15 @@ index 0000000..cb4d1bf + +.SH "SEE ALSO" +selinux(8), usernetctl(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, user_selinux(8) ++, setsebool(8), user_selinux(8) \ No newline at end of file diff --git a/man/man8/utempter_selinux.8 b/man/man8/utempter_selinux.8 new file mode 100644 -index 0000000..7ae0085 +index 0000000..10aa336 --- /dev/null +++ b/man/man8/utempter_selinux.8 -@@ -0,0 +1,134 @@ -+.TH "utempter_selinux" "8" "12-11-01" "utempter" "SELinux Policy documentation for utempter" +@@ -0,0 +1,231 @@ ++.TH "utempter_selinux" "8" "13-01-16" "utempter" "SELinux Policy documentation for utempter" +.SH "NAME" +utempter_selinux \- Security Enhanced Linux Policy for the utempter processes +.SH "DESCRIPTION" @@ -99992,7 +186456,9 @@ index 0000000..7ae0085 + +.SH "ENTRYPOINTS" + -+The utempter_t SELinux type can be entered via the "utempter_exec_t" file type. The default entrypoint paths for the utempter_t domain are the following:" ++The utempter_t SELinux type can be entered via the \fButempter_exec_t\fP file type. ++ ++The default entrypoint paths for the utempter_t domain are the following: + +/usr/sbin/utempter +.SH PROCESS TYPES 
@@ -100010,34 +186476,100 @@ index 0000000..7ae0085 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a utempter_t ++can be used to make the process type utempter_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux utempter policy is very flexible allowing users to setup their utempter processes in as secure a method as possible. -+.PP -+The following file types are defined for utempter: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. utempter policy is extremely flexible and has several booleans that allow you to manipulate the policy and run utempter with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B utempter_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the utempter_exec_t type, if you want to transition an executable to the utempter_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the utempter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the utempter_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -100062,6 +186594,8 @@ index 0000000..7ae0085 +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest 
@@ -100073,21 +186607,44 @@ index 0000000..7ae0085 + /var/log/wtmp.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux utempter policy is very flexible allowing users to setup their utempter processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the utempter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the utempter, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t utempter_exec_t '/srv/utempter/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myutempter_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for utempter: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B utempter_exec_t +.EE + ++- Set files with the utempter_exec_t type, if you want to transition an executable to the utempter_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the utempter_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -100099,6 +186656,9 @@ index 0000000..7ae0085 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -100110,13 +186670,15 @@ index 0000000..7ae0085 + +.SH "SEE ALSO" +selinux(8), utempter(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/uucpd_selinux.8 b/man/man8/uucpd_selinux.8 new file mode 100644 -index 0000000..1f472de +index 0000000..a6fd614 --- /dev/null +++ b/man/man8/uucpd_selinux.8 -@@ -0,0 +1,218 @@ -+.TH "uucpd_selinux" "8" "12-11-01" "uucpd" "SELinux Policy documentation for uucpd" +@@ -0,0 +1,362 @@ ++.TH "uucpd_selinux" "8" "13-01-16" "uucpd" "SELinux Policy documentation for uucpd" +.SH "NAME" +uucpd_selinux \- Security Enhanced Linux Policy for the uucpd processes +.SH "DESCRIPTION" @@ -100132,7 +186694,9 @@ index 0000000..1f472de + +.SH "ENTRYPOINTS" + -+The uucpd_t SELinux type can be entered via the "uucpd_exec_t" file type. The default entrypoint paths for the uucpd_t domain are the following:" ++The uucpd_t SELinux type can be entered via the \fBuucpd_exec_t\fP file type. ++ ++The default entrypoint paths for the uucpd_t domain are the following: + +/usr/sbin/uucico +.SH PROCESS TYPES 
@@ -100150,8 +186714,185 @@ index 0000000..1f472de +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a uucpd_t ++can be used to make the process type uucpd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. uucpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run uucpd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the uucpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the uucpd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. 
++SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible. ++.PP ++The following port types are defined for uucpd: ++ ++.EX ++.TP 5 ++.B uucpd_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 540 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type uucpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B uucpd_lock_t ++ ++ /var/lock/uucp(/.*)? ++.br ++ ++.br ++.B uucpd_rw_t ++ ++ ++.br ++.B uucpd_spool_t ++ ++ /var/spool/uucp(/.*)? ++.br ++ /var/spool/uucppublic(/.*)? ++.br ++ ++.br ++.B uucpd_tmp_t ++ ++ ++.br ++.B uucpd_var_run_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -100161,7 +186902,31 @@ index 0000000..1f472de +Policy governs the access confined processes have to these files. +SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible. +.PP -+The following file types are defined for uucpd: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++uucpd policy stores data with multiple different file context types under the /var/spool/uucp directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/spool/uucp /srv/uucp ++.br ++.B restorecon -R -v /srv/uucp ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the uucpd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t uucpd_exec_t '/srv/uucpd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myuucpd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for uucpd: + + +.EX @@ -100174,6 +186939,14 @@ index 0000000..1f472de + +.EX +.PP ++.B uucpd_initrc_exec_t ++.EE ++ ++- Set files with the uucpd_initrc_exec_t type, if you want to transition an executable to the uucpd_initrc_t domain. ++ ++ ++.EX ++.PP +.B uucpd_lock_t +.EE + @@ -100211,6 +186984,10 @@ index 0000000..1f472de + +- Set files with the uucpd_spool_t type, if you want to store the uucpd files under the /var/spool directory. + ++.br ++.TP 5 ++Paths: ++/var/spool/uucp(/.*)?, /var/spool/uucppublic(/.*)? + +.EX +.PP 
@@ -100225,7 +187002,7 @@ index 0000000..1f472de +.B uucpd_var_run_t +.EE + -+- Set files with the uucpd_var_run_t type, if you want to store the uucpd files under the /run directory. ++- Set files with the uucpd_var_run_t type, if you want to store the uucpd files under the /run or /var/run directory. + + +.PP 
@@ -100235,81 +187012,6 @@ index 0000000..1f472de +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux uucpd policy is very flexible allowing users to setup their uucpd processes in as secure a method as possible. -+.PP -+The following port types are defined for uucpd: -+ -+.EX -+.TP 5 -+.B uucpd_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 540 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type uucpd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B uucpd_lock_t -+ -+ /var/lock/uucp(/.*)? -+.br -+ -+.br -+.B uucpd_log_t -+ -+ /var/log/uucp(/.*)? -+.br -+ -+.br -+.B uucpd_rw_t -+ -+ -+.br -+.B uucpd_spool_t -+ -+ /var/spool/uucp(/.*)? -+.br -+ /var/spool/uucppublic(/.*)? -+.br -+ -+.br -+.B uucpd_tmp_t -+ -+ -+.br -+.B uucpd_var_run_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the uucpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the uucpd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -100323,6 +187025,9 @@ index 0000000..1f472de +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -100334,13 +187039,15 @@ index 0000000..1f472de + +.SH "SEE ALSO" +selinux(8), uucpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/uuidd_selinux.8 b/man/man8/uuidd_selinux.8 new file mode 100644 -index 0000000..219e6f4 +index 0000000..03d5bb8 --- /dev/null +++ b/man/man8/uuidd_selinux.8 -@@ -0,0 +1,126 @@ -+.TH "uuidd_selinux" "8" "12-11-01" "uuidd" "SELinux Policy documentation for uuidd" +@@ -0,0 +1,219 @@ ++.TH "uuidd_selinux" "8" "13-01-16" "uuidd" "SELinux Policy documentation for uuidd" +.SH "NAME" +uuidd_selinux \- Security Enhanced Linux Policy for the uuidd processes +.SH "DESCRIPTION" @@ -100356,7 +187063,9 @@ index 0000000..219e6f4 + +.SH "ENTRYPOINTS" + -+The uuidd_t SELinux type can be entered via the "uuidd_exec_t" file type. The default entrypoint paths for the uuidd_t domain are the following:" ++The uuidd_t SELinux type can be entered via the \fBuuidd_exec_t\fP file type. ++ ++The default entrypoint paths for the uuidd_t domain are the following: + +/usr/sbin/uuidd +.SH PROCESS TYPES 
@@ -100374,8 +187083,100 @@ index 0000000..219e6f4 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a uuidd_t ++can be used to make the process type uuidd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. uuidd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run uuidd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type uuidd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B uuidd_var_lib_t ++ ++ /var/lib/libuuid(/.*)? ++.br ++ ++.br ++.B uuidd_var_run_t ++ ++ /var/run/uuidd(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -100385,7 +187186,20 @@ index 0000000..219e6f4 +Policy governs the access confined processes have to these files. +SELinux uuidd policy is very flexible allowing users to setup their uuidd processes in as secure a method as possible. +.PP -+The following file types are defined for uuidd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the uuidd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t uuidd_exec_t '/srv/uuidd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myuuidd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for uuidd: + + +.EX 
@@ -100417,7 +187231,7 @@ index 0000000..219e6f4 +.B uuidd_var_run_t +.EE + -+- Set files with the uuidd_var_run_t type, if you want to store the uuidd files under the /run directory. ++- Set files with the uuidd_var_run_t type, if you want to store the uuidd files under the /run or /var/run directory. + + +.PP @@ -100427,24 +187241,6 @@ index 0000000..219e6f4 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type uuidd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B uuidd_var_lib_t -+ -+ /var/lib/libuuid(/.*)? -+.br -+ -+.br -+.B uuidd_var_run_t -+ -+ /var/run/uuidd(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -100455,6 +187251,9 @@ index 0000000..219e6f4 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -100466,13 +187265,15 @@ index 0000000..219e6f4 + +.SH "SEE ALSO" +selinux(8), uuidd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/uux_selinux.8 b/man/man8/uux_selinux.8 new file mode 100644 -index 0000000..5c1314d +index 0000000..b372dfc --- /dev/null +++ b/man/man8/uux_selinux.8 -@@ -0,0 +1,116 @@ -+.TH "uux_selinux" "8" "12-11-01" "uux" "SELinux Policy documentation for uux" +@@ -0,0 +1,211 @@ ++.TH "uux_selinux" "8" "13-01-16" "uux" "SELinux Policy documentation for uux" +.SH "NAME" +uux_selinux \- Security Enhanced Linux Policy for the uux processes +.SH "DESCRIPTION" 
@@ -100488,7 +187289,9 @@ index 0000000..5c1314d + +.SH "ENTRYPOINTS" + -+The uux_t SELinux type can be entered via the "uux_exec_t" file type. The default entrypoint paths for the uux_t domain are the following:" ++The uux_t SELinux type can be entered via the \fBuux_exec_t\fP file type. ++ ++The default entrypoint paths for the uux_t domain are the following: + +/usr/bin/uux +.SH PROCESS TYPES 
@@ -100506,34 +187309,100 @@ index 0000000..5c1314d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a uux_t ++can be used to make the process type uux_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux uux policy is very flexible allowing users to setup their uux processes in as secure a method as possible. -+.PP -+The following file types are defined for uux: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. uux policy is extremely flexible and has several booleans that allow you to manipulate the policy and run uux with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B uux_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the uux_exec_t type, if you want to transition an executable to the uux_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the uux_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the uux_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
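Review bot: the deny_ptrace entry in the new BOOLEANS section is inverted. It reads "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default." and then shows `setsebool -P deny_ptrace 1`; turning deny_ptrace on is what denies ptrace, so an admin who wants to debug has to turn it off (`setsebool -P deny_ptrace 0`), and the default-enabled state is the hardened one. The same paragraph is stamped into every regenerated page in this patch (varnishd, varnishlog, vbetool, vdagent, vhostmd), so the fix belongs in the generator template rather than in one man page. Smaller things in the same hunk: "rather then using a sssd server" should be "rather than", and authlogin_nsswitch_use_ldap and kerberos_enabled are now listed twice, once under BOOLEANS and again under NSSWITCH DOMAIN with the identical setsebool line; one of the two is redundant.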
@@ -100551,21 +187420,44 @@ index 0000000..5c1314d + /var/spool/uucppublic(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux uux policy is very flexible allowing users to setup their uux processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the uux_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the uux, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t uux_exec_t '/srv/uux/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myuux_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for uux: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B uux_exec_t +.EE + ++- Set files with the uux_exec_t type, if you want to transition an executable to the uux_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the uux_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
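Review bot: the STANDARD FILE CONTEXT example in this hunk labels a content directory with the domain's entrypoint type and then restores a different path: `semanage fcontext -a -t uux_exec_t '/srv/uux/content(/.*)?'` followed by `restorecon -R -v /srv/myuux_content`. Anything placed under a path labeled uux_exec_t becomes an entrypoint into uux_t, so the example should use a data type the domain manages (one of the types listed under MANAGED FILES, such as the one covering /var/spool/uucppublic), and the restorecon path must match the regex that was just added. The same template is reused for the varnishd, varnishlog, vbetool and vdagent pages below. Also in this hunk: `\fBls\bP` is carried over from the old text but is a troff error (`\b` is the bracket-building escape, so the bold font is never closed); it should be `\fBls\fP`. Typos: "diffent", "sepecify".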
@@ -100577,6 +187469,9 @@ index 0000000..5c1314d +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -100588,13 +187483,15 @@ index 0000000..5c1314d + +.SH "SEE ALSO" +selinux(8), uux(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/varnishd_selinux.8 b/man/man8/varnishd_selinux.8 new file mode 100644 -index 0000000..a0af064 +index 0000000..d758c0f --- /dev/null +++ b/man/man8/varnishd_selinux.8 -@@ -0,0 +1,208 @@ -+.TH "varnishd_selinux" "8" "12-11-01" "varnishd" "SELinux Policy documentation for varnishd" +@@ -0,0 +1,321 @@ ++.TH "varnishd_selinux" "8" "13-01-16" "varnishd" "SELinux Policy documentation for varnishd" +.SH "NAME" +varnishd_selinux \- Security Enhanced Linux Policy for the varnishd processes +.SH "DESCRIPTION" @@ -100610,7 +187507,9 @@ index 0000000..a0af064 + +.SH "ENTRYPOINTS" + -+The varnishd_t SELinux type can be entered via the "varnishd_exec_t" file type. The default entrypoint paths for the varnishd_t domain are the following:" ++The varnishd_t SELinux type can be entered via the \fBvarnishd_exec_t\fP file type. ++ ++The default entrypoint paths for the varnishd_t domain are the following: + +/usr/sbin/varnishd +.SH PROCESS TYPES 
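Review bot: the SEE ALSO change in the second hunk puts the new cross reference on its own line, `+selinux(8), uux(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)` followed by `++, setsebool(8)`. troff fills the two lines into one paragraph with a space before the comma ("sepolicy(8) , setsebool(8)"); append ", setsebool(8)" to the existing line instead. The same two-line form is emitted for the varnishlog and vdagent pages below. Separately, the `\ No newline at end of file` marker is still present on every generated page; emitting a trailing newline from the generator would remove that warning from every future regeneration of these man pages.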
@@ -100628,27 +187527,184 @@ index 0000000..a0af064 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a varnishd_t ++can be used to make the process type varnishd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. varnishd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run varnishd with the tightest access possible. + + +.PP -+If you want to allow varnishd to connect to all ports, not just HTTP, you must turn on the varnishd_connect_any boolean. ++If you want to determine whether varnishd can use the full TCP network, you must turn on the varnishd_connect_any boolean. Disabled by default. + +.EX +.B setsebool -P varnishd_connect_any 1 ++ +.EE + +.PP -+If you want to allow varnishd to connect to all ports, not just HTTP, you must turn on the varnishd_connect_any boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P varnishd_connect_any 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. 
Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the varnishd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the varnishd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible. ++.PP ++The following port types are defined for varnishd: ++ ++.EX ++.TP 5 ++.B varnishd_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 6081-6082 ++.EE ++.SH "MANAGED FILES" ++ ++The SELinux process type varnishd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B varnishd_tmp_t ++ ++ ++.br ++.B varnishd_var_lib_t ++ ++ /var/lib/varnish(/.*)? ++.br ++ ++.br ++.B varnishd_var_run_t ++ ++ /var/run/varnish\.pid ++.br ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
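Review bot: the varnishd_connect_any text in this hunk is a regression in clarity. The old line told the admin what the boolean does ("allow varnishd to connect to all ports, not just HTTP"); the new one, "If you want to determine whether varnishd can use the full TCP network, you must turn on the varnishd_connect_any boolean", is the tunable's policy comment pasted into a sentence and no longer says which way the switch goes. Keep action wording such as "allow varnishd to connect to any TCP port". In the same hunk the regenerated MANAGED FILES list opens with `.B root_t` followed by `/` and `/initrd`. Read literally that says varnishd_t can create and write files in the root directory; if the entry comes from the daemons_dump_core access described a few paragraphs earlier ("allow all daemons to write corefiles to /", disabled by default), the list should say it is gated by that boolean, otherwise readers will take it as unconditional write access to /. Minor: the PORT TYPES block ends "tcp 6081-6082" with a bare `.EE` whose `.EX` was already closed above; the block is moved rather than new, but it is worth fixing while the section is being regenerated.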
@@ -100657,7 +187713,20 @@ index 0000000..a0af064 +Policy governs the access confined processes have to these files. +SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible. +.PP -+The following file types are defined for varnishd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the varnishd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t varnishd_etc_t '/srv/varnishd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvarnishd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for varnishd: + + +.EX @@ -100705,7 +187774,7 @@ index 0000000..a0af064 +.B varnishd_var_run_t +.EE + -+- Set files with the varnishd_var_run_t type, if you want to store the varnishd files under the /run directory. ++- Set files with the varnishd_var_run_t type, if you want to store the varnishd files under the /run or /var/run directory. + + +.PP 
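Review bot: the varnishd STANDARD FILE CONTEXT example in the first hunk does not hang together: `semanage fcontext -a -t varnishd_etc_t '/srv/varnishd/content(/.*)?'` is followed by `restorecon -R -v /srv/myvarnishd_content`, so the restorecon never touches the path that was just mapped. Use one path for both lines. Picking varnishd_etc_t for a "content" directory is also an odd choice for a cache daemon; the type an admin is likely to relocate is varnishd_var_lib_t (the cache storage under /var/lib/varnish listed under MANAGED FILES). Typos carried from the template: "diffent", "sepecify".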
@@ -100715,65 +187784,6 @@ index 0000000..a0af064 +.B restorecon +to apply the labels. + -+.SH PORT TYPES -+SELinux defines port types to represent TCP and UDP ports. -+.PP -+You can see the types associated with a port by using the following command: -+ -+.B semanage port -l -+ -+.PP -+Policy governs the access confined processes have to these ports. -+SELinux varnishd policy is very flexible allowing users to setup their varnishd processes in as secure a method as possible. -+.PP -+The following port types are defined for varnishd: -+ -+.EX -+.TP 5 -+.B varnishd_port_t -+.TP 10 -+.EE -+ -+ -+Default Defined Ports: -+tcp 6081-6082 -+.EE -+.SH "MANAGED FILES" -+ -+The SELinux process type varnishd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B varnishd_tmp_t -+ -+ -+.br -+.B varnishd_var_lib_t -+ -+ /var/lib/varnish(/.*)? -+.br -+ -+.br -+.B varnishd_var_run_t -+ -+ /var/run/varnish\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the varnishd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the varnishd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -100805,11 +187815,11 @@ index 0000000..a0af064 \ No newline at end of file diff --git a/man/man8/varnishlog_selinux.8 b/man/man8/varnishlog_selinux.8 new file mode 100644 -index 0000000..bc3b750 +index 0000000..ff16eb0 --- /dev/null 
+++ b/man/man8/varnishlog_selinux.8 -@@ -0,0 +1,128 @@ -+.TH "varnishlog_selinux" "8" "12-11-01" "varnishlog" "SELinux Policy documentation for varnishlog" +@@ -0,0 +1,227 @@ ++.TH "varnishlog_selinux" "8" "13-01-16" "varnishlog" "SELinux Policy documentation for varnishlog" +.SH "NAME" +varnishlog_selinux \- Security Enhanced Linux Policy for the varnishlog processes +.SH "DESCRIPTION" @@ -100825,7 +187835,9 @@ index 0000000..bc3b750 + +.SH "ENTRYPOINTS" + -+The varnishlog_t SELinux type can be entered via the "varnishlog_exec_t" file type. The default entrypoint paths for the varnishlog_t domain are the following:" ++The varnishlog_t SELinux type can be entered via the \fBvarnishlog_exec_t\fP file type. ++ ++The default entrypoint paths for the varnishlog_t domain are the following: + +/usr/bin/varnishlog, /usr/bin/varnisncsa +.SH PROCESS TYPES 
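Review bot: the entrypoint list in the second hunk reads `/usr/bin/varnishlog, /usr/bin/varnisncsa`, while the pid file documented later in the same page is `/var/run/varnishncsa\.pid`. The binary is varnishncsa. The generator only prints what the policy's file contexts say, so if "varnisncsa" is what the file_contexts entry in the varnish module actually contains, the real /usr/bin/varnishncsa carries no varnishlog_exec_t label, never transitions into varnishlog_t, and stays in the domain of whatever started it. Worth checking the .fc source rather than only the man page text.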
@@ -100843,8 +187855,96 @@ index 0000000..bc3b750 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a varnishlog_t ++can be used to make the process type varnishlog_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. varnishlog policy is extremely flexible and has several booleans that allow you to manipulate the policy and run varnishlog with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type varnishlog_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B varnishlog_var_run_t ++ ++ /var/run/varnishlog\.pid ++.br ++ /var/run/varnishncsa\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -100854,7 +187954,20 @@ index 0000000..bc3b750 +Policy governs the access confined processes have to these files. +SELinux varnishlog policy is very flexible allowing users to setup their varnishlog processes in as secure a method as possible. +.PP -+The following file types are defined for varnishlog: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the varnishlog, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t varnishlog_exec_t '/srv/varnishlog/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvarnishlog_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for varnishlog: + + +.EX 
@@ -100864,6 +187977,10 @@ index 0000000..bc3b750 + +- Set files with the varnishlog_exec_t type, if you want to transition an executable to the varnishlog_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/varnishlog, /usr/bin/varnisncsa + +.EX +.PP @@ -100872,6 +187989,10 @@ index 0000000..bc3b750 + +- Set files with the varnishlog_initrc_exec_t type, if you want to transition an executable to the varnishlog_initrc_t domain. + ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/varnishlog, /etc/rc\.d/init\.d/varnishncsa + +.EX +.PP @@ -100886,8 +188007,12 @@ index 0000000..bc3b750 +.B varnishlog_var_run_t +.EE + -+- Set files with the varnishlog_var_run_t type, if you want to store the varnishlog files under the /run directory. ++- Set files with the varnishlog_var_run_t type, if you want to store the varnishlog files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/varnishlog\.pid, /var/run/varnishncsa\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -100896,26 +188021,6 @@ index 0000000..bc3b750 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type varnishlog_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B varnishlog_log_t -+ -+ /var/log/varnish(/.*)? -+.br -+ -+.br -+.B varnishlog_var_run_t -+ -+ /var/run/varnishlog\.pid -+.br -+ /var/run/varnishncsa\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
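Review bot: the last hunk removes the old MANAGED FILES block, and the regenerated block earlier in this file lists only root_t and varnishlog_var_run_t; `varnishlog_log_t` with `/var/log/varnish(/.*)?` is gone from it. Writing that directory is the whole job of varnishlog, so either the policy dropped the manage rule on varnishlog_log_t (a functional regression that will surface as AVC denials on /var/log/varnish) or the generator stopped reporting log types (the vdagent page further down loses vdagent_log_t in the same way). Please confirm which before this ships. The new "Paths:" entries under each file type in the first two hunks are a good addition.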
@@ -100926,6 +188031,9 @@ index 0000000..bc3b750 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -100937,13 +188045,15 @@ index 0000000..bc3b750 + +.SH "SEE ALSO" +selinux(8), varnishlog(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/vbetool_selinux.8 b/man/man8/vbetool_selinux.8 new file mode 100644 -index 0000000..507145b +index 0000000..621ccbd --- /dev/null +++ b/man/man8/vbetool_selinux.8 -@@ -0,0 +1,124 @@ -+.TH "vbetool_selinux" "8" "12-11-01" "vbetool" "SELinux Policy documentation for vbetool" +@@ -0,0 +1,179 @@ ++.TH "vbetool_selinux" "8" "13-01-16" "vbetool" "SELinux Policy documentation for vbetool" +.SH "NAME" +vbetool_selinux \- Security Enhanced Linux Policy for the vbetool processes +.SH "DESCRIPTION" @@ -100959,7 +188069,9 @@ index 0000000..507145b + +.SH "ENTRYPOINTS" + -+The vbetool_t SELinux type can be entered via the "vbetool_exec_t" file type. The default entrypoint paths for the vbetool_t domain are the following:" ++The vbetool_t SELinux type can be entered via the \fBvbetool_exec_t\fP file type. ++ ++The default entrypoint paths for the vbetool_t domain are the following: + +/usr/sbin/vbetool +.SH PROCESS TYPES 
@@ -100977,52 +188089,68 @@ index 0000000..507145b +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a vbetool_t ++can be used to make the process type vbetool_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. vbetool policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vbetool with the tightest access possible. + + +.PP -+If you want to ignore vbetool mmap_zero errors, you must turn on the vbetool_mmap_zero_ignore boolean. ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.B setsebool -P vbetool_mmap_zero_ignore 1 ++.B setsebool -P daemons_use_tty 1 ++ +.EE + +.PP -+If you want to ignore vbetool mmap_zero errors, you must turn on the vbetool_mmap_zero_ignore boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P vbetool_mmap_zero_ignore 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux vbetool policy is very flexible allowing users to setup their vbetool processes in as secure a method as possible. -+.PP -+The following file types are defined for vbetool: -+ ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.PP -+.B vbetool_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the vbetool_exec_t type, if you want to transition an executable to the vbetool_t domain. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE + +.SH "MANAGED FILES" + 
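Review bot: this hunk drops the page's only vbetool-specific boolean (both copies of vbetool_mmap_zero_ignore go away) and the replacement at the end of the list is `mmap_low_allowed`, described as "If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean". Two points. The sentence should say "allow", not "control": setting it to 1 permits mappings below mmap_min_addr. And it is a global boolean, so an admin following this page to quiet vbetool lifts the low-address mapping restriction for every domain, which removes the mmap_min_addr mitigation against kernel NULL-pointer dereference exploitation system-wide. If vbetool_mmap_zero_ignore still exists in the policy it is the tighter knob and should stay documented here; if it was removed, the page should at least say that mmap_low_allowed is system-wide.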
@@ -101040,7 +188168,44 @@ index 0000000..507145b + /sys(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux vbetool policy is very flexible allowing users to setup their vbetool processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the vbetool, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t vbetool_exec_t '/srv/vbetool/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvbetool_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for vbetool: ++ ++ ++.EX ++.PP ++.B vbetool_exec_t ++.EE ++ ++- Set files with the vbetool_exec_t type, if you want to transition an executable to the vbetool_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -101070,11 +188235,11 @@ index 0000000..507145b \ No newline at end of file diff --git a/man/man8/vdagent_selinux.8 b/man/man8/vdagent_selinux.8 new file mode 100644 -index 0000000..1d1e6e4 +index 0000000..9b63bff --- /dev/null 
+++ b/man/man8/vdagent_selinux.8 -@@ -0,0 +1,122 @@ -+.TH "vdagent_selinux" "8" "12-11-01" "vdagent" "SELinux Policy documentation for vdagent" +@@ -0,0 +1,242 @@ ++.TH "vdagent_selinux" "8" "13-01-16" "vdagent" "SELinux Policy documentation for vdagent" +.SH "NAME" +vdagent_selinux \- Security Enhanced Linux Policy for the vdagent processes +.SH "DESCRIPTION" @@ -101090,7 +188255,9 @@ index 0000000..1d1e6e4 + +.SH "ENTRYPOINTS" + -+The vdagent_t SELinux type can be entered via the "vdagent_exec_t" file type. The default entrypoint paths for the vdagent_t domain are the following:" ++The vdagent_t SELinux type can be entered via the \fBvdagent_exec_t\fP file type. ++ ++The default entrypoint paths for the vdagent_t domain are the following: + +/usr/sbin/spice-vdagentd +.SH PROCESS TYPES 
@@ -101108,8 +188275,96 @@ index 0000000..1d1e6e4 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a vdagent_t ++can be used to make the process type vdagent_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. vdagent policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vdagent with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type vdagent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B vdagent_var_run_t ++ ++ /var/run/spice-vdagentd(/.*)? ++.br ++ /var/run/spice-vdagentd\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -101119,7 +188374,39 @@ index 0000000..1d1e6e4 +Policy governs the access confined processes have to these files. +SELinux vdagent policy is very flexible allowing users to setup their vdagent processes in as secure a method as possible. +.PP -+The following file types are defined for vdagent: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++vdagent policy stores data with multiple different file context types under the /var/run/spice-vdagentd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/spice-vdagentd /srv/spice-vdagentd ++.br ++.B restorecon -R -v /srv/spice-vdagentd ++.PP ++ ++.PP ++vdagent policy stores data with multiple different file context types under the /var/log/spice-vdagentd directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/spice-vdagentd /srv/spice-vdagentd ++.br ++.B restorecon -R -v /srv/spice-vdagentd ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the vdagent, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t vdagent_exec_t '/srv/vdagent/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvdagent_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for vdagent: + + +.EX 
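Review bot: the two EQUIVALENCE DIRECTORIES examples in this hunk map different sources onto the same target: `semanage fcontext -a -e /var/run/spice-vdagentd /srv/spice-vdagentd` and then `semanage fcontext -a -e /var/log/spice-vdagentd /srv/spice-vdagentd`. The second command adds an equivalence for a key that already exists, which semanage rejects; even if both were accepted, run-time and log data would share one directory with two competing label lookups. Use distinct targets, e.g. /srv/spice-vdagentd/run and /srv/spice-vdagentd/log, and restorecon each one. Typos: "dirctory" (twice), "diffent", "sepecify".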
@@ -101137,13 +188424,29 @@ index 0000000..1d1e6e4 + +- Set files with the vdagent_log_t type, if you want to treat the data as vdagent log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/spice-vdagentd(/.*)?, /var/log/spice-vdagentd\.log.* + +.EX +.PP +.B vdagent_var_run_t +.EE + -+- Set files with the vdagent_var_run_t type, if you want to store the vdagent files under the /run directory. ++- Set files with the vdagent_var_run_t type, if you want to store the vdagent files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/spice-vdagentd(/.*)?, /var/run/spice-vdagentd\.pid ++ ++.EX ++.PP ++.B vdagentd_initrc_exec_t ++.EE ++ ++- Set files with the vdagentd_initrc_exec_t type, if you want to transition an executable to the vdagentd_initrc_t domain. + + +.PP @@ -101153,28 +188456,6 @@ index 0000000..1d1e6e4 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type vdagent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B vdagent_log_t -+ -+ /var/log/spice-vdagentd(/.*)? -+.br -+ /var/log/spice-vdagentd\.log.* -+.br -+ -+.br -+.B vdagent_var_run_t -+ -+ /var/run/spice-vdagentd(/.*)? -+.br -+ /var/run/spice-vdagentd\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -101185,6 +188466,9 @@ index 0000000..1d1e6e4 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
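Review bot: the new entry in the first hunk says `vdagentd_initrc_exec_t` is for files "if you want to transition an executable to the vdagentd_initrc_t domain". There is no vdagentd_initrc_t domain; init scripts labeled *_initrc_exec_t are executed by init into initrc_t, so the text should say initrc_t (the varnishlog page above carries the identical "varnishlog_initrc_t" wording, so this is the generator's template). The type name is also inconsistent with the rest of the page, vdagentd_initrc_exec_t beside vdagent_t, vdagent_exec_t, vdagent_log_t and vdagent_var_run_t; if the policy really defines it under the vdagentd_ prefix that is worth normalising in the module rather than documenting. The second hunk removes the old MANAGED FILES block, and the regenerated one no longer lists vdagent_log_t (/var/log/spice-vdagentd) even though FILE CONTEXTS still documents that type as "vdagent log data"; a daemon that cannot manage its own log type is either a policy regression or a generator omission.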
@@ -101196,13 +188480,15 @@ index 0000000..1d1e6e4 + +.SH "SEE ALSO" +selinux(8), vdagent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/vhostmd_selinux.8 b/man/man8/vhostmd_selinux.8 new file mode 100644 -index 0000000..eafe755 +index 0000000..9100217 --- /dev/null +++ b/man/man8/vhostmd_selinux.8 -@@ -0,0 +1,156 @@ -+.TH "vhostmd_selinux" "8" "12-11-01" "vhostmd" "SELinux Policy documentation for vhostmd" +@@ -0,0 +1,285 @@ ++.TH "vhostmd_selinux" "8" "13-01-16" "vhostmd" "SELinux Policy documentation for vhostmd" +.SH "NAME" +vhostmd_selinux \- Security Enhanced Linux Policy for the vhostmd processes +.SH "DESCRIPTION" @@ -101218,7 +188504,9 @@ index 0000000..eafe755 + +.SH "ENTRYPOINTS" + -+The vhostmd_t SELinux type can be entered via the "vhostmd_exec_t" file type. The default entrypoint paths for the vhostmd_t domain are the following:" ++The vhostmd_t SELinux type can be entered via the \fBvhostmd_exec_t\fP file type. ++ ++The default entrypoint paths for the vhostmd_t domain are the following: + +/usr/sbin/vhostmd +.SH PROCESS TYPES 
@@ -101236,8 +188524,166 @@ index 0000000..eafe755 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a vhostmd_t ++can be used to make the process type vhostmd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. vhostmd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vhostmd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the vhostmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the vhostmd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type vhostmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B vhostmd_tmpfs_t ++ ++ ++.br ++.B vhostmd_var_run_t ++ ++ /var/run/vhostmd.* ++.br ++ ++.br ++.B virt_content_t ++ ++ /var/lib/vdsm(/.*)? ++.br ++ /var/lib/oz/isos(/.*)? ++.br ++ /var/lib/libvirt/boot(/.*)? ++.br ++ /var/lib/libvirt/isos(/.*)? ++.br ++ /home/[^/]*/VirtualMachines/isos(/.*)? ++.br ++ /home/pwalsh/VirtualMachines/isos(/.*)? ++.br ++ /home/dwalsh/VirtualMachines/isos(/.*)? ++.br ++ /var/lib/xguest/home/xguest/VirtualMachines/isos(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -101247,7 +188693,20 @@ index 0000000..eafe755 +Policy governs the access confined processes have to these files. +SELinux vhostmd policy is very flexible allowing users to setup their vhostmd processes in as secure a method as possible. +.PP -+The following file types are defined for vhostmd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the vhostmd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t vhostmd_exec_t '/srv/vhostmd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvhostmd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for vhostmd: + + +.EX @@ -101279,7 +188738,7 @@ index 0000000..eafe755 +.B vhostmd_var_run_t +.EE + -+- Set files with the vhostmd_var_run_t type, if you want to store the vhostmd files under the /run directory. ++- Set files with the vhostmd_var_run_t type, if you want to store the vhostmd files under the /run or /var/run directory. + + +.PP 
@@ -101289,54 +188748,6 @@ index 0000000..eafe755 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type vhostmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B vhostmd_tmpfs_t -+ -+ -+.br -+.B vhostmd_var_run_t -+ -+ /var/run/vhostmd.pid -+.br -+ -+.br -+.B virt_content_t -+ -+ /var/lib/vdsm(/.*)? -+.br -+ /var/lib/oz/isos(/.*)? -+.br -+ /var/lib/libvirt/boot(/.*)? -+.br -+ /var/lib/libvirt/isos(/.*)? -+.br -+ /home/[^/]*/VirtualMachines/isos(/.*)? -+.br -+ /home/dwalsh/VirtualMachines/isos(/.*)? -+.br -+ /var/lib/xguest/home/xguest/VirtualMachines/isos(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vhostmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the vhostmd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -101347,6 +188758,9 @@ index 0000000..eafe755 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -101358,13 +188772,15 @@ index 0000000..eafe755 + +.SH "SEE ALSO" +selinux(8), vhostmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/virsh_selinux.8 b/man/man8/virsh_selinux.8 new file mode 100644 -index 0000000..595b506 +index 0000000..8cea83b --- /dev/null 
+++ b/man/man8/virsh_selinux.8 -@@ -0,0 +1,186 @@ -+.TH "virsh_selinux" "8" "12-11-01" "virsh" "SELinux Policy documentation for virsh" +@@ -0,0 +1,299 @@ ++.TH "virsh_selinux" "8" "13-01-16" "virsh" "SELinux Policy documentation for virsh" +.SH "NAME" +virsh_selinux \- Security Enhanced Linux Policy for the virsh processes +.SH "DESCRIPTION" @@ -101380,9 +188796,11 @@ index 0000000..595b506 + +.SH "ENTRYPOINTS" + -+The virsh_t SELinux type can be entered via the "virsh_exec_t" file type. The default entrypoint paths for the virsh_t domain are the following:" ++The virsh_t SELinux type can be entered via the \fBvirsh_exec_t\fP file type. + -+/usr/bin/virt-sandbox-service.*, /usr/bin/virsh ++The default entrypoint paths for the virsh_t domain are the following: ++ ++/usr/bin/virt-sandbox-service.*, /usr/sbin/xl, /usr/sbin/xm, /usr/bin/virsh +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -101398,44 +188816,120 @@ index 0000000..595b506 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a virsh_t ++can be used to make the process type virsh_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux virsh policy is very flexible allowing users to setup their virsh processes in as secure a method as possible. -+.PP -+The following file types are defined for virsh: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. virsh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virsh with the tightest access possible. + + ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ +.EX -+.PP -+.B virsh_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the virsh_exec_t type, if you want to transition an executable to the virsh_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_nfs 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean. Disabled by default. ++ ++.EX ++.B setsebool -P virt_use_samba 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the virsh_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the virsh_ssh_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type virsh_t can manage files labeled with the following file types. 
The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br +.B ssh_home_t + + /root/\.ssh(/.*)? +.br ++ /var/lib/pgsql/\.ssh(/.*)? ++.br + /var/lib/openshift/[^/]+/\.ssh(/.*)? +.br + /var/lib/amanda/\.ssh(/.*)? @@ -101454,6 +188948,10 @@ index 0000000..595b506 +.br + /home/[^/]*/\.shosts +.br ++ /home/pwalsh/\.ssh(/.*)? ++.br ++ /home/pwalsh/\.shosts ++.br + /home/dwalsh/\.ssh(/.*)? +.br + /home/dwalsh/\.shosts 
@@ -101513,21 +189011,48 @@ index 0000000..595b506 +.B xenfs_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux virsh policy is very flexible allowing users to setup their virsh processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virsh_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the virsh, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t virsh_exec_t '/srv/virsh/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvirsh_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for virsh: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B virsh_exec_t +.EE + ++- Set files with the virsh_exec_t type, if you want to transition an executable to the virsh_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/virt-sandbox-service.*, /usr/sbin/xl, /usr/sbin/xm, /usr/bin/virsh ++ +.PP -+If you want to allow confined applications to run with kerberos for the virsh_ssh_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. 
+ +.SH "COMMANDS" +.B semanage fcontext @@ -101539,6 +189064,9 @@ index 0000000..595b506 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -101550,13 +189078,238 @@ index 0000000..595b506 + +.SH "SEE ALSO" +selinux(8), virsh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), virsh_ssh_selinux(8) +\ No newline at end of file +diff --git a/man/man8/virsh_ssh_selinux.8 b/man/man8/virsh_ssh_selinux.8 +new file mode 100644 +index 0000000..570cddd +--- /dev/null ++++ b/man/man8/virsh_ssh_selinux.8 +@@ -0,0 +1,216 @@ ++.TH "virsh_ssh_selinux" "8" "13-01-16" "virsh_ssh" "SELinux Policy documentation for virsh_ssh" ++.SH "NAME" ++virsh_ssh_selinux \- Security Enhanced Linux Policy for the virsh_ssh processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the virsh_ssh processes via flexible mandatory access control. ++ ++The virsh_ssh processes execute with the virsh_ssh_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep virsh_ssh_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The virsh_ssh_t SELinux type can be entered via the \fBssh_exec_t\fP file type. ++ ++The default entrypoint paths for the virsh_ssh_t domain are the following: ++ ++/usr/bin/ssh ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux virsh_ssh policy is very flexible allowing users to setup their virsh_ssh processes in as secure a method as possible. ++.PP ++The following process types are defined for virsh_ssh: ++ ++.EX ++.B virsh_ssh_t ++.EE ++.PP ++Note: ++.B semanage permissive -a virsh_ssh_t ++can be used to make the process type virsh_ssh_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. 
virsh_ssh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virsh_ssh with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the virsh_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the virsh_ssh_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type virsh_ssh_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B ssh_home_t ++ ++ /root/\.ssh(/.*)? ++.br ++ /var/lib/pgsql/\.ssh(/.*)? ++.br ++ /var/lib/openshift/[^/]+/\.ssh(/.*)? ++.br ++ /var/lib/amanda/\.ssh(/.*)? ++.br ++ /var/lib/stickshift/[^/]+/\.ssh(/.*)? ++.br ++ /var/lib/gitolite/\.ssh(/.*)? ++.br ++ /var/lib/nocpulse/\.ssh(/.*)? ++.br ++ /var/lib/gitolite3/\.ssh(/.*)? ++.br ++ /root/\.shosts ++.br ++ /home/[^/]*/\.ssh(/.*)? ++.br ++ /home/[^/]*/\.shosts ++.br ++ /home/pwalsh/\.ssh(/.*)? ++.br ++ /home/pwalsh/\.shosts ++.br ++ /home/dwalsh/\.ssh(/.*)? ++.br ++ /home/dwalsh/\.shosts ++.br ++ /var/lib/xguest/home/xguest/\.ssh(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.shosts ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest ++.br ++ ++.br ++.B xenfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. 
++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), virsh_ssh(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), virsh_selinux(8), virsh_selinux(8) +\ No newline at end of file diff --git a/man/man8/virt_bridgehelper_selinux.8 b/man/man8/virt_bridgehelper_selinux.8 new file mode 100644 -index 0000000..4c6e5e6 +index 0000000..b4503a8 --- /dev/null +++ b/man/man8/virt_bridgehelper_selinux.8 -@@ -0,0 +1,119 @@ -+.TH "virt_bridgehelper_selinux" "8" "12-11-01" "virt_bridgehelper" "SELinux Policy documentation for virt_bridgehelper" +@@ -0,0 +1,187 @@ ++.TH "virt_bridgehelper_selinux" "8" "13-01-16" "virt_bridgehelper" "SELinux Policy documentation for virt_bridgehelper" +.SH "NAME" +virt_bridgehelper_selinux \- Security Enhanced Linux Policy for the virt_bridgehelper processes +.SH "DESCRIPTION" @@ -101572,7 +189325,9 @@ index 0000000..4c6e5e6 + +.SH "ENTRYPOINTS" + -+The virt_bridgehelper_t SELinux type can be entered via the "virt_bridgehelper_exec_t" file type. The default entrypoint paths for the virt_bridgehelper_t domain are the following:" ++The virt_bridgehelper_t SELinux type can be entered via the \fBvirt_bridgehelper_exec_t\fP file type. ++ ++The default entrypoint paths for the virt_bridgehelper_t domain are the following: + +/usr/libexec/qemu-bridge-helper +.SH PROCESS TYPES 
@@ -101590,34 +189345,52 @@ index 0000000..4c6e5e6 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a virt_bridgehelper_t ++can be used to make the process type virt_bridgehelper_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux virt_bridgehelper policy is very flexible allowing users to setup their virt_bridgehelper processes in as secure a method as possible. -+.PP -+The following file types are defined for virt_bridgehelper: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. virt_bridgehelper policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virt_bridgehelper with the tightest access possible. + + ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ +.EX -+.PP -+.B virt_bridgehelper_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the virt_bridgehelper_exec_t type, if you want to transition an executable to the virt_bridgehelper_t domain. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + @@ -101634,6 +189407,14 @@ index 0000000..4c6e5e6 +.br + /home/[^/]*/\.local/share/gnome-boxes/images(/.*)? +.br ++ /home/pwalsh/\.libvirt/qemu(/.*)? ++.br ++ /home/pwalsh/\.cache/libvirt/qemu(/.*)? ++.br ++ /home/pwalsh/\.config/libvirt/qemu(/.*)? ++.br ++ /home/pwalsh/\.local/share/gnome-boxes/images(/.*)? ++.br + /home/dwalsh/\.libvirt/qemu(/.*)? +.br + /home/dwalsh/\.cache/libvirt/qemu(/.*)? 
@@ -101651,7 +189432,44 @@ index 0000000..4c6e5e6 + /var/lib/xguest/home/xguest/\.local/share/gnome-boxes/images(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux virt_bridgehelper policy is very flexible allowing users to setup their virt_bridgehelper processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the virt_bridgehelper, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t virt_bridgehelper_exec_t '/srv/virt_bridgehelper/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvirt_bridgehelper_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for virt_bridgehelper: ++ ++ ++.EX ++.PP ++.B virt_bridgehelper_exec_t ++.EE ++ ++- Set files with the virt_bridgehelper_exec_t type, if you want to transition an executable to the virt_bridgehelper_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -101663,6 +189481,9 @@ index 0000000..4c6e5e6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -101674,15 +189495,15 @@ index 0000000..4c6e5e6 + +.SH "SEE ALSO" +selinux(8), virt_bridgehelper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, virt_qemu_ga_selinux(8), virt_qmf_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8) ++, setsebool(8), virt_qemu_ga_selinux(8), virt_qmf_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8) \ No newline at end of file diff --git a/man/man8/virt_qemu_ga_selinux.8 b/man/man8/virt_qemu_ga_selinux.8 new file mode 100644 -index 0000000..0419773 +index 0000000..d6018a4 --- /dev/null +++ b/man/man8/virt_qemu_ga_selinux.8 -@@ -0,0 +1,119 @@ -+.TH "virt_qemu_ga_selinux" "8" "12-11-01" "virt_qemu_ga" "SELinux Policy documentation for virt_qemu_ga" +@@ -0,0 +1,247 @@ ++.TH "virt_qemu_ga_selinux" "8" "13-01-16" "virt_qemu_ga" "SELinux Policy documentation for virt_qemu_ga" +.SH "NAME" +virt_qemu_ga_selinux \- Security Enhanced Linux Policy for the virt_qemu_ga processes +.SH "DESCRIPTION" @@ -101698,7 +189519,9 @@ index 0000000..0419773 + +.SH "ENTRYPOINTS" + -+The virt_qemu_ga_t SELinux type can be entered via the "virt_qemu_ga_exec_t" file type. The default entrypoint paths for the virt_qemu_ga_t domain are the following:" ++The virt_qemu_ga_t SELinux type can be entered via the \fBvirt_qemu_ga_exec_t\fP file type. ++ ++The default entrypoint paths for the virt_qemu_ga_t domain are the following: + +/usr/bin/qemu-ga +.SH PROCESS TYPES 
@@ -101716,8 +189539,136 @@ index 0000000..0419773 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a virt_qemu_ga_t ++can be used to make the process type virt_qemu_ga_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. virt_qemu_ga policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virt_qemu_ga with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type virt_qemu_ga_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B devicekit_var_run_t ++ ++ /var/run/udisks.* ++.br ++ /var/run/devkit(/.*)? ++.br ++ /var/run/upower(/.*)? ++.br ++ /var/run/pm-utils(/.*)? ++.br ++ /var/run/DeviceKit-disks(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B sysfs_t ++ ++ /sys(/.*)? ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br ++ ++.br ++.B virt_qemu_ga_log_t ++ ++ /var/log/qemu-ga\.log ++.br ++ ++.br ++.B virt_qemu_ga_var_run_t ++ ++ /var/run/qemu-ga\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -101727,7 +189678,20 @@ index 0000000..0419773 +Policy governs the access confined processes have to these files. +SELinux virt_qemu_ga policy is very flexible allowing users to setup their virt_qemu_ga processes in as secure a method as possible. +.PP -+The following file types are defined for virt_qemu_ga: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the virt_qemu_ga, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t virt_qemu_ga_exec_t '/srv/virt_qemu_ga/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvirt_qemu_ga_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for virt_qemu_ga: + + +.EX @@ -101751,7 +189715,7 @@ index 0000000..0419773 +.B virt_qemu_ga_var_run_t +.EE + -+- Set files with the virt_qemu_ga_var_run_t type, if you want to store the virt qemu ga files under the /run directory. ++- Set files with the virt_qemu_ga_var_run_t type, if you want to store the virt qemu ga files under the /run or /var/run directory. + + +.PP @@ -101761,24 +189725,6 @@ index 0000000..0419773 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type virt_qemu_ga_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B virt_qemu_ga_log_t -+ -+ /var/log/qemu-ga\.log -+.br -+ -+.br -+.B virt_qemu_ga_var_run_t -+ -+ /var/run/qemu-ga\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -101789,6 +189735,9 @@ index 0000000..0419773 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -101800,15 +189749,15 @@ index 0000000..0419773 + +.SH "SEE ALSO" +selinux(8), virt_qemu_ga(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, virt_bridgehelper_selinux(8), virt_qmf_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8) ++, setsebool(8), virt_bridgehelper_selinux(8), virt_qmf_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8) \ No newline at end of file diff --git a/man/man8/virt_qmf_selinux.8 b/man/man8/virt_qmf_selinux.8 new file mode 100644 -index 0000000..03fd507 +index 0000000..63e1275 --- /dev/null +++ b/man/man8/virt_qmf_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "virt_qmf_selinux" "8" "12-11-01" "virt_qmf" "SELinux Policy documentation for virt_qmf" +@@ -0,0 +1,183 @@ ++.TH "virt_qmf_selinux" "8" "13-01-16" "virt_qmf" "SELinux Policy documentation for virt_qmf" +.SH "NAME" +virt_qmf_selinux \- Security Enhanced Linux Policy for the virt_qmf processes +.SH "DESCRIPTION" @@ -101824,7 +189773,9 @@ index 0000000..03fd507 + +.SH "ENTRYPOINTS" + -+The virt_qmf_t SELinux type can be entered via the "virt_qmf_exec_t" file type. The default entrypoint paths for the virt_qmf_t domain are the following:" ++The virt_qmf_t SELinux type can be entered via the \fBvirt_qmf_exec_t\fP file type. ++ ++The default entrypoint paths for the virt_qmf_t domain are the following: + +/usr/sbin/libvirt-qmf +.SH PROCESS TYPES 
@@ -101842,8 +189793,88 @@ index 0000000..03fd507 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a virt_qmf_t ++can be used to make the process type virt_qmf_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. virt_qmf policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virt_qmf with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type virt_qmf_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -101853,7 +189884,20 @@ index 0000000..03fd507 +Policy governs the access confined processes have to these files. +SELinux virt_qmf policy is very flexible allowing users to setup their virt_qmf processes in as secure a method as possible. +.PP -+The following file types are defined for virt_qmf: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the virt_qmf, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t virt_qmf_exec_t '/srv/virt_qmf/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvirt_qmf_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for virt_qmf: + + +.EX @@ -101871,8 +189915,6 @@ index 0000000..03fd507 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -101883,6 +189925,9 @@ index 0000000..03fd507 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -101894,7 +189939,7 @@ index 0000000..03fd507 + +.SH "SEE ALSO" +selinux(8), virt_qmf(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, virt_bridgehelper_selinux(8), virt_qemu_ga_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8) ++, setsebool(8), virt_bridgehelper_selinux(8), virt_qemu_ga_selinux(8), virtd_selinux(8), virtd_lxc_selinux(8) \ No newline at end of file diff --git a/man/man8/virt_selinux.8 b/man/man8/virt_selinux.8 new file mode 100644 @@ -101906,11 +189951,11 @@ index 0000000..ee560da \ No newline at end of file diff --git a/man/man8/virtd_lxc_selinux.8 b/man/man8/virtd_lxc_selinux.8 new file mode 100644 -index 0000000..68244d4 +index 0000000..5516f18 --- /dev/null +++ b/man/man8/virtd_lxc_selinux.8 -@@ -0,0 +1,145 @@ -+.TH "virtd_lxc_selinux" "8" "12-11-01" "virtd_lxc" "SELinux Policy documentation for virtd_lxc" +@@ -0,0 +1,247 @@ ++.TH "virtd_lxc_selinux" "8" "13-01-16" "virtd_lxc" "SELinux Policy documentation for virtd_lxc" +.SH "NAME" +virtd_lxc_selinux \- Security Enhanced Linux Policy for the virtd_lxc processes +.SH "DESCRIPTION" @@ -101926,7 +189971,9 @@ index 0000000..68244d4 + +.SH "ENTRYPOINTS" + -+The virtd_lxc_t SELinux type can be entered via the "virtd_lxc_exec_t" file type. The default entrypoint paths for the virtd_lxc_t domain are the following:" ++The virtd_lxc_t SELinux type can be entered via the \fBvirtd_lxc_exec_t\fP file type. ++ ++The default entrypoint paths for the virtd_lxc_t domain are the following: + +/usr/libexec/libvirt_lxc +.SH PROCESS TYPES 
@@ -101944,34 +189991,108 @@ index 0000000..68244d4 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a virtd_lxc_t ++can be used to make the process type virtd_lxc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux virtd_lxc policy is very flexible allowing users to setup their virtd_lxc processes in as secure a method as possible. -+.PP -+The following file types are defined for virtd_lxc: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. virtd_lxc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virtd_lxc with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B virtd_lxc_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the virtd_lxc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + 
@@ -102017,21 +190138,44 @@ index 0000000..68244d4 + /var/run/libvirt-sandbox(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux virtd_lxc policy is very flexible allowing users to setup their virtd_lxc processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the virtd_lxc, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t virtd_lxc_exec_t '/srv/virtd_lxc/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvirtd_lxc_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for virtd_lxc: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B virtd_lxc_exec_t +.EE + ++- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the virtd_lxc_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -102043,6 +190187,9 @@ index 0000000..68244d4 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -102054,15 +190201,15 @@ index 0000000..68244d4 + +.SH "SEE ALSO" +selinux(8), virtd_lxc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, virtd_selinux(8), virtd_selinux(8) ++, setsebool(8), virtd_selinux(8), virtd_selinux(8) \ No newline at end of file diff --git a/man/man8/virtd_selinux.8 b/man/man8/virtd_selinux.8 new file mode 100644 -index 0000000..783d0c9 +index 0000000..617ad1c --- /dev/null +++ b/man/man8/virtd_selinux.8 -@@ -0,0 +1,616 @@ -+.TH "virtd_selinux" "8" "12-11-01" "virtd" "SELinux Policy documentation for virtd" +@@ -0,0 +1,563 @@ ++.TH "virtd_selinux" "8" "13-01-16" "virtd" "SELinux Policy documentation for virtd" +.SH "NAME" +virtd_selinux \- Security Enhanced Linux Policy for the virtd processes +.SH "DESCRIPTION" @@ -102078,7 +190225,9 @@ index 0000000..783d0c9 + +.SH "ENTRYPOINTS" + -+The virtd_t SELinux type can be entered via the "virtd_exec_t" file type. The default entrypoint paths for the virtd_t domain are the following:" ++The virtd_t SELinux type can be entered via the \fBvirtd_exec_t\fP file type. ++ ++The default entrypoint paths for the virtd_t domain are the following: + +/usr/sbin/libvirtd, /usr/bin/imgfac\.py, /usr/bin/imagefactory, /usr/bin/nova-compute, /usr/sbin/condor_vm-gahp, /usr/bin/vios-proxy-host, /usr/bin/vios-proxy-guest +.SH PROCESS TYPES 
@@ -102096,302 +190245,141 @@ index 0000000..783d0c9 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a virtd_t ++can be used to make the process type virtd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. virtd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virtd with the tightest access possible. + + +.PP -+If you want to allow confined virtual guests to manage device configuration, (pci), you must turn on the virt_use_sysfs boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P virt_use_sysfs 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P unprivuser_use_svirt 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean. Disabled by default. + +.EX +.B setsebool -P virt_use_nfs 1 ++ +.EE + +.PP -+If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean. 
++If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean. Disabled by default. + +.EX +.B setsebool -P virt_use_samba 1 ++ +.EE + ++.SH NSSWITCH DOMAIN ++ +.PP -+If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the virtd_t, virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.B setsebool -P virt_use_usb 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + +.PP -+If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean. ++If you want to allow confined applications to run with kerberos for the virtd_t, virtd_lxc_t, you must turn on the kerberos_enabled boolean. + +.EX -+.B setsebool -P virt_use_comm 1 ++.B setsebool -P kerberos_enabled 1 +.EE + -+.PP -+If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean. -+ -+.EX -+.B setsebool -P virt_use_xserver 1 -+.EE -+ -+.PP -+If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean. -+ -+.EX -+.B setsebool -P staff_use_svirt 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean. -+ -+.EX -+.B setsebool -P virt_use_fusefs 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean. -+ -+.EX -+.B setsebool -P virt_use_execmem 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean. 
-+ -+.EX -+.B setsebool -P virt_use_sanlock 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to manage device configuration, (pci), you must turn on the virt_use_sysfs boolean. -+ -+.EX -+.B setsebool -P virt_use_sysfs 1 -+.EE -+ -+.PP -+If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean. -+ -+.EX -+.B setsebool -P unprivuser_use_svirt 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean. -+ -+.EX -+.B setsebool -P virt_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean. -+ -+.EX -+.B setsebool -P virt_use_samba 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean. -+ -+.EX -+.B setsebool -P virt_use_usb 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean. -+ -+.EX -+.B setsebool -P virt_use_comm 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean. -+ -+.EX -+.B setsebool -P virt_use_xserver 1 -+.EE -+ -+.PP -+If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean. -+ -+.EX -+.B setsebool -P staff_use_svirt 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean. -+ -+.EX -+.B setsebool -P virt_use_fusefs 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean. 
-+ -+.EX -+.B setsebool -P virt_use_execmem 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean. -+ -+.EX -+.B setsebool -P virt_use_sanlock 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to manage device configuration, (pci), you must turn on the virt_use_sysfs boolean. -+ -+.EX -+.B setsebool -P virt_use_sysfs 1 -+.EE -+ -+.PP -+If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean. -+ -+.EX -+.B setsebool -P unprivuser_use_svirt 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean. -+ -+.EX -+.B setsebool -P virt_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean. -+ -+.EX -+.B setsebool -P virt_use_samba 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean. -+ -+.EX -+.B setsebool -P virt_use_usb 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean. -+ -+.EX -+.B setsebool -P virt_use_comm 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean. -+ -+.EX -+.B setsebool -P virt_use_xserver 1 -+.EE -+ -+.PP -+If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean. -+ -+.EX -+.B setsebool -P staff_use_svirt 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean. 
-+ -+.EX -+.B setsebool -P virt_use_fusefs 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean. -+ -+.EX -+.B setsebool -P virt_use_execmem 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean. -+ -+.EX -+.B setsebool -P virt_use_sanlock 1 -+.EE -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible. -+.PP -+The following file types are defined for virtd: -+ -+ -+.EX -+.PP -+.B virtd_exec_t -+.EE -+ -+- Set files with the virtd_exec_t type, if you want to transition an executable to the virtd_t domain. -+ -+ -+.EX -+.PP -+.B virtd_initrc_exec_t -+.EE -+ -+- Set files with the virtd_initrc_exec_t type, if you want to transition an executable to the virtd_initrc_t domain. -+ -+ -+.EX -+.PP -+.B virtd_keytab_t -+.EE -+ -+- Set files with the virtd_keytab_t type, if you want to treat the files as kerberos keytab files. -+ -+ -+.EX -+.PP -+.B virtd_lxc_exec_t -+.EE -+ -+- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain. -+ -+ -+.EX -+.PP -+.B virtd_unit_file_t -+.EE -+ -+- Set files with the virtd_unit_file_t type, if you want to treat the files as virtd unit content. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
-+ +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP @@ -102428,6 +190416,19 @@ index 0000000..783d0c9 +.EE +udp 16509,16514 +.EE ++ ++.EX ++.TP 5 ++.B virtual_places_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 1533 ++.EE ++udp 1533 ++.EE +.SH "MANAGED FILES" + +The SELinux process type virtd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. @@ -102445,11 +190446,15 @@ index 0000000..783d0c9 +.br + +.br ++.B cifs_t ++ ++ ++.br +.B dnsmasq_var_run_t + -+ /var/run/libvirt/network(/.*)? ++ /var/run/dnsmasq.* +.br -+ /var/run/dnsmasq\.pid ++ /var/run/libvirt/network(/.*)? +.br + +.br @@ -102483,6 +190488,10 @@ index 0000000..783d0c9 +.br + +.br ++.B nfs_t ++ ++ ++.br +.B qemu_var_run_t + + /var/lib/libvirt/qemu(/.*)? @@ -102491,6 +190500,14 @@ index 0000000..783d0c9 +.br + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B security_t + + /selinux @@ -102559,6 +190576,18 @@ index 0000000..783d0c9 +.br + /home/[^/]*/\.cache/gnome-boxes(/.*)? +.br ++ /home/pwalsh/\.libvirt(/.*)? ++.br ++ /home/pwalsh/\.virtinst(/.*)? ++.br ++ /home/pwalsh/\.cache/libvirt(/.*)? ++.br ++ /home/pwalsh/\.config/libvirt(/.*)? ++.br ++ /home/pwalsh/VirtualMachines(/.*)? ++.br ++ /home/pwalsh/\.cache/gnome-boxes(/.*)? ++.br + /home/dwalsh/\.libvirt(/.*)? +.br + /home/dwalsh/\.virtinst(/.*)? 
@@ -102633,22 +190662,87 @@ index 0000000..783d0c9 +.br + /var/run/libvirt(/.*)? +.br ++ /var/run/libvirtd\.pid ++.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virtd_t, virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the virtd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t virtd_exec_t '/srv/virtd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvirtd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for virtd: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B virtd_exec_t +.EE + ++- Set files with the virtd_exec_t type, if you want to transition an executable to the virtd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/libvirtd, /usr/bin/imgfac\.py, /usr/bin/imagefactory, /usr/bin/nova-compute, /usr/sbin/condor_vm-gahp, /usr/bin/vios-proxy-host, /usr/bin/vios-proxy-guest ++ ++.EX ++.PP ++.B virtd_initrc_exec_t ++.EE ++ ++- Set files with the virtd_initrc_exec_t type, if you want to transition an executable to the virtd_initrc_t domain. ++ ++ ++.EX ++.PP ++.B virtd_keytab_t ++.EE ++ ++- Set files with the virtd_keytab_t type, if you want to treat the files as kerberos keytab files. 
++ ++ ++.EX ++.PP ++.B virtd_lxc_exec_t ++.EE ++ ++- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain. ++ ++ ++.EX ++.PP ++.B virtd_unit_file_t ++.EE ++ ++- Set files with the virtd_unit_file_t type, if you want to treat the files as virtd unit content. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/systemd/system/.*xen.*\.service, /usr/lib/systemd/system/virt.*\.service, /usr/lib/systemd/system/libvirt.*\.service ++ +.PP -+If you want to allow confined applications to run with kerberos for the virtd_t, virtd_lxc_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -102681,11 +190775,11 @@ index 0000000..783d0c9 \ No newline at end of file diff --git a/man/man8/vlock_selinux.8 b/man/man8/vlock_selinux.8 new file mode 100644 -index 0000000..372dfc6 +index 0000000..3355972 --- /dev/null +++ b/man/man8/vlock_selinux.8 -@@ -0,0 +1,130 @@ -+.TH "vlock_selinux" "8" "12-11-01" "vlock" "SELinux Policy documentation for vlock" +@@ -0,0 +1,251 @@ ++.TH "vlock_selinux" "8" "13-01-16" "vlock" "SELinux Policy documentation for vlock" +.SH "NAME" +vlock_selinux \- Security Enhanced Linux Policy for the vlock processes +.SH "DESCRIPTION" 
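Review bot: the STANDARD FILE CONTEXT example in the virtd_selinux.8 FILE CONTEXTS hunk (@@ -102633,22 +190662,87 @@) is internally inconsistent and a poor model. It adds a mapping for '/srv/virtd/content(/.*)?' but then runs restorecon -R -v /srv/myvirtd_content, a different path, so following it verbatim relabels nothing; and it uses virtd_exec_t, the domain entrypoint type, as the label for a content directory, which would turn any file dropped there into an entrypoint into virtd_t. The example should use a data type (the vmware page later in this patch uses vmware_conf_t) and the same path in both commands. The same hunk carries "\fBls\bP", a malformed font escape that should read "\fBls\fP", plus "diffent" and "sepecify"; since identical text appears in every regenerated page, the fix belongs in the generator template rather than in each file.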
@@ -102701,9 +190795,11 @@ index 0000000..372dfc6 + +.SH "ENTRYPOINTS" + -+The vlock_t SELinux type can be entered via the "vlock_exec_t" file type. The default entrypoint paths for the vlock_t domain are the following:" ++The vlock_t SELinux type can be entered via the \fBvlock_exec_t\fP file type. + -+/usr/sbin/vlock-main ++The default entrypoint paths for the vlock_t domain are the following: ++ ++/usr/bin/vlock, /usr/sbin/vlock-main +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -102719,69 +190815,89 @@ index 0000000..372dfc6 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a vlock_t ++can be used to make the process type vlock_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux vlock policy is very flexible allowing users to setup their vlock processes in as secure a method as possible. -+.PP -+The following file types are defined for vlock: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. vlock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vlock with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B vlock_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the vlock_exec_t type, if you want to transition an executable to the vlock_t domain. ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + -+.SH "MANAGED FILES" ++.EX ++.B setsebool -P domain_fd_use 1 + -+The SELinux process type vlock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++.EE + -+.br -+.B faillog_t ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + -+ /var/log/btmp.* -+.br -+ /var/run/faillock(/.*)? -+.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br ++.EX ++.B setsebool -P domain_kernel_load_modules 1 + -+.br -+.B pcscd_var_run_t ++.EE + -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the vlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 
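Review bot: the deny_ptrace paragraph in the vlock_selinux.8 BOOLEANS hunk (@@ -102719,69 +190815,89 @@) says the reverse of what the boolean does. It tells the reader to run setsebool -P deny_ptrace 1 in order to allow sysadm to debug or ptrace all processes, but turning deny_ptrace on is what blocks ptrace (and the text itself notes it is enabled by default). The sentence should say that ptrace is denied while the boolean is on and that it must be turned off to allow debugging. The same wording repeats for vmware_host, vmware and vnstat in this patch, so correct the boolean description the generator reads rather than each page. In the same hunk, authlogin_nsswitch_use_ldap and kerberos_enabled now appear under BOOLEANS and again in the retained NSSWITCH DOMAIN section that follows; one of the two listings should go.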
@@ -102794,6 +190910,101 @@ index 0000000..372dfc6 +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH "MANAGED FILES" ++ ++The SELinux process type vlock_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B faillog_t ++ ++ /var/log/btmp.* ++.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br ++ /var/run/faillock(/.*)? ++.br ++ ++.br ++.B krb5_host_rcache_t ++ ++ /var/cache/krb5rcache(/.*)? ++.br ++ /var/tmp/nfs_0 ++.br ++ /var/tmp/DNS_25 ++.br ++ /var/tmp/host_0 ++.br ++ /var/tmp/imap_0 ++.br ++ /var/tmp/HTTP_23 ++.br ++ /var/tmp/HTTP_48 ++.br ++ /var/tmp/ldap_55 ++.br ++ /var/tmp/ldap_487 ++.br ++ /var/tmp/ldapmap1_0 ++.br ++ ++.br ++.B lastlog_t ++ ++ /var/log/lastlog.* ++.br ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux vlock policy is very flexible allowing users to setup their vlock processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the vlock, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t vlock_exec_t '/srv/vlock/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvlock_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for vlock: ++ ++ ++.EX ++.PP ++.B vlock_exec_t ++.EE ++ ++- Set files with the vlock_exec_t type, if you want to transition an executable to the vlock_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/bin/vlock, /usr/sbin/vlock-main ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -102804,6 +191015,9 @@ index 0000000..372dfc6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -102815,13 +191029,15 @@ index 0000000..372dfc6 + +.SH "SEE ALSO" +selinux(8), vlock(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/vmware_host_selinux.8 b/man/man8/vmware_host_selinux.8 new file mode 100644 -index 0000000..2dd2f97 +index 0000000..15fbfda --- /dev/null +++ b/man/man8/vmware_host_selinux.8 -@@ -0,0 +1,139 @@ -+.TH "vmware_host_selinux" "8" "12-11-01" "vmware_host" "SELinux Policy documentation for vmware_host" +@@ -0,0 +1,235 @@ ++.TH "vmware_host_selinux" "8" "13-01-16" "vmware_host" "SELinux Policy documentation for vmware_host" +.SH "NAME" +vmware_host_selinux \- Security Enhanced Linux Policy for the vmware_host processes +.SH "DESCRIPTION" 
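Review bot: the SEE ALSO change in the last vlock_selinux.8 hunk (@@ -102815,13 +191029,15 @@) appends ", setsebool(8)" as a separate input line after "sepolicy(8)"; groff fills the two lines into one, so the rendered text reads "sepolicy(8) , setsebool(8)" with a space before the comma. The generator should append the reference to the existing line instead. The same pattern appears in the vmware_host, vmware and vnstat pages in this patch.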
@@ -102837,9 +191053,11 @@ index 0000000..2dd2f97 + +.SH "ENTRYPOINTS" + -+The vmware_host_t SELinux type can be entered via the "vmware_host_exec_t" file type. The default entrypoint paths for the vmware_host_t domain are the following:" ++The vmware_host_t SELinux type can be entered via the \fBvmware_host_exec_t\fP file type. + -+/usr/sbin/vmware-guest.*, /usr/lib/vmware-tools/sbin32/vmware.*, /usr/lib/vmware-tools/sbin64/vmware.*, /usr/bin/vmnet-natd, /usr/bin/vmware-vmx, /usr/bin/vmnet-dhcpd, /usr/bin/vmware-nmbd, /usr/bin/vmware-smbd, /usr/bin/vmnet-bridge, /usr/bin/vmnet-netifup, /usr/bin/vmnet-sniffer, /usr/bin/vmware-network, /usr/bin/vmware-smbpasswd, /usr/bin/vmware-smbpasswd\.bin, /usr/lib/vmware/bin/vmware-vmx ++The default entrypoint paths for the vmware_host_t domain are the following: ++ ++/opt/vmware/(workstation|player)/bin/vmnet-natd, /opt/vmware/(workstation|player)/bin/vmnet-dhcpd, /opt/vmware/(workstation|player)/bin/vmware-nmbd, /opt/vmware/(workstation|player)/bin/vmware-smbd, /opt/vmware/(workstation|player)/bin/vmnet-bridge, /opt/vmware/(workstation|player)/bin/vmnet-netifup, /opt/vmware/(workstation|player)/bin/vmnet-sniffer, /opt/vmware/(workstation|player)/bin/vmware-smbpasswd, /opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin, /usr/sbin/vmware-guest.*, /usr/lib/vmware-tools/sbin32/vmware.*, /usr/lib/vmware-tools/sbin64/vmware.*, /usr/bin/vmnet-natd, /usr/bin/vmware-vmx, /usr/bin/vmnet-dhcpd, /usr/bin/vmware-nmbd, /usr/bin/vmware-smbd, /usr/bin/vmnet-bridge, /usr/bin/vmnet-netifup, /usr/bin/vmnet-sniffer, /usr/bin/vmware-network, /usr/bin/vmware-smbpasswd, /usr/bin/vmware-smbpasswd\.bin, /usr/lib/vmware/bin/vmware-vmx +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -102855,8 +191073,120 @@ index 0000000..2dd2f97 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a vmware_host_t ++can be used to make the process type vmware_host_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. vmware_host policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vmware_host with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Enabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type vmware_host_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B systemd_passwd_var_run_t ++ ++ /var/run/systemd/ask-password(/.*)? ++.br ++ /var/run/systemd/ask-password-block(/.*)? ++.br ++ ++.br ++.B vmware_host_pid_t ++ ++ ++.br ++.B vmware_host_tmp_t ++ ++ ++.br ++.B vmware_sys_conf_t ++ ++ /etc/vmware.*(/.*)? ++.br ++ /usr/lib/vmware/config ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
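Review bot: the regenerated MANAGED FILES list for vmware_host_t in hunk @@ -102855,8 +191073,120 @@ adds root_t (paths / and /initrd), so the VMware network helpers are now documented as able to write files directly in the root directory, the same broad grant seen for virtd_t earlier in this patch; confirm this is intended policy rather than an inherited interface. The new list also no longer contains vmware_log_t (/var/log/vmware.*, /var/log/vnetlib.*), which the old MANAGED FILES block removed further down in this file did list; if vmware_host_t really lost write access to its own log type, that is a functional policy change worth calling out, and if not, the generator output is incomplete.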
@@ -102866,7 +191196,20 @@ index 0000000..2dd2f97 +Policy governs the access confined processes have to these files. +SELinux vmware_host policy is very flexible allowing users to setup their vmware_host processes in as secure a method as possible. +.PP -+The following file types are defined for vmware_host: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the vmware_host, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t vmware_host_exec_t '/srv/vmware_host/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvmware_host_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for vmware_host: + + +.EX @@ -102876,6 +191219,10 @@ index 0000000..2dd2f97 + +- Set files with the vmware_host_exec_t type, if you want to transition an executable to the vmware_host_t domain. + ++.br ++.TP 5 ++Paths: ++/opt/vmware/(workstation|player)/bin/vmnet-natd, /opt/vmware/(workstation|player)/bin/vmnet-dhcpd, /opt/vmware/(workstation|player)/bin/vmware-nmbd, /opt/vmware/(workstation|player)/bin/vmware-smbd, /opt/vmware/(workstation|player)/bin/vmnet-bridge, /opt/vmware/(workstation|player)/bin/vmnet-netifup, /opt/vmware/(workstation|player)/bin/vmnet-sniffer, /opt/vmware/(workstation|player)/bin/vmware-smbpasswd, /opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin, /usr/sbin/vmware-guest.*, /usr/lib/vmware-tools/sbin32/vmware.*, /usr/lib/vmware-tools/sbin64/vmware.*, /usr/bin/vmnet-natd, /usr/bin/vmware-vmx, /usr/bin/vmnet-dhcpd, /usr/bin/vmware-nmbd, /usr/bin/vmware-smbd, /usr/bin/vmnet-bridge, /usr/bin/vmnet-netifup, /usr/bin/vmnet-sniffer, /usr/bin/vmware-network, /usr/bin/vmware-smbpasswd, /usr/bin/vmware-smbpasswd\.bin, /usr/lib/vmware/bin/vmware-vmx + +.EX +.PP 
@@ -102900,44 +191247,6 @@ index 0000000..2dd2f97 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type vmware_host_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B systemd_passwd_var_run_t -+ -+ /var/run/systemd/ask-password(/.*)? -+.br -+ /var/run/systemd/ask-password-block(/.*)? -+.br -+ -+.br -+.B vmware_host_pid_t -+ -+ -+.br -+.B vmware_host_tmp_t -+ -+ -+.br -+.B vmware_log_t -+ -+ /var/log/vmware.* -+.br -+ /var/log/vnetlib.* -+.br -+ -+.br -+.B vmware_sys_conf_t -+ -+ /etc/vmware.*(/.*)? -+.br -+ /usr/lib/vmware/config -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -102948,6 +191257,9 @@ index 0000000..2dd2f97 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -102959,15 +191271,15 @@ index 0000000..2dd2f97 + +.SH "SEE ALSO" +selinux(8), vmware_host(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, vmware_selinux(8), vmware_selinux(8) ++, setsebool(8), vmware_selinux(8), vmware_selinux(8) \ No newline at end of file diff --git a/man/man8/vmware_selinux.8 b/man/man8/vmware_selinux.8 new file mode 100644 -index 0000000..de1de63 +index 0000000..36e2f21 --- /dev/null +++ b/man/man8/vmware_selinux.8 -@@ -0,0 +1,241 @@ -+.TH "vmware_selinux" "8" "12-11-01" "vmware" "SELinux Policy documentation for vmware" +@@ -0,0 +1,408 @@ ++.TH "vmware_selinux" "8" "13-01-16" "vmware" "SELinux Policy documentation for vmware" +.SH "NAME" +vmware_selinux \- Security Enhanced Linux Policy for the vmware processes +.SH "DESCRIPTION" 
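Review bot: the SEE ALSO line rewritten in the last vmware_host_selinux.8 hunk (@@ -102959,15 +191271,15 @@) still lists vmware_selinux(8) twice; since the line is being regenerated anyway to add setsebool(8), deduplicate the cross-references there.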
@@ -102983,9 +191295,11 @@ index 0000000..de1de63 + +.SH "ENTRYPOINTS" + -+The vmware_t SELinux type can be entered via the "vmware_exec_t" file type. The default entrypoint paths for the vmware_t domain are the following:" ++The vmware_t SELinux type can be entered via the \fBvmware_exec_t\fP file type. + -+/usr/bin/vmware, /usr/bin/vmware-ping, /usr/bin/vmware-wizard, /usr/sbin/vmware-serverd, /usr/lib/vmware/bin/vmplayer, /usr/lib/vmware/bin/vmware-ui, /usr/lib/vmware/bin/vmware-mks ++The default entrypoint paths for the vmware_t domain are the following: ++ ++/opt/vmware/(workstation|player)/bin/vmware, /opt/vmware/(workstation|player)/bin/vmware-ping, /opt/vmware/(workstation|player)/bin/vmware-wizard, /usr/bin/vmware, /usr/bin/vmware-ping, /usr/bin/vmware-wizard, /usr/sbin/vmware-serverd, /usr/lib/vmware/bin/vmplayer, /usr/lib/vmware/bin/vmware-ui, /usr/lib/vmware/bin/vmware-mks +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -103001,8 +191315,198 @@ index 0000000..de1de63 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a vmware_t ++can be used to make the process type vmware_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. vmware policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vmware with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. 
Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type vmware_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B usbfs_t ++ ++ ++.br ++.B user_fonts_cache_t ++ ++ /root/\.fontconfig(/.*)? ++.br ++ /root/\.fonts/auto(/.*)? ++.br ++ /root/\.fonts\.cache-.* ++.br ++ /home/[^/]*/\.fontconfig(/.*)? ++.br ++ /home/[^/]*/\.fonts/auto(/.*)? ++.br ++ /home/[^/]*/\.fonts\.cache-.* ++.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br ++ /home/dwalsh/\.fontconfig(/.*)? ++.br ++ /home/dwalsh/\.fonts/auto(/.*)? ++.br ++ /home/dwalsh/\.fonts\.cache-.* ++.br ++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? 
++.br ++ /var/lib/xguest/home/xguest/\.fonts\.cache-.* ++.br ++ ++.br ++.B vmware_conf_t ++ ++ /home/[^/]*/\.vmware[^/]*/.*\.cfg ++.br ++ /home/pwalsh/\.vmware[^/]*/.*\.cfg ++.br ++ /home/dwalsh/\.vmware[^/]*/.*\.cfg ++.br ++ /var/lib/xguest/home/xguest/\.vmware[^/]*/.*\.cfg ++.br ++ ++.br ++.B vmware_file_t ++ ++ /home/[^/]*/vmware(/.*)? ++.br ++ /home/[^/]*/\.vmware(/.*)? ++.br ++ /home/pwalsh/vmware(/.*)? ++.br ++ /home/pwalsh/\.vmware(/.*)? ++.br ++ /home/dwalsh/vmware(/.*)? ++.br ++ /home/dwalsh/\.vmware(/.*)? ++.br ++ /var/lib/xguest/home/xguest/vmware(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.vmware(/.*)? ++.br ++ ++.br ++.B vmware_pid_t ++ ++ ++.br ++.B vmware_tmp_t ++ ++ ++.br ++.B vmware_tmpfs_t ++ ++ ++.br ++.B xserver_tmpfs_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -103012,7 +191516,31 @@ index 0000000..de1de63 +Policy governs the access confined processes have to these files. +SELinux vmware policy is very flexible allowing users to setup their vmware processes in as secure a method as possible. +.PP -+The following file types are defined for vmware: ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++vmware policy stores data with multiple different file context types under the /var/lib/xguest/home/xguest/\.vmware directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/xguest/home/xguest/\.vmware /srv/\.vmware ++.br ++.B restorecon -R -v /srv/\.vmware ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the vmware, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t vmware_conf_t '/srv/vmware/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvmware_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for vmware: + + +.EX @@ -103022,6 +191550,10 @@ index 0000000..de1de63 + +- Set files with the vmware_conf_t type, if you want to treat the files as vmware configuration data, usually stored under the /etc directory. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.vmware[^/]*/.*\.cfg, /home/pwalsh/\.vmware[^/]*/.*\.cfg, /home/dwalsh/\.vmware[^/]*/.*\.cfg, /var/lib/xguest/home/xguest/\.vmware[^/]*/.*\.cfg + +.EX +.PP 
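Review bot: the EQUIVALENCE DIRECTORIES example in the vmware_selinux.8 FILE CONTEXTS hunk (@@ -103012,7 +191516,31 @@) is not usable as written. semanage fcontext -a -e takes literal path prefixes, not regular expressions, so /var/lib/xguest/home/xguest/\.vmware and /srv/\.vmware would be stored with a literal backslash and match nothing; the paths should be /var/lib/xguest/home/xguest/.vmware and /srv/.vmware. It is also an odd template: the xguest home directory appears to have been picked because it is the first path under which several file types live, but it is a per-user location rather than where vmware keeps its data, so readers get an example that never applies to them. "dirctory" in the same paragraph is a typo.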
@@ -103030,6 +191562,10 @@ index 0000000..de1de63 + +- Set files with the vmware_exec_t type, if you want to transition an executable to the vmware_t domain. + ++.br ++.TP 5 ++Paths: ++/opt/vmware/(workstation|player)/bin/vmware, /opt/vmware/(workstation|player)/bin/vmware-ping, /opt/vmware/(workstation|player)/bin/vmware-wizard, /usr/bin/vmware, /usr/bin/vmware-ping, /usr/bin/vmware-wizard, /usr/sbin/vmware-serverd, /usr/lib/vmware/bin/vmplayer, /usr/lib/vmware/bin/vmware-ui, /usr/lib/vmware/bin/vmware-mks + +.EX +.PP @@ -103038,6 +191574,10 @@ index 0000000..de1de63 + +- Set files with the vmware_file_t type, if you want to treat the files as vmware content. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/vmware(/.*)?, /home/[^/]*/\.vmware(/.*)?, /home/pwalsh/vmware(/.*)?, /home/pwalsh/\.vmware(/.*)?, /home/dwalsh/vmware(/.*)?, /home/dwalsh/\.vmware(/.*)?, /var/lib/xguest/home/xguest/vmware(/.*)?, /var/lib/xguest/home/xguest/\.vmware(/.*)? + +.EX +.PP 
@@ -103046,6 +191586,10 @@ index 0000000..de1de63 + +- Set files with the vmware_host_exec_t type, if you want to transition an executable to the vmware_host_t domain. + ++.br ++.TP 5 ++Paths: ++/opt/vmware/(workstation|player)/bin/vmnet-natd, /opt/vmware/(workstation|player)/bin/vmnet-dhcpd, /opt/vmware/(workstation|player)/bin/vmware-nmbd, /opt/vmware/(workstation|player)/bin/vmware-smbd, /opt/vmware/(workstation|player)/bin/vmnet-bridge, /opt/vmware/(workstation|player)/bin/vmnet-netifup, /opt/vmware/(workstation|player)/bin/vmnet-sniffer, /opt/vmware/(workstation|player)/bin/vmware-smbpasswd, /opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin, /usr/sbin/vmware-guest.*, /usr/lib/vmware-tools/sbin32/vmware.*, /usr/lib/vmware-tools/sbin64/vmware.*, /usr/bin/vmnet-natd, /usr/bin/vmware-vmx, /usr/bin/vmnet-dhcpd, /usr/bin/vmware-nmbd, /usr/bin/vmware-smbd, /usr/bin/vmnet-bridge, /usr/bin/vmnet-netifup, /usr/bin/vmnet-sniffer, /usr/bin/vmware-network, /usr/bin/vmware-smbpasswd, /usr/bin/vmware-smbpasswd\.bin, /usr/lib/vmware/bin/vmware-vmx + +.EX +.PP @@ -103070,6 +191614,10 @@ index 0000000..de1de63 + +- Set files with the vmware_log_t type, if you want to treat the data as vmware log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/vmware.*, /var/log/vnetlib.* + +.EX +.PP @@ -103086,6 +191634,10 @@ index 0000000..de1de63 + +- Set files with the vmware_sys_conf_t type, if you want to treat the files as vmware sys configuration data, usually stored under the /etc directory. + ++.br ++.TP 5 ++Paths: ++/etc/vmware.*(/.*)?, /usr/lib/vmware/config + +.EX +.PP 
@@ -103110,82 +191662,6 @@ index 0000000..de1de63 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type vmware_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B usbfs_t -+ -+ -+.br -+.B user_fonts_cache_t -+ -+ /root/\.fontconfig(/.*)? -+.br -+ /root/\.fonts/auto(/.*)? -+.br -+ /root/\.fonts\.cache-.* -+.br -+ /home/[^/]*/\.fontconfig(/.*)? -+.br -+ /home/[^/]*/\.fonts/auto(/.*)? -+.br -+ /home/[^/]*/\.fonts\.cache-.* -+.br -+ /home/dwalsh/\.fontconfig(/.*)? -+.br -+ /home/dwalsh/\.fonts/auto(/.*)? -+.br -+ /home/dwalsh/\.fonts\.cache-.* -+.br -+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.fonts\.cache-.* -+.br -+ -+.br -+.B vmware_conf_t -+ -+ /home/[^/]*/\.vmware[^/]*/.*\.cfg -+.br -+ /home/dwalsh/\.vmware[^/]*/.*\.cfg -+.br -+ /var/lib/xguest/home/xguest/\.vmware[^/]*/.*\.cfg -+.br -+ -+.br -+.B vmware_file_t -+ -+ /home/[^/]*/vmware(/.*)? -+.br -+ /home/[^/]*/\.vmware(/.*)? -+.br -+ /home/dwalsh/vmware(/.*)? -+.br -+ /home/dwalsh/\.vmware(/.*)? -+.br -+ /var/lib/xguest/home/xguest/vmware(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.vmware(/.*)? -+.br -+ -+.br -+.B vmware_pid_t -+ -+ -+.br -+.B vmware_tmp_t -+ -+ -+.br -+.B vmware_tmpfs_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -103196,6 +191672,9 @@ index 0000000..de1de63 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -103207,15 +191686,15 @@ index 0000000..de1de63 + +.SH "SEE ALSO" +selinux(8), vmware(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, vmware_host_selinux(8) ++, setsebool(8), vmware_host_selinux(8) \ No newline at end of file diff --git a/man/man8/vnstat_selinux.8 b/man/man8/vnstat_selinux.8 new file mode 100644 -index 0000000..2139a86 +index 0000000..224093c --- /dev/null +++ b/man/man8/vnstat_selinux.8 -@@ -0,0 +1,121 @@ -+.TH "vnstat_selinux" "8" "12-11-01" "vnstat" "SELinux Policy documentation for vnstat" +@@ -0,0 +1,189 @@ ++.TH "vnstat_selinux" "8" "13-01-16" "vnstat" "SELinux Policy documentation for vnstat" +.SH "NAME" +vnstat_selinux \- Security Enhanced Linux Policy for the vnstat processes +.SH "DESCRIPTION" @@ -103231,7 +191710,9 @@ index 0000000..2139a86 + +.SH "ENTRYPOINTS" + -+The vnstat_t SELinux type can be entered via the "vnstat_exec_t" file type. The default entrypoint paths for the vnstat_t domain are the following:" ++The vnstat_t SELinux type can be entered via the \fBvnstat_exec_t\fP file type. ++ ++The default entrypoint paths for the vnstat_t domain are the following: + +/usr/bin/vnstat +.SH PROCESS TYPES 
@@ -103249,8 +191730,62 @@ index 0000000..2139a86 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a vnstat_t ++can be used to make the process type vnstat_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. vnstat policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vnstat with the tightest access possible. ++ ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type vnstat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B vnstatd_var_lib_t ++ ++ /var/lib/vnstat(/.*)? 
++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -103260,7 +191795,20 @@ index 0000000..2139a86 +Policy governs the access confined processes have to these files. +SELinux vnstat policy is very flexible allowing users to setup their vnstat processes in as secure a method as possible. +.PP -+The following file types are defined for vnstat: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the vnstat, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t vnstat_exec_t '/srv/vnstat/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvnstat_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for vnstat: + + +.EX @@ -103281,6 +191829,14 @@ index 0000000..2139a86 + +.EX +.PP ++.B vnstatd_initrc_exec_t ++.EE ++ ++- Set files with the vnstatd_initrc_exec_t type, if you want to transition an executable to the vnstatd_initrc_t domain. ++ ++ ++.EX ++.PP +.B vnstatd_var_lib_t +.EE + @@ -103292,7 +191848,7 @@ index 0000000..2139a86 +.B vnstatd_var_run_t +.EE + -+- Set files with the vnstatd_var_run_t type, if you want to store the vnstatd files under the /run directory. ++- Set files with the vnstatd_var_run_t type, if you want to store the vnstatd files under the /run or /var/run directory. + + +.PP 
@@ -103302,18 +191858,6 @@ index 0000000..2139a86 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type vnstat_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B vnstatd_var_lib_t -+ -+ /var/lib/vnstat(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -103324,6 +191868,9 @@ index 0000000..2139a86 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -103335,15 +191882,15 @@ index 0000000..2139a86 + +.SH "SEE ALSO" +selinux(8), vnstat(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, vnstatd_selinux(8) ++, setsebool(8), vnstatd_selinux(8) \ No newline at end of file diff --git a/man/man8/vnstatd_selinux.8 b/man/man8/vnstatd_selinux.8 new file mode 100644 -index 0000000..548eb69 +index 0000000..1a81f4a --- /dev/null +++ b/man/man8/vnstatd_selinux.8 -@@ -0,0 +1,119 @@ -+.TH "vnstatd_selinux" "8" "12-11-01" "vnstatd" "SELinux Policy documentation for vnstatd" +@@ -0,0 +1,219 @@ ++.TH "vnstatd_selinux" "8" "13-01-16" "vnstatd" "SELinux Policy documentation for vnstatd" +.SH "NAME" +vnstatd_selinux \- Security Enhanced Linux Policy for the vnstatd processes +.SH "DESCRIPTION" @@ -103359,7 +191906,9 @@ index 0000000..548eb69 + +.SH "ENTRYPOINTS" + -+The vnstatd_t SELinux type can be entered via the "vnstatd_exec_t" file type. The default entrypoint paths for the vnstatd_t domain are the following:" ++The vnstatd_t SELinux type can be entered via the \fBvnstatd_exec_t\fP file type. ++ ++The default entrypoint paths for the vnstatd_t domain are the following: + +/usr/sbin/vnstatd +.SH PROCESS TYPES 
@@ -103377,8 +191926,100 @@ index 0000000..548eb69 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a vnstatd_t ++can be used to make the process type vnstatd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. vnstatd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vnstatd with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type vnstatd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B vnstatd_var_lib_t ++ ++ /var/lib/vnstat(/.*)? ++.br ++ ++.br ++.B vnstatd_var_run_t ++ ++ /var/run/vnstat.* ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -103388,7 +192029,20 @@ index 0000000..548eb69 +Policy governs the access confined processes have to these files. +SELinux vnstatd policy is very flexible allowing users to setup their vnstatd processes in as secure a method as possible. +.PP -+The following file types are defined for vnstatd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the vnstatd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t vnstatd_exec_t '/srv/vnstatd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvnstatd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for vnstatd: + + +.EX 
@@ -103401,6 +192055,14 @@ index 0000000..548eb69 + +.EX +.PP ++.B vnstatd_initrc_exec_t ++.EE ++ ++- Set files with the vnstatd_initrc_exec_t type, if you want to transition an executable to the vnstatd_initrc_t domain. ++ ++ ++.EX ++.PP +.B vnstatd_var_lib_t +.EE + @@ -103412,7 +192074,7 @@ index 0000000..548eb69 +.B vnstatd_var_run_t +.EE + -+- Set files with the vnstatd_var_run_t type, if you want to store the vnstatd files under the /run directory. ++- Set files with the vnstatd_var_run_t type, if you want to store the vnstatd files under the /run or /var/run directory. + + +.PP @@ -103422,24 +192084,6 @@ index 0000000..548eb69 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type vnstatd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B vnstatd_var_lib_t -+ -+ /var/lib/vnstat(/.*)? -+.br -+ -+.br -+.B vnstatd_var_run_t -+ -+ /var/run/vnstat\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -103450,6 +192094,9 @@ index 0000000..548eb69 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -103461,15 +192108,15 @@ index 0000000..548eb69 + +.SH "SEE ALSO" +selinux(8), vnstatd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, vnstat_selinux(8), vnstat_selinux(8) ++, setsebool(8), vnstat_selinux(8), vnstat_selinux(8) \ No newline at end of file diff --git a/man/man8/vpnc_selinux.8 b/man/man8/vpnc_selinux.8 new file mode 100644 -index 0000000..d20c0f1 +index 0000000..ae76e33 --- /dev/null 
+++ b/man/man8/vpnc_selinux.8 -@@ -0,0 +1,156 @@ -+.TH "vpnc_selinux" "8" "12-11-01" "vpnc" "SELinux Policy documentation for vpnc" +@@ -0,0 +1,259 @@ ++.TH "vpnc_selinux" "8" "13-01-16" "vpnc" "SELinux Policy documentation for vpnc" +.SH "NAME" +vpnc_selinux \- Security Enhanced Linux Policy for the vpnc processes +.SH "DESCRIPTION" @@ -103485,7 +192132,9 @@ index 0000000..d20c0f1 + +.SH "ENTRYPOINTS" + -+The vpnc_t SELinux type can be entered via the "vpnc_exec_t" file type. The default entrypoint paths for the vpnc_t domain are the following:" ++The vpnc_t SELinux type can be entered via the \fBvpnc_exec_t\fP file type. ++ ++The default entrypoint paths for the vpnc_t domain are the following: + +/sbin/vpnc, /usr/sbin/vpnc, /usr/bin/openconnect +.SH PROCESS TYPES 
@@ -103503,50 +192152,108 @@ index 0000000..d20c0f1 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a vpnc_t ++can be used to make the process type vpnc_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible. -+.PP -+The following file types are defined for vpnc: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. vpnc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vpnc with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B vpnc_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the vpnc_exec_t type, if you want to transition an executable to the vpnc_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B vpnc_tmp_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the vpnc_tmp_t type, if you want to store vpnc temporary files in the /tmp directories. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
+ +.EX -+.PP -+.B vpnc_var_run_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the vpnc_var_run_t type, if you want to store the vpnc files under the /run directory. ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the vpnc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the vpnc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -103555,8 +192262,6 @@ index 0000000..d20c0f1 +.br +.B net_conf_t + -+ /etc/ntpd?\.conf.* -+.br + /etc/hosts[^/]* +.br + /etc/yp\.conf.* @@ -103567,8 +192272,6 @@ index 0000000..d20c0f1 +.br + /etc/resolv\.conf.* +.br -+ /etc/ntp/step-tickers.* -+.br + /etc/sysconfig/networking(/.*)? +.br + /etc/sysconfig/network-scripts(/.*)? 
@@ -103588,21 +192291,64 @@ index 0000000..d20c0f1 + /var/run/vpnc(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vpnc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the vpnc, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t vpnc_exec_t '/srv/vpnc/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myvpnc_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for vpnc: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B vpnc_exec_t +.EE + ++- Set files with the vpnc_exec_t type, if you want to transition an executable to the vpnc_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/vpnc, /usr/sbin/vpnc, /usr/bin/openconnect ++ ++.EX ++.PP ++.B vpnc_tmp_t ++.EE ++ ++- Set files with the vpnc_tmp_t type, if you want to store vpnc temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B vpnc_var_run_t ++.EE ++ ++- Set files with the vpnc_var_run_t type, if you want to store the vpnc files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the vpnc_t, you must turn on the kerberos_enabled boolean. 
-+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -103614,6 +192360,9 @@ index 0000000..d20c0f1 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -103625,13 +192374,15 @@ index 0000000..d20c0f1 + +.SH "SEE ALSO" +selinux(8), vpnc(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/wdmd_selinux.8 b/man/man8/wdmd_selinux.8 new file mode 100644 -index 0000000..347d6d8 +index 0000000..baaa5e5 --- /dev/null +++ b/man/man8/wdmd_selinux.8 -@@ -0,0 +1,138 @@ -+.TH "wdmd_selinux" "8" "12-11-01" "wdmd" "SELinux Policy documentation for wdmd" +@@ -0,0 +1,275 @@ ++.TH "wdmd_selinux" "8" "13-01-16" "wdmd" "SELinux Policy documentation for wdmd" +.SH "NAME" +wdmd_selinux \- Security Enhanced Linux Policy for the wdmd processes +.SH "DESCRIPTION" @@ -103647,7 +192398,9 @@ index 0000000..347d6d8 + +.SH "ENTRYPOINTS" + -+The wdmd_t SELinux type can be entered via the "wdmd_exec_t" file type. The default entrypoint paths for the wdmd_t domain are the following:" ++The wdmd_t SELinux type can be entered via the \fBwdmd_exec_t\fP file type. ++ ++The default entrypoint paths for the wdmd_t domain are the following: + +/usr/sbin/wdmd +.SH PROCESS TYPES 
@@ -103665,8 +192418,152 @@ index 0000000..347d6d8 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a wdmd_t ++can be used to make the process type wdmd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. wdmd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run wdmd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the wdmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the wdmd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type wdmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B corosync_tmpfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B wdmd_tmpfs_t ++ ++ ++.br ++.B wdmd_var_run_t ++ ++ /var/run/wdmd(/.*)? ++.br ++ /var/run/checkquorum-timer ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -103676,7 +192573,20 @@ index 0000000..347d6d8 +Policy governs the access confined processes have to these files. +SELinux wdmd policy is very flexible allowing users to setup their wdmd processes in as secure a method as possible. +.PP -+The following file types are defined for wdmd: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the wdmd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t wdmd_exec_t '/srv/wdmd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mywdmd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for wdmd: + + +.EX @@ -103708,8 +192618,12 @@ index 0000000..347d6d8 +.B wdmd_var_run_t +.EE + -+- Set files with the wdmd_var_run_t type, if you want to store the wdmd files under the /run directory. ++- Set files with the wdmd_var_run_t type, if you want to store the wdmd files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/wdmd(/.*)?, /var/run/checkquorum-timer + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the 
@@ -103718,36 +192632,6 @@ index 0000000..347d6d8 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type wdmd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B wdmd_tmpfs_t -+ -+ -+.br -+.B wdmd_var_run_t -+ -+ /var/run/wdmd(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the wdmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the wdmd_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -103758,6 +192642,9 @@ index 0000000..347d6d8 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -103769,15 +192656,17 @@ index 0000000..347d6d8 + +.SH "SEE ALSO" +selinux(8), wdmd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/webadm_selinux.8 b/man/man8/webadm_selinux.8 new file mode 100644 -index 0000000..46d2721 +index 0000000..80fae68 --- /dev/null +++ b/man/man8/webadm_selinux.8 -@@ -0,0 +1,255 @@ +@@ -0,0 +1,399 @@ +.TH "webadm_selinux" "8" "webadm" "mgrepl@redhat.com" "webadm SELinux Policy documentation" +.SH "NAME" -+webadm_r \- \fBWeb administrator role\fP - Security Enhanced Linux Policy ++webadm_r \- \fBWeb administrator role.\fP - Security Enhanced Linux Policy + +.SH DESCRIPTION + 
@@ -103822,31 +192711,139 @@ index 0000000..46d2721 + + +.PP -+If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean. ++If you want to determine whether webadm can manage generic user files, you must turn on the webadm_manage_user_files boolean. Disabled by default. + +.EX +.B setsebool -P webadm_manage_user_files 1 ++ +.EE + +.PP -+If you want to allow webadm to read files in users home directories, you must turn on the webadm_read_user_files boolean. ++If you want to determine whether webadm can read generic user files, you must turn on the webadm_read_user_files boolean. Disabled by default. + +.EX +.B setsebool -P webadm_read_user_files 1 ++ +.EE + +.PP -+If you want to allow webadm to manage files in users home directories, you must turn on the webadm_manage_user_files boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P webadm_manage_user_files 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow webadm to read files in users home directories, you must turn on the webadm_read_user_files boolean. ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. + +.EX -+.B setsebool -P webadm_read_user_files 1 ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ +.EE + +.SH "MANAGED FILES" @@ -103866,9 +192863,9 @@ index 0000000..46d2721 +.br + /etc/apache-ssl(2)?(/.*)? +.br -+ /var/lib/openshift/.httpd.d(/.*)? ++ /var/lib/openshift/\.httpd\.d(/.*)? +.br -+ /var/lib/stickshift/.httpd.d(/.*)? ++ /var/lib/stickshift/\.httpd\.d(/.*)? +.br + /etc/vhosts +.br @@ -103888,6 +192885,8 @@ index 0000000..46d2721 +.br + /var/log/apache(2)?(/.*)? +.br ++ /var/log/php-fpm(/.*)? ++.br + /var/log/cherokee(/.*)? +.br + /var/log/lighttpd(/.*)? @@ -103904,6 +192903,14 @@ index 0000000..46d2721 +.br + /var/log/dirsrv/admin-serv(/.*)? +.br ++ /var/lib/openshift/\.log/httpd(/.*)? ++.br ++ /var/www/openshift/console/log(/.*)? ++.br ++ /var/www/openshift/broker/httpd/logs(/.*)? ++.br ++ /var/www/openshift/console/httpd/logs(/.*)? ++.br + /etc/httpd/logs +.br + @@ -103940,6 +192947,8 @@ index 0000000..46d2721 + + /var/run/user/apache(/.*)? +.br ++ /var/www/openshift/console/tmp(/.*)? ++.br + +.br +.B httpd_unit_file_t @@ -103948,6 +192957,8 @@ index 0000000..46d2721 +.br + /usr/lib/systemd/system/jetty.* +.br ++ /usr/lib/systemd/system/php-fpm.* ++.br + +.br +.B httpd_var_run_t @@ -103960,12 +192971,18 @@ index 0000000..46d2721 +.br + /var/run/apache.* +.br ++ /var/run/php-fpm(/.*)? ++.br + /var/run/lighttpd(/.*)? +.br + /var/lib/php/session(/.*)? +.br + /var/run/dirsrv/admin-serv.* +.br ++ /var/www/openshift/broker/httpd/run(/.*)? ++.br ++ /var/www/openshift/console/httpd/run(/.*)? ++.br + /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? +.br + /var/run/gcache_port 
@@ -103992,13 +193009,29 @@ index 0000000..46d2721 +.br + +.br -+.B var_lock_t ++.B user_home_t + -+ /var/lock(/.*)? ++ /home/[^/]*/.+ +.br -+ /run/lock(/.*)? ++ /home/pwalsh/.+ +.br -+ /var/lock ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmp_t ++ ++ /var/run/user(/.*)? ++.br ++ /tmp/gconfd-.* ++.br ++ /tmp/gconfd-pwalsh ++.br ++ /tmp/gconfd-dwalsh ++.br ++ /tmp/gconfd-xguest +.br + +.br @@ -104033,11 +193066,11 @@ index 0000000..46d2721 \ No newline at end of file diff --git a/man/man8/webalizer_selinux.8 b/man/man8/webalizer_selinux.8 new file mode 100644 -index 0000000..c971659 +index 0000000..17b5309 --- /dev/null +++ b/man/man8/webalizer_selinux.8 -@@ -0,0 +1,198 @@ -+.TH "webalizer_selinux" "8" "12-11-01" "webalizer" "SELinux Policy documentation for webalizer" +@@ -0,0 +1,301 @@ ++.TH "webalizer_selinux" "8" "13-01-16" "webalizer" "SELinux Policy documentation for webalizer" +.SH "NAME" +webalizer_selinux \- Security Enhanced Linux Policy for the webalizer processes +.SH "DESCRIPTION" @@ -104053,9 +193086,11 @@ index 0000000..c971659 + +.SH "ENTRYPOINTS" + -+The webalizer_t SELinux type can be entered via the "webalizer_exec_t" file type. The default entrypoint paths for the webalizer_t domain are the following:" ++The webalizer_t SELinux type can be entered via the \fBwebalizer_exec_t\fP file type. + -+/usr/bin/awffull, /usr/bin/webalizer ++The default entrypoint paths for the webalizer_t domain are the following: ++ ++/usr/bin/awffull, /usr/bin/webalizer, /usr/bin/webazolver +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -104071,8 +193106,162 @@ index 0000000..c971659 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a webalizer_t ++can be used to make the process type webalizer_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. webalizer policy is extremely flexible and has several booleans that allow you to manipulate the policy and run webalizer with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the webalizer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the webalizer_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type webalizer_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B anon_inodefs_t ++ ++ ++.br ++.B httpd_sys_content_t ++ ++ /srv/([^/]*/)?www(/.*)? ++.br ++ /var/www(/.*)? ++.br ++ /etc/htdig(/.*)? ++.br ++ /srv/gallery2(/.*)? ++.br ++ /var/lib/trac(/.*)? ++.br ++ /var/lib/htdig(/.*)? ++.br ++ /var/www/icons(/.*)? ++.br ++ /usr/share/htdig(/.*)? ++.br ++ /usr/share/drupal.* ++.br ++ /usr/share/z-push(/.*)? ++.br ++ /var/www/svn/conf(/.*)? ++.br ++ /usr/share/icecast(/.*)? ++.br ++ /var/lib/cacti/rra(/.*)? ++.br ++ /usr/share/ntop/html(/.*)? ++.br ++ /usr/share/doc/ghc/html(/.*)? ++.br ++ /usr/share/openca/htdocs(/.*)? ++.br ++ /usr/share/selinux-policy[^/]*/html(/.*)? 
++.br ++ ++.br ++.B httpd_webalizer_content_t ++ ++ /var/www/usage(/.*)? ++.br ++ ++.br ++.B webalizer_tmp_t ++ ++ ++.br ++.B webalizer_var_lib_t ++ ++ /var/lib/webalizer(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -104082,7 +193271,20 @@ index 0000000..c971659 +Policy governs the access confined processes have to these files. +SELinux webalizer policy is very flexible allowing users to setup their webalizer processes in as secure a method as possible. +.PP -+The following file types are defined for webalizer: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the webalizer, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t webalizer_etc_t '/srv/webalizer/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mywebalizer_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for webalizer: + + +.EX @@ -104100,6 +193302,10 @@ index 0000000..c971659 + +- Set files with the webalizer_exec_t type, if you want to transition an executable to the webalizer_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/awffull, /usr/bin/webalizer, /usr/bin/webazolver + +.EX +.PP 
@@ -104140,80 +193346,6 @@ index 0000000..c971659 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type webalizer_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B anon_inodefs_t -+ -+ -+.br -+.B httpd_sys_content_t -+ -+ /srv/([^/]*/)?www(/.*)? -+.br -+ /var/www(/.*)? -+.br -+ /etc/htdig(/.*)? -+.br -+ /srv/gallery2(/.*)? -+.br -+ /var/lib/trac(/.*)? -+.br -+ /var/lib/htdig(/.*)? -+.br -+ /var/www/icons(/.*)? -+.br -+ /usr/share/htdig(/.*)? -+.br -+ /usr/share/drupal.* -+.br -+ /var/www/svn/conf(/.*)? -+.br -+ /usr/share/icecast(/.*)? -+.br -+ /usr/share/mythweb(/.*)? -+.br -+ /var/lib/cacti/rra(/.*)? -+.br -+ /usr/share/ntop/html(/.*)? -+.br -+ /usr/share/mythtv/data(/.*)? -+.br -+ /usr/share/doc/ghc/html(/.*)? -+.br -+ /usr/share/openca/htdocs(/.*)? -+.br -+ /usr/share/selinux-policy[^/]*/html(/.*)? -+.br -+ -+.br -+.B webalizer_tmp_t -+ -+ -+.br -+.B webalizer_var_lib_t -+ -+ /var/lib/webalizer(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the webalizer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the webalizer_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -104224,6 +193356,9 @@ index 0000000..c971659 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -104235,13 +193370,15 @@ index 0000000..c971659 + +.SH "SEE ALSO" +selinux(8), webalizer(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/winbind_helper_selinux.8 b/man/man8/winbind_helper_selinux.8 new file mode 100644 -index 0000000..2cf4c75 +index 0000000..ed8444e --- /dev/null +++ b/man/man8/winbind_helper_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "winbind_helper_selinux" "8" "12-11-01" "winbind_helper" "SELinux Policy documentation for winbind_helper" +@@ -0,0 +1,203 @@ ++.TH "winbind_helper_selinux" "8" "13-01-16" "winbind_helper" "SELinux Policy documentation for winbind_helper" +.SH "NAME" +winbind_helper_selinux \- Security Enhanced Linux Policy for the winbind_helper processes +.SH "DESCRIPTION" @@ -104257,7 +193394,9 @@ index 0000000..2cf4c75 + +.SH "ENTRYPOINTS" + -+The winbind_helper_t SELinux type can be entered via the "winbind_helper_exec_t" file type. The default entrypoint paths for the winbind_helper_t domain are the following:" ++The winbind_helper_t SELinux type can be entered via the \fBwinbind_helper_exec_t\fP file type. ++ ++The default entrypoint paths for the winbind_helper_t domain are the following: + +/usr/bin/ntlm_auth +.SH PROCESS TYPES 
@@ -104275,8 +193414,108 @@ index 0000000..2cf4c75 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a winbind_helper_t ++can be used to make the process type winbind_helper_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. winbind_helper policy is extremely flexible and has several booleans that allow you to manipulate the policy and run winbind_helper with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_mod_auth_ntlm_winbind 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the winbind_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the winbind_helper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -104286,7 +193525,20 @@ index 0000000..2cf4c75 +Policy governs the access confined processes have to these files. +SELinux winbind_helper policy is very flexible allowing users to setup their winbind_helper processes in as secure a method as possible. +.PP -+The following file types are defined for winbind_helper: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the winbind_helper, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t winbind_helper_exec_t '/srv/winbind_helper/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mywinbind_helper_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for winbind_helper: + + +.EX @@ -104304,22 +193556,6 @@ index 0000000..2cf4c75 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the winbind_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the winbind_helper_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -104330,6 +193566,9 @@ index 0000000..2cf4c75 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -104341,15 +193580,15 @@ index 0000000..2cf4c75 + +.SH "SEE ALSO" +selinux(8), winbind_helper(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, winbind_selinux(8), winbind_selinux(8) ++, setsebool(8), winbind_selinux(8), winbind_selinux(8) \ No newline at end of file diff --git a/man/man8/winbind_selinux.8 b/man/man8/winbind_selinux.8 new file mode 100644 -index 0000000..63e0898 +index 0000000..187c4ee --- /dev/null +++ b/man/man8/winbind_selinux.8 -@@ -0,0 +1,284 @@ -+.TH "winbind_selinux" "8" "12-11-01" "winbind" "SELinux Policy documentation for winbind" +@@ -0,0 +1,379 @@ ++.TH "winbind_selinux" "8" "13-01-16" "winbind" "SELinux Policy documentation for winbind" +.SH "NAME" +winbind_selinux \- Security Enhanced Linux Policy for the winbind processes +.SH "DESCRIPTION" @@ -104365,7 +193604,9 @@ index 0000000..63e0898 + +.SH "ENTRYPOINTS" + -+The winbind_t SELinux type can be entered via the "winbind_exec_t" file type. The default entrypoint paths for the winbind_t domain are the following:" ++The winbind_t SELinux type can be entered via the \fBwinbind_exec_t\fP file type. ++ ++The default entrypoint paths for the winbind_t domain are the following: + +/usr/sbin/winbindd +.SH PROCESS TYPES 
@@ -104383,76 +193624,124 @@ index 0000000..63e0898 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a winbind_t ++can be used to make the process type winbind_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. winbind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run winbind with the tightest access possible. + + +.PP -+If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_mod_auth_ntlm_winbind 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the httpd_mod_auth_ntlm_winbind boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_mod_auth_ntlm_winbind 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux winbind policy is very flexible allowing users to setup their winbind processes in as secure a method as possible. 
-+.PP -+The following file types are defined for winbind: -+ ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B winbind_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the winbind_exec_t type, if you want to transition an executable to the winbind_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B winbind_helper_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the winbind_helper_exec_t type, if you want to transition an executable to the winbind_helper_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B winbind_log_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the winbind_log_t type, if you want to treat the data as winbind log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B winbind_var_run_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the winbind_var_run_t type, if you want to store the winbind files under the /run directory. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the winbind_helper_t, winbind_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the winbind_helper_t, winbind_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + @@ -104467,12 +193756,6 @@ index 0000000..63e0898 +.br +.B ctdbd_var_lib_t + -+ /etc/ctdb(/.*)? -+.br -+ /var/ctdb(/.*)? -+.br -+ /var/ctdbd(/.*)? -+.br + /var/lib/ctdbd(/.*)? +.br + 
@@ -104481,25 +193764,19 @@ index 0000000..63e0898 + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br -+.B pcscd_var_run_t ++.B root_t + -+ /var/run/pcscd(/.*)? ++ / +.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm ++ /initrd +.br + +.br @@ -104523,6 +193800,8 @@ index 0000000..63e0898 +.br +.B samba_var_t + ++ /var/nmbd(/.*)? ++.br + /var/lib/samba(/.*)? +.br + /var/cache/samba(/.*)? @@ -104559,6 +193838,8 @@ index 0000000..63e0898 + + /home/[^/]*/.+ +.br ++ /home/pwalsh/.+ ++.br + /home/dwalsh/.+ +.br + /var/lib/xguest/home/xguest/.+ @@ -104571,6 +193852,8 @@ index 0000000..63e0898 +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest 
@@ -104592,21 +193875,72 @@ index 0000000..63e0898 + /var/cache/samba/winbindd_privileged(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux winbind policy is very flexible allowing users to setup their winbind processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the winbind_helper_t, winbind_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the winbind, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t winbind_exec_t '/srv/winbind/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mywinbind_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for winbind: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B winbind_exec_t +.EE + ++- Set files with the winbind_exec_t type, if you want to transition an executable to the winbind_t domain. ++ ++ ++.EX ++.PP ++.B winbind_helper_exec_t ++.EE ++ ++- Set files with the winbind_helper_exec_t type, if you want to transition an executable to the winbind_helper_t domain. ++ ++ ++.EX ++.PP ++.B winbind_log_t ++.EE ++ ++- Set files with the winbind_log_t type, if you want to treat the data as winbind log data, usually stored under the /var/log directory. 
++ ++ ++.EX ++.PP ++.B winbind_var_run_t ++.EE ++ ++- Set files with the winbind_var_run_t type, if you want to store the winbind files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/winbindd(/.*)?, /var/run/samba/winbindd(/.*)?, /var/lib/samba/winbindd_privileged(/.*)?, /var/cache/samba/winbindd_privileged(/.*)? ++ +.PP -+If you want to allow confined applications to run with kerberos for the winbind_helper_t, winbind_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -104636,11 +193970,11 @@ index 0000000..63e0898 \ No newline at end of file diff --git a/man/man8/wine_selinux.8 b/man/man8/wine_selinux.8 new file mode 100644 -index 0000000..b6b7f15 +index 0000000..6b86ef7 --- /dev/null +++ b/man/man8/wine_selinux.8 -@@ -0,0 +1,124 @@ -+.TH "wine_selinux" "8" "12-11-01" "wine" "SELinux Policy documentation for wine" +@@ -0,0 +1,187 @@ ++.TH "wine_selinux" "8" "13-01-16" "wine" "SELinux Policy documentation for wine" +.SH "NAME" +wine_selinux \- Security Enhanced Linux Policy for the wine processes +.SH "DESCRIPTION" 
@@ -104656,9 +193990,11 @@ index 0000000..b6b7f15 + +.SH "ENTRYPOINTS" + -+The wine_t SELinux type can be entered via the "wine_exec_t" file type. The default entrypoint paths for the wine_t domain are the following:" ++The wine_t SELinux type can be entered via the \fBwine_exec_t\fP file type. + -+/usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/msiexec, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/progman, /opt/google/picasa(/.*)?/bin/regedit, /opt/google/picasa(/.*)?/bin/regsvr32, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*, /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad, /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller, /home/[^/]*/cxoffice/bin/wine.+, /home/dwalsh/cxoffice/bin/wine.+, /var/lib/xguest/home/xguest/cxoffice/bin/wine.+ ++The default entrypoint paths for the wine_t domain are the following: ++ ++/usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/msiexec, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/progman, /opt/google/picasa(/.*)?/bin/regedit, /opt/google/picasa(/.*)?/bin/regsvr32, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*, /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad, /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller, /home/[^/]*/cxoffice/bin/wine.+, /home/pwalsh/cxoffice/bin/wine.+, /home/dwalsh/cxoffice/bin/wine.+, /var/lib/xguest/home/xguest/cxoffice/bin/wine.+ +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -104674,27 +194010,69 @@ index 0000000..b6b7f15 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a wine_t ++can be used to make the process type wine_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. wine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run wine with the tightest access possible. + + +.PP -+If you want to ignore wine mmap_zero errors, you must turn on the wine_mmap_zero_ignore boolean. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.B setsebool -P wine_mmap_zero_ignore 1 ++.B setsebool -P deny_ptrace 1 ++ +.EE + +.PP -+If you want to ignore wine mmap_zero errors, you must turn on the wine_mmap_zero_ignore boolean. ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.B setsebool -P wine_mmap_zero_ignore 1 ++.B setsebool -P domain_fd_use 1 ++ +.EE + ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr, you must turn on the mmap_low_allowed boolean. Disabled by default. ++ ++.EX ++.B setsebool -P mmap_low_allowed 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type wine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B wine_tmp_t ++ ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -104703,7 +194081,20 @@ index 0000000..b6b7f15 +Policy governs the access confined processes have to these files. +SELinux wine policy is very flexible allowing users to setup their wine processes in as secure a method as possible. +.PP -+The following file types are defined for wine: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the wine, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t wine_exec_t '/srv/wine/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mywine_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for wine: + + +.EX 
@@ -104713,6 +194104,22 @@ index 0000000..b6b7f15 + +- Set files with the wine_exec_t type, if you want to transition an executable to the wine_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/wine.*, /opt/teamviewer(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/msiexec, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/progman, /opt/google/picasa(/.*)?/bin/regedit, /opt/google/picasa(/.*)?/bin/regsvr32, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/cxoffice/bin/wine.*, /opt/picasa/wine/bin/wine.*, /usr/bin/msiexec, /usr/bin/notepad, /usr/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller, /home/[^/]*/cxoffice/bin/wine.+, /home/pwalsh/cxoffice/bin/wine.+, /home/dwalsh/cxoffice/bin/wine.+, /var/lib/xguest/home/xguest/cxoffice/bin/wine.+ ++ ++.EX ++.PP ++.B wine_home_t ++.EE ++ ++- Set files with the wine_home_t type, if you want to store wine files in the users home directory. ++ ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.wine(/.*)?, /home/pwalsh/\.wine(/.*)?, /home/dwalsh/\.wine(/.*)?, /var/lib/xguest/home/xguest/\.wine(/.*)? + +.EX +.PP @@ -104729,16 +194136,6 @@ index 0000000..b6b7f15 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type wine_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B wine_tmp_t -+ -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -104767,11 +194164,11 @@ index 0000000..b6b7f15 \ No newline at end of file diff --git a/man/man8/wireshark_selinux.8 b/man/man8/wireshark_selinux.8 new file mode 100644 -index 0000000..58e07b9 +index 0000000..0b16e0b --- /dev/null 
+++ b/man/man8/wireshark_selinux.8 -@@ -0,0 +1,184 @@ -+.TH "wireshark_selinux" "8" "12-11-01" "wireshark" "SELinux Policy documentation for wireshark" +@@ -0,0 +1,385 @@ ++.TH "wireshark_selinux" "8" "13-01-16" "wireshark" "SELinux Policy documentation for wireshark" +.SH "NAME" +wireshark_selinux \- Security Enhanced Linux Policy for the wireshark processes +.SH "DESCRIPTION" @@ -104787,7 +194184,9 @@ index 0000000..58e07b9 + +.SH "ENTRYPOINTS" + -+The wireshark_t SELinux type can be entered via the "wireshark_exec_t" file type. The default entrypoint paths for the wireshark_t domain are the following:" ++The wireshark_t SELinux type can be entered via the \fBwireshark_exec_t\fP file type. ++ ++The default entrypoint paths for the wireshark_t domain are the following: + +/usr/bin/wireshark +.SH PROCESS TYPES 
@@ -104805,8 +194204,262 @@ index 0000000..58e07b9 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a wireshark_t ++can be used to make the process type wireshark_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. wireshark policy is extremely flexible and has several booleans that allow you to manipulate the policy and run wireshark with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the wireshark_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the wireshark_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type wireshark_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B user_fonts_cache_t ++ ++ /root/\.fontconfig(/.*)? ++.br ++ /root/\.fonts/auto(/.*)? ++.br ++ /root/\.fonts\.cache-.* ++.br ++ /home/[^/]*/\.fontconfig(/.*)? ++.br ++ /home/[^/]*/\.fonts/auto(/.*)? ++.br ++ /home/[^/]*/\.fonts\.cache-.* ++.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br ++ /home/dwalsh/\.fontconfig(/.*)? ++.br ++ /home/dwalsh/\.fonts/auto(/.*)? ++.br ++ /home/dwalsh/\.fonts\.cache-.* ++.br ++ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? 
++.br ++ /var/lib/xguest/home/xguest/\.fonts\.cache-.* ++.br ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B wireshark_home_t ++ ++ /home/[^/]*/\.wireshark(/.*)? ++.br ++ /home/pwalsh/\.wireshark(/.*)? ++.br ++ /home/dwalsh/\.wireshark(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.wireshark(/.*)? ++.br ++ ++.br ++.B wireshark_tmp_t ++ ++ ++.br ++.B wireshark_tmpfs_t ++ ++ ++.br ++.B xserver_tmpfs_t ++ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -104816,7 +194469,20 @@ index 0000000..58e07b9 +Policy governs the access confined processes have to these files. +SELinux wireshark policy is very flexible allowing users to setup their wireshark processes in as secure a method as possible. +.PP -+The following file types are defined for wireshark: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the wireshark, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t wireshark_exec_t '/srv/wireshark/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mywireshark_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for wireshark: + + +.EX @@ -104834,6 +194500,10 @@ index 0000000..58e07b9 + +- Set files with the wireshark_home_t type, if you want to store wireshark files in the users home directory. + ++.br ++.TP 5 ++Paths: ++/home/[^/]*/\.wireshark(/.*)?, /home/pwalsh/\.wireshark(/.*)?, /home/dwalsh/\.wireshark(/.*)?, /var/lib/xguest/home/xguest/\.wireshark(/.*)? + +.EX +.PP 
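Review bot: In the @@ -104805 hunk (wireshark BOOLEANS, NSSWITCH DOMAIN and MANAGED FILES), the new MANAGED FILES list adds cifs_t, ecryptfs_t, fusefs_t and nfs_t with no indication of whether wireshark_t gets that access unconditionally or only when the use_samba_home_dirs / use_ecryptfs_home_dirs / use_fusefs_home_dirs / use_nfs_home_dirs booleans described earlier in the same hunk are on; if the access is boolean-gated, say so next to each type, otherwise a reader will assume a packet-capture tool can write to every NFS and CIFS mount by default. Several entries (cifs_t, fusefs_t, nfs_t, wireshark_tmp_t, wireshark_tmpfs_t, xserver_tmpfs_t) are listed with an empty path block; one sentence explaining that these types are assigned by mount or by type transition rather than by path would avoid the impression that the list is truncated. Wording in the same hunk: "If you want to allows clients to write to the X server shared memory segments" should read "allow", and "rather then using a sssd server" (both the BOOLEANS and the NSSWITCH DOMAIN copy) should read "rather than".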
@@ -104858,82 +194528,6 @@ index 0000000..58e07b9 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type wireshark_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B user_fonts_cache_t -+ -+ /root/\.fontconfig(/.*)? -+.br -+ /root/\.fonts/auto(/.*)? -+.br -+ /root/\.fonts\.cache-.* -+.br -+ /home/[^/]*/\.fontconfig(/.*)? -+.br -+ /home/[^/]*/\.fonts/auto(/.*)? -+.br -+ /home/[^/]*/\.fonts\.cache-.* -+.br -+ /home/dwalsh/\.fontconfig(/.*)? -+.br -+ /home/dwalsh/\.fonts/auto(/.*)? -+.br -+ /home/dwalsh/\.fonts\.cache-.* -+.br -+ /var/lib/xguest/home/xguest/\.fontconfig(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.fonts/auto(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.fonts\.cache-.* -+.br -+ -+.br -+.B user_home_t -+ -+ /home/[^/]*/.+ -+.br -+ /home/dwalsh/.+ -+.br -+ /var/lib/xguest/home/xguest/.+ -+.br -+ -+.br -+.B wireshark_home_t -+ -+ /home/[^/]*/\.wireshark(/.*)? -+.br -+ /home/dwalsh/\.wireshark(/.*)? -+.br -+ /var/lib/xguest/home/xguest/\.wireshark(/.*)? -+.br -+ -+.br -+.B wireshark_tmp_t -+ -+ -+.br -+.B wireshark_tmpfs_t -+ -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the wireshark_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the wireshark_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -104944,6 +194538,9 @@ index 0000000..58e07b9 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -104955,13 +194552,15 @@ index 0000000..58e07b9 + +.SH "SEE ALSO" +selinux(8), wireshark(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/wpa_cli_selinux.8 b/man/man8/wpa_cli_selinux.8 new file mode 100644 -index 0000000..2ea0f25 +index 0000000..4b464a6 --- /dev/null +++ b/man/man8/wpa_cli_selinux.8 -@@ -0,0 +1,86 @@ -+.TH "wpa_cli_selinux" "8" "12-11-01" "wpa_cli" "SELinux Policy documentation for wpa_cli" +@@ -0,0 +1,159 @@ ++.TH "wpa_cli_selinux" "8" "13-01-16" "wpa_cli" "SELinux Policy documentation for wpa_cli" +.SH "NAME" +wpa_cli_selinux \- Security Enhanced Linux Policy for the wpa_cli processes +.SH "DESCRIPTION" @@ -104977,7 +194576,9 @@ index 0000000..2ea0f25 + +.SH "ENTRYPOINTS" + -+The wpa_cli_t SELinux type can be entered via the "wpa_cli_exec_t" file type. The default entrypoint paths for the wpa_cli_t domain are the following:" ++The wpa_cli_t SELinux type can be entered via the \fBwpa_cli_exec_t\fP file type. ++ ++The default entrypoint paths for the wpa_cli_t domain are the following: + +/sbin/wpa_cli, /usr/sbin/wpa_cli +.SH PROCESS TYPES 
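Review bot: The two lines added in the @@ -104944 hunk, ".B semanage boolean" and "can also be used to manipulate the booleans", do not follow the pattern of the surrounding COMMANDS entries: there is no ".PP" before them, so they run on from the "semanage module" sentence, and the sentence has no terminating period. The identical pair is added to the wpa_cli, xauth and xdm_dbusd pages later in this patch, so fix it in the generator template rather than in each page. In the @@ -104955 hunk the SEE ALSO addition ", setsebool(8)" is emitted as a separate input line starting with a comma; troff fills consecutive text lines with a space between them, so the output reads "sepolicy(8) , setsebool(8)". Append it to the existing "selinux(8), wireshark(8), ..." line instead (and the file still ends without a newline, per the marker that follows).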
@@ -104995,8 +194596,60 @@ index 0000000..2ea0f25 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a wpa_cli_t ++can be used to make the process type wpa_cli_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. wpa_cli policy is extremely flexible and has several booleans that allow you to manipulate the policy and run wpa_cli with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
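Review bot: The deny_ptrace paragraph added in the @@ -104995 hunk contradicts itself: "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" is followed by the example "setsebool -P deny_ptrace 1", but a boolean named deny_ptrace set to 1 reads as denying ptrace, not allowing it. Either the description text is inverted or the example should set the boolean to 0; the stated default ("Enabled by default") should be confirmed with "semanage boolean -l" on a system with this policy build before the page ships. The same paragraph is generated into the wireshark, xauth and xdm_dbusd pages in this patch, so the boolean description used by the generator is the place to correct it.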
@@ -105006,7 +194659,20 @@ index 0000000..2ea0f25 +Policy governs the access confined processes have to these files. +SELinux wpa_cli policy is very flexible allowing users to setup their wpa_cli processes in as secure a method as possible. +.PP -+The following file types are defined for wpa_cli: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the wpa_cli, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t wpa_cli_exec_t '/srv/wpa_cli/content(/.*)?' ++.br ++.B restorecon -R -v /srv/mywpa_cli_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for wpa_cli: + + +.EX @@ -105016,6 +194682,10 @@ index 0000000..2ea0f25 + +- Set files with the wpa_cli_exec_t type, if you want to transition an executable to the wpa_cli_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/wpa_cli, /usr/sbin/wpa_cli + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -105024,8 +194694,6 @@ index 0000000..2ea0f25 +.B restorecon +to apply the labels. + -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -105036,6 +194704,9 @@ index 0000000..2ea0f25 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -105047,13 +194718,15 @@ index 0000000..2ea0f25 + +.SH "SEE ALSO" +selinux(8), wpa_cli(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file 
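Review bot: The STANDARD FILE CONTEXT example added in the @@ -105006 hunk tells the reader to label a data directory with the domain's entrypoint type: "semanage fcontext -a -t wpa_cli_exec_t '/srv/wpa_cli/content(/.*)?'". Per the ENTRYPOINTS section of this same page, wpa_cli_exec_t is how a process enters wpa_cli_t, so every file under that directory would become an executable entrypoint into the domain; a content directory is exactly the wrong thing to give that label. Since wpa_cli defines no non-exec file type, either omit this template paragraph for pages whose only type is the exec type, or have the generator pick a non-entrypoint type when one exists (the wireshark and xauth pages in this patch get the same template with wireshark_exec_t and xauth_exec_t). Two smaller problems in the same lines: "restorecon -R -v /srv/mywpa_cli_content" does not match the regex that was just registered, so the second command would not apply the new label to anything, and "diffent" / "sepecify" are typos.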
diff --git a/man/man8/xauth_selinux.8 b/man/man8/xauth_selinux.8 new file mode 100644 -index 0000000..4e36630 +index 0000000..ebcfde0 --- /dev/null +++ b/man/man8/xauth_selinux.8 -@@ -0,0 +1,232 @@ -+.TH "xauth_selinux" "8" "12-11-01" "xauth" "SELinux Policy documentation for xauth" +@@ -0,0 +1,413 @@ ++.TH "xauth_selinux" "8" "13-01-16" "xauth" "SELinux Policy documentation for xauth" +.SH "NAME" +xauth_selinux \- Security Enhanced Linux Policy for the xauth processes +.SH "DESCRIPTION" @@ -105069,7 +194742,9 @@ index 0000000..4e36630 + +.SH "ENTRYPOINTS" + -+The xauth_t SELinux type can be entered via the "xauth_exec_t" file type. The default entrypoint paths for the xauth_t domain are the following:" ++The xauth_t SELinux type can be entered via the \fBxauth_exec_t\fP file type. ++ ++The default entrypoint paths for the xauth_t domain are the following: + +/usr/bin/xauth, /usr/X11R6/bin/xauth +.SH PROCESS TYPES 
@@ -105087,60 +194762,176 @@ index 0000000..4e36630 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a xauth_t ++can be used to make the process type xauth_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux xauth policy is very flexible allowing users to setup their xauth processes in as secure a method as possible. -+.PP -+The following file types are defined for xauth: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. xauth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xauth with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B xauth_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the xauth_exec_t type, if you want to transition an executable to the xauth_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B xauth_home_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the xauth_home_t type, if you want to store xauth files in the users home directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
+ +.EX -+.PP -+.B xauth_tmp_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the xauth_tmp_t type, if you want to store xauth temporary files in the /tmp directories. ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the xauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the xauth_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type xauth_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br +.B user_home_t + + /home/[^/]*/.+ +.br ++ /home/pwalsh/.+ ++.br + /home/dwalsh/.+ +.br + /var/lib/xguest/home/xguest/.+ @@ -105153,6 +194944,8 @@ index 0000000..4e36630 +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest 
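Review bot: The @@ -105087 and @@ -105153 hunks add a named developer's home directory to the packaged documentation ("++ /home/pwalsh/\.Private(/.*)?", "++ /home/pwalsh/.+", "++ /tmp/gconfd-pwalsh"), next to the /home/dwalsh and /var/lib/xguest/home/xguest entries that were already there. These per-user paths are not part of the policy; they appear to be expanded from the local user and login configuration of the host on which "sepolicy manpage" was run (the AUTHOR section states the pages are auto-generated), so they are meaningless on any other system and grow with every account on the build machine. Regenerate the man pages on a host with no local semanage customizations, or have the generator keep only the generic /home/[^/]* form of each HOME_DIR pattern.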
@@ -105185,6 +194978,14 @@ index 0000000..4e36630 +.br + /home/[^/]*/\.Xauthority.* +.br ++ /home/pwalsh/\.xauth.* ++.br ++ /home/pwalsh/\.Xauth.* ++.br ++ /home/pwalsh/\.serverauth.* ++.br ++ /home/pwalsh/\.Xauthority.* ++.br + /home/dwalsh/\.xauth.* +.br + /home/dwalsh/\.Xauth.* @@ -105221,10 +195022,10 @@ index 0000000..4e36630 + + /etc/kde[34]?/kdm/backgroundrc +.br -+ /var/run/[gx]dm\.pid -+.br + /var/run/[kgm]dm(/.*)? +.br ++ /var/run/gdm(3)?\.pid ++.br + /usr/lib/qt-.*/etc/settings(/.*)? +.br + /var/run/slim.* @@ -105241,6 +195042,8 @@ index 0000000..4e36630 +.br + /var/run/systemd/multi-session-x(/.*)? +.br ++ /var/run/xdm\.pid ++.br + /var/run/lxdm\.pid +.br + /var/run/lxdm\.auth 
@@ -105248,21 +195051,68 @@ index 0000000..4e36630 + /var/run/gdm_socket +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux xauth policy is very flexible allowing users to setup their xauth processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the xauth, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t xauth_exec_t '/srv/xauth/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myxauth_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for xauth: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B xauth_exec_t +.EE + ++- Set files with the xauth_exec_t type, if you want to transition an executable to the xauth_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/xauth, /usr/X11R6/bin/xauth ++ ++.EX ++.PP ++.B xauth_home_t ++.EE ++ ++- Set files with the xauth_home_t type, if you want to store xauth files in the users home directory. 
++ ++.br ++.TP 5 ++Paths: ++/root/\.xauth.*, /root/\.Xauth.*, /root/\.serverauth.*, /root/\.Xauthority.*, /var/lib/pqsql/\.xauth.*, /var/lib/pqsql/\.Xauthority.*, /var/lib/nxserver/home/\.xauth.*, /var/lib/nxserver/home/\.Xauthority.*, /home/[^/]*/\.xauth.*, /home/[^/]*/\.Xauth.*, /home/[^/]*/\.serverauth.*, /home/[^/]*/\.Xauthority.*, /home/pwalsh/\.xauth.*, /home/pwalsh/\.Xauth.*, /home/pwalsh/\.serverauth.*, /home/pwalsh/\.Xauthority.*, /home/dwalsh/\.xauth.*, /home/dwalsh/\.Xauth.*, /home/dwalsh/\.serverauth.*, /home/dwalsh/\.Xauthority.*, /var/lib/xguest/home/xguest/\.xauth.*, /var/lib/xguest/home/xguest/\.Xauth.*, /var/lib/xguest/home/xguest/\.serverauth.*, /var/lib/xguest/home/xguest/\.Xauthority.* ++ ++.EX ++.PP ++.B xauth_tmp_t ++.EE ++ ++- Set files with the xauth_tmp_t type, if you want to store xauth temporary files in the /tmp directories. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the xauth_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -105274,6 +195124,9 @@ index 0000000..4e36630 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
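Review bot: The re-added line "++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP" in the @@ -105248 hunk carries a troff error: "\b" is the bracket-building escape, not a font change, so the font is never switched back after "ls" and the output is garbled; it should be "\fBls\fP". The same mistake was in the removed copy and appears as "\fBps\bP" in the PROCESS TYPES text of every page in this patch, so fix it once in the template. In the same hunk, the xauth_home_t Paths list contains "/var/lib/pqsql/\.xauth.*" and "/var/lib/pqsql/\.Xauthority.*"; if "pqsql" is a typo for "pgsql", X authority files in the real PostgreSQL home directory will not receive xauth_home_t, so this should be checked in the file-context source rather than only in the generated page.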
@@ -105285,13 +195138,276 @@ index 0000000..4e36630 + +.SH "SEE ALSO" +selinux(8), xauth(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/xdm_dbusd_selinux.8 b/man/man8/xdm_dbusd_selinux.8 +new file mode 100644 +index 0000000..9a44f8b +--- /dev/null ++++ b/man/man8/xdm_dbusd_selinux.8 +@@ -0,0 +1,254 @@ ++.TH "xdm_dbusd_selinux" "8" "13-01-16" "xdm_dbusd" "SELinux Policy documentation for xdm_dbusd" ++.SH "NAME" ++xdm_dbusd_selinux \- Security Enhanced Linux Policy for the xdm_dbusd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the xdm_dbusd processes via flexible mandatory access control. ++ ++The xdm_dbusd processes execute with the xdm_dbusd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep xdm_dbusd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The xdm_dbusd_t SELinux type can be entered via the \fBdbusd_exec_t\fP file type. ++ ++The default entrypoint paths for the xdm_dbusd_t domain are the following: ++ ++/usr/bin/dbus-daemon(-1)?, /bin/dbus-daemon, /lib/dbus-1/dbus-daemon-launch-helper, /usr/lib/dbus-1/dbus-daemon-launch-helper ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux xdm_dbusd policy is very flexible allowing users to setup their xdm_dbusd processes in as secure a method as possible. ++.PP ++The following process types are defined for xdm_dbusd: ++ ++.EX ++.B xdm_dbusd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a xdm_dbusd_t ++can be used to make the process type xdm_dbusd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. 
++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. xdm_dbusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xdm_dbusd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the xdm_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the xdm_dbusd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type xdm_dbusd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? 
++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B session_dbusd_tmp_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmpfs_t ++ ++ /dev/shm/mono.* ++.br ++ /dev/shm/pulse-shm.* ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), xdm_dbusd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), xdm_selinux(8), xdm_selinux(8) +\ No newline at end of file diff --git a/man/man8/xdm_selinux.8 b/man/man8/xdm_selinux.8 new file mode 100644 -index 0000000..b6a703d +index 0000000..cda504c --- /dev/null +++ b/man/man8/xdm_selinux.8 -@@ -0,0 +1,758 @@ -+.TH "xdm_selinux" "8" "12-11-01" "xdm" "SELinux Policy documentation for xdm" +@@ -0,0 +1,1027 @@ ++.TH "xdm_selinux" "8" "13-01-16" "xdm" "SELinux Policy documentation for xdm" +.SH "NAME" +xdm_selinux \- Security Enhanced Linux Policy for the xdm processes +.SH "DESCRIPTION" 
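Review bot: In the new xdm_dbusd_selinux.8 added by the @@ -105285 hunk, the SEE ALSO line ends with ", setsebool(8), xdm_selinux(8), xdm_selinux(8)"; drop the duplicate reference. More important for a reader, the ENTRYPOINTS section says xdm_dbusd_t is entered via dbusd_exec_t, the file type of /usr/bin/dbus-daemon itself, so nothing on this page tells the reader that only the dbus-daemon started by the display manager ends up in xdm_dbusd_t while other dbus-daemon instances do not; one sentence stating which parent domain produces this transition, with the cross-reference to xdm_selinux(8) that SEE ALSO already carries, would make the page usable. The PROCESS TYPES text also has the "\fBps\bP" escape error noted on the xauth page, and the "semanage boolean" COMMANDS entry again lacks its ".PP" and trailing period.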
@@ -105307,9 +195423,12 @@ index 0000000..b6a703d + +.SH "ENTRYPOINTS" + -+The xdm_t SELinux type can be entered via the "xdm_exec_t,bin_t" file types. The default entrypoint paths for the xdm_t domain are the following:" ++The xdm_t SELinux type can be entered via the \fBxdm_exec_t, bin_t\fP file types. + -+/usr/(s)?bin/lightdm*, /usr/(s)?bin/[mxgkw]dm, /usr/(s)?bin/gdm-binary, /usr/(s)?bin/lxdm(-binary)?, /usr/X11R6/bin/[xgkw]dm, /usr/bin/slim, /usr/bin/gpe-dm, /opt/kde3/bin/kdm, /usr/sbin/mdm-binary, /bin/.*, /opt/(.*/)?bin(/.*)?, /usr/(.*/)?Bin(/.*)?, /usr/(.*/)?bin(/.*)?, /usr/(.*/)?sbin(/.*)?, /opt/(.*/)?sbin(/.*)?, /opt/(.*/)?libexec(/.*)?, /sbin/.*, /usr/lib(.*/)?bin(/.*)?, /usr/lib(.*/)?sbin(/.*)?, /etc/gdm/[^/]+, /root/bin(/.*)?, /etc/gdm/[^/]+/.*, /etc/cron.daily(/.*)?, /etc/cron.weekly(/.*)?, /etc/cron.hourly(/.*)?, /etc/cron.monthly(/.*)?, /usr/lib/.*/program(/.*)?, /usr/lib/.*/scripts(/.*)?, /usr/lib/[^/]*/run-mozilla\.sh, /usr/lib/[^/]*/mozilla-xremote-client, /usr/lib/[^/]*thunderbird[^/]*/thunderbird, /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh, /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin, /lib/udev/[^/]*, /etc/auto\.[^/]*, /etc/avahi/.*\.action, /usr/lib/qt.*/bin(/.*)?, /usr/lib/yp/.+, /var/ftp/bin(/.*)?, /usr/Brother(/.*)?, /usr/Printer(/.*)?, /usr/libexec(/.*)?, /lib/upstart(/.*)?, /etc/kde/env(/.*)?, /etc/profile.d(/.*)?, /var/mailman.*/bin(/.*)?, /etc/lxdm/Pre.*, /etc/hotplug/.*rc, /usr/lib/cups(/.*)?, /etc/hotplug/.*agent, /usr/Brother/(.*/)?inf/setup.*, /usr/Brother/(.*/)?inf/brprintconf.*, /usr/lib/dpkg/.+, /etc/lxdm/Post.*, /usr/lib/udev/[^/]*, /var/qmail/bin(/.*)?, /usr/lib/xfce4(/.*)?, /usr/lib/fence(/.*)?, /etc/X11/xinit(/.*)?, /lib/readahead(/.*)?, /etc/netplug\.d(/.*)?, /usr/lib/gimp/.*/plug-ins(/.*)?, /usr/lib/ipsec/.*, /etc/ppp/ip-up\..*, /usr/bin/pingus.*, /etc/cipe/ip-up.*, /usr/lib/dracut(/.*)?, /etc/pm/power\.d(/.*)?, /etc/pm/sleep\.d(/.*)?, /etc/redhat-lsb(/.*)?, /usr/lib/tuned/.*/.*\.sh, /usr/lib/xen/bin(/.*)?, 
/usr/lib/upstart(/.*)?, /usr/lib/courier(/.*)?, /etc/xen/scripts(/.*)?, /usr/share/tucan.*/tucan.py, /usr/lib/mailman.*/bin(/.*)?, /usr/lib/mailman.*/mail(/.*)?, /etc/ppp/ipv6-up\..*, /etc/ppp/ip-down\..*, /etc/cipe/ip-down.*, /usr/share/hplip/[^/]*, /usr/lib/news/bin(/.*)?, /usr/lib/pm-utils(/.*)?, /etc/vmware-tools(/.*)?, /etc/kde/shutdown(/.*)?, /etc/acpi/actions(/.*)?, /etc/pki/tls/misc(/.*)?, /usr/lib/jvm/java(.*/)bin(/.*), /usr/lib/tumbler-[^/]*/tumblerd, /usr/lib/readahead(/.*)?, /opt/google/chrome(/.*)?, /etc/munin/plugins(/.*)?, /usr/lib/bluetooth(/.*)?, /usr/lib/debug/bin(/.*)?, /usr/lib/xulrunner[^/]*/updater, /usr/lib/xulrunner[^/]*/crashreporter, /usr/lib/xulrunner[^/]*/xulrunner[^/]*, /usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?, /usr/share/debconf/.+, /etc/ppp/ipv6-down\..*, /usr/share/cluster/.*\.sh, /usr/share/sectool/.*\.py, /usr/share/ssl/misc(/.*)?, /usr/share/e16/misc(/.*)?, /usr/lib/ccache/bin(/.*)?, /etc/racoon/scripts(/.*)?, /usr/lib/debug/sbin(/.*)?, /usr/lib/ruby/gems/.*/agents(/.*)?, /usr/share/mc/extfs/.*, /usr/lib/apt/methods.+, /usr/lib/portage/bin(/.*)?, /usr/lib/MailScanner(/.*)?, /etc/mcelog/triggers(/.*)?, /etc/dhcp/dhclient\.d(/.*)?, /emul/ia32-linux/bin(/.*)?, /usr/lib/libreoffice(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/bin(/.*)?, /emul/ia32-linux/usr(/.*)?/Bin(/.*)?, /emul/ia32-linux/usr(/.*)?/sbin(/.*)?, /usr/lib/thunderbird.*/mozilla-xremote-client, /usr/lib/cyrus-imapd/.*, /usr/share/createrepo(/.*)?, /emul/ia32-linux/sbin(/.*)?, /usr/share/virtualbox/.*\.sh, /usr/share/wicd/daemon(/.*)?, /usr/share/hal/scripts(/.*)?, /lib/security/pam_krb5(/.*)?, /opt/google/talkplugin(/.*)?, /etc/PackageKit/events(/.*)?, /usr/lib/debug/usr/bin(/.*)?, /usr/lib/vmware-tools/(s)?bin64(/.*)?, /usr/lib/vmware-tools/(s)?bin32(/.*)?, /etc/gdm/XKeepsCrashing[^/]*, /usr/lib/oracle/xe/apps(/.*)?, /usr/share/Modules/init(/.*)?, /usr/share/smolt/client(/.*)?, /usr/lib/nagios/plugins(/.*)?, /usr/lib/debug/usr/sbin(/.*)?, 
/usr/share/apr-0/build/[^/]+\.sh, /usr/lib/emacsen-common/.*, /usr/share/ajaxterm/qweb.py.*, /var/lib/asterisk/agi-bin(/.*)?, /usr/share/shorewall-perl(/.*)?, /usr/share/shorewall-lite(/.*)?, /usr/linuxprinter/filters(/.*)?, /usr/lib/netsaint/plugins(/.*)?, /usr/lib/chromium-browser(/.*)?, /usr/share/turboprint/lib(/.*)?, /usr/lib/nfs-utils/scripts(/.*)?, /usr/share/shorewall6-lite(/.*)?, /usr/share/shorewall-shell(/.*)?, /usr/share/vhostmd/scripts(/.*)?, /usr/lib/debug/usr/libexec(/.*)?, /etc/ConsoleKit/run-seat\.d(/.*)?, /usr/lib/nspluginwrapper/np.*, /usr/share/sandbox/sandboxX.sh, /usr/lib/ConsoleKit/scripts(/.*)?, /usr/share/ajaxterm/ajaxterm.py.*, /usr/lib/pgsql/test/regress/.*\.sh, /usr/share/denyhosts/scripts(/.*)?, /usr/share/denyhosts/plugins(/.*)?, /emul/ia32-linux/usr/libexec(/.*)?, /usr/lib/mediawiki/math/texvc.*, /usr/share/PackageKit/helpers(/.*)?, /etc/ConsoleKit/run-session\.d(/.*)?, /etc/hotplug\.d/default/default.*, /usr/lib/systemd/system-sleep/(.*)?, /opt/gutenprint/cups/lib/filter(/.*)?, /usr/share/system-config-network(/netconfig)?/[^/]+\.py, /usr/lib/ConsoleKit/run-session\.d(/.*)?, /etc/sysconfig/network-scripts/net.*, /etc/sysconfig/network-scripts/ifup.*, /etc/sysconfig/network-scripts/init.*, /usr/share/kde4/apps/kajongg/kajongg.py, /etc/sysconfig/network-scripts/ifdown.*, /opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?, /usr/share/gedit-2/plugins/externaltools/tools(/.*)?, /bin, /sbin, /usr/bin, /dev/MAKEDEV, /var/qmail/rc, /var/qmail/bin, /etc/mail/make, /bin/mountpoint, /usr/lib/rpm/rpmq, /usr/lib/rpm/rpmv, /usr/lib/rpm/rpmd, /usr/lib/rpm/rpmk, /lib/udev/scsi_id, /sbin/mkfs\.cramfs, /etc/xen/qemu-ifup, /etc/lxdm/Xsession, /etc/sysconfig/init, /usr/bin/mountpoint, /etc/apcupsd/commok, /usr/lib/sftp-server, /etc/sysconfig/crond, /etc/lxdm/LoginReady, /usr/sbin/mkfs\.cramfs, /usr/lib/udev/scsi_id, /etc/X11/xdm/Xsetup_0, /etc/init\.d/functions, /etc/apcupsd/changeme, /usr/lib/iscan/network, /etc/apcupsd/onbattery, 
/usr/lib/yaboot/addnote, /etc/sysconfig/libvirtd, /etc/apcupsd/apccontrol, /etc/apcupsd/offbattery, /usr/lib/wicd/monitor\.py, /etc/X11/xdm/TakeConsole, /etc/X11/xdm/GiveConsole, /etc/apcupsd/commfailure, /usr/lib/misc/sftp-server, /etc/sysconfig/netconsole, /lib/udev/devices/MAKEDEV, /var/lib/iscan/interpreter, /etc/rc\.d/init\.d/functions, /etc/apcupsd/masterconnect, /etc/apcupsd/mastertimeout, /usr/share/pydict/pydict\.py, /usr/share/clamav/clamd-gen, /sbin/insmod_ksymoops_clean, /etc/mgetty\+sendfax/new_fax, /usr/lib/xfce4/panel/migrate, /usr/lib/xfce4/panel/wrapper, /etc/sysconfig/readonly-root, /usr/lib/vte/gnome-pty-helper, /usr/lib/udev/devices/MAKEDEV, /usr/lib/xfce4/xfconf/xfconfd, /usr/share/cvs/contrib/rcs2log, /usr/share/hwbrowser/hwbrowser, /usr/X11R6/lib/X11/xkb/xkbcomp, /usr/lib/virtualbox/VBoxManage, /usr/share/cluster/SAPInstance, /usr/share/cluster/checkquorum, /usr/share/shorewall/getparams, /usr/share/apr-0/build/libtool, /usr/share/cluster/SAPDatabase, /etc/hotplug/hotplug\.functions, /usr/share/texmf/web2c/mktexdir, /usr/share/texmf/web2c/mktexnam, /usr/share/texmf/web2c/mktexupd, /usr/share/shorewall/configpath, /usr/sbin/insmod_ksymoops_clean, /etc/mcelog/cache-error-trigger, /usr/share/shorewall/compiler\.pl, /usr/share/dayplanner/dayplanner, /usr/libexec/openssh/sftp-server, /usr/share/texmf/texconfig/tcfmgr, /usr/share/clamav/freshclam-sleep, /usr/share/cluster/svclib_nfslock, /usr/share/cluster/ocf-shellfuncs, /usr/lib/xfce4/exo-1/exo-helper-1, /usr/share/pwlib/make/ptlib-config, /usr/share/fedora-usermgmt/wrapper, /usr/share/printconf/util/print\.py, /usr/lib/xfce4/xfwm4/helper-dialog, /etc/pki/tls/certs/make-dummy-cert, /usr/share/rhn/rhn_applet/applet\.py, /usr/share/authconfig/authconfig\.py, /usr/share/spamassassin/sa-update\.cron, /usr/share/gnucash/finance-quote-check, /usr/share/cluster/fence_scsi_check\.pl, /usr/share/selinux/devel/policygentool, /usr/share/switchdesk/switchdesk-gui\.py, 
/usr/share/authconfig/authconfig-tui\.py, /usr/share/authconfig/authconfig-gtk\.py, /usr/share/gnucash/finance-quote-helper, /usr/share/gitolite/hooks/common/update, /usr/lib/xfce4/exo-1/exo-compose-mail-1, /usr/share/system-config-services/gui\.py, /lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-config-netboot/pxeos\.py, /usr/lib/xfce4/session/balou-export-theme, /usr/share/system-config-selinux/polgen\.py, /usr/share/system-config-nfs/nfs-export\.py, /usr/share/system-config-printer/applet\.py, /usr/share/PackageKit/pk-upgrade-distro\.sh, /usr/lib/xfce4/session/balou-install-theme, /usr/share/system-config-netboot/pxeboot\.py, /usr/lib/xfce4/session/xfsm-shutdown-helper, /usr/share/rhn/rhn_applet/needed-packages\.py, /usr/lib/security/pam_krb5/pam_krb5_storetmp, /usr/share/system-logviewer/system-logviewer\.py, /usr/share/system-config-network/neat-control\.py, /usr/share/system-config-services/serviceconf\.py, /usr/share/hal/device-manager/hal-device-manager, /usr/share/system-config-lvm/system-config-lvm\.py, /usr/share/system-config-nfs/system-config-nfs\.py, /usr/share/system-config-mouse/system-config-mouse, /usr/share/system-config-httpd/system-config-httpd, /usr/share/system-config-users/system-config-users, /usr/share/system-config-date/system-config-date\.py, /usr/share/doc/ghc/html/libraries/gen_contents_index, /usr/share/gitolite/hooks/gitolite-admin/post-update, /usr/share/system-config-samba/system-config-samba\.py, /usr/share/system-config-display/system-config-display, /usr/share/system-config-keyboard/system-config-keyboard, /usr/share/system-config-language/system-config-language, /usr/share/system-config-services/system-config-services, /usr/share/system-config-selinux/system-config-selinux\.py, /usr/share/system-config-netboot/system-config-netboot\.py, /usr/share/system-config-soundcard/system-config-soundcard, /usr/share/system-config-rootpassword/system-config-rootpassword, 
/usr/share/system-config-securitylevel/system-config-securitylevel\.py ++The default entrypoint paths for the xdm_t domain are the following: ++ ++All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin. ++/usr/(s)?bin/gdm(3)?, /usr/(s)?bin/lightdm*, /usr/(s)?bin/[mxgkw]dm, /usr/(s)?bin/gdm-binary, /usr/(s)?bin/lxdm(-binary)?, /usr/X11R6/bin/[xgkw]dm, /usr/bin/slim, /usr/bin/gpe-dm, /opt/kde3/bin/kdm, /usr/sbin/mdm-binary, /etc/rc\.d/init\.d/x11-common +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -105325,154 +195444,204 @@ index 0000000..b6a703d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a xdm_t ++can be used to make the process type xdm_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. xdm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xdm with the tightest access possible. + + +.PP -+If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean. ++If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean. Disabled by default. + +.EX +.B setsebool -P xdm_exec_bootloader 1 ++ +.EE + +.PP -+If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Disabled by default. + +.EX +.B setsebool -P xdm_sysadm_login 1 ++ +.EE + +.PP -+If you want to allow the graphical login program to execute bootloader, you must turn on the xdm_exec_bootloader boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P xdm_exec_bootloader 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. 
++If you want to allow users to login using a radius server, you must turn on the authlogin_radius boolean. Disabled by default. + +.EX -+.B setsebool -P xdm_sysadm_login 1 ++.B setsebool -P authlogin_radius 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux xdm policy is very flexible allowing users to setup their xdm processes in as secure a method as possible. -+.PP -+The following file types are defined for xdm: -+ ++If you want to allow users to login using a yubikey server, you must turn on the authlogin_yubikey boolean. Disabled by default. + +.EX -+.PP -+.B xdm_etc_t ++.B setsebool -P authlogin_yubikey 1 ++ +.EE + -+- Set files with the xdm_etc_t type, if you want to store xdm files in the /etc directories. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B xdm_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the xdm_exec_t type, if you want to transition an executable to the xdm_t domain. -+ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. + +.EX -+.PP -+.B xdm_home_t ++.B setsebool -P deny_execmem 1 ++ +.EE + -+- Set files with the xdm_home_t type, if you want to store xdm files in the users home directory. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
+ +.EX -+.PP -+.B xdm_lock_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the xdm_lock_t type, if you want to treat the files as xdm lock data, stored under the /var/lock directory -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B xdm_log_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the xdm_log_t type, if you want to treat the data as xdm log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B xdm_rw_etc_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the xdm_rw_etc_t type, if you want to store xdm rw files in the /etc directories. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B xdm_spool_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the xdm_spool_t type, if you want to store the xdm files under the /var/spool directory. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B xdm_tmp_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the xdm_tmp_t type, if you want to store xdm temporary files in the /tmp directories. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B xdm_tmpfs_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the xdm_tmpfs_t type, if you want to store xdm files on a tmpfs file system. -+ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
+ +.EX -+.PP -+.B xdm_unconfined_exec_t ++.B setsebool -P nis_enabled 1 ++ +.EE + -+- Set files with the xdm_unconfined_exec_t type, if you want to transition an executable to the xdm_unconfined_t domain. -+ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + +.EX -+.PP -+.B xdm_var_lib_t ++.B setsebool -P nscd_use_shm 1 ++ +.EE + -+- Set files with the xdm_var_lib_t type, if you want to store the xdm files under the /var/lib directory. -+ ++.PP ++If you want to enable polyinstantiated directory support, you must turn on the polyinstantiation_enabled boolean. Enabled by default. + +.EX -+.PP -+.B xdm_var_run_t ++.B setsebool -P polyinstantiation_enabled 1 ++ +.EE + -+- Set files with the xdm_var_run_t type, if you want to store the xdm files under the /run directory. ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. + ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the xdm_dbusd_t, xdm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the xdm_dbusd_t, xdm_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -105524,6 +195693,10 @@ index 0000000..b6a703d +.br + /home/[^/]*/\.google_authenticator~ +.br ++ /home/pwalsh/\.google_authenticator ++.br ++ /home/pwalsh/\.google_authenticator~ ++.br + /home/dwalsh/\.google_authenticator +.br + /home/dwalsh/\.google_authenticator~ @@ -105542,6 +195715,30 @@ index 0000000..b6a703d +.br + +.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br +.B etc_runtime_t + + /[^/]+ 
@@ -105562,10 +195759,10 @@ index 0000000..b6a703d +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions @@ -105574,10 +195771,10 @@ index 0000000..b6a703d +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE @@ -105600,12 +195797,12 @@ index 0000000..b6a703d + + /var/log/btmp.* +.br ++ /var/log/faillog.* ++.br ++ /var/log/tallylog.* ++.br + /var/run/faillock(/.*)? +.br -+ /var/log/faillog -+.br -+ /var/log/tallylog -+.br + +.br +.B fonts_cache_t @@ -105614,6 +195811,10 @@ index 0000000..b6a703d +.br + +.br ++.B fusefs_t ++ ++ ++.br +.B gconf_home_t + + /root/\.local.* @@ -105624,6 +195825,10 @@ index 0000000..b6a703d +.br + /home/[^/]*/\.gconf(d)?(/.*)? +.br ++ /home/pwalsh/\.local.* ++.br ++ /home/pwalsh/\.gconf(d)?(/.*)? ++.br + /home/dwalsh/\.local.* +.br + /home/dwalsh/\.gconf(d)?(/.*)? @@ -105676,7 +195881,7 @@ index 0000000..b6a703d +.br +.B lastlog_t + -+ /var/log/lastlog ++ /var/log/lastlog.* +.br + +.br @@ -105684,6 +195889,8 @@ index 0000000..b6a703d + + /etc/locale.conf +.br ++ /etc/vconsole.conf ++.br + /usr/lib/locale(/.*)? +.br + /usr/share/locale(/.*)? @@ -105706,6 +195913,10 @@ index 0000000..b6a703d +.br + +.br ++.B nfs_t ++ ++ ++.br +.B pam_var_console_t + + /var/run/console(/.*)? @@ -105724,20 +195935,6 @@ index 0000000..b6a703d +.br + +.br -+.B pcscd_var_run_t -+ -+ /var/run/pcscd(/.*)? -+.br -+ /var/run/pcscd\.events(/.*)? -+.br -+ /var/run/pcscd\.pid -+.br -+ /var/run/pcscd\.pub -+.br -+ /var/run/pcscd\.comm -+.br -+ -+.br +.B security_t + + /selinux @@ -105766,6 +195963,8 @@ index 0000000..b6a703d +.br + /home/[^/]*/\.fonts(/.*)? +.br ++ /home/pwalsh/\.fonts(/.*)? ++.br + /home/dwalsh/\.fonts(/.*)? +.br + /var/lib/xguest/home/xguest/\.fonts(/.*)? 
@@ -105778,6 +195977,8 @@ index 0000000..b6a703d +.br + /tmp/gconfd-.* +.br ++ /tmp/gconfd-pwalsh ++.br + /tmp/gconfd-dwalsh +.br + /tmp/gconfd-xguest @@ -105806,6 +196007,8 @@ index 0000000..b6a703d +.br + /var/lib/pam_shield(/.*)? +.br ++ /var/opt/quest/vas/vasd(/.*)? ++.br + /var/lib/google-authenticator(/.*)? +.br + @@ -105842,6 +196045,14 @@ index 0000000..b6a703d +.br + /home/[^/]*/\.Xauthority.* +.br ++ /home/pwalsh/\.xauth.* ++.br ++ /home/pwalsh/\.Xauth.* ++.br ++ /home/pwalsh/\.serverauth.* ++.br ++ /home/pwalsh/\.Xauthority.* ++.br + /home/dwalsh/\.xauth.* +.br + /home/dwalsh/\.Xauth.* @@ -105872,6 +196083,12 @@ index 0000000..b6a703d +.br + /home/[^/]*/\.xsession-errors.* +.br ++ /home/pwalsh/\.dmrc.* ++.br ++ /home/pwalsh/\.cache/gdm(/.*)? ++.br ++ /home/pwalsh/\.xsession-errors.* ++.br + /home/dwalsh/\.dmrc.* +.br + /home/dwalsh/\.cache/gdm(/.*)? @@ -105892,10 +196109,10 @@ index 0000000..b6a703d +.br +.B xdm_log_t + -+ /var/log/[mg]dm(/.*)? -+.br + /var/log/[mkwx]dm\.log.* +.br ++ /var/log/mdm(/.*)? ++.br + /var/log/lxdm\.log.* +.br + /var/log/slim\.log @@ -105936,6 +196153,8 @@ index 0000000..b6a703d +.br + /var/cache/[mg]dm(/.*)? +.br ++ /var/lib/gdm(3)?(/.*)? ++.br + /var/lib/lxdm(/.*)? +.br + /var/lib/lightdm(/.*)? @@ -105948,10 +196167,10 @@ index 0000000..b6a703d + + /etc/kde[34]?/kdm/backgroundrc +.br -+ /var/run/[gx]dm\.pid -+.br + /var/run/[kgm]dm(/.*)? +.br ++ /var/run/gdm(3)?\.pid ++.br + /usr/lib/qt-.*/etc/settings(/.*)? +.br + /var/run/slim.* @@ -105968,6 +196187,8 @@ index 0000000..b6a703d +.br + /var/run/systemd/multi-session-x(/.*)? +.br ++ /var/run/xdm\.pid ++.br + /var/run/lxdm\.pid +.br + /var/run/lxdm\.auth @@ -105992,6 +196213,8 @@ index 0000000..b6a703d +.br + /usr/var/[xgkw]dm(/.*)? +.br ++ /var/log/gdm(3)?(/.*)? ++.br + /var/log/Xorg.* +.br + /var/log/XFree86.* 
@@ -106005,22 +196228,184 @@ index 0000000..b6a703d +.B xserver_tmpfs_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux xdm policy is very flexible allowing users to setup their xdm processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xdm_dbusd_t, xdm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE ++.B EQUIVALENCE DIRECTORIES + +.PP -+If you want to allow confined applications to run with kerberos for the xdm_dbusd_t, xdm_t, you must turn on the kerberos_enabled boolean. ++xdm policy stores data with multiple different file context types under the /var/run/lxdm directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/lxdm /srv/lxdm ++.br ++.B restorecon -R -v /srv/lxdm ++.PP ++ ++.PP ++xdm policy stores data with multiple different file context types under the /var/run/slim directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. 
If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/slim /srv/slim ++.br ++.B restorecon -R -v /srv/slim ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the xdm, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t xdm_etc_t '/srv/xdm/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myxdm_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for xdm: ++ + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B xdm_etc_t +.EE + ++- Set files with the xdm_etc_t type, if you want to store xdm files in the /etc directories. ++ ++ ++.EX ++.PP ++.B xdm_exec_t ++.EE ++ ++- Set files with the xdm_exec_t type, if you want to transition an executable to the xdm_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/(s)?bin/gdm(3)?, /usr/(s)?bin/lightdm*, /usr/(s)?bin/[mxgkw]dm, /usr/(s)?bin/gdm-binary, /usr/(s)?bin/lxdm(-binary)?, /usr/X11R6/bin/[xgkw]dm, /usr/bin/slim, /usr/bin/gpe-dm, /opt/kde3/bin/kdm, /usr/sbin/mdm-binary, /etc/rc\.d/init\.d/x11-common ++ ++.EX ++.PP ++.B xdm_home_t ++.EE ++ ++- Set files with the xdm_home_t type, if you want to store xdm files in the users home directory. 
++ ++.br ++.TP 5 ++Paths: ++/root/\.dmrc.*, /root/\.xsession-errors.*, /home/[^/]*/\.dmrc.*, /home/[^/]*/\.cache/gdm(/.*)?, /home/[^/]*/\.xsession-errors.*, /home/pwalsh/\.dmrc.*, /home/pwalsh/\.cache/gdm(/.*)?, /home/pwalsh/\.xsession-errors.*, /home/dwalsh/\.dmrc.*, /home/dwalsh/\.cache/gdm(/.*)?, /home/dwalsh/\.xsession-errors.*, /var/lib/xguest/home/xguest/\.dmrc.*, /var/lib/xguest/home/xguest/\.cache/gdm(/.*)?, /var/lib/xguest/home/xguest/\.xsession-errors.* ++ ++.EX ++.PP ++.B xdm_lock_t ++.EE ++ ++- Set files with the xdm_lock_t type, if you want to treat the files as xdm lock data, stored under the /var/lock directory ++ ++ ++.EX ++.PP ++.B xdm_log_t ++.EE ++ ++- Set files with the xdm_log_t type, if you want to treat the data as xdm log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/[mkwx]dm\.log.*, /var/log/mdm(/.*)?, /var/log/lxdm\.log.*, /var/log/slim\.log ++ ++.EX ++.PP ++.B xdm_rw_etc_t ++.EE ++ ++- Set files with the xdm_rw_etc_t type, if you want to store xdm rw files in the /etc directories. ++ ++.br ++.TP 5 ++Paths: ++/etc/X11/wdm(/.*)?, /etc/opt/VirtualGL(/.*)? ++ ++.EX ++.PP ++.B xdm_spool_t ++.EE ++ ++- Set files with the xdm_spool_t type, if you want to store the xdm files under the /var/spool directory. ++ ++ ++.EX ++.PP ++.B xdm_tmp_t ++.EE ++ ++- Set files with the xdm_tmp_t type, if you want to store xdm temporary files in the /tmp directories. ++ ++.br ++.TP 5 ++Paths: ++/tmp/\.X11-unix(/.*)?, /tmp/\.ICE-unix(/.*)?, /tmp/\.X0-lock ++ ++.EX ++.PP ++.B xdm_tmpfs_t ++.EE ++ ++- Set files with the xdm_tmpfs_t type, if you want to store xdm files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B xdm_unconfined_exec_t ++.EE ++ ++- Set files with the xdm_unconfined_exec_t type, if you want to transition an executable to the xdm_unconfined_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/[mg]dm/Init(/.*)?, /etc/[mg]dm/PostLogin(/.*)?, /etc/[mg]dm/PreSession(/.*)?, /etc/[mg]dm/PostSession(/.*)? 
++ ++.EX ++.PP ++.B xdm_var_lib_t ++.EE ++ ++- Set files with the xdm_var_lib_t type, if you want to store the xdm files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/[mxkwg]dm(/.*)?, /var/cache/[mg]dm(/.*)?, /var/lib/gdm(3)?(/.*)?, /var/lib/lxdm(/.*)?, /var/lib/lightdm(/.*)?, /var/cache/lightdm(/.*)? ++ ++.EX ++.PP ++.B xdm_var_run_t ++.EE ++ ++- Set files with the xdm_var_run_t type, if you want to store the xdm files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/etc/kde[34]?/kdm/backgroundrc, /var/run/[kgm]dm(/.*)?, /var/run/gdm(3)?\.pid, /usr/lib/qt-.*/etc/settings(/.*)?, /var/run/slim.*, /var/run/lxdm(/.*)?, /var/run/slim(/.*)?, /var/run/xauth(/.*)?, /var/run/xdmctl(/.*)?, /var/run/lightdm(/.*)?, /var/run/systemd/multi-session-x(/.*)?, /var/run/xdm\.pid, /var/run/lxdm\.pid, /var/run/lxdm\.auth, /var/run/gdm_socket ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -106048,15 +196433,15 @@ index 0000000..b6a703d + +.SH "SEE ALSO" +selinux(8), xdm(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8) ++, setsebool(8), xdm_dbusd_selinux(8) \ No newline at end of file diff --git a/man/man8/xenconsoled_selinux.8 b/man/man8/xenconsoled_selinux.8 new file mode 100644 -index 0000000..9d5fe35 +index 0000000..a38e2b2 --- /dev/null 
+++ b/man/man8/xenconsoled_selinux.8 -@@ -0,0 +1,126 @@ -+.TH "xenconsoled_selinux" "8" "12-11-01" "xenconsoled" "SELinux Policy documentation for xenconsoled" +@@ -0,0 +1,219 @@ ++.TH "xenconsoled_selinux" "8" "13-01-16" "xenconsoled" "SELinux Policy documentation for xenconsoled" +.SH "NAME" +xenconsoled_selinux \- Security Enhanced Linux Policy for the xenconsoled processes +.SH "DESCRIPTION" @@ -106072,7 +196457,9 @@ index 0000000..9d5fe35 + +.SH "ENTRYPOINTS" + -+The xenconsoled_t SELinux type can be entered via the "xenconsoled_exec_t" file type. The default entrypoint paths for the xenconsoled_t domain are the following:" ++The xenconsoled_t SELinux type can be entered via the \fBxenconsoled_exec_t\fP file type. ++ ++The default entrypoint paths for the xenconsoled_t domain are the following: + +/usr/sbin/xenconsoled +.SH PROCESS TYPES 
@@ -106090,48 +196477,90 @@ index 0000000..9d5fe35 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a xenconsoled_t ++can be used to make the process type xenconsoled_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux xenconsoled policy is very flexible allowing users to setup their xenconsoled processes in as secure a method as possible. -+.PP -+The following file types are defined for xenconsoled: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. xenconsoled policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xenconsoled with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B xenconsoled_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the xenconsoled_exec_t type, if you want to transition an executable to the xenconsoled_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B xenconsoled_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the xenconsoled_var_run_t type, if you want to store the xenconsoled files under the /run directory. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. 
Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + +The SELinux process type xenconsoled_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B sysfs_t + + /sys(/.*)? 
@@ -106159,7 +196588,52 @@ index 0000000..9d5fe35 +.B xenfs_t + + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux xenconsoled policy is very flexible allowing users to setup their xenconsoled processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the xenconsoled, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t xenconsoled_exec_t '/srv/xenconsoled/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myxenconsoled_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for xenconsoled: ++ ++ ++.EX ++.PP ++.B xenconsoled_exec_t ++.EE ++ ++- Set files with the xenconsoled_exec_t type, if you want to transition an executable to the xenconsoled_t domain. ++ ++ ++.EX ++.PP ++.B xenconsoled_var_run_t ++.EE ++ ++- Set files with the xenconsoled_var_run_t type, if you want to store the xenconsoled files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -106171,6 +196645,9 @@ index 0000000..9d5fe35 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -106182,13 +196659,15 @@ index 0000000..9d5fe35 + +.SH "SEE ALSO" +selinux(8), xenconsoled(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/xend_selinux.8 b/man/man8/xend_selinux.8 new file mode 100644 -index 0000000..b211bcb +index 0000000..c71001d --- /dev/null +++ b/man/man8/xend_selinux.8 -@@ -0,0 +1,330 @@ -+.TH "xend_selinux" "8" "12-11-01" "xend" "SELinux Policy documentation for xend" +@@ -0,0 +1,456 @@ ++.TH "xend_selinux" "8" "13-01-16" "xend" "SELinux Policy documentation for xend" +.SH "NAME" +xend_selinux \- Security Enhanced Linux Policy for the xend processes +.SH "DESCRIPTION" @@ -106204,7 +196683,9 @@ index 0000000..b211bcb + +.SH "ENTRYPOINTS" + -+The xend_t SELinux type can be entered via the "xend_exec_t" file type. The default entrypoint paths for the xend_t domain are the following:" ++The xend_t SELinux type can be entered via the \fBxend_exec_t\fP file type. ++ ++The default entrypoint paths for the xend_t domain are the following: + +/usr/sbin/xend +.SH PROCESS TYPES 
@@ -106222,113 +196703,109 @@ index 0000000..b211bcb +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a xend_t ++can be used to make the process type xend_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. xend policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xend with the tightest access possible. + + +.PP -+If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean. ++If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean. Enabled by default. + +.EX +.B setsebool -P xend_run_blktap 1 ++ +.EE + +.PP -+If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean. -+ -+.EX -+.B setsebool -P xen_use_nfs 1 -+.EE -+ -+.PP -+If you want to allow xend to run qemu-dm. Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean. ++If you want to allow xend to run qemu-dm. Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean. Enabled by default. + +.EX +.B setsebool -P xend_run_qemu 1 ++ +.EE + +.PP -+If you want to allow xend to run blktapctrl/tapdisk. Not required if using dedicated logical volumes for disk images, you must turn on the xend_run_blktap boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. 
+ +.EX -+.B setsebool -P xend_run_blktap 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean. ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to allow xen to manage nfs files, you must turn on the xen_use_nfs boolean. Disabled by default. + +.EX +.B setsebool -P xen_use_nfs 1 ++ +.EE + -+.PP -+If you want to allow xend to run qemu-dm. 
Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean. -+ -+.EX -+.B setsebool -P xend_run_qemu 1 -+.EE -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux xend policy is very flexible allowing users to setup their xend processes in as secure a method as possible. -+.PP -+The following file types are defined for xend: -+ -+ -+.EX -+.PP -+.B xend_exec_t -+.EE -+ -+- Set files with the xend_exec_t type, if you want to transition an executable to the xend_t domain. -+ -+ -+.EX -+.PP -+.B xend_tmp_t -+.EE -+ -+- Set files with the xend_tmp_t type, if you want to store xend temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B xend_var_lib_t -+.EE -+ -+- Set files with the xend_var_lib_t type, if you want to store the xend files under the /var/lib directory. -+ -+ -+.EX -+.PP -+.B xend_var_log_t -+.EE -+ -+- Set files with the xend_var_log_t type, if you want to treat the data as xend var log data, usually stored under the /var/log directory. -+ -+ -+.EX -+.PP -+.B xend_var_run_t -+.EE -+ -+- Set files with the xend_var_run_t type, if you want to store the xend files under the /run directory. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP @@ -106395,10 +196872,10 @@ index 0000000..b211bcb +.br + /etc/cmtab +.br -+ /\.autofsck -+.br + /forcefsck +.br ++ /\.autofsck ++.br + /\.suspended +.br + /fsckoptions 
@@ -106407,10 +196884,10 @@ index 0000000..b211bcb +.br + /etc/securetty +.br -+ /etc/killpower -+.br + /etc/nohotplug +.br ++ /etc/killpower ++.br + /etc/ioctl\.save +.br + /etc/fstab\.REVOKE @@ -106429,12 +196906,32 @@ index 0000000..b211bcb +.br + +.br ++.B nfs_t ++ ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B sysfs_t + + /sys(/.*)? +.br + +.br ++.B virt_image_t ++ ++ /var/lib/libvirt/images(/.*)? ++.br ++ /var/lib/imagefactory/images(/.*)? ++.br ++ ++.br +.B xen_image_t + + /xen(/.*)? 
@@ -106488,7 +196985,115 @@ index 0000000..b211bcb + /var/run/xenstore\.pid +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux xend policy is very flexible allowing users to setup their xend processes in as secure a method as possible. ++.PP ++ ++.PP ++.B EQUIVALENCE DIRECTORIES ++ ++.PP ++xend policy stores data with multiple different file context types under the /var/log/xen directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/log/xen /srv/xen ++.br ++.B restorecon -R -v /srv/xen ++.PP ++ ++.PP ++xend policy stores data with multiple different file context types under the /var/lib/xen directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/lib/xen /srv/xen ++.br ++.B restorecon -R -v /srv/xen ++.PP ++ ++.PP ++xend policy stores data with multiple different file context types under the /var/run/xend directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. 
If you wanted to store this data under the /srv dirctory you would execute the following command: ++.PP ++.B semanage fcontext -a -e /var/run/xend /srv/xend ++.br ++.B restorecon -R -v /srv/xend ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the xend, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t xend_exec_t '/srv/xend/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myxend_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for xend: ++ ++ ++.EX ++.PP ++.B xend_exec_t ++.EE ++ ++- Set files with the xend_exec_t type, if you want to transition an executable to the xend_t domain. ++ ++ ++.EX ++.PP ++.B xend_tmp_t ++.EE ++ ++- Set files with the xend_tmp_t type, if you want to store xend temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B xend_var_lib_t ++.EE ++ ++- Set files with the xend_var_lib_t type, if you want to store the xend files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/xen(/.*)?, /var/lib/xend(/.*)? ++ ++.EX ++.PP ++.B xend_var_log_t ++.EE ++ ++- Set files with the xend_var_log_t type, if you want to treat the data as xend var log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/xen(/.*)?, /var/log/xend\.log.*, /var/log/xend-debug\.log.*, /var/log/xen-hotplug\.log.* ++ ++.EX ++.PP ++.B xend_var_run_t ++.EE ++ ++- Set files with the xend_var_run_t type, if you want to store the xend files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/xend(/.*)?, /var/run/xenner(/.*)?, /var/run/xend\.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. 
If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -106521,11 +197126,11 @@ index 0000000..b211bcb \ No newline at end of file diff --git a/man/man8/xenstored_selinux.8 b/man/man8/xenstored_selinux.8 new file mode 100644 -index 0000000..5ad6f42 +index 0000000..3ecd931 --- /dev/null +++ b/man/man8/xenstored_selinux.8 -@@ -0,0 +1,148 @@ -+.TH "xenstored_selinux" "8" "12-11-01" "xenstored" "SELinux Policy documentation for xenstored" +@@ -0,0 +1,245 @@ ++.TH "xenstored_selinux" "8" "13-01-16" "xenstored" "SELinux Policy documentation for xenstored" +.SH "NAME" +xenstored_selinux \- Security Enhanced Linux Policy for the xenstored processes +.SH "DESCRIPTION" @@ -106541,7 +197146,9 @@ index 0000000..5ad6f42 + +.SH "ENTRYPOINTS" + -+The xenstored_t SELinux type can be entered via the "xenstored_exec_t" file type. The default entrypoint paths for the xenstored_t domain are the following:" ++The xenstored_t SELinux type can be entered via the \fBxenstored_exec_t\fP file type. ++ ++The default entrypoint paths for the xenstored_t domain are the following: + +/usr/sbin/xenstored +.SH PROCESS TYPES 
@@ -106559,8 +197166,114 @@ index 0000000..5ad6f42 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a xenstored_t ++can be used to make the process type xenstored_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. xenstored policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xenstored with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type xenstored_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B xenfs_t ++ ++ ++.br ++.B xenstored_tmp_t ++ ++ ++.br ++.B xenstored_var_lib_t ++ ++ /var/lib/xenstored(/.*)? ++.br ++ ++.br ++.B xenstored_var_log_t ++ ++ ++.br ++.B xenstored_var_run_t ++ ++ /var/run/xenstored(/.*)? ++.br ++ /var/run/xenstore\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -106570,7 +197283,20 @@ index 0000000..5ad6f42 +Policy governs the access confined processes have to these files. +SELinux xenstored policy is very flexible allowing users to setup their xenstored processes in as secure a method as possible. +.PP -+The following file types are defined for xenstored: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the xenstored, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t xenstored_exec_t '/srv/xenstored/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myxenstored_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for xenstored: + + +.EX 
@@ -106610,8 +197336,12 @@ index 0000000..5ad6f42 +.B xenstored_var_run_t +.EE + -+- Set files with the xenstored_var_run_t type, if you want to store the xenstored files under the /run directory. ++- Set files with the xenstored_var_run_t type, if you want to store the xenstored files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/xenstored(/.*)?, /var/run/xenstore\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -106620,38 +197350,6 @@ index 0000000..5ad6f42 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type xenstored_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B xenfs_t -+ -+ -+.br -+.B xenstored_tmp_t -+ -+ -+.br -+.B xenstored_var_lib_t -+ -+ /var/lib/xenstored(/.*)? -+.br -+ -+.br -+.B xenstored_var_log_t -+ -+ -+.br -+.B xenstored_var_run_t -+ -+ /var/run/xenstored(/.*)? -+.br -+ /var/run/xenstore\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -106662,6 +197360,9 @@ index 0000000..5ad6f42 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -106673,15 +197374,599 @@ index 0000000..5ad6f42 + +.SH "SEE ALSO" +selinux(8), xenstored(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/xguest_dbusd_selinux.8 b/man/man8/xguest_dbusd_selinux.8 +new file mode 100644 +index 0000000..42cd1a4 +--- /dev/null ++++ b/man/man8/xguest_dbusd_selinux.8 +@@ -0,0 +1,254 @@ ++.TH "xguest_dbusd_selinux" "8" "13-01-16" "xguest_dbusd" "SELinux Policy documentation for xguest_dbusd" ++.SH "NAME" ++xguest_dbusd_selinux \- Security Enhanced Linux Policy for the xguest_dbusd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the xguest_dbusd processes via flexible mandatory access control. ++ ++The xguest_dbusd processes execute with the xguest_dbusd_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep xguest_dbusd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The xguest_dbusd_t SELinux type can be entered via the \fBdbusd_exec_t\fP file type. ++ ++The default entrypoint paths for the xguest_dbusd_t domain are the following: ++ ++/usr/bin/dbus-daemon(-1)?, /bin/dbus-daemon, /lib/dbus-1/dbus-daemon-launch-helper, /usr/lib/dbus-1/dbus-daemon-launch-helper ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux xguest_dbusd policy is very flexible allowing users to setup their xguest_dbusd processes in as secure a method as possible. ++.PP ++The following process types are defined for xguest_dbusd: ++ ++.EX ++.B xguest_dbusd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a xguest_dbusd_t ++can be used to make the process type xguest_dbusd_t permissive. 
SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. xguest_dbusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xguest_dbusd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the xguest_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the xguest_dbusd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type xguest_dbusd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? 
++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B nfs_t ++ ++ ++.br ++.B security_t ++ ++ /selinux ++.br ++ ++.br ++.B session_dbusd_tmp_t ++ ++ ++.br ++.B user_home_t ++ ++ /home/[^/]*/.+ ++.br ++ /home/pwalsh/.+ ++.br ++ /home/dwalsh/.+ ++.br ++ /var/lib/xguest/home/xguest/.+ ++.br ++ ++.br ++.B user_tmpfs_t ++ ++ /dev/shm/mono.* ++.br ++ /dev/shm/pulse-shm.* ++.br ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), xguest_dbusd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), xguest_selinux(8), xguest_selinux(8), xguest_gkeyringd_selinux(8) +\ No newline at end of file +diff --git a/man/man8/xguest_gkeyringd_selinux.8 b/man/man8/xguest_gkeyringd_selinux.8 +new file mode 100644 +index 0000000..0e60ac1 +--- /dev/null ++++ b/man/man8/xguest_gkeyringd_selinux.8 +@@ -0,0 +1,314 @@ ++.TH "xguest_gkeyringd_selinux" "8" "13-01-16" "xguest_gkeyringd" "SELinux Policy documentation for xguest_gkeyringd" ++.SH "NAME" ++xguest_gkeyringd_selinux \- Security Enhanced Linux Policy for the xguest_gkeyringd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the xguest_gkeyringd processes via flexible mandatory access control. ++ ++The xguest_gkeyringd processes execute with the xguest_gkeyringd_t SELinux type. 
You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. ++ ++For example: ++ ++.B ps -eZ | grep xguest_gkeyringd_t ++ ++ ++.SH "ENTRYPOINTS" ++ ++The xguest_gkeyringd_t SELinux type can be entered via the \fBgkeyringd_exec_t\fP file type. ++ ++The default entrypoint paths for the xguest_gkeyringd_t domain are the following: ++ ++/usr/bin/gnome-keyring-daemon ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux xguest_gkeyringd policy is very flexible allowing users to setup their xguest_gkeyringd processes in as secure a method as possible. ++.PP ++The following process types are defined for xguest_gkeyringd: ++ ++.EX ++.B xguest_gkeyringd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a xguest_gkeyringd_t ++can be used to make the process type xguest_gkeyringd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. xguest_gkeyringd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xguest_gkeyringd with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the xguest_gkeyringd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the xguest_gkeyringd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type xguest_gkeyringd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B cache_home_t ++ ++ /root/\.cache(/.*)? ++.br ++ /home/[^/]*/\.nv(/.*)? ++.br ++ /home/[^/]*/\.cache(/.*)? ++.br ++ /home/pwalsh/\.nv(/.*)? ++.br ++ /home/pwalsh/\.cache(/.*)? ++.br ++ /home/dwalsh/\.nv(/.*)? ++.br ++ /home/dwalsh/\.cache(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.nv(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.cache(/.*)? ++.br ++ ++.br ++.B cifs_t ++ ++ ++.br ++.B config_home_t ++ ++ /root/\.kde(/.*)? ++.br ++ /root/\.xine(/.*)? ++.br ++ /root/\.config(/.*)? ++.br ++ /var/run/user/[^/]*/dconf(/.*)? ++.br ++ /root/\.Xdefaults ++.br ++ /home/[^/]*/\.kde(/.*)? ++.br ++ /home/[^/]*/\.xine(/.*)? ++.br ++ /home/[^/]*/\.config(/.*)? ++.br ++ /home/[^/]*/\.Xdefaults ++.br ++ /home/pwalsh/\.kde(/.*)? ++.br ++ /home/pwalsh/\.xine(/.*)? ++.br ++ /home/pwalsh/\.config(/.*)? ++.br ++ /home/pwalsh/\.Xdefaults ++.br ++ /home/dwalsh/\.kde(/.*)? ++.br ++ /home/dwalsh/\.xine(/.*)? ++.br ++ /home/dwalsh/\.config(/.*)? 
++.br ++ /home/dwalsh/\.Xdefaults ++.br ++ /var/lib/xguest/home/xguest/\.kde(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.xine(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.config(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Xdefaults ++.br ++ ++.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br ++.B gkeyringd_gnome_home_t ++ ++ /root/\.gnome2/keyrings(/.*)? ++.br ++ /home/[^/]*/\.gnome2/keyrings(/.*)? ++.br ++ /home/[^/]*/\.local/share/keyrings(/.*)? ++.br ++ /home/pwalsh/\.gnome2/keyrings(/.*)? ++.br ++ /home/pwalsh/\.local/share/keyrings(/.*)? ++.br ++ /home/dwalsh/\.gnome2/keyrings(/.*)? ++.br ++ /home/dwalsh/\.local/share/keyrings(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.gnome2/keyrings(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.local/share/keyrings(/.*)? ++.br ++ ++.br ++.B nfs_t ++ ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.B semanage boolean ++can also be used to manipulate the booleans ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was auto-generated using ++.B "sepolicy manpage" ++by Dan Walsh. ++ ++.SH "SEE ALSO" ++selinux(8), xguest_gkeyringd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8), xguest_selinux(8), xguest_selinux(8), xguest_dbusd_selinux(8) +\ No newline at end of file 
diff --git a/man/man8/xguest_selinux.8 b/man/man8/xguest_selinux.8 new file mode 100644 -index 0000000..9a09106 +index 0000000..7bd1e7b --- /dev/null +++ b/man/man8/xguest_selinux.8 -@@ -0,0 +1,345 @@ +@@ -0,0 +1,541 @@ +.TH "xguest_selinux" "8" "xguest" "mgrepl@redhat.com" "xguest SELinux Policy documentation" +.SH "NAME" -+xguest_u \- \fBLeast privledge xwindows user role\fP - Security Enhanced Linux Policy ++xguest_u \- \fBLeast privledge xwindows user role.\fP - Security Enhanced Linux Policy + +.SH DESCRIPTION + @@ -106691,7 +197976,7 @@ index 0000000..9a09106 + +The SELinux user will usually login to a system with a context that looks like: + -+.B xguest_u:xguest_r:xguest_t:s0-s0:c0.c1023 ++.B xguest_u:xguest_r:xguest_t:s0 + +Linux users are automatically assigned an SELinux users at login. +Login programs use the SELinux User to assign initial context to the user's shell. 
@@ -106733,115 +198018,289 @@ index 0000000..9a09106 + +.B dns_port_t: 53 + -+.B all ports with out defined types -+ +.B ftp_port_t: 21,990 + +.B speech_port_t: 8036 + -+.B http_cache_port_t: 8080,8118,10001-10010 ++.B http_cache_port_t: 8080,8118,8123,10001-10010 + -+.B http_port_t: 80,81,443,488,8008,8009,8443 ++.B http_port_t: 80,81,443,488,8008,8009,8443,9000 + +.B ocsp_port_t: 9080 + ++.B commplex_link_port_t: 5001 ++ +.B squid_port_t: 3128,3401,4827 + +.B ephemeral_port_t: 32768-61000 + -+.B kerberos_port_t: 88,750,4444 -+ +.B pulseaudio_port_t: 4713 + ++.B kerberos_port_t: 88,750,4444 ++ +.B flash_port_t: 843,1935 + +.B soundd_port_t: 8000,9433,16001 + -+.B commplex_port_t: 5001 -+ +.B ipp_port_t: 631,8610-8614 + +.B transproxy_port_t: 8081 + ++.B all ports with out defined types ++ +.TP +The SELinux user xguest_u is able to connect to the following tcp ports. + +.B dns_port_t: 53 + -+.B all ports with out defined types -+ +.B ftp_port_t: 21,990 + +.B speech_port_t: 8036 + -+.B http_cache_port_t: 8080,8118,10001-10010 ++.B http_cache_port_t: 8080,8118,8123,10001-10010 + -+.B http_port_t: 80,81,443,488,8008,8009,8443 ++.B http_port_t: 80,81,443,488,8008,8009,8443,9000 + +.B ocsp_port_t: 9080 + ++.B commplex_link_port_t: 5001 ++ +.B squid_port_t: 3128,3401,4827 + +.B ephemeral_port_t: 32768-61000 + -+.B kerberos_port_t: 88,750,4444 -+ +.B pulseaudio_port_t: 4713 + ++.B kerberos_port_t: 88,750,4444 ++ +.B flash_port_t: 843,1935 + +.B soundd_port_t: 8000,9433,16001 + -+.B commplex_port_t: 5001 -+ +.B ipp_port_t: 631,8610-8614 + +.B transproxy_port_t: 8081 + ++.B all ports with out defined types ++ +.SH BOOLEANS +SELinux policy is customizable based on least access required. xguest policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xguest with the tightest access possible. + + +.PP -+If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean. 
-+ -+.EX -+.B setsebool -P xguest_mount_media 1 -+.EE -+ -+.PP -+If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean. ++If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean. Enabled by default. + +.EX +.B setsebool -P xguest_connect_network 1 ++ +.EE + +.PP -+If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean. -+ -+.EX -+.B setsebool -P xguest_use_bluetooth 1 -+.EE -+ -+.PP -+If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean. ++If you want to allow xguest users to mount removable media, you must turn on the xguest_mount_media boolean. Enabled by default. + +.EX +.B setsebool -P xguest_mount_media 1 ++ +.EE + +.PP -+If you want to allow xguest users to configure Network Manager and connect to apache ports, you must turn on the xguest_connect_network boolean. -+ -+.EX -+.B setsebool -P xguest_connect_network 1 -+.EE -+ -+.PP -+If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean. ++If you want to allow xguest to use blue tooth devices, you must turn on the xguest_use_bluetooth boolean. Enabled by default. + +.EX +.B setsebool -P xguest_use_bluetooth 1 ++ ++.EE ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla, you must turn on the deny_execmem boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P deny_execmem 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_enable_cgi 1 ++ ++.EE ++ ++.PP ++If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean. Disabled by default. ++ ++.EX ++.B setsebool -P httpd_unified 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow logging in and using the system from /dev/console, you must turn on the login_console_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P login_console_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to disallow programs, such as newrole, from transitioning to administrative user domains, you must turn on the secure_mode boolean. Disabled by default. ++ ++.EX ++.B setsebool -P secure_mode 1 ++ ++.EE ++ ++.PP ++If you want to allow regular users direct dri device access, you must turn on the selinuxuser_direct_dri_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_direct_dri_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla, you must turn on the selinuxuser_execstack boolean. Enabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++ ++.EE ++ ++.PP ++If you want to allow user to r/w files on filesystems that do not have extended attributes (FAT, CDROM, FLOPPY), you must turn on the selinuxuser_rw_noexattrfile boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_rw_noexattrfile 1 ++ ++.EE ++ ++.PP ++If you want to allow user to use ssh chroot environment, you must turn on the selinuxuser_use_ssh_chroot boolean. Disabled by default. ++ ++.EX ++.B setsebool -P selinuxuser_use_ssh_chroot 1 ++ ++.EE ++ ++.PP ++If you want to allow ssh logins as sysadm_r:sysadm_t, you must turn on the ssh_sysadm_login boolean. Disabled by default. ++ ++.EX ++.B setsebool -P ssh_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow the graphical login program to login directly as sysadm_r:sysadm_t, you must turn on the xdm_sysadm_login boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xdm_sysadm_login 1 ++ ++.EE ++ ++.PP ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P xserver_clients_write_xshm 1 ++ ++.EE ++ ++.PP ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++ +.EE + +.SH HOME_EXEC @@ -106890,10 +198349,16 @@ index 0000000..9a09106 + + +.br ++.B cifs_t ++ ++ ++.br +.B httpd_user_content_t + + /home/[^/]*/((www)|(web)|(public_html))(/.+)? +.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.+)? ++.br + /home/dwalsh/((www)|(web)|(public_html))(/.+)? +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.+)? @@ -106904,6 +198369,8 @@ index 0000000..9a09106 + + /home/[^/]*/((www)|(web)|(public_html))(/.*)?/\.htaccess +.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess ++.br + /home/dwalsh/((www)|(web)|(public_html))(/.*)?/\.htaccess +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/\.htaccess @@ -106914,6 +198381,8 @@ index 0000000..9a09106 + + /home/[^/]*/((www)|(web)|(public_html))(/.*)?/logs(/.*)? +.br ++ /home/pwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)? ++.br + /home/dwalsh/((www)|(web)|(public_html))(/.*)?/logs(/.*)? +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))(/.*)?/logs(/.*)? 
@@ -106928,6 +198397,8 @@ index 0000000..9a09106 + + /home/[^/]*/((www)|(web)|(public_html))/cgi-bin(/.+)? +.br ++ /home/pwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)? ++.br + /home/dwalsh/((www)|(web)|(public_html))/cgi-bin(/.+)? +.br + /var/lib/xguest/home/xguest/((www)|(web)|(public_html))/cgi-bin(/.+)? @@ -106958,6 +198429,12 @@ index 0000000..9a09106 +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? @@ -106999,6 +198476,10 @@ index 0000000..9a09106 + /tmp/\.X0-lock +.br + ++.br ++.B xserver_tmpfs_t ++ ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -107023,15 +198504,15 @@ index 0000000..9a09106 + +.SH "SEE ALSO" +selinux(8), xguest(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, setsebool(8) ++, setsebool(8), xguest_dbusd_selinux(8), xguest_gkeyringd_selinux(8) \ No newline at end of file diff --git a/man/man8/xserver_selinux.8 b/man/man8/xserver_selinux.8 new file mode 100644 -index 0000000..936e2de +index 0000000..dca2625 --- /dev/null +++ b/man/man8/xserver_selinux.8 -@@ -0,0 +1,416 @@ -+.TH "xserver_selinux" "8" "12-11-01" "xserver" "SELinux Policy documentation for xserver" +@@ -0,0 +1,563 @@ ++.TH "xserver_selinux" "8" "13-01-16" "xserver" "SELinux Policy documentation for xserver" +.SH "NAME" +xserver_selinux \- Security Enhanced Linux Policy for the xserver processes +.SH "DESCRIPTION" 
@@ -107047,9 +198528,11 @@ index 0000000..936e2de + +.SH "ENTRYPOINTS" + -+The xserver_t SELinux type can be entered via the "xserver_exec_t" file type. The default entrypoint paths for the xserver_t domain are the following:" ++The xserver_t SELinux type can be entered via the \fBxserver_exec_t\fP file type. + -+/usr/bin/Xair, /usr/bin/Xorg, /usr/bin/Xephyr, /usr/X11R6/bin/X, /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/X11R6/bin/XFree86, /usr/X11R6/bin/Xwrapper, /etc/init\.d/xfree86-common ++The default entrypoint paths for the xserver_t domain are the following: ++ ++/usr/bin/Xair, /usr/bin/Xorg, /usr/bin/Xvnc, /usr/bin/Xephyr, /usr/X11R6/bin/X, /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/X11R6/bin/XFree86, /usr/X11R6/bin/Xwrapper +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -107065,127 +198548,165 @@ index 0000000..936e2de +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a xserver_t ++can be used to make the process type xserver_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. xserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xserver with the tightest access possible. + + +.PP -+If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. -+ -+.EX -+.B setsebool -P xserver_object_manager 1 -+.EE -+ -+.PP -+If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean. -+ -+.EX -+.B setsebool -P virt_use_xserver 1 -+.EE -+ -+.PP -+If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. -+ -+.EX -+.B setsebool -P xserver_clients_write_xshm 1 -+.EE -+ -+.PP -+If you want to allows XServer to execute writable memory, you must turn on the xserver_execmem boolean. ++If you want to allows XServer to execute writable memory, you must turn on the xserver_execmem boolean. Disabled by default. + +.EX +.B setsebool -P xserver_execmem 1 ++ +.EE + +.PP -+If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. ++If you want to support X userspace object manager, you must turn on the xserver_object_manager boolean. Enabled by default. + +.EX +.B setsebool -P xserver_object_manager 1 ++ +.EE + +.PP -+If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean. 
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.PP ++If you want to support ecryptfs home directories, you must turn on the use_ecryptfs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_ecryptfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support fusefs home directories, you must turn on the use_fusefs_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_fusefs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support NFS home directories, you must turn on the use_nfs_home_dirs boolean. Enabled by default. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to support SAMBA home directories, you must turn on the use_samba_home_dirs boolean. Disabled by default. ++ ++.EX ++.B setsebool -P use_samba_home_dirs 1 ++ ++.EE ++ ++.PP ++If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean. Disabled by default. + +.EX +.B setsebool -P virt_use_xserver 1 ++ +.EE + ++.SH NSSWITCH DOMAIN ++ +.PP -+If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the xserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.B setsebool -P xserver_clients_write_xshm 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + +.PP -+If you want to allows XServer to execute writable memory, you must turn on the xserver_execmem boolean. ++If you want to allow confined applications to run with kerberos for the xserver_t, you must turn on the kerberos_enabled boolean. + +.EX -+.B setsebool -P xserver_execmem 1 ++.B setsebool -P kerberos_enabled 1 +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. 
-+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux xserver policy is very flexible allowing users to setup their xserver processes in as secure a method as possible. -+.PP -+The following file types are defined for xserver: -+ -+ -+.EX -+.PP -+.B xserver_exec_t -+.EE -+ -+- Set files with the xserver_exec_t type, if you want to transition an executable to the xserver_t domain. -+ -+ -+.EX -+.PP -+.B xserver_log_t -+.EE -+ -+- Set files with the xserver_log_t type, if you want to treat the data as xserver log data, usually stored under the /var/log directory. -+ -+ -+.EX -+.PP -+.B xserver_tmpfs_t -+.EE -+ -+- Set files with the xserver_tmpfs_t type, if you want to store xserver files on a tmpfs file system. -+ -+ -+.EX -+.PP -+.B xserver_var_lib_t -+.EE -+ -+- Set files with the xserver_var_lib_t type, if you want to store the xserver files under the /var/lib directory. -+ -+ -+.EX -+.PP -+.B xserver_var_run_t -+.EE -+ -+- Set files with the xserver_var_run_t type, if you want to store the xserver files under the /run directory. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP 
@@ -107222,10 +198743,38 @@ index 0000000..936e2de + + +.br ++.B cifs_t ++ ++ ++.br +.B consolekit_tmpfs_t + + +.br ++.B ecryptfs_t ++ ++ /home/[^/]*/\.Private(/.*)? ++.br ++ /home/[^/]*/\.ecryptfs(/.*)? ++.br ++ /home/pwalsh/\.Private(/.*)? ++.br ++ /home/pwalsh/\.ecryptfs(/.*)? ++.br ++ /home/dwalsh/\.Private(/.*)? ++.br ++ /home/dwalsh/\.ecryptfs(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.Private(/.*)? ++.br ++ /var/lib/xguest/home/xguest/\.ecryptfs(/.*)? ++.br ++ ++.br ++.B fusefs_t ++ ++ ++.br +.B games_tmpfs_t + + @@ -107248,6 +198797,10 @@ index 0000000..936e2de +.br + +.br ++.B nfs_t ++ ++ ++.br +.B pulseaudio_tmpfs_t + + @@ -107304,6 +198857,12 @@ index 0000000..936e2de +.br + /home/[^/]*/\.fonts\.cache-.* +.br ++ /home/pwalsh/\.fontconfig(/.*)? ++.br ++ /home/pwalsh/\.fonts/auto(/.*)? ++.br ++ /home/pwalsh/\.fonts\.cache-.* ++.br + /home/dwalsh/\.fontconfig(/.*)? +.br + /home/dwalsh/\.fonts/auto(/.*)? @@ -107336,10 +198895,10 @@ index 0000000..936e2de +.br +.B xdm_log_t + -+ /var/log/[mg]dm(/.*)? -+.br + /var/log/[mkwx]dm\.log.* +.br ++ /var/log/mdm(/.*)? ++.br + /var/log/lxdm\.log.* +.br + /var/log/slim\.log @@ -107376,6 +198935,8 @@ index 0000000..936e2de +.br + /usr/var/[xgkw]dm(/.*)? +.br ++ /var/log/gdm(3)?(/.*)? ++.br + /var/log/Xorg.* +.br + /var/log/XFree86.* 
@@ -107403,21 +198964,88 @@ index 0000000..936e2de + /var/run/video.rom +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux xserver policy is very flexible allowing users to setup their xserver processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the xserver, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t xserver_exec_t '/srv/xserver/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myxserver_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for xserver: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B xserver_exec_t +.EE + ++- Set files with the xserver_exec_t type, if you want to transition an executable to the xserver_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/Xair, /usr/bin/Xorg, /usr/bin/Xvnc, /usr/bin/Xephyr, /usr/X11R6/bin/X, /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/X11R6/bin/XFree86, /usr/X11R6/bin/Xwrapper ++ ++.EX ++.PP ++.B xserver_log_t ++.EE ++ ++- Set files with the xserver_log_t type, if you want to treat the data as xserver log data, usually stored under the /var/log directory. 
++ ++.br ++.TP 5 ++Paths: ++/var/[xgkw]dm(/.*)?, /usr/var/[xgkw]dm(/.*)?, /var/log/gdm(3)?(/.*)?, /var/log/Xorg.*, /var/log/XFree86.*, /var/log/lightdm(/.*)?, /var/log/nvidia-installer\.log.* ++ ++.EX ++.PP ++.B xserver_tmpfs_t ++.EE ++ ++- Set files with the xserver_tmpfs_t type, if you want to store xserver files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B xserver_var_lib_t ++.EE ++ ++- Set files with the xserver_var_lib_t type, if you want to store the xserver files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B xserver_var_run_t ++.EE ++ ++- Set files with the xserver_var_run_t type, if you want to store the xserver files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/xorg(/.*)?, /var/run/video.rom ++ +.PP -+If you want to allow confined applications to run with kerberos for the xserver_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -107449,12 +199077,12 @@ index 0000000..936e2de +, setsebool(8) \ No newline at end of file diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8 -index 5061a5f..017254a 100644 +index 5061a5f..3451109 100644 --- a/man/man8/ypbind_selinux.8 
+++ b/man/man8/ypbind_selinux.8 -@@ -1,19 +1,138 @@ +@@ -1,19 +1,235 @@ -.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation" -+.TH "ypbind_selinux" "8" "12-11-01" "ypbind" "SELinux Policy documentation for ypbind" ++.TH "ypbind_selinux" "8" "13-01-16" "ypbind" "SELinux Policy documentation for ypbind" .SH "NAME" -ypbind_selinux \- Security Enhanced Linux Policy for NIS. +ypbind_selinux \- Security Enhanced Linux Policy for the ypbind processes @@ -107462,15 +199090,6 @@ index 5061a5f..017254a 100644 -Security-Enhanced Linux secures the system via flexible mandatory access -control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network. --.SH BOOLEANS --.TP --You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment. --.TP --setsebool -P allow_ypbind 1 --.TP --system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR --This manual page was written by Dan Walsh . +Security-Enhanced Linux secures the ypbind processes via flexible mandatory access control. + +The ypbind processes execute with the ypbind_t SELinux type. You can check if you have these processes running by executing the \fBps\fP command with the \fB\-Z\fP qualifier. @@ -107482,7 +199101,9 @@ index 5061a5f..017254a 100644 + +.SH "ENTRYPOINTS" + -+The ypbind_t SELinux type can be entered via the "ypbind_exec_t" file type. The default entrypoint paths for the ypbind_t domain are the following:" ++The ypbind_t SELinux type can be entered via the \fBypbind_exec_t\fP file type. ++ ++The default entrypoint paths for the ypbind_t domain are the following: + +/sbin/ypbind, /usr/sbin/ypbind +.SH PROCESS TYPES 
@@ -107500,8 +199121,112 @@ index 5061a5f..017254a 100644 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ypbind_t ++can be used to make the process type ypbind_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ + .SH BOOLEANS +-.TP +-You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment. +-.TP +-setsebool -P allow_ypbind 1 +-.TP +-system-config-selinux is a GUI tool available to customize SELinux policy settings. +-.SH AUTHOR +-This manual page was written by Dan Walsh . ++SELinux policy is customizable based on least access required. ypbind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ypbind with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type ypbind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B var_yp_t ++ ++ /var/yp(/.*)? ++.br ++ ++.br ++.B ypbind_tmp_t ++ ++ ++.br ++.B ypbind_var_run_t ++ ++ /var/run/ypbind.* ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
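Review bot: the deny_ptrace entry in the new BOOLEANS section is inverted: it says "If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean" and then shows `setsebool -P deny_ptrace 1`, but turning that boolean on is what denies ptrace, so a reader following the text gets the opposite of what they asked for. The sentence should describe what enabling the boolean does, and since the page marks it "Enabled by default" the example an admin actually needs is `setsebool -P deny_ptrace 0`; the same "Enabled by default" plus `... 1` no-op appears for domain_fd_use and fips_mode. Separately, this hunk carries the removal of the old page's only ypbind-specific guidance ("You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment") while the regenerated list contains only generic daemon/domain booleans, so the new ypbind page no longer tells the reader which boolean gates NIS at all; the generator should emit the NIS boolean here.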
@@ -107511,7 +199236,20 @@ index 5061a5f..017254a 100644 +Policy governs the access confined processes have to these files. +SELinux ypbind policy is very flexible allowing users to setup their ypbind processes in as secure a method as possible. +.PP -+The following file types are defined for ypbind: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ypbind, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ypbind_exec_t '/srv/ypbind/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myypbind_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ypbind: + + +.EX @@ -107521,6 +199259,10 @@ index 5061a5f..017254a 100644 + +- Set files with the ypbind_exec_t type, if you want to transition an executable to the ypbind_t domain. + ++.br ++.TP 5 ++Paths: ++/sbin/ypbind, /usr/sbin/ypbind + +.EX +.PP @@ -107551,7 +199293,7 @@ index 5061a5f..017254a 100644 +.B ypbind_var_run_t +.EE + -+- Set files with the ypbind_var_run_t type, if you want to store the ypbind files under the /run directory. ++- Set files with the ypbind_var_run_t type, if you want to store the ypbind files under the /run or /var/run directory. + + +.PP 
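Review bot: the STANDARD FILE CONTEXT example labels a content directory with the domain's entrypoint type and then runs restorecon on a different path: `semanage fcontext -a -t ypbind_exec_t '/srv/ypbind/content(/.*)?'` is followed by `restorecon -R -v /srv/myypbind_content`, so the second command never touches the path the first one labeled. More importantly, ypbind_exec_t is the entrypoint into ypbind_t, so telling admins to label arbitrary content under /srv with it means anything dropped there can be executed into the ypbind domain; the example should use a data type (a conf, tmp or var_run type, as the ypserv page in this same patch does with ypserv_conf_t) and the two paths should match. Also "in a diffent paths" should read "in different paths" and "sepecify" should be "specify"; both are generator template text, so fix them once in the template.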
@@ -107561,28 +199303,6 @@ index 5061a5f..017254a 100644 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type ypbind_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B var_yp_t -+ -+ /var/yp(/.*)? -+.br -+ -+.br -+.B ypbind_tmp_t -+ -+ -+.br -+.B ypbind_var_run_t -+ -+ /var/run/ypbind.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -107593,6 +199313,9 @@ index 5061a5f..017254a 100644 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -107605,13 +199328,15 @@ index 5061a5f..017254a 100644 .SH "SEE ALSO" -selinux(8), ypbind(8), chcon(1), setsebool(8) +selinux(8), ypbind(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/yppasswdd_selinux.8 b/man/man8/yppasswdd_selinux.8 new file mode 100644 -index 0000000..dc85345 +index 0000000..f51bc06 --- /dev/null +++ b/man/man8/yppasswdd_selinux.8 -@@ -0,0 +1,124 @@ -+.TH "yppasswdd_selinux" "8" "12-11-01" "yppasswdd" "SELinux Policy documentation for yppasswdd" +@@ -0,0 +1,223 @@ ++.TH "yppasswdd_selinux" "8" "13-01-16" "yppasswdd" "SELinux Policy documentation for yppasswdd" +.SH "NAME" +yppasswdd_selinux \- Security Enhanced Linux Policy for the yppasswdd processes +.SH "DESCRIPTION" 
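Review bot: the SEE ALSO addition `++, setsebool(8)` puts the new reference on its own line beginning with a comma, so troff joins it as "sepolicy(8) , setsebool(8)" with a space before the comma; append it to the existing reference line instead. The generated file also still ends with "\ No newline at end of file", and the new `.B semanage boolean` entry ("can also be used to manipulate the booleans") lacks the terminating period that the `semanage module` entry next to it has.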
@@ -107627,7 +199352,9 @@ index 0000000..dc85345 + +.SH "ENTRYPOINTS" + -+The yppasswdd_t SELinux type can be entered via the "yppasswdd_exec_t" file type. The default entrypoint paths for the yppasswdd_t domain are the following:" ++The yppasswdd_t SELinux type can be entered via the \fByppasswdd_exec_t\fP file type. ++ ++The default entrypoint paths for the yppasswdd_t domain are the following: + +/usr/sbin/rpc\.yppasswdd, /usr/sbin/rpc\.yppasswdd\.env +.SH PROCESS TYPES 
@@ -107645,54 +199372,98 @@ index 0000000..dc85345 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a yppasswdd_t ++can be used to make the process type yppasswdd_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux yppasswdd policy is very flexible allowing users to setup their yppasswdd processes in as secure a method as possible. -+.PP -+The following file types are defined for yppasswdd: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. yppasswdd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run yppasswdd with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B yppasswdd_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the yppasswdd_exec_t type, if you want to transition an executable to the yppasswdd_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B yppasswdd_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the yppasswdd_var_run_t type, if you want to store the yppasswdd files under the /run directory. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + +The SELinux process type yppasswdd_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B shadow_t + + /etc/shadow.* +.br + /etc/gshadow.* +.br ++ /etc/nshadow.* ++.br + /var/db/shadow.* +.br + /etc/security/opasswd 
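Review bot: root_t with the paths "/" and "/initrd" now appears under MANAGED FILES for yppasswdd_t (and for the other regenerated pages), which reads as if the daemon may write anywhere under / unconditionally. That access is presumably the corefile write that the daemons_dump_core boolean documented just above gates, and that boolean is "Disabled by default", so the list should either mark the root_t entry as conditional on daemons_dump_core or omit conditional rules; as written the page overstates the domain's write access, which is exactly the information an admin reads this section for.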
@@ -107712,7 +199483,56 @@ index 0000000..dc85345 + /var/run/yppass.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux yppasswdd policy is very flexible allowing users to setup their yppasswdd processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the yppasswdd, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t yppasswdd_exec_t '/srv/yppasswdd/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myyppasswdd_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for yppasswdd: ++ ++ ++.EX ++.PP ++.B yppasswdd_exec_t ++.EE ++ ++- Set files with the yppasswdd_exec_t type, if you want to transition an executable to the yppasswdd_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/rpc\.yppasswdd, /usr/sbin/rpc\.yppasswdd\.env ++ ++.EX ++.PP ++.B yppasswdd_var_run_t ++.EE ++ ++- Set files with the yppasswdd_var_run_t type, if you want to store the yppasswdd files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
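Review bot: `\fBls\bP` in the regenerated FILE CONTEXTS text ("You can see the context of a file using the \fB\-Z\fP option to \fBls\bP") is a troff escape typo: `\b` is the bracket-building escape, not a font change, so the font is never restored and groff produces garbled output for the rest of the paragraph; it must be `\fBls\fP`. This is template text, so the same error is present in every *_selinux.8 page in this patch (ypbind, ypserv, ypxfr, zabbix_agent, zabbix) and should be fixed in the generator rather than per page.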
@@ -107724,6 +199544,9 @@ index 0000000..dc85345 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -107735,13 +199558,15 @@ index 0000000..dc85345 + +.SH "SEE ALSO" +selinux(8), yppasswdd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ypserv_selinux.8 b/man/man8/ypserv_selinux.8 new file mode 100644 -index 0000000..b34ed73 +index 0000000..ef89fa6 --- /dev/null +++ b/man/man8/ypserv_selinux.8 -@@ -0,0 +1,130 @@ -+.TH "ypserv_selinux" "8" "12-11-01" "ypserv" "SELinux Policy documentation for ypserv" +@@ -0,0 +1,223 @@ ++.TH "ypserv_selinux" "8" "13-01-16" "ypserv" "SELinux Policy documentation for ypserv" +.SH "NAME" +ypserv_selinux \- Security Enhanced Linux Policy for the ypserv processes +.SH "DESCRIPTION" @@ -107757,7 +199582,9 @@ index 0000000..b34ed73 + +.SH "ENTRYPOINTS" + -+The ypserv_t SELinux type can be entered via the "ypserv_exec_t" file type. The default entrypoint paths for the ypserv_t domain are the following:" ++The ypserv_t SELinux type can be entered via the \fBypserv_exec_t\fP file type. ++ ++The default entrypoint paths for the ypserv_t domain are the following: + +/usr/sbin/ypserv +.SH PROCESS TYPES 
@@ -107775,8 +199602,104 @@ index 0000000..b34ed73 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ypserv_t ++can be used to make the process type ypserv_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ypserv policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ypserv with the tightest access possible. ++ ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type ypserv_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B var_yp_t ++ ++ /var/yp(/.*)? ++.br ++ ++.br ++.B ypserv_tmp_t ++ ++ ++.br ++.B ypserv_var_run_t ++ ++ /var/run/ypserv.* ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -107786,7 +199709,20 @@ index 0000000..b34ed73 +Policy governs the access confined processes have to these files. +SELinux ypserv policy is very flexible allowing users to setup their ypserv processes in as secure a method as possible. +.PP -+The following file types are defined for ypserv: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ypserv, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ypserv_conf_t '/srv/ypserv/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myypserv_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ypserv: + + +.EX 
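Review bot: the ypserv_tmp_t entry under MANAGED FILES has no paths at all (only blank lines between `.B ypserv_tmp_t` and `.B ypserv_var_run_t`), and ypbind_tmp_t on the ypbind page above has the same empty block. If the type has no file_contexts entry because files get it only by type transition under /tmp, the page should say so rather than print an empty entry, which reads as a generation bug and tells the reader nothing about where the domain writes its temporary files.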
@@ -107818,7 +199754,7 @@ index 0000000..b34ed73 +.B ypserv_var_run_t +.EE + -+- Set files with the ypserv_var_run_t type, if you want to store the ypserv files under the /run directory. ++- Set files with the ypserv_var_run_t type, if you want to store the ypserv files under the /run or /var/run directory. + + +.PP @@ -107828,28 +199764,6 @@ index 0000000..b34ed73 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type ypserv_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B var_yp_t -+ -+ /var/yp(/.*)? -+.br -+ -+.br -+.B ypserv_tmp_t -+ -+ -+.br -+.B ypserv_var_run_t -+ -+ /var/run/ypserv.* -+.br -+ -+.SH NSSWITCH DOMAIN -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -107860,6 +199774,9 @@ index 0000000..b34ed73 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -107871,13 +199788,15 @@ index 0000000..b34ed73 + +.SH "SEE ALSO" +selinux(8), ypserv(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/ypxfr_selinux.8 b/man/man8/ypxfr_selinux.8 new file mode 100644 -index 0000000..ca3f8ec +index 0000000..f8a58a7 --- /dev/null +++ b/man/man8/ypxfr_selinux.8 -@@ -0,0 +1,110 @@ -+.TH "ypxfr_selinux" "8" "12-11-01" "ypxfr" "SELinux Policy documentation for ypxfr" +@@ -0,0 +1,207 @@ ++.TH "ypxfr_selinux" "8" "13-01-16" "ypxfr" "SELinux Policy documentation for ypxfr" +.SH "NAME" +ypxfr_selinux \- Security Enhanced Linux Policy for the ypxfr processes +.SH "DESCRIPTION" 
@@ -107893,7 +199812,9 @@ index 0000000..ca3f8ec + +.SH "ENTRYPOINTS" + -+The ypxfr_t SELinux type can be entered via the "ypxfr_exec_t" file type. The default entrypoint paths for the ypxfr_t domain are the following:" ++The ypxfr_t SELinux type can be entered via the \fBypxfr_exec_t\fP file type. ++ ++The default entrypoint paths for the ypxfr_t domain are the following: + +/usr/lib/yp/ypxfr, /usr/sbin/rpc\.ypxfrd +.SH PROCESS TYPES 
@@ -107911,48 +199832,90 @@ index 0000000..ca3f8ec +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a ypxfr_t ++can be used to make the process type ypxfr_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux ypxfr policy is very flexible allowing users to setup their ypxfr processes in as secure a method as possible. -+.PP -+The following file types are defined for ypxfr: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. ypxfr policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ypxfr with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B ypxfr_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the ypxfr_exec_t type, if you want to transition an executable to the ypxfr_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B ypxfr_var_run_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the ypxfr_var_run_t type, if you want to store the ypxfr files under the /run directory. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. 
+ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.SH "MANAGED FILES" + +The SELinux process type ypxfr_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B var_yp_t + + /var/yp(/.*)? 
@@ -107964,7 +199927,56 @@ index 0000000..ca3f8ec + /var/run/ypxfrd.* +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux ypxfr policy is very flexible allowing users to setup their ypxfr processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the ypxfr, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t ypxfr_exec_t '/srv/ypxfr/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myypxfr_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for ypxfr: ++ ++ ++.EX ++.PP ++.B ypxfr_exec_t ++.EE ++ ++- Set files with the ypxfr_exec_t type, if you want to transition an executable to the ypxfr_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/lib/yp/ypxfr, /usr/sbin/rpc\.ypxfrd ++ ++.EX ++.PP ++.B ypxfr_var_run_t ++.EE ++ ++- Set files with the ypxfr_var_run_t type, if you want to store the ypxfr files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -107976,6 +199988,9 @@ index 0000000..ca3f8ec +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -107987,13 +200002,15 @@ index 0000000..ca3f8ec + +.SH "SEE ALSO" +selinux(8), ypxfr(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/zabbix_agent_selinux.8 b/man/man8/zabbix_agent_selinux.8 new file mode 100644 -index 0000000..e7df99d +index 0000000..c9affd7 --- /dev/null +++ b/man/man8/zabbix_agent_selinux.8 -@@ -0,0 +1,141 @@ -+.TH "zabbix_agent_selinux" "8" "12-11-01" "zabbix_agent" "SELinux Policy documentation for zabbix_agent" +@@ -0,0 +1,239 @@ ++.TH "zabbix_agent_selinux" "8" "13-01-16" "zabbix_agent" "SELinux Policy documentation for zabbix_agent" +.SH "NAME" +zabbix_agent_selinux \- Security Enhanced Linux Policy for the zabbix_agent processes +.SH "DESCRIPTION" @@ -108009,9 +200026,11 @@ index 0000000..e7df99d + +.SH "ENTRYPOINTS" + -+The zabbix_agent_t SELinux type can be entered via the "zabbix_agent_exec_t" file type. The default entrypoint paths for the zabbix_agent_t domain are the following:" ++The zabbix_agent_t SELinux type can be entered via the \fBzabbix_agent_exec_t\fP file type. + -+/usr/(s)?bin/zabbix_agentd ++The default entrypoint paths for the zabbix_agent_t domain are the following: ++ ++/usr/bin/zabbix_agentd, /usr/sbin/zabbix_agentd +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -108027,42 +200046,84 @@ index 0000000..e7df99d +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a zabbix_agent_t ++can be used to make the process type zabbix_agent_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux zabbix_agent policy is very flexible allowing users to setup their zabbix_agent processes in as secure a method as possible. -+.PP -+The following file types are defined for zabbix_agent: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. zabbix_agent policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zabbix_agent with the tightest access possible. + + ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ +.EX -+.PP -+.B zabbix_agent_exec_t ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+- Set files with the zabbix_agent_exec_t type, if you want to transition an executable to the zabbix_agent_t domain. -+ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B zabbix_agent_initrc_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the zabbix_agent_initrc_exec_t type, if you want to transition an executable to the zabbix_agent_initrc_t domain. 
++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. 
@@ -108092,9 +200153,11 @@ index 0000000..e7df99d +The SELinux process type zabbix_agent_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B zabbix_log_t ++.B root_t + -+ /var/log/zabbix(/.*)? ++ / ++.br ++ /initrd +.br + +.br 
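Review bot: please confirm zabbix_log_t is still listed under MANAGED FILES further down, because in this hunk its `/var/log/zabbix(/.*)?` entry is replaced by `root_t` (/ and /initrd) and the rest of the list is outside the hunk; the list looks alphabetical so it may simply have moved, but if it was dropped the agent's own log directory has silently vanished from the page while the far broader root_t entry (which, as on the other pages, should be marked as conditional on daemons_dump_core) was added.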
@@ -108107,7 +200170,56 @@ index 0000000..e7df99d + /var/run/zabbix(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux zabbix_agent policy is very flexible allowing users to setup their zabbix_agent processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the zabbix_agent, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t zabbix_agent_exec_t '/srv/zabbix_agent/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myzabbix_agent_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for zabbix_agent: ++ ++ ++.EX ++.PP ++.B zabbix_agent_exec_t ++.EE ++ ++- Set files with the zabbix_agent_exec_t type, if you want to transition an executable to the zabbix_agent_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/zabbix_agentd, /usr/sbin/zabbix_agentd ++ ++.EX ++.PP ++.B zabbix_agent_initrc_exec_t ++.EE ++ ++- Set files with the zabbix_agent_initrc_exec_t type, if you want to transition an executable to the zabbix_agent_initrc_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext 
@@ -108122,6 +200234,9 @@ index 0000000..e7df99d +.B semanage port +can also be used to manipulate the port definitions + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -108133,15 +200248,15 @@ index 0000000..e7df99d + +.SH "SEE ALSO" +selinux(8), zabbix_agent(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, zabbix_selinux(8), zabbix_selinux(8) ++, setsebool(8), zabbix_selinux(8), zabbix_selinux(8) \ No newline at end of file diff --git a/man/man8/zabbix_selinux.8 b/man/man8/zabbix_selinux.8 new file mode 100644 -index 0000000..ed7cfcc +index 0000000..1f972b0 --- /dev/null +++ b/man/man8/zabbix_selinux.8 -@@ -0,0 +1,253 @@ -+.TH "zabbix_selinux" "8" "12-11-01" "zabbix" "SELinux Policy documentation for zabbix" +@@ -0,0 +1,354 @@ ++.TH "zabbix_selinux" "8" "13-01-16" "zabbix" "SELinux Policy documentation for zabbix" +.SH "NAME" +zabbix_selinux \- Security Enhanced Linux Policy for the zabbix processes +.SH "DESCRIPTION" @@ -108157,9 +200272,11 @@ index 0000000..ed7cfcc + +.SH "ENTRYPOINTS" + -+The zabbix_t SELinux type can be entered via the "zabbix_exec_t" file type. The default entrypoint paths for the zabbix_t domain are the following:" ++The zabbix_t SELinux type can be entered via the \fBzabbix_exec_t\fP file type. + -+/usr/(s)?bin/zabbix_server, /usr/sbin/zabbix_server_mysql, /usr/sbin/zabbix_server_pgsql, /usr/sbin/zabbix_server_sqlite3 ++The default entrypoint paths for the zabbix_t domain are the following: ++ ++/usr/bin/zabbix_server, /usr/sbin/zabbix_server, /usr/sbin/zabbix_server_mysql, /usr/sbin/zabbix_server_pgsql, /usr/sbin/zabbix_server_sqlite3 +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
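Review bot: the SEE ALSO line for zabbix_agent_selinux.8 still lists zabbix_selinux(8) twice (`++, setsebool(8), zabbix_selinux(8), zabbix_selinux(8)`); the duplicate was already in the old line, so the generator should de-duplicate references before emitting them. As on the other pages, the continuation line starts with a comma and will render with a stray space before it.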
@@ -108175,122 +200292,132 @@ index 0000000..ed7cfcc +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a zabbix_t ++can be used to make the process type zabbix_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. zabbix policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zabbix with the tightest access possible. + + +.PP -+If you want to allow zabbix to connect to unreserved ports, you must turn on the zabbix_can_network boolean. ++If you want to determine whether zabbix can connect to all TCP ports, you must turn on the zabbix_can_network boolean. Disabled by default. + +.EX +.B setsebool -P zabbix_can_network 1 ++ +.EE + +.PP -+If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_can_connect_zabbix 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow zabbix to connect to unreserved ports, you must turn on the zabbix_can_network boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P zabbix_can_network 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + +.PP -+If you want to allow http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean. 
++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.B setsebool -P httpd_can_connect_zabbix 1 ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux zabbix policy is very flexible allowing users to setup their zabbix processes in as secure a method as possible. -+.PP -+The following file types are defined for zabbix: -+ ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B zabbix_agent_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the zabbix_agent_exec_t type, if you want to transition an executable to the zabbix_agent_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B zabbix_agent_initrc_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the zabbix_agent_initrc_exec_t type, if you want to transition an executable to the zabbix_agent_initrc_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B zabbix_exec_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the zabbix_exec_t type, if you want to transition an executable to the zabbix_t domain. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. 
+ +.EX -+.PP -+.B zabbix_initrc_exec_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the zabbix_initrc_exec_t type, if you want to transition an executable to the zabbix_initrc_t domain. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B zabbix_log_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the zabbix_log_t type, if you want to treat the data as zabbix log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B zabbix_tmp_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the zabbix_tmp_t type, if you want to store zabbix temporary files in the /tmp directories. -+ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + +.EX -+.PP -+.B zabbix_tmpfs_t ++.B setsebool -P kerberos_enabled 1 ++ +.EE + -+- Set files with the zabbix_tmpfs_t type, if you want to store zabbix files on a tmpfs file system. -+ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. + +.EX -+.PP -+.B zabbix_var_run_t ++.B setsebool -P nis_enabled 1 ++ +.EE + -+- Set files with the zabbix_var_run_t type, if you want to store the zabbix files under the /run directory. ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. + ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. 
You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the zabbix_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zabbix_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -108331,9 +200458,11 @@ index 0000000..ed7cfcc +The SELinux process type zabbix_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br -+.B zabbix_log_t ++.B root_t + -+ /var/log/zabbix(/.*)? ++ / ++.br ++ /initrd +.br + +.br 
@@ -108350,21 +200479,108 @@ index 0000000..ed7cfcc + /var/run/zabbix(/.*)? +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux zabbix policy is very flexible allowing users to setup their zabbix processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zabbix_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the zabbix, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t zabbix_agent_exec_t '/srv/zabbix/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myzabbix_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for zabbix: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B zabbix_agent_exec_t +.EE + ++- Set files with the zabbix_agent_exec_t type, if you want to transition an executable to the zabbix_agent_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/zabbix_agentd, /usr/sbin/zabbix_agentd ++ ++.EX ++.PP ++.B zabbix_agent_initrc_exec_t ++.EE ++ ++- Set files with the zabbix_agent_initrc_exec_t type, if you want to transition an executable to the zabbix_agent_initrc_t domain. ++ ++ ++.EX ++.PP ++.B zabbix_exec_t ++.EE ++ ++- Set files with the zabbix_exec_t type, if you want to transition an executable to the zabbix_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/usr/bin/zabbix_server, /usr/sbin/zabbix_server, /usr/sbin/zabbix_server_mysql, /usr/sbin/zabbix_server_pgsql, /usr/sbin/zabbix_server_sqlite3 ++ ++.EX ++.PP ++.B zabbix_initrc_exec_t ++.EE ++ ++- Set files with the zabbix_initrc_exec_t type, if you want to transition an executable to the zabbix_initrc_t domain. ++ ++ ++.EX ++.PP ++.B zabbix_log_t ++.EE ++ ++- Set files with the zabbix_log_t type, if you want to treat the data as zabbix log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B zabbix_tmp_t ++.EE ++ ++- Set files with the zabbix_tmp_t type, if you want to store zabbix temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B zabbix_tmpfs_t ++.EE ++ ++- Set files with the zabbix_tmpfs_t type, if you want to store zabbix files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B zabbix_var_run_t ++.EE ++ ++- Set files with the zabbix_var_run_t type, if you want to store the zabbix files under the /run or /var/run directory. ++ ++ +.PP -+If you want to allow confined applications to run with kerberos for the zabbix_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -108397,11 +200613,11 @@ index 0000000..ed7cfcc \ No newline at end of file diff --git a/man/man8/zarafa_deliver_selinux.8 b/man/man8/zarafa_deliver_selinux.8 new file mode 100644 -index 0000000..a840dc6 +index 0000000..7453de1 --- /dev/null 
+++ b/man/man8/zarafa_deliver_selinux.8 -@@ -0,0 +1,145 @@ -+.TH "zarafa_deliver_selinux" "8" "12-11-01" "zarafa_deliver" "SELinux Policy documentation for zarafa_deliver" +@@ -0,0 +1,271 @@ ++.TH "zarafa_deliver_selinux" "8" "13-01-16" "zarafa_deliver" "SELinux Policy documentation for zarafa_deliver" +.SH "NAME" +zarafa_deliver_selinux \- Security Enhanced Linux Policy for the zarafa_deliver processes +.SH "DESCRIPTION" @@ -108417,7 +200633,9 @@ index 0000000..a840dc6 + +.SH "ENTRYPOINTS" + -+The zarafa_deliver_t SELinux type can be entered via the "zarafa_deliver_exec_t" file type. The default entrypoint paths for the zarafa_deliver_t domain are the following:" ++The zarafa_deliver_t SELinux type can be entered via the \fBzarafa_deliver_exec_t\fP file type. ++ ++The default entrypoint paths for the zarafa_deliver_t domain are the following: + +/usr/bin/zarafa-dagent +.SH PROCESS TYPES 
@@ -108435,8 +200653,152 @@ index 0000000..a840dc6 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a zarafa_deliver_t ++can be used to make the process type zarafa_deliver_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. zarafa_deliver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zarafa_deliver with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the zarafa_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zarafa_deliver_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type zarafa_deliver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B zarafa_deliver_log_t ++ ++ /var/log/zarafa/dagent\.log.* ++.br ++ ++.br ++.B zarafa_deliver_tmp_t ++ ++ ++.br ++.B zarafa_deliver_var_run_t ++ ++ /var/run/zarafa-dagent\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -108446,7 +200808,20 @@ index 0000000..a840dc6 +Policy governs the access confined processes have to these files. +SELinux zarafa_deliver policy is very flexible allowing users to setup their zarafa_deliver processes in as secure a method as possible. +.PP -+The following file types are defined for zarafa_deliver: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the zarafa_deliver, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t zarafa_deliver_exec_t '/srv/zarafa_deliver/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myzarafa_deliver_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for zarafa_deliver: + + +.EX @@ -108478,7 +200853,7 @@ index 0000000..a840dc6 +.B zarafa_deliver_var_run_t +.EE + -+- Set files with the zarafa_deliver_var_run_t type, if you want to store the zarafa deliver files under the /run directory. ++- Set files with the zarafa_deliver_var_run_t type, if you want to store the zarafa deliver files under the /run or /var/run directory. + + +.PP 
@@ -108488,42 +200863,6 @@ index 0000000..a840dc6 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type zarafa_deliver_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B zarafa_deliver_log_t -+ -+ /var/log/zarafa/dagent\.log.* -+.br -+ -+.br -+.B zarafa_deliver_tmp_t -+ -+ -+.br -+.B zarafa_deliver_var_run_t -+ -+ /var/run/zarafa-dagent\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the zarafa_deliver_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -108534,6 +200873,9 @@ index 0000000..a840dc6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -108545,15 +200887,15 @@ index 0000000..a840dc6 + +.SH "SEE ALSO" +selinux(8), zarafa_deliver(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8) ++, setsebool(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8) \ No newline at end of file 
diff --git a/man/man8/zarafa_gateway_selinux.8 b/man/man8/zarafa_gateway_selinux.8 new file mode 100644 -index 0000000..e4eeeb5 +index 0000000..273b2ef --- /dev/null +++ b/man/man8/zarafa_gateway_selinux.8 -@@ -0,0 +1,133 @@ -+.TH "zarafa_gateway_selinux" "8" "12-11-01" "zarafa_gateway" "SELinux Policy documentation for zarafa_gateway" +@@ -0,0 +1,259 @@ ++.TH "zarafa_gateway_selinux" "8" "13-01-16" "zarafa_gateway" "SELinux Policy documentation for zarafa_gateway" +.SH "NAME" +zarafa_gateway_selinux \- Security Enhanced Linux Policy for the zarafa_gateway processes +.SH "DESCRIPTION" @@ -108569,7 +200911,9 @@ index 0000000..e4eeeb5 + +.SH "ENTRYPOINTS" + -+The zarafa_gateway_t SELinux type can be entered via the "zarafa_gateway_exec_t" file type. The default entrypoint paths for the zarafa_gateway_t domain are the following:" ++The zarafa_gateway_t SELinux type can be entered via the \fBzarafa_gateway_exec_t\fP file type. ++ ++The default entrypoint paths for the zarafa_gateway_t domain are the following: + +/usr/bin/zarafa-gateway +.SH PROCESS TYPES 
@@ -108587,8 +200931,148 @@ index 0000000..e4eeeb5 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a zarafa_gateway_t ++can be used to make the process type zarafa_gateway_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. zarafa_gateway policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zarafa_gateway with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the zarafa_gateway_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zarafa_gateway_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type zarafa_gateway_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B zarafa_gateway_log_t ++ ++ /var/log/zarafa/gateway\.log.* ++.br ++ ++.br ++.B zarafa_gateway_var_run_t ++ ++ /var/run/zarafa-gateway\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -108598,7 +201082,20 @@ index 0000000..e4eeeb5 +Policy governs the access confined processes have to these files. +SELinux zarafa_gateway policy is very flexible allowing users to setup their zarafa_gateway processes in as secure a method as possible. +.PP -+The following file types are defined for zarafa_gateway: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the zarafa_gateway, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t zarafa_gateway_exec_t '/srv/zarafa_gateway/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myzarafa_gateway_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for zarafa_gateway: + + +.EX @@ -108622,7 +201119,7 @@ index 0000000..e4eeeb5 +.B zarafa_gateway_var_run_t +.EE + -+- Set files with the zarafa_gateway_var_run_t type, if you want to store the zarafa gateway files under the /run directory. ++- Set files with the zarafa_gateway_var_run_t type, if you want to store the zarafa gateway files under the /run or /var/run directory. + + +.PP 
@@ -108632,38 +201129,6 @@ index 0000000..e4eeeb5 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type zarafa_gateway_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B zarafa_gateway_log_t -+ -+ /var/log/zarafa/gateway\.log.* -+.br -+ -+.br -+.B zarafa_gateway_var_run_t -+ -+ /var/run/zarafa-gateway\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_gateway_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the zarafa_gateway_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -108674,6 +201139,9 @@ index 0000000..e4eeeb5 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -108685,15 +201153,15 @@ index 0000000..e4eeeb5 + +.SH "SEE ALSO" +selinux(8), zarafa_gateway(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, zarafa_deliver_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8) ++, setsebool(8), zarafa_deliver_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8) \ No newline at end of file 
diff --git a/man/man8/zarafa_ical_selinux.8 b/man/man8/zarafa_ical_selinux.8 new file mode 100644 -index 0000000..08fcb78 +index 0000000..2b259d5 --- /dev/null +++ b/man/man8/zarafa_ical_selinux.8 -@@ -0,0 +1,133 @@ -+.TH "zarafa_ical_selinux" "8" "12-11-01" "zarafa_ical" "SELinux Policy documentation for zarafa_ical" +@@ -0,0 +1,259 @@ ++.TH "zarafa_ical_selinux" "8" "13-01-16" "zarafa_ical" "SELinux Policy documentation for zarafa_ical" +.SH "NAME" +zarafa_ical_selinux \- Security Enhanced Linux Policy for the zarafa_ical processes +.SH "DESCRIPTION" @@ -108709,7 +201177,9 @@ index 0000000..08fcb78 + +.SH "ENTRYPOINTS" + -+The zarafa_ical_t SELinux type can be entered via the "zarafa_ical_exec_t" file type. The default entrypoint paths for the zarafa_ical_t domain are the following:" ++The zarafa_ical_t SELinux type can be entered via the \fBzarafa_ical_exec_t\fP file type. ++ ++The default entrypoint paths for the zarafa_ical_t domain are the following: + +/usr/bin/zarafa-ical +.SH PROCESS TYPES 
@@ -108727,8 +201197,148 @@ index 0000000..08fcb78 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a zarafa_ical_t ++can be used to make the process type zarafa_ical_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. zarafa_ical policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zarafa_ical with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the zarafa_ical_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zarafa_ical_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type zarafa_ical_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B zarafa_ical_log_t ++ ++ /var/log/zarafa/ical\.log.* ++.br ++ ++.br ++.B zarafa_ical_var_run_t ++ ++ /var/run/zarafa-ical\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -108738,7 +201348,20 @@ index 0000000..08fcb78 +Policy governs the access confined processes have to these files. +SELinux zarafa_ical policy is very flexible allowing users to setup their zarafa_ical processes in as secure a method as possible. +.PP -+The following file types are defined for zarafa_ical: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the zarafa_ical, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t zarafa_ical_exec_t '/srv/zarafa_ical/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myzarafa_ical_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for zarafa_ical: + + +.EX @@ -108762,7 +201385,7 @@ index 0000000..08fcb78 +.B zarafa_ical_var_run_t +.EE + -+- Set files with the zarafa_ical_var_run_t type, if you want to store the zarafa ical files under the /run directory. ++- Set files with the zarafa_ical_var_run_t type, if you want to store the zarafa ical files under the /run or /var/run directory. + + +.PP 
@@ -108772,38 +201395,6 @@ index 0000000..08fcb78 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type zarafa_ical_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B zarafa_ical_log_t -+ -+ /var/log/zarafa/ical\.log.* -+.br -+ -+.br -+.B zarafa_ical_var_run_t -+ -+ /var/run/zarafa-ical\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_ical_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the zarafa_ical_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -108814,6 +201405,9 @@ index 0000000..08fcb78 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -108825,15 +201419,15 @@ index 0000000..08fcb78 + +.SH "SEE ALSO" +selinux(8), zarafa_ical(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8) ++, setsebool(8), zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8) \ No newline at end of file 
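Review bot: the STANDARD FILE CONTEXT example added to zarafa_ical_selinux.8 (hunk @@ -108738,7 +201348,20 @@) labels a data directory with the domain's entrypoint type and then restores labels on a different path: `semanage fcontext -a -t zarafa_ical_exec_t '/srv/zarafa_ical/content(/.*)?'` is followed by `restorecon -R -v /srv/myzarafa_ical_content`. Every file under a path labeled zarafa_ical_exec_t becomes a valid entrypoint into zarafa_ical_t, which is the opposite of what an administrator relocating content wants; the example should use a data type the page already defines (zarafa_ical_log_t or zarafa_ical_var_run_t), and the restorecon argument should match the pattern handed to semanage. The identical template text reappears in the indexer, monitor and server pages further down, so the fix belongs in the generator template rather than in each file.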
diff --git a/man/man8/zarafa_indexer_selinux.8 b/man/man8/zarafa_indexer_selinux.8 new file mode 100644 -index 0000000..72df8d0 +index 0000000..1d88552 --- /dev/null +++ b/man/man8/zarafa_indexer_selinux.8 -@@ -0,0 +1,155 @@ -+.TH "zarafa_indexer_selinux" "8" "12-11-01" "zarafa_indexer" "SELinux Policy documentation for zarafa_indexer" +@@ -0,0 +1,287 @@ ++.TH "zarafa_indexer_selinux" "8" "13-01-16" "zarafa_indexer" "SELinux Policy documentation for zarafa_indexer" +.SH "NAME" +zarafa_indexer_selinux \- Security Enhanced Linux Policy for the zarafa_indexer processes +.SH "DESCRIPTION" @@ -108849,7 +201443,9 @@ index 0000000..72df8d0 + +.SH "ENTRYPOINTS" + -+The zarafa_indexer_t SELinux type can be entered via the "zarafa_indexer_exec_t" file type. The default entrypoint paths for the zarafa_indexer_t domain are the following:" ++The zarafa_indexer_t SELinux type can be entered via the \fBzarafa_indexer_exec_t\fP file type. ++ ++The default entrypoint paths for the zarafa_indexer_t domain are the following: + +/usr/bin/zarafa-indexer +.SH PROCESS TYPES 
@@ -108867,8 +201463,164 @@ index 0000000..72df8d0 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a zarafa_indexer_t ++can be used to make the process type zarafa_indexer_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. zarafa_indexer policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zarafa_indexer with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the zarafa_indexer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zarafa_indexer_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type zarafa_indexer_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B zarafa_indexer_log_t ++ ++ /var/log/zarafa/indexer\.log.* ++.br ++ ++.br ++.B zarafa_indexer_tmp_t ++ ++ ++.br ++.B zarafa_indexer_var_run_t ++ ++ /var/run/zarafa-indexer ++.br ++ /var/run/zarafa-indexer\.pid ++.br ++ ++.br ++.B zarafa_var_lib_t ++ ++ /var/lib/zarafa(/.*)? ++.br ++ /var/lib/zarafa-webapp(/.*)? ++.br ++ /var/lib/zarafa-webaccess(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -108878,7 +201630,20 @@ index 0000000..72df8d0 +Policy governs the access confined processes have to these files. +SELinux zarafa_indexer policy is very flexible allowing users to setup their zarafa_indexer processes in as secure a method as possible. +.PP -+The following file types are defined for zarafa_indexer: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the zarafa_indexer, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t zarafa_indexer_exec_t '/srv/zarafa_indexer/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myzarafa_indexer_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for zarafa_indexer: + + +.EX 
@@ -108910,8 +201675,12 @@ index 0000000..72df8d0 +.B zarafa_indexer_var_run_t +.EE + -+- Set files with the zarafa_indexer_var_run_t type, if you want to store the zarafa indexer files under the /run directory. ++- Set files with the zarafa_indexer_var_run_t type, if you want to store the zarafa indexer files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/zarafa-indexer, /var/run/zarafa-indexer\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -108920,52 +201689,6 @@ index 0000000..72df8d0 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type zarafa_indexer_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B zarafa_indexer_log_t -+ -+ /var/log/zarafa/indexer\.log.* -+.br -+ -+.br -+.B zarafa_indexer_tmp_t -+ -+ -+.br -+.B zarafa_indexer_var_run_t -+ -+ /var/run/zarafa-indexer -+.br -+ /var/run/zarafa-indexer\.pid -+.br -+ -+.br -+.B zarafa_var_lib_t -+ -+ /var/lib/zarafa(/.*)? -+.br -+ /var/lib/zarafa-webaccess(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_indexer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the zarafa_indexer_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -108976,6 +201699,9 @@ index 0000000..72df8d0 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -108987,15 +201713,15 @@ index 0000000..72df8d0 + +.SH "SEE ALSO" +selinux(8), zarafa_indexer(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8) ++, setsebool(8), zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8) \ No newline at end of file diff --git a/man/man8/zarafa_monitor_selinux.8 b/man/man8/zarafa_monitor_selinux.8 new file mode 100644 -index 0000000..c563b1e +index 0000000..3c133a4 --- /dev/null +++ b/man/man8/zarafa_monitor_selinux.8 -@@ -0,0 +1,133 @@ -+.TH "zarafa_monitor_selinux" "8" "12-11-01" "zarafa_monitor" "SELinux Policy documentation for zarafa_monitor" +@@ -0,0 +1,259 @@ ++.TH "zarafa_monitor_selinux" "8" "13-01-16" "zarafa_monitor" "SELinux Policy documentation for zarafa_monitor" +.SH "NAME" +zarafa_monitor_selinux \- Security Enhanced Linux Policy for the zarafa_monitor processes +.SH "DESCRIPTION" @@ -109011,7 +201737,9 @@ index 0000000..c563b1e + +.SH "ENTRYPOINTS" + -+The zarafa_monitor_t SELinux type can be entered via the "zarafa_monitor_exec_t" file type. The default entrypoint paths for the zarafa_monitor_t domain are the following:" ++The zarafa_monitor_t SELinux type can be entered via the \fBzarafa_monitor_exec_t\fP file type. ++ ++The default entrypoint paths for the zarafa_monitor_t domain are the following: + +/usr/bin/zarafa-monitor +.SH PROCESS TYPES 
@@ -109029,8 +201757,148 @@ index 0000000..c563b1e +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a zarafa_monitor_t ++can be used to make the process type zarafa_monitor_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. zarafa_monitor policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zarafa_monitor with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the zarafa_monitor_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zarafa_monitor_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type zarafa_monitor_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B zarafa_monitor_log_t ++ ++ /var/log/zarafa/monitor\.log.* ++.br ++ ++.br ++.B zarafa_monitor_var_run_t ++ ++ /var/run/zarafa-monitor\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -109040,7 +201908,20 @@ index 0000000..c563b1e +Policy governs the access confined processes have to these files. +SELinux zarafa_monitor policy is very flexible allowing users to setup their zarafa_monitor processes in as secure a method as possible. +.PP -+The following file types are defined for zarafa_monitor: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the zarafa_monitor, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t zarafa_monitor_exec_t '/srv/zarafa_monitor/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myzarafa_monitor_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for zarafa_monitor: + + +.EX @@ -109064,7 +201945,7 @@ index 0000000..c563b1e +.B zarafa_monitor_var_run_t +.EE + -+- Set files with the zarafa_monitor_var_run_t type, if you want to store the zarafa monitor files under the /run directory. ++- Set files with the zarafa_monitor_var_run_t type, if you want to store the zarafa monitor files under the /run or /var/run directory. + + +.PP 
@@ -109074,38 +201955,6 @@ index 0000000..c563b1e +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type zarafa_monitor_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B zarafa_monitor_log_t -+ -+ /var/log/zarafa/monitor\.log.* -+.br -+ -+.br -+.B zarafa_monitor_var_run_t -+ -+ /var/run/zarafa-monitor\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_monitor_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the zarafa_monitor_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -109116,6 +201965,9 @@ index 0000000..c563b1e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. 
@@ -109127,187 +201979,15 @@ index 0000000..c563b1e + +.SH "SEE ALSO" +selinux(8), zarafa_monitor(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8) -\ No newline at end of file -diff --git a/man/man8/zarafa_selinux.8 b/man/man8/zarafa_selinux.8 -new file mode 100644 -index 0000000..23c13e3 ---- /dev/null -+++ b/man/man8/zarafa_selinux.8 -@@ -0,0 +1,165 @@ -+.TH "zarafa_selinux" "8" "zarafa" "dwalsh@redhat.com" "zarafa SELinux Policy documentation" -+.SH "NAME" -+zarafa_selinux \- Security Enhanced Linux Policy for the zarafa processes -+.SH "DESCRIPTION" -+ -+Security-Enhanced Linux secures the zarafa processes via flexible mandatory access -+control. -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_deliver_t, zarafa_spooler_t, zarafa_gateway_t, zarafa_ical_t, zarafa_server_t, zarafa_monitor_t, zarafa_indexer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the zarafa_deliver_t, zarafa_spooler_t, zarafa_gateway_t, zarafa_ical_t, zarafa_server_t, zarafa_monitor_t, zarafa_indexer_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux zarafa policy is very flexible allowing users to setup their zarafa processes in as secure a method as possible. 
-+.PP -+The following file types are defined for zarafa: -+ -+ -+.EX -+.PP -+.B zarafa_deliver_exec_t -+.EE -+ -+- Set files with the zarafa_deliver_exec_t type, if you want to transition an executable to the zarafa_deliver_t domain. -+ -+ -+.EX -+.PP -+.B zarafa_deliver_log_t -+.EE -+ -+- Set files with the zarafa_deliver_log_t type, if you want to treat the data as zarafa deliver log data, usually stored under the /var/log directory. -+ -+ -+.EX -+.PP -+.B zarafa_deliver_tmp_t -+.EE -+ -+- Set files with the zarafa_deliver_tmp_t type, if you want to store zarafa deliver temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B zarafa_deliver_var_run_t -+.EE -+ -+- Set files with the zarafa_deliver_var_run_t type, if you want to store the zarafa deliver files under the /run directory. -+ -+ -+.EX -+.PP -+.B zarafa_etc_t -+.EE -+ -+- Set files with the zarafa_etc_t type, if you want to store zarafa files in the /etc directories. -+ -+ -+.EX -+.PP -+.B zarafa_gateway_exec_t -+.EE -+ -+- Set files with the zarafa_gateway_exec_t type, if you want to transition an executable to the zarafa_gateway_t domain. -+ -+ -+.EX -+.PP -+.B zarafa_gateway_log_t -+.EE -+ -+- Set files with the zarafa_gateway_log_t type, if you want to treat the data as zarafa gateway log data, usually stored under the /var/log directory. -+ -+ -+.EX -+.PP -+.B zarafa_gateway_var_run_t -+.EE -+ -+- Set files with the zarafa_gateway_var_run_t type, if you want to store the zarafa gateway files under the /run directory. -+ -+ -+.EX -+.PP -+.B zarafa_ical_exec_t -+.EE -+ -+- Set files with the zarafa_ical_exec_t type, if you want to transition an executable to the zarafa_ical_t domain. -+ -+ -+.EX -+.PP -+.B zarafa_ical_log_t -+.EE -+ -+- Set files with the zarafa_ical_log_t type, if you want to treat the data as zarafa ical log data, usually stored under the /var/log directory. 
-+ -+ -+.EX -+.PP -+.B zarafa_ical_var_run_t -+.EE -+ -+- Set files with the zarafa_ical_var_run_t type, if you want to store the zarafa ical files under the /run directory. -+ -+ -+.EX -+.PP -+.B zarafa_indexer_exec_t -+.EE -+ -+- Set files with the zarafa_indexer_exec_t type, if you want to transition an executable to the zarafa_indexer_t domain. -+ -+ -+.EX -+.PP -+.B zarafa_indexer_log_t -+.EE -+ -+- Set files with the zarafa_indexer_log_t type, if you want to treat the data as zarafa indexer log data, usually stored under the /var/log directory. -+ -+ -+.EX -+.PP -+.B zarafa_indexer_tmp_t -+.EE -+ -+- Set files with the zarafa_indexer_tmp_t type, if you want to store zarafa indexer temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B zarafa_indexer_var_run_t -+.EE -+ -+- Set files with the zarafa_indexer_var_run_t type, if you want to store the zarafa indexer files under the /run directory. -+ -+.br -+.TP 5 -+Paths: -+/var/run/zarafa-indexer\.pid, /var/run/zarafa-indexer -+ -+.EX -+.PP -+.B zarafa_monitor_exec_t -+.EE -+ -+- Set files with the zarafa_monitor_exec_t type, if you want to transition an execut ++, setsebool(8), zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_server_selinux(8), zarafa_spooler_selinux(8) \ No newline at end of file diff --git a/man/man8/zarafa_server_selinux.8 b/man/man8/zarafa_server_selinux.8 new file mode 100644 -index 0000000..09bb9df +index 0000000..fc4db8a --- /dev/null +++ b/man/man8/zarafa_server_selinux.8 -@@ -0,0 +1,155 @@ -+.TH "zarafa_server_selinux" "8" "12-11-01" "zarafa_server" "SELinux Policy documentation for zarafa_server" +@@ -0,0 +1,287 @@ ++.TH "zarafa_server_selinux" "8" "13-01-16" "zarafa_server" "SELinux Policy documentation for zarafa_server" +.SH "NAME" +zarafa_server_selinux \- Security Enhanced Linux Policy for the zarafa_server processes +.SH "DESCRIPTION" 
@@ -109323,7 +202003,9 @@ index 0000000..09bb9df + +.SH "ENTRYPOINTS" + -+The zarafa_server_t SELinux type can be entered via the "zarafa_server_exec_t" file type. The default entrypoint paths for the zarafa_server_t domain are the following:" ++The zarafa_server_t SELinux type can be entered via the \fBzarafa_server_exec_t\fP file type. ++ ++The default entrypoint paths for the zarafa_server_t domain are the following: + +/usr/bin/zarafa-server +.SH PROCESS TYPES 
@@ -109341,8 +202023,164 @@ index 0000000..09bb9df +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a zarafa_server_t ++can be used to make the process type zarafa_server_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. zarafa_server policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zarafa_server with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the zarafa_server_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zarafa_server_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type zarafa_server_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B zarafa_server_log_t ++ ++ /var/log/zarafa/server\.log.* ++.br ++ ++.br ++.B zarafa_server_tmp_t ++ ++ ++.br ++.B zarafa_server_var_run_t ++ ++ /var/run/zarafa ++.br ++ /var/run/zarafa-server\.pid ++.br ++ ++.br ++.B zarafa_var_lib_t ++ ++ /var/lib/zarafa(/.*)? ++.br ++ /var/lib/zarafa-webapp(/.*)? ++.br ++ /var/lib/zarafa-webaccess(/.*)? ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -109352,7 +202190,20 @@ index 0000000..09bb9df +Policy governs the access confined processes have to these files. +SELinux zarafa_server policy is very flexible allowing users to setup their zarafa_server processes in as secure a method as possible. +.PP -+The following file types are defined for zarafa_server: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the zarafa_server, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t zarafa_server_exec_t '/srv/zarafa_server/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myzarafa_server_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for zarafa_server: + + +.EX 
@@ -109384,8 +202235,12 @@ index 0000000..09bb9df +.B zarafa_server_var_run_t +.EE + -+- Set files with the zarafa_server_var_run_t type, if you want to store the zarafa server files under the /run directory. ++- Set files with the zarafa_server_var_run_t type, if you want to store the zarafa server files under the /run or /var/run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/zarafa, /var/run/zarafa-server\.pid + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the @@ -109394,52 +202249,6 @@ index 0000000..09bb9df +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type zarafa_server_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B zarafa_server_log_t -+ -+ /var/log/zarafa/server\.log.* -+.br -+ -+.br -+.B zarafa_server_tmp_t -+ -+ -+.br -+.B zarafa_server_var_run_t -+ -+ /var/run/zarafa -+.br -+ /var/run/zarafa-server\.pid -+.br -+ -+.br -+.B zarafa_var_lib_t -+ -+ /var/lib/zarafa(/.*)? -+.br -+ /var/lib/zarafa-webaccess(/.*)? -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_server_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the zarafa_server_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -109450,6 +202259,9 @@ index 0000000..09bb9df +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -109461,15 +202273,15 @@ index 0000000..09bb9df + +.SH "SEE ALSO" +selinux(8), zarafa_server(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_spooler_selinux(8) ++, setsebool(8), zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_spooler_selinux(8) \ No newline at end of file diff --git a/man/man8/zarafa_spooler_selinux.8 b/man/man8/zarafa_spooler_selinux.8 new file mode 100644 -index 0000000..2c41587 +index 0000000..b8169b8 --- /dev/null +++ b/man/man8/zarafa_spooler_selinux.8 -@@ -0,0 +1,133 @@ -+.TH "zarafa_spooler_selinux" "8" "12-11-01" "zarafa_spooler" "SELinux Policy documentation for zarafa_spooler" +@@ -0,0 +1,259 @@ ++.TH "zarafa_spooler_selinux" "8" "13-01-16" "zarafa_spooler" "SELinux Policy documentation for zarafa_spooler" +.SH "NAME" +zarafa_spooler_selinux \- Security Enhanced Linux Policy for the zarafa_spooler processes +.SH "DESCRIPTION" @@ -109485,7 +202297,9 @@ index 0000000..2c41587 + +.SH "ENTRYPOINTS" + -+The zarafa_spooler_t SELinux type can be entered via the "zarafa_spooler_exec_t" file type. The default entrypoint paths for the zarafa_spooler_t domain are the following:" ++The zarafa_spooler_t SELinux type can be entered via the \fBzarafa_spooler_exec_t\fP file type. ++ ++The default entrypoint paths for the zarafa_spooler_t domain are the following: + +/usr/bin/zarafa-spooler +.SH PROCESS TYPES 
@@ -109503,8 +202317,148 @@ index 0000000..2c41587 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a zarafa_spooler_t ++can be used to make the process type zarafa_spooler_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. zarafa_spooler policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zarafa_spooler with the tightest access possible. ++ ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_dump_core 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ ++.EE ++ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. ++ ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE ++ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. 
++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the zarafa_spooler_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zarafa_spooler_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH "MANAGED FILES" ++ ++The SELinux process type zarafa_spooler_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B zarafa_spooler_log_t ++ ++ /var/log/zarafa/spooler\.log.* ++.br ++ ++.br ++.B zarafa_spooler_var_run_t ++ ++ /var/run/zarafa-spooler\.pid ++.br + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -109514,7 +202468,20 @@ index 0000000..2c41587 +Policy governs the access confined processes have to these files. +SELinux zarafa_spooler policy is very flexible allowing users to setup their zarafa_spooler processes in as secure a method as possible. +.PP -+The following file types are defined for zarafa_spooler: ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the zarafa_spooler, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t zarafa_spooler_exec_t '/srv/zarafa_spooler/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myzarafa_spooler_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for zarafa_spooler: + + +.EX @@ -109538,7 +202505,7 @@ index 0000000..2c41587 +.B zarafa_spooler_var_run_t +.EE + -+- Set files with the zarafa_spooler_var_run_t type, if you want to store the zarafa spooler files under the /run directory. ++- Set files with the zarafa_spooler_var_run_t type, if you want to store the zarafa spooler files under the /run or /var/run directory. + + +.PP 
@@ -109548,38 +202515,6 @@ index 0000000..2c41587 +.B restorecon +to apply the labels. + -+.SH "MANAGED FILES" -+ -+The SELinux process type zarafa_spooler_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. -+ -+.br -+.B zarafa_spooler_log_t -+ -+ /var/log/zarafa/spooler\.log.* -+.br -+ -+.br -+.B zarafa_spooler_var_run_t -+ -+ /var/run/zarafa-spooler\.pid -+.br -+ -+.SH NSSWITCH DOMAIN -+ -+.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_spooler_t, you must turn on the authlogin_nsswitch_use_ldap boolean. -+ -+.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 -+.EE -+ -+.PP -+If you want to allow confined applications to run with kerberos for the zarafa_spooler_t, you must turn on the kerberos_enabled boolean. -+ -+.EX -+.B setsebool -P kerberos_enabled 1 -+.EE -+ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. @@ -109590,6 +202525,9 @@ index 0000000..2c41587 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -109601,15 +202539,15 @@ index 0000000..2c41587 + +.SH "SEE ALSO" +selinux(8), zarafa_spooler(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) -+, zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8) ++, setsebool(8), zarafa_deliver_selinux(8), zarafa_gateway_selinux(8), zarafa_ical_selinux(8), zarafa_indexer_selinux(8), zarafa_monitor_selinux(8), zarafa_server_selinux(8) \ No newline at end of file 
diff --git a/man/man8/zebra_selinux.8 b/man/man8/zebra_selinux.8 new file mode 100644 -index 0000000..0875d31 +index 0000000..92c4c9a --- /dev/null +++ b/man/man8/zebra_selinux.8 -@@ -0,0 +1,198 @@ -+.TH "zebra_selinux" "8" "12-11-01" "zebra" "SELinux Policy documentation for zebra" +@@ -0,0 +1,313 @@ ++.TH "zebra_selinux" "8" "13-01-16" "zebra" "SELinux Policy documentation for zebra" +.SH "NAME" +zebra_selinux \- Security Enhanced Linux Policy for the zebra processes +.SH "DESCRIPTION" @@ -109625,7 +202563,9 @@ index 0000000..0875d31 + +.SH "ENTRYPOINTS" + -+The zebra_t SELinux type can be entered via the "zebra_exec_t" file type. The default entrypoint paths for the zebra_t domain are the following:" ++The zebra_t SELinux type can be entered via the \fBzebra_exec_t\fP file type. ++ ++The default entrypoint paths for the zebra_t domain are the following: + +/usr/sbin/rip.*, /usr/sbin/ospf.*, /usr/sbin/bgpd, /usr/sbin/zebra +.SH PROCESS TYPES 
@@ -109643,92 +202583,92 @@ index 0000000..0875d31 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a zebra_t ++can be used to make the process type zebra_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. zebra policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zebra with the tightest access possible. + + +.PP -+If you want to allow zebra daemon to write it configuration files, you must turn on the zebra_write_config boolean. ++If you want to allow zebra daemon to write it configuration files, you must turn on the zebra_write_config boolean. Disabled by default. + +.EX +.B setsebool -P zebra_write_config 1 ++ +.EE + +.PP -+If you want to allow zebra daemon to write it configuration files, you must turn on the zebra_write_config boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P zebra_write_config 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux zebra policy is very flexible allowing users to setup their zebra processes in as secure a method as possible. -+.PP -+The following file types are defined for zebra: -+ ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. 
+ +.EX -+.PP -+.B zebra_conf_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the zebra_conf_t type, if you want to treat the files as zebra configuration data, usually stored under the /etc directory. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B zebra_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the zebra_exec_t type, if you want to transition an executable to the zebra_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. + +.EX -+.PP -+.B zebra_initrc_exec_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the zebra_initrc_exec_t type, if you want to transition an executable to the zebra_initrc_t domain. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B zebra_log_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the zebra_log_t type, if you want to treat the data as zebra log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B zebra_tmp_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the zebra_tmp_t type, if you want to store zebra temporary files in the /tmp directories. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B zebra_var_run_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the zebra_var_run_t type, if you want to store the zebra files under the /run directory. 
++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. @@ -109760,6 +202700,22 @@ index 0000000..0875d31 +The SELinux process type zebra_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br ++.B zebra_conf_t ++ ++ /etc/zebra(/.*)? ++.br ++ /etc/quagga(/.*)? ++.br ++ ++.br +.B zebra_log_t + + /var/log/zebra(/.*)? 
@@ -109777,7 +202733,104 @@ index 0000000..0875d31 + /var/run/\.zserv +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux zebra policy is very flexible allowing users to setup their zebra processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the zebra, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t zebra_conf_t '/srv/zebra/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myzebra_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for zebra: ++ ++ ++.EX ++.PP ++.B zebra_conf_t ++.EE ++ ++- Set files with the zebra_conf_t type, if you want to treat the files as zebra configuration data, usually stored under the /etc directory. ++ ++.br ++.TP 5 ++Paths: ++/etc/zebra(/.*)?, /etc/quagga(/.*)? ++ ++.EX ++.PP ++.B zebra_exec_t ++.EE ++ ++- Set files with the zebra_exec_t type, if you want to transition an executable to the zebra_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/rip.*, /usr/sbin/ospf.*, /usr/sbin/bgpd, /usr/sbin/zebra ++ ++.EX ++.PP ++.B zebra_initrc_exec_t ++.EE ++ ++- Set files with the zebra_initrc_exec_t type, if you want to transition an executable to the zebra_initrc_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/bgpd, /etc/rc\.d/init\.d/ripd, /etc/rc\.d/init\.d/ospfd, /etc/rc\.d/init\.d/zebra, /etc/rc\.d/init\.d/ospf6d, /etc/rc\.d/init\.d/ripngd ++ ++.EX ++.PP ++.B zebra_log_t ++.EE ++ ++- Set files with the zebra_log_t type, if you want to treat the data as zebra log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/zebra(/.*)?, /var/log/quagga(/.*)? ++ ++.EX ++.PP ++.B zebra_tmp_t ++.EE ++ ++- Set files with the zebra_tmp_t type, if you want to store zebra temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B zebra_var_run_t ++.EE ++ ++- Set files with the zebra_var_run_t type, if you want to store the zebra files under the /run or /var/run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/quagga(/.*)?, /var/run/\.zebra, /var/run/\.zserv ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + +.SH "COMMANDS" +.B semanage fcontext @@ -109810,11 +202863,11 @@ index 0000000..0875d31 \ No newline at end of file diff --git a/man/man8/zoneminder_selinux.8 b/man/man8/zoneminder_selinux.8 new file mode 100644 -index 0000000..ac66364 +index 0000000..e2100ed --- /dev/null +++ b/man/man8/zoneminder_selinux.8 -@@ -0,0 +1,217 @@ -+.TH "zoneminder_selinux" "8" "12-11-01" "zoneminder" "SELinux Policy documentation for zoneminder" +@@ -0,0 +1,359 @@ ++.TH "zoneminder_selinux" "8" "13-01-16" "zoneminder" "SELinux Policy documentation for zoneminder" +.SH "NAME" +zoneminder_selinux \- Security Enhanced Linux Policy for the zoneminder processes +.SH "DESCRIPTION" 
@@ -109830,7 +202883,9 @@ index 0000000..ac66364 + +.SH "ENTRYPOINTS" + -+The zoneminder_t SELinux type can be entered via the "zoneminder_exec_t" file type. The default entrypoint paths for the zoneminder_t domain are the following:" ++The zoneminder_t SELinux type can be entered via the \fBzoneminder_exec_t\fP file type. ++ ++The default entrypoint paths for the zoneminder_t domain are the following: + +/usr/bin/zmpkg.pl, /usr/bin/motion +.SH PROCESS TYPES 
@@ -109848,121 +202903,144 @@ index 0000000..ac66364 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a zoneminder_t ++can be used to make the process type zoneminder_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH SHARING FILES -+If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. -+.TP -+Allow zoneminder servers to read the /var/zoneminder directory by adding the public_content_t file type to the directory and by restoring the file type. -+.PP -+.B -+semanage fcontext -a -t public_content_t "/var/zoneminder(/.*)?" -+.br -+.B restorecon -F -R -v /var/zoneminder -+.pp -+.TP -+Allow zoneminder servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_zoneminderd_anon_write boolean to be set. -+.PP -+.B -+semanage fcontext -a -t public_content_rw_t "/var/zoneminder/incoming(/.*)?" -+.br -+.B restorecon -F -R -v /var/zoneminder/incoming ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. zoneminder policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zoneminder with the tightest access possible. + + +.PP -+If you want to allow ZoneMinder to modify public files used for public file transfer services., you must turn on the zoneminder_anon_write boolean. 
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. + +.EX -+.B setsebool -P zoneminder_anon_write 1 ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + +.PP -+If you want to allow ZoneMinder to modify public files used for public file transfer services., you must turn on the zoneminder_anon_write boolean. ++If you want to allow all daemons to write corefiles to /, you must turn on the daemons_dump_core boolean. Disabled by default. + +.EX -+.B setsebool -P zoneminder_anon_write 1 ++.B setsebool -P daemons_dump_core 1 ++ +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux zoneminder policy is very flexible allowing users to setup their zoneminder processes in as secure a method as possible. -+.PP -+The following file types are defined for zoneminder: -+ ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. Disabled by default. + +.EX -+.PP -+.B zoneminder_exec_t ++.B setsebool -P daemons_use_tcp_wrapper 1 ++ +.EE + -+- Set files with the zoneminder_exec_t type, if you want to transition an executable to the zoneminder_t domain. -+ ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + +.EX -+.PP -+.B zoneminder_initrc_exec_t ++.B setsebool -P daemons_use_tty 1 ++ +.EE + -+- Set files with the zoneminder_initrc_exec_t type, if you want to transition an executable to the zoneminder_initrc_t domain. -+ ++.PP ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. 
+ +.EX -+.PP -+.B zoneminder_log_t ++.B setsebool -P deny_ptrace 1 ++ +.EE + -+- Set files with the zoneminder_log_t type, if you want to treat the data as zoneminder log data, usually stored under the /var/log directory. -+ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. + +.EX -+.PP -+.B zoneminder_spool_t ++.B setsebool -P domain_fd_use 1 ++ +.EE + -+- Set files with the zoneminder_spool_t type, if you want to store the zoneminder files under the /var/spool directory. -+ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. + +.EX -+.PP -+.B zoneminder_tmpfs_t ++.B setsebool -P domain_kernel_load_modules 1 ++ +.EE + -+- Set files with the zoneminder_tmpfs_t type, if you want to store zoneminder files on a tmpfs file system. -+ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. + +.EX -+.PP -+.B zoneminder_var_lib_t ++.B setsebool -P fips_mode 1 ++ +.EE + -+- Set files with the zoneminder_var_lib_t type, if you want to store the zoneminder files under the /var/lib directory. -+ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. + +.EX -+.PP -+.B zoneminder_var_run_t ++.B setsebool -P global_ssp 1 ++ +.EE + -+- Set files with the zoneminder_var_run_t type, if you want to store the zoneminder files under the /run directory. ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. + ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the zoneminder_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zoneminder_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++.EE + +.SH "MANAGED FILES" + +The SELinux process type zoneminder_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. + +.br ++.B public_content_rw_t ++ ++ /var/spool/abrt-upload(/.*)? ++.br ++ ++.br ++.B root_t ++ ++ / ++.br ++ /initrd ++.br ++ ++.br +.B zoneminder_log_t + + /var/log/motion\.log.* 
@@ -109994,20 +203072,133 @@ index 0000000..ac66364 + /var/run/motion\.pid +.br + -+.SH NSSWITCH DOMAIN ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux zoneminder policy is very flexible allowing users to setup their zoneminder processes in as secure a method as possible. ++.PP + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zoneminder_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the zoneminder, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t zoneminder_exec_t '/srv/zoneminder/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myzoneminder_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for zoneminder: ++ + +.EX -+.B setsebool -P authlogin_nsswitch_use_ldap 1 ++.PP ++.B zoneminder_exec_t +.EE + -+.PP -+If you want to allow confined applications to run with kerberos for the zoneminder_t, you must turn on the kerberos_enabled boolean. ++- Set files with the zoneminder_exec_t type, if you want to transition an executable to the zoneminder_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/bin/zmpkg.pl, /usr/bin/motion + +.EX -+.B setsebool -P kerberos_enabled 1 ++.PP ++.B zoneminder_initrc_exec_t ++.EE ++ ++- Set files with the zoneminder_initrc_exec_t type, if you want to transition an executable to the zoneminder_initrc_t domain. 
++ ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/motion, /etc/rc\.d/init\.d/zoneminder ++ ++.EX ++.PP ++.B zoneminder_log_t ++.EE ++ ++- Set files with the zoneminder_log_t type, if you want to treat the data as zoneminder log data, usually stored under the /var/log directory. ++ ++.br ++.TP 5 ++Paths: ++/var/log/motion\.log.*, /var/log/zoneminder(/.*)? ++ ++.EX ++.PP ++.B zoneminder_spool_t ++.EE ++ ++- Set files with the zoneminder_spool_t type, if you want to store the zoneminder files under the /var/spool directory. ++ ++ ++.EX ++.PP ++.B zoneminder_tmpfs_t ++.EE ++ ++- Set files with the zoneminder_tmpfs_t type, if you want to store zoneminder files on a tmpfs file system. ++ ++ ++.EX ++.PP ++.B zoneminder_var_lib_t ++.EE ++ ++- Set files with the zoneminder_var_lib_t type, if you want to store the zoneminder files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/motion(/.*)?, /var/lib/zoneminder(/.*)? ++ ++.EX ++.PP ++.B zoneminder_var_run_t ++.EE ++ ++- Set files with the zoneminder_var_run_t type, if you want to store the zoneminder files under the /run or /var/run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH SHARING FILES ++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. ++.TP ++Allow zoneminder servers to read the /var/zoneminder directory by adding the public_content_t file type to the directory and by restoring the file type. 
++.PP ++.B ++semanage fcontext -a -t public_content_t "/var/zoneminder(/.*)?" ++.br ++.B restorecon -F -R -v /var/zoneminder ++.pp ++.TP ++Allow zoneminder servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_zoneminderd_anon_write boolean to be set. ++.PP ++.B ++semanage fcontext -a -t public_content_rw_t "/var/zoneminder/incoming(/.*)?" ++.br ++.B restorecon -F -R -v /var/zoneminder/incoming ++ ++ ++.PP ++If you want to allow ZoneMinder to modify public files used for public file transfer services., you must turn on the zoneminder_anon_write boolean. ++ ++.EX ++.B setsebool -P zoneminder_anon_write 1 +.EE + +.SH "COMMANDS" @@ -110020,6 +203211,9 @@ index 0000000..ac66364 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -110031,13 +203225,15 @@ index 0000000..ac66364 + +.SH "SEE ALSO" +selinux(8), zoneminder(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/zos_remote_selinux.8 b/man/man8/zos_remote_selinux.8 new file mode 100644 -index 0000000..29d9940 +index 0000000..444e67d --- /dev/null +++ b/man/man8/zos_remote_selinux.8 -@@ -0,0 +1,100 @@ -+.TH "zos_remote_selinux" "8" "12-11-01" "zos_remote" "SELinux Policy documentation for zos_remote" +@@ -0,0 +1,207 @@ ++.TH "zos_remote_selinux" "8" "13-01-16" "zos_remote" "SELinux Policy documentation for zos_remote" +.SH "NAME" +zos_remote_selinux \- Security Enhanced Linux Policy for the zos_remote processes +.SH "DESCRIPTION" 
@@ -110053,7 +203249,9 @@ index 0000000..29d9940 + +.SH "ENTRYPOINTS" + -+The zos_remote_t SELinux type can be entered via the "zos_remote_exec_t" file type. The default entrypoint paths for the zos_remote_t domain are the following:" ++The zos_remote_t SELinux type can be entered via the \fBzos_remote_exec_t\fP file type. ++ ++The default entrypoint paths for the zos_remote_t domain are the following: + +/sbin/audispd-zos-remote, /usr/sbin/audispd-zos-remote +.SH PROCESS TYPES 
@@ -110071,39 +203269,97 @@ index 0000000..29d9940 +.EE +.PP +Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++.B semanage permissive -a zos_remote_t ++can be used to make the process type zos_remote_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated. + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux zos_remote policy is very flexible allowing users to setup their zos_remote processes in as secure a method as possible. -+.PP -+The following file types are defined for zos_remote: ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. zos_remote policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zos_remote with the tightest access possible. + + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server, you must turn on the authlogin_nsswitch_use_ldap boolean. Disabled by default. ++ +.EX -+.PP -+.B zos_remote_exec_t ++.B setsebool -P authlogin_nsswitch_use_ldap 1 ++ +.EE + -+- Set files with the zos_remote_exec_t type, if you want to transition an executable to the zos_remote_t domain. ++.PP ++If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default. + ++.EX ++.B setsebool -P daemons_use_tty 1 ++ ++.EE + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. 
This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. ++If you want to allow sysadm to debug or ptrace all processes, you must turn on the deny_ptrace boolean. Enabled by default. ++ ++.EX ++.B setsebool -P deny_ptrace 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default. ++ ++.EX ++.B setsebool -P domain_fd_use 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to have the kernel load modules, you must turn on the domain_kernel_load_modules boolean. Disabled by default. ++ ++.EX ++.B setsebool -P domain_kernel_load_modules 1 ++ ++.EE ++ ++.PP ++If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default. ++ ++.EX ++.B setsebool -P fips_mode 1 ++ ++.EE ++ ++.PP ++If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default. ++ ++.EX ++.B setsebool -P global_ssp 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default. ++ ++.EX ++.B setsebool -P kerberos_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nis_enabled 1 ++ ++.EE ++ ++.PP ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. Disabled by default. ++ ++.EX ++.B setsebool -P nscd_use_shm 1 ++ ++.EE + +.SH NSSWITCH DOMAIN + +.PP -+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zos_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the zos_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX +.B setsebool -P authlogin_nsswitch_use_ldap 1 @@ -110116,6 +203372,49 @@ index 0000000..29d9940 +.B setsebool -P kerberos_enabled 1 +.EE + ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux zos_remote policy is very flexible allowing users to setup their zos_remote processes in as secure a method as possible. ++.PP ++ ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the zos_remote, if you wanted to ++store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t zos_remote_exec_t '/srv/zos_remote/content(/.*)?' ++.br ++.B restorecon -R -v /srv/myzos_remote_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++ ++.I The following file types are defined for zos_remote: ++ ++ ++.EX ++.PP ++.B zos_remote_exec_t ++.EE ++ ++- Set files with the zos_remote_exec_t type, if you want to transition an executable to the zos_remote_t domain. ++ ++.br ++.TP 5 ++Paths: ++/sbin/audispd-zos-remote, /usr/sbin/audispd-zos-remote ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. 
@@ -110126,6 +203425,9 @@ index 0000000..29d9940 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -110137,6 +203439,8 @@ index 0000000..29d9940 + +.SH "SEE ALSO" +selinux(8), zos_remote(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) ++, setsebool(8) +\ No newline at end of file diff --git a/policy/constraints b/policy/constraints index 3a45f23..f4754f0 100644 --- a/policy/constraints @@ -110161,7 +203465,7 @@ index 3a45f23..f4754f0 100644 # fork # setexec diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index 28802c5..d9460ea 100644 +index 28802c5..943c42e 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -110197,7 +203501,17 @@ index 28802c5..d9460ea 100644 } # -@@ -862,3 +869,20 @@ inherits database +@@ -827,6 +834,9 @@ class kernel_service + + class tun_socket + inherits socket ++{ ++ attach_queue ++} + + class x_pointer + inherits x_device +@@ -862,3 +872,20 @@ inherits database implement execute } @@ -112970,7 +206284,7 @@ index f9b25c1..9af1f7a 100644 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in -index 07126bd..7ac4630 100644 +index 07126bd..4aecd37 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -55,6 +55,7 @@ interface(`corenet_reserved_port',` 
@@ -113039,7 +206353,33 @@ index 07126bd..7ac4630 100644 ## Bind TCP sockets to generic nodes. ## ## -@@ -928,6 +966,24 @@ interface(`corenet_inout_generic_node',` +@@ -855,6 +893,25 @@ interface(`corenet_udp_bind_generic_node',` + + ######################################## + ## ++## Dontaudit attempts to bind UDP sockets to generic nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`corenet_dontaudit_udp_bind_generic_node',` ++ gen_require(` ++ type node_t; ++ ') ++ ++ dontaudit $1 node_t:udp_socket node_bind; ++') ++ ++######################################## ++## + ## Bind raw sockets to genric nodes. + ## + ## +@@ -928,6 +985,24 @@ interface(`corenet_inout_generic_node',` ######################################## ## @@ -113064,7 +206404,7 @@ index 07126bd..7ac4630 100644 ## Send and receive TCP network traffic on all nodes. ## ## -@@ -1102,6 +1158,24 @@ interface(`corenet_raw_sendrecv_all_nodes',` +@@ -1102,6 +1177,24 @@ interface(`corenet_raw_sendrecv_all_nodes',` ######################################## ## @@ -113089,7 +206429,7 @@ index 07126bd..7ac4630 100644 ## Bind TCP sockets to all nodes. ## ## -@@ -1157,6 +1231,24 @@ interface(`corenet_raw_bind_all_nodes',` +@@ -1157,6 +1250,24 @@ interface(`corenet_raw_bind_all_nodes',` ######################################## ## @@ -113114,15 +206454,14 @@ index 07126bd..7ac4630 100644 ## Send and receive TCP network traffic on generic ports. ## ## -@@ -1167,10 +1259,30 @@ interface(`corenet_raw_bind_all_nodes',` +@@ -1167,10 +1278,30 @@ interface(`corenet_raw_bind_all_nodes',` # interface(`corenet_tcp_sendrecv_generic_port',` gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; - ') - -- allow $1 port_t:tcp_socket { send_msg recv_msg }; ++ ') ++ + allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg }; +') + 
@@ -113141,13 +206480,14 @@ index 07126bd..7ac4630 100644 +interface(`corenet_dontaudit_dccp_sendrecv_generic_port',` + gen_require(` + type port_t, unreserved_port_t, ephemeral_port_t; -+ ') -+ + ') + +- allow $1 port_t:tcp_socket { send_msg recv_msg }; + dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg }; ') ######################################## -@@ -1185,10 +1297,10 @@ interface(`corenet_tcp_sendrecv_generic_port',` +@@ -1185,10 +1316,10 @@ interface(`corenet_tcp_sendrecv_generic_port',` # interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` gen_require(` @@ -113160,7 +206500,7 @@ index 07126bd..7ac4630 100644 ') ######################################## -@@ -1203,10 +1315,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` +@@ -1203,10 +1334,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` # interface(`corenet_udp_send_generic_port',` gen_require(` @@ -113173,7 +206513,7 @@ index 07126bd..7ac4630 100644 ') ######################################## -@@ -1221,10 +1333,10 @@ interface(`corenet_udp_send_generic_port',` +@@ -1221,10 +1352,10 @@ interface(`corenet_udp_send_generic_port',` # interface(`corenet_udp_receive_generic_port',` gen_require(` @@ -113186,7 +206526,7 @@ index 07126bd..7ac4630 100644 ') ######################################## -@@ -1244,6 +1356,26 @@ interface(`corenet_udp_sendrecv_generic_port',` +@@ -1244,6 +1375,26 @@ interface(`corenet_udp_sendrecv_generic_port',` ######################################## ## @@ -113213,7 +206553,7 @@ index 07126bd..7ac4630 100644 ## Bind TCP sockets to generic ports. ## ## -@@ -1254,16 +1386,35 @@ interface(`corenet_udp_sendrecv_generic_port',` +@@ -1254,16 +1405,35 @@ interface(`corenet_udp_sendrecv_generic_port',` # interface(`corenet_tcp_bind_generic_port',` gen_require(` 
@@ -113251,7 +206591,7 @@ index 07126bd..7ac4630 100644 ## Do not audit bind TCP sockets to generic ports. ## ## -@@ -1274,10 +1425,10 @@ interface(`corenet_tcp_bind_generic_port',` +@@ -1274,10 +1444,10 @@ interface(`corenet_tcp_bind_generic_port',` # interface(`corenet_dontaudit_tcp_bind_generic_port',` gen_require(` @@ -113264,7 +206604,7 @@ index 07126bd..7ac4630 100644 ') ######################################## -@@ -1292,16 +1443,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` +@@ -1292,16 +1462,34 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` # interface(`corenet_udp_bind_generic_port',` gen_require(` @@ -113301,7 +206641,7 @@ index 07126bd..7ac4630 100644 ## Connect TCP sockets to generic ports. ## ## -@@ -1312,10 +1481,28 @@ interface(`corenet_udp_bind_generic_port',` +@@ -1312,10 +1500,28 @@ interface(`corenet_udp_bind_generic_port',` # interface(`corenet_tcp_connect_generic_port',` gen_require(` @@ -113332,7 +206672,7 @@ index 07126bd..7ac4630 100644 ') ######################################## -@@ -1439,6 +1626,25 @@ interface(`corenet_udp_sendrecv_all_ports',` +@@ -1439,6 +1645,25 @@ interface(`corenet_udp_sendrecv_all_ports',` ######################################## ## @@ -113358,7 +206698,7 @@ index 07126bd..7ac4630 100644 ## Bind TCP sockets to all ports. ## ## -@@ -1458,6 +1664,24 @@ interface(`corenet_tcp_bind_all_ports',` +@@ -1458,6 +1683,24 @@ interface(`corenet_tcp_bind_all_ports',` ######################################## ## @@ -113383,7 +206723,7 @@ index 07126bd..7ac4630 100644 ## Do not audit attepts to bind TCP sockets to any ports. ## ## -@@ -1513,6 +1737,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',` +@@ -1513,6 +1756,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',` ######################################## ## 
@@ -113408,7 +206748,7 @@ index 07126bd..7ac4630 100644 ## Connect TCP sockets to all ports. ## ## -@@ -1559,6 +1801,25 @@ interface(`corenet_tcp_connect_all_ports',` +@@ -1559,6 +1820,25 @@ interface(`corenet_tcp_connect_all_ports',` ######################################## ## @@ -113434,7 +206774,7 @@ index 07126bd..7ac4630 100644 ## Do not audit attempts to connect TCP sockets ## to all ports. ## -@@ -1578,6 +1839,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',` +@@ -1578,6 +1858,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',` ######################################## ## @@ -113459,7 +206799,7 @@ index 07126bd..7ac4630 100644 ## Send and receive TCP network traffic on generic reserved ports. ## ## -@@ -1647,6 +1926,25 @@ interface(`corenet_udp_sendrecv_reserved_port',` +@@ -1647,6 +1945,25 @@ interface(`corenet_udp_sendrecv_reserved_port',` ######################################## ## @@ -113485,7 +206825,7 @@ index 07126bd..7ac4630 100644 ## Bind TCP sockets to generic reserved ports. ## ## -@@ -1685,6 +1983,24 @@ interface(`corenet_udp_bind_reserved_port',` +@@ -1685,6 +2002,24 @@ interface(`corenet_udp_bind_reserved_port',` ######################################## ## @@ -113510,7 +206850,7 @@ index 07126bd..7ac4630 100644 ## Connect TCP sockets to generic reserved ports. ## ## -@@ -1703,6 +2019,24 @@ interface(`corenet_tcp_connect_reserved_port',` +@@ -1703,6 +2038,24 @@ interface(`corenet_tcp_connect_reserved_port',` ######################################## ## @@ -113535,7 +206875,7 @@ index 07126bd..7ac4630 100644 ## Send and receive TCP network traffic on all reserved ports. ## ## -@@ -1752,12 +2086,210 @@ interface(`corenet_udp_receive_all_reserved_ports',` +@@ -1752,12 +2105,210 @@ interface(`corenet_udp_receive_all_reserved_ports',` attribute reserved_port_type; ') 
@@ -113748,7 +207088,7 @@ index 07126bd..7ac4630 100644 ## ## ## -@@ -1765,14 +2297,17 @@ interface(`corenet_udp_receive_all_reserved_ports',` +@@ -1765,14 +2316,17 @@ interface(`corenet_udp_receive_all_reserved_ports',` ## ## # @@ -113770,7 +207110,7 @@ index 07126bd..7ac4630 100644 ## ## ## -@@ -1780,36 +2315,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` +@@ -1780,36 +2334,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` ## ## # @@ -113814,7 +207154,7 @@ index 07126bd..7ac4630 100644 ## ## ## -@@ -1817,36 +2351,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` +@@ -1817,36 +2370,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` ## ## # @@ -113865,7 +207205,7 @@ index 07126bd..7ac4630 100644 ## ## ## -@@ -1854,17 +2387,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` +@@ -1854,17 +2406,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` ## ## # @@ -113886,7 +207226,7 @@ index 07126bd..7ac4630 100644 ## ## ## -@@ -1872,67 +2405,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',` +@@ -1872,67 +2424,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',` ## ## # @@ -113973,7 +207313,7 @@ index 07126bd..7ac4630 100644 ') ######################################## -@@ -1955,6 +2489,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',` +@@ -1955,6 +2508,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',` ######################################## ## @@ -113999,7 +207339,7 @@ index 07126bd..7ac4630 100644 ## Do not audit attempts to connect TCP sockets ## all rpc ports. ## -@@ -1993,6 +2546,24 @@ interface(`corenet_rw_tun_tap_dev',` +@@ -1993,6 +2565,24 @@ interface(`corenet_rw_tun_tap_dev',` ######################################## ## 
@@ -114024,7 +207364,7 @@ index 07126bd..7ac4630 100644 ## Do not audit attempts to read or write the TUN/TAP ## virtual network device. ## -@@ -2049,6 +2620,25 @@ interface(`corenet_rw_ppp_dev',` +@@ -2049,6 +2639,25 @@ interface(`corenet_rw_ppp_dev',` ######################################## ## @@ -114050,7 +207390,7 @@ index 07126bd..7ac4630 100644 ## Bind TCP sockets to all RPC ports. ## ## -@@ -2068,6 +2658,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` +@@ -2068,6 +2677,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` ######################################## ## @@ -114075,7 +207415,7 @@ index 07126bd..7ac4630 100644 ## Do not audit attempts to bind TCP sockets to all RPC ports. ## ## -@@ -2194,6 +2802,25 @@ interface(`corenet_tcp_recv_netlabel',` +@@ -2194,6 +2821,25 @@ interface(`corenet_tcp_recv_netlabel',` ######################################## ## @@ -114101,7 +207441,7 @@ index 07126bd..7ac4630 100644 ## Receive TCP packets from a NetLabel connection. ## ## -@@ -2213,7 +2840,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2213,7 +2859,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` ######################################## ## @@ -114110,7 +207450,7 @@ index 07126bd..7ac4630 100644 ## ## ## -@@ -2221,10 +2848,15 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2221,10 +2867,15 @@ interface(`corenet_tcp_recvfrom_netlabel',` ## ## # @@ -114128,7 +207468,7 @@ index 07126bd..7ac4630 100644 # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break # older systems -@@ -2249,6 +2881,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` +@@ -2249,6 +2900,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` ######################################## ## 
@@ -114155,7 +207495,7 @@ index 07126bd..7ac4630 100644 ## Do not audit attempts to receive TCP packets from a NetLabel ## connection. ## -@@ -2269,6 +2921,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` +@@ -2269,6 +2940,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` ######################################## ## @@ -114183,7 +207523,7 @@ index 07126bd..7ac4630 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2533,15 +3206,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` +@@ -2533,15 +3225,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` ## # interface(`corenet_all_recvfrom_unlabeled',` @@ -114203,7 +207543,7 @@ index 07126bd..7ac4630 100644 ') ######################################## -@@ -2567,11 +3235,34 @@ interface(`corenet_all_recvfrom_unlabeled',` +@@ -2567,11 +3254,34 @@ interface(`corenet_all_recvfrom_unlabeled',` # interface(`corenet_all_recvfrom_netlabel',` gen_require(` @@ -114241,7 +207581,7 @@ index 07126bd..7ac4630 100644 ') ######################################## -@@ -2585,6 +3276,7 @@ interface(`corenet_all_recvfrom_netlabel',` +@@ -2585,6 +3295,7 @@ interface(`corenet_all_recvfrom_netlabel',` ## # interface(`corenet_dontaudit_all_recvfrom_unlabeled',` @@ -114249,7 +207589,7 @@ index 07126bd..7ac4630 100644 kernel_dontaudit_tcp_recvfrom_unlabeled($1) kernel_dontaudit_udp_recvfrom_unlabeled($1) kernel_dontaudit_raw_recvfrom_unlabeled($1) -@@ -2613,7 +3305,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` +@@ -2613,7 +3324,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` ') dontaudit $1 netlabel_peer_t:peer recv; @@ -114286,7 +207626,7 @@ index 07126bd..7ac4630 100644 ') ######################################## -@@ -2727,6 +3447,7 @@ interface(`corenet_raw_recvfrom_labeled',` +@@ -2727,6 +3466,7 @@ interface(`corenet_raw_recvfrom_labeled',` ## # interface(`corenet_all_recvfrom_labeled',` 
@@ -114294,7 +207634,7 @@ index 07126bd..7ac4630 100644 corenet_tcp_recvfrom_labeled($1, $2) corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) -@@ -3134,3 +3855,53 @@ interface(`corenet_unconfined',` +@@ -3134,3 +3874,53 @@ interface(`corenet_unconfined',` typeattribute $1 corenet_unconfined_type; ') @@ -114404,7 +207744,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..26fc01f 100644 +index 4edc40d..030b246 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -114569,8 +207909,9 @@ index 4edc40d..26fc01f 100644 -network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) +network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0) network_port(lirc, tcp,8765,s0) +-network_port(lmtp, tcp,24,s0, udp,24,s0) +network_port(luci, tcp,8084,s0) - network_port(lmtp, tcp,24,s0, udp,24,s0) ++network_port(lmtp, tcp,24,s0, udp,24,s0, tcp,2003,s0) network_port(lrrd) # no defined portcon +network_port(l2tp, tcp,1701,s0, udp,1701,s0) network_port(mail, tcp,2000,s0, tcp,3905,s0) @@ -117010,7 +210351,7 @@ index 6a1e4d1..70c5c72 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..bba3449 100644 +index cf04cb5..ba58454 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) 
@@ -117136,7 +210477,7 @@ index cf04cb5..bba3449 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +227,274 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +227,278 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -117152,6 +210493,10 @@ index cf04cb5..bba3449 100644 +files_config_all_files(unconfined_domain_type) +dev_config_null_dev_service(unconfined_domain_type) + ++optional_policy(` ++ seutil_filetrans_named_content(unconfined_domain_type) ++') ++ +storage_filetrans_all_named_dev(unconfined_domain_type) + +term_filetrans_all_named_dev(unconfined_domain_type) @@ -117646,7 +210991,7 @@ index c2c6e05..d0e6d1c 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..f67e6ba 100644 +index 64ff4d7..6e07122 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -117877,7 +211222,17 @@ index 64ff4d7..f67e6ba 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1673,6 +1800,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1443,9 +1570,6 @@ interface(`files_relabel_non_auth_files',` + # device nodes with file types. + relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) + relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) +- +- # satisfy the assertions: +- seutil_relabelto_bin_policy($1) + ') + + ############################################# +@@ -1673,6 +1797,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## 
@@ -117902,7 +211257,7 @@ index 64ff4d7..f67e6ba 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1691,6 +1836,24 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1691,6 +1833,24 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## @@ -117927,7 +211282,7 @@ index 64ff4d7..f67e6ba 100644 ## List the contents of the root directory. ## ## -@@ -1874,25 +2037,25 @@ interface(`files_delete_root_dir_entry',` +@@ -1874,25 +2034,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -117959,7 +211314,7 @@ index 64ff4d7..f67e6ba 100644 ## ## ## -@@ -1905,7 +2068,7 @@ interface(`files_relabel_rootfs',` +@@ -1905,7 +2065,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -117968,7 +211323,7 @@ index 64ff4d7..f67e6ba 100644 ') ######################################## -@@ -1928,6 +2091,24 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2088,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -117993,7 +211348,7 @@ index 64ff4d7..f67e6ba 100644 ## Get attributes of the /boot directory. ## ## -@@ -2627,6 +2808,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +2805,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -118018,7 +211373,7 @@ index 64ff4d7..f67e6ba 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2698,6 +2897,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +2894,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -118026,7 +211381,7 @@ index 64ff4d7..f67e6ba 100644 ') ######################################## -@@ -2706,7 +2906,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +2903,7 @@ interface(`files_read_etc_files',` ## ## ## 
@@ -118035,7 +211390,7 @@ index 64ff4d7..f67e6ba 100644 ## ## # -@@ -2762,6 +2962,25 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +2959,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -118061,7 +211416,7 @@ index 64ff4d7..f67e6ba 100644 ## Delete system configuration files in /etc. ## ## -@@ -2780,6 +2999,24 @@ interface(`files_delete_etc_files',` +@@ -2780,6 +2996,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -118086,7 +211441,7 @@ index 64ff4d7..f67e6ba 100644 ## Execute generic files in /etc. ## ## -@@ -2945,24 +3182,6 @@ interface(`files_delete_boot_flag',` +@@ -2945,24 +3179,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -118111,7 +211466,7 @@ index 64ff4d7..f67e6ba 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3003,9 +3222,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3003,9 +3219,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -118122,7 +211477,7 @@ index 64ff4d7..f67e6ba 100644 ## ## ## -@@ -3013,18 +3230,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3227,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -118144,22 +211499,20 @@ index 64ff4d7..f67e6ba 100644 ## ## ## -@@ -3042,15 +3258,35 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,7 +3255,27 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## -## Read and write files in /etc that are dynamically +## Do not audit attempts to read files +## in /etc that are dynamically - ## created on boot, such as mtab. - ## - ## - ## --## Domain allowed access. ++## created on boot, such as mtab. ++## ++## ++## +## Domain to not audit. - ## - ## --## ++## ++## +# +interface(`files_dontaudit_read_etc_runtime_files',` + gen_require(` 
@@ -118172,18 +211525,10 @@ index 64ff4d7..f67e6ba 100644 +######################################## +## +## Read and write files in /etc that are dynamically -+## created on boot, such as mtab. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## - # - interface(`files_rw_etc_runtime_files',` - gen_require(` -@@ -3059,6 +3295,7 @@ interface(`files_rw_etc_runtime_files',` + ## created on boot, such as mtab. + ## + ## +@@ -3059,6 +3292,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -118191,7 +211536,7 @@ index 64ff4d7..f67e6ba 100644 ') ######################################## -@@ -3080,6 +3317,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3314,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -118199,7 +211544,7 @@ index 64ff4d7..f67e6ba 100644 ') ######################################## -@@ -3132,6 +3370,25 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3367,25 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## @@ -118225,7 +211570,7 @@ index 64ff4d7..f67e6ba 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3208,6 +3465,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3208,6 +3462,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## @@ -118251,7 +211596,7 @@ index 64ff4d7..f67e6ba 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3455,6 +3731,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +3728,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## 
@@ -118277,7 +211622,7 @@ index 64ff4d7..f67e6ba 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4091,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4088,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -118321,7 +211666,7 @@ index 64ff4d7..f67e6ba 100644 ') ######################################## -@@ -4199,6 +4512,133 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,6 +4509,133 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -118455,7 +211800,7 @@ index 64ff4d7..f67e6ba 100644 ######################################## ## ## Allow the specified type to associate -@@ -4221,6 +4661,26 @@ interface(`files_associate_tmp',` +@@ -4221,6 +4658,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -118482,7 +211827,7 @@ index 64ff4d7..f67e6ba 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4234,17 +4694,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4234,17 +4691,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -118521,7 +211866,7 @@ index 64ff4d7..f67e6ba 100644 ## ## # -@@ -4271,6 +4751,7 @@ interface(`files_search_tmp',` +@@ -4271,6 +4748,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -118529,7 +211874,7 @@ index 64ff4d7..f67e6ba 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4307,6 +4788,7 @@ interface(`files_list_tmp',` +@@ -4307,6 +4785,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -118537,7 +211882,7 @@ index 64ff4d7..f67e6ba 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4316,7 +4798,7 @@ interface(`files_list_tmp',` +@@ -4316,7 +4795,7 @@ interface(`files_list_tmp',` ## ## ## 
@@ -118546,7 +211891,7 @@ index 64ff4d7..f67e6ba 100644 ## ## # -@@ -4328,6 +4810,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4328,6 +4807,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -118572,7 +211917,7 @@ index 64ff4d7..f67e6ba 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4343,6 +4844,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4343,6 +4841,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -118580,7 +211925,7 @@ index 64ff4d7..f67e6ba 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4384,6 +4886,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4384,6 +4883,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -118613,7 +211958,7 @@ index 64ff4d7..f67e6ba 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4438,7 +4966,7 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4438,7 +4963,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -118622,7 +211967,7 @@ index 64ff4d7..f67e6ba 100644 ## ## ## -@@ -4446,17 +4974,17 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4446,17 +4971,17 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -118644,7 +211989,7 @@ index 64ff4d7..f67e6ba 100644 ## ## ## -@@ -4464,59 +4992,53 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4464,59 +4989,53 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # @@ -118715,7 +212060,7 @@ index 64ff4d7..f67e6ba 100644 ## ## ## -@@ -4524,53 +5046,131 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4524,54 +5043,132 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # @@ -118777,6 +212122,7 @@ index 64ff4d7..f67e6ba 100644 ') - dontaudit $1 tmpfile:sock_file getattr; +-') + allow $1 var_t:dir search_dir_perms; + relabel_dirs_pattern($1, tmpfile, tmpfile) +') 
@@ -118858,10 +212204,11 @@ index 64ff4d7..f67e6ba 100644 + ') + + dontaudit $1 tmpfile:sock_file getattr; - ') ++') ######################################## -@@ -4646,6 +5246,16 @@ interface(`files_purge_tmp',` + ## +@@ -4646,6 +5243,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -118878,7 +212225,7 @@ index 64ff4d7..f67e6ba 100644 ') ######################################## -@@ -5223,6 +5833,24 @@ interface(`files_list_var',` +@@ -5223,6 +5830,24 @@ interface(`files_list_var',` ######################################## ## @@ -118903,7 +212250,7 @@ index 64ff4d7..f67e6ba 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5578,6 +6206,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5578,6 +6203,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -118929,7 +212276,7 @@ index 64ff4d7..f67e6ba 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5623,7 +6270,7 @@ interface(`files_manage_mounttab',` +@@ -5623,7 +6267,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -118938,7 +212285,7 @@ index 64ff4d7..f67e6ba 100644 ## ## ## -@@ -5631,12 +6278,13 @@ interface(`files_manage_mounttab',` +@@ -5631,12 +6275,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -118954,7 +212301,7 @@ index 64ff4d7..f67e6ba 100644 ') ######################################## -@@ -5654,6 +6302,7 @@ interface(`files_search_locks',` +@@ -5654,6 +6299,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') 
@@ -118962,7 +212309,7 @@ index 64ff4d7..f67e6ba 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5680,7 +6329,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5680,7 +6326,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -118990,7 +212337,7 @@ index 64ff4d7..f67e6ba 100644 ## ## ## -@@ -5688,13 +6356,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,13 +6353,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -119007,7 +212354,7 @@ index 64ff4d7..f67e6ba 100644 ') ######################################## -@@ -5713,7 +6380,7 @@ interface(`files_rw_lock_dirs',` +@@ -5713,7 +6377,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -119016,7 +212363,7 @@ index 64ff4d7..f67e6ba 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5746,7 +6413,6 @@ interface(`files_create_lock_dirs',` +@@ -5746,7 +6410,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -119024,7 +212371,7 @@ index 64ff4d7..f67e6ba 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5774,8 +6440,7 @@ interface(`files_getattr_generic_locks',` +@@ -5774,8 +6437,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -119034,7 +212381,7 @@ index 64ff4d7..f67e6ba 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5791,13 +6456,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6453,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -119052,7 +212399,7 @@ index 64ff4d7..f67e6ba 100644 ') ######################################## -@@ -5816,9 +6480,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +6477,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') 
@@ -119063,7 +212410,7 @@ index 64ff4d7..f67e6ba 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5860,8 +6522,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +6519,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -119073,7 +212420,7 @@ index 64ff4d7..f67e6ba 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +6544,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +6541,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -119083,7 +212430,7 @@ index 64ff4d7..f67e6ba 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +6581,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +6578,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -119093,7 +212440,7 @@ index 64ff4d7..f67e6ba 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5985,6 +6644,43 @@ interface(`files_search_pids',` +@@ -5985,6 +6641,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -119137,7 +212484,7 @@ index 64ff4d7..f67e6ba 100644 ######################################## ## ## Do not audit attempts to search -@@ -6007,6 +6703,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6007,6 +6700,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -119163,7 +212510,7 @@ index 64ff4d7..f67e6ba 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6122,7 +6837,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +6834,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; 
@@ -119171,7 +212518,7 @@ index 64ff4d7..f67e6ba 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6231,55 +6945,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,55 +6942,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -119234,7 +212581,7 @@ index 64ff4d7..f67e6ba 100644 ## ## ## -@@ -6287,42 +6989,35 @@ interface(`files_delete_all_pids',` +@@ -6287,42 +6986,35 @@ interface(`files_delete_all_pids',` ## ## # @@ -119284,7 +212631,7 @@ index 64ff4d7..f67e6ba 100644 ## ## ## -@@ -6330,18 +7025,18 @@ interface(`files_manage_all_pids',` +@@ -6330,18 +7022,18 @@ interface(`files_manage_all_pids',` ## ## # @@ -119308,7 +212655,7 @@ index 64ff4d7..f67e6ba 100644 ## ## ## -@@ -6349,37 +7044,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6349,37 +7041,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -119360,7 +212707,7 @@ index 64ff4d7..f67e6ba 100644 ## ## ## -@@ -6387,18 +7085,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6387,18 +7082,17 @@ interface(`files_dontaudit_search_spool',` ## ## # @@ -119383,7 +212730,7 @@ index 64ff4d7..f67e6ba 100644 ## ## ## -@@ -6406,18 +7103,18 @@ interface(`files_list_spool',` +@@ -6406,18 +7100,284 @@ interface(`files_list_spool',` ## ## # @@ -119404,14 +212751,13 @@ index 64ff4d7..f67e6ba 100644 -## Read generic spool files. +## manage all pidfiles +## in the /var/run directory. - ## - ## - ## -@@ -6425,7 +7122,273 @@ interface(`files_manage_generic_spool_dirs',` - ## - ## - # --interface(`files_read_generic_spool',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_all_pids',` + gen_require(` + attribute pidfile; 
@@ -119671,18 +213017,10 @@ index 64ff4d7..f67e6ba 100644 +######################################## +## +## Read generic spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_generic_spool',` - gen_require(` - type var_t, var_spool_t; - ') -@@ -6562,3 +7525,459 @@ interface(`files_unconfined',` + ## + ## + ## +@@ -6562,3 +7522,459 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -124425,7 +217763,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..6ce4f9d 100644 +index 5da7870..d98e924 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,68 @@ policy_module(staff, 2.3.1) @@ -124635,11 +217973,10 @@ index 5da7870..6ce4f9d 100644 ') optional_policy(` -@@ -52,10 +215,56 @@ optional_policy(` +@@ -52,10 +215,55 @@ optional_policy(` ') optional_policy(` -+ systemd_dbus_chat_timedated(staff_t) + systemd_read_unit_files(staff_t) + systemd_exec_systemctl(staff_t) +') @@ -124692,7 +218029,7 @@ index 5da7870..6ce4f9d 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +274,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +273,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124703,7 +218040,7 @@ index 5da7870..6ce4f9d 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +283,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +282,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -124714,7 +218051,7 @@ index 5da7870..6ce4f9d 100644 ') optional_policy(` -@@ -101,10 +302,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +301,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124725,7 +218062,7 @@ index 5da7870..6ce4f9d 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +322,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +321,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -124736,7 +218073,7 @@ index 5da7870..6ce4f9d 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +334,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +333,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124747,7 +218084,7 @@ index 5da7870..6ce4f9d 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +365,20 @@ ifndef(`distro_redhat',` +@@ -176,3 +364,20 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -124797,10 +218134,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..42e9b2e 100644 +index 88d0028..2268840 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.1) +@@ -5,39 +5,74 @@ policy_module(sysadm, 2.5.1) # Declarations # @@ -124874,6 +218211,7 @@ index 88d0028..42e9b2e 100644 userdom_manage_user_home_dirs(sysadm_t) userdom_home_filetrans_user_home_dir(sysadm_t) +userdom_manage_tmp_role(sysadm_r, sysadm_t) ++userdom_exec_admin_home_files(sysadm_t) + +optional_policy(` + alsa_filetrans_named_content(sysadm_t) @@ -124885,7 +218223,7 @@ index 88d0028..42e9b2e 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +89,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +90,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -124900,7 +218238,7 @@ index 88d0028..42e9b2e 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +99,9 @@ optional_policy(` +@@ -71,9 +100,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -124911,7 +218249,7 @@ index 88d0028..42e9b2e 100644 ') optional_policy(` -@@ -87,6 +115,7 @@ optional_policy(` +@@ -87,6 +116,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -124919,7 +218257,7 @@ index 88d0028..42e9b2e 100644 ') optional_policy(` -@@ -110,6 +139,10 @@ optional_policy(` +@@ -110,6 +140,10 @@ optional_policy(` ') optional_policy(` 
@@ -124930,7 +218268,7 @@ index 88d0028..42e9b2e 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -122,11 +155,19 @@ optional_policy(` +@@ -122,11 +156,19 @@ optional_policy(` ') optional_policy(` @@ -124952,7 +218290,7 @@ index 88d0028..42e9b2e 100644 ') optional_policy(` -@@ -140,6 +181,10 @@ optional_policy(` +@@ -140,6 +182,10 @@ optional_policy(` ') optional_policy(` @@ -124963,7 +218301,7 @@ index 88d0028..42e9b2e 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +201,11 @@ optional_policy(` +@@ -156,11 +202,11 @@ optional_policy(` ') optional_policy(` @@ -124977,7 +218315,7 @@ index 88d0028..42e9b2e 100644 ') optional_policy(` -@@ -179,6 +224,13 @@ optional_policy(` +@@ -179,6 +225,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -124991,7 +218329,7 @@ index 88d0028..42e9b2e 100644 ') optional_policy(` -@@ -186,15 +238,20 @@ optional_policy(` +@@ -186,15 +239,20 @@ optional_policy(` ') optional_policy(` @@ -125015,7 +218353,7 @@ index 88d0028..42e9b2e 100644 ') optional_policy(` -@@ -214,22 +271,20 @@ optional_policy(` +@@ -214,22 +272,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -125044,7 +218382,7 @@ index 88d0028..42e9b2e 100644 ') optional_policy(` -@@ -241,25 +296,47 @@ optional_policy(` +@@ -241,25 +297,47 @@ optional_policy(` ') optional_policy(` @@ -125092,7 +218430,7 @@ index 88d0028..42e9b2e 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +347,36 @@ optional_policy(` +@@ -270,31 +348,36 @@ optional_policy(` ') optional_policy(` @@ -125136,7 +218474,7 @@ index 88d0028..42e9b2e 100644 ') optional_policy(` -@@ -319,12 +401,18 @@ optional_policy(` +@@ -319,12 +402,18 @@ optional_policy(` ') optional_policy(` 
@@ -125156,7 +218494,7 @@ index 88d0028..42e9b2e 100644 ') optional_policy(` -@@ -349,7 +437,18 @@ optional_policy(` +@@ -349,7 +438,18 @@ optional_policy(` ') optional_policy(` @@ -125176,7 +218514,7 @@ index 88d0028..42e9b2e 100644 ') optional_policy(` -@@ -360,19 +459,15 @@ optional_policy(` +@@ -360,19 +460,15 @@ optional_policy(` ') optional_policy(` @@ -125198,7 +218536,7 @@ index 88d0028..42e9b2e 100644 ') optional_policy(` -@@ -384,10 +479,6 @@ optional_policy(` +@@ -384,10 +480,6 @@ optional_policy(` ') optional_policy(` @@ -125209,7 +218547,7 @@ index 88d0028..42e9b2e 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +486,9 @@ optional_policy(` +@@ -395,6 +487,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -125219,7 +218557,7 @@ index 88d0028..42e9b2e 100644 ') optional_policy(` -@@ -402,31 +496,34 @@ optional_policy(` +@@ -402,31 +497,34 @@ optional_policy(` ') optional_policy(` @@ -125260,7 +218598,7 @@ index 88d0028..42e9b2e 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +536,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +537,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -125271,7 +218609,7 @@ index 88d0028..42e9b2e 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +556,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +557,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -129671,7 +223009,7 @@ index 6bf0ecc..f74788a 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..ffd9c11 100644 +index 2696452..92cfa7e 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` 
@@ -129906,7 +223244,7 @@ index 2696452..ffd9c11 100644 ') ######################################## -@@ -247,45 +311,81 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,48 +311,85 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # @@ -129998,7 +223336,11 @@ index 2696452..ffd9c11 100644 ') optional_policy(` -@@ -299,64 +399,108 @@ optional_policy(` ++ ssh_use_ptys(xauth_t) + ssh_sigchld(xauth_t) + ssh_read_pipes(xauth_t) + ssh_dontaudit_rw_tcp_sockets(xauth_t) +@@ -299,64 +400,108 @@ optional_policy(` # XDM Local policy # @@ -130117,7 +223459,7 @@ index 2696452..ffd9c11 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +509,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +510,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -130147,7 +223489,7 @@ index 2696452..ffd9c11 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +539,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +540,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -130200,7 +223542,7 @@ index 2696452..ffd9c11 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +591,26 @@ files_list_mnt(xdm_t) +@@ -430,9 +592,26 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
@@ -130227,7 +223569,7 @@ index 2696452..ffd9c11 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +619,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +620,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -130271,7 +223613,7 @@ index 2696452..ffd9c11 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +661,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +662,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -130321,7 +223663,7 @@ index 2696452..ffd9c11 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +711,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +712,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -130348,7 +223690,7 @@ index 2696452..ffd9c11 100644 ') optional_policy(` -@@ -514,12 +738,71 @@ optional_policy(` +@@ -514,12 +739,71 @@ optional_policy(` ') optional_policy(` @@ -130420,7 +223762,7 @@ index 2696452..ffd9c11 100644 hostname_exec(xdm_t) ') -@@ -537,28 +820,78 @@ optional_policy(` +@@ -537,28 +821,78 @@ optional_policy(` ') optional_policy(` @@ -130508,7 +223850,7 @@ index 2696452..ffd9c11 100644 ') optional_policy(` -@@ -570,6 +903,14 @@ optional_policy(` +@@ -570,6 +904,14 @@ optional_policy(` ') optional_policy(` @@ -130523,7 +223865,7 @@ index 2696452..ffd9c11 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +935,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +936,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -130536,7 +223878,7 @@ index 2696452..ffd9c11 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +952,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +953,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -130552,7 +223894,7 @@ index 2696452..ffd9c11 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -628,12 +979,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +980,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -130574,7 +223916,7 @@ index 2696452..ffd9c11 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +999,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1000,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -130588,7 +223930,7 @@ index 2696452..ffd9c11 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1025,27 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1026,27 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -130619,7 +223961,7 @@ index 2696452..ffd9c11 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1056,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1057,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -130633,7 +223975,7 @@ index 2696452..ffd9c11 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -708,20 +1075,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1076,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -130657,7 +223999,7 @@ index 2696452..ffd9c11 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1094,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1095,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -130666,7 +224008,7 @@ index 2696452..ffd9c11 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1138,40 @@ optional_policy(` +@@ -775,16 +1139,40 @@ optional_policy(` ') optional_policy(` @@ -130708,7 +224050,7 @@ index 2696452..ffd9c11 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1180,10 @@ optional_policy(` +@@ -793,6 +1181,10 @@ optional_policy(` ') optional_policy(` @@ -130719,7 +224061,7 @@ index 2696452..ffd9c11 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1199,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1200,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
@@ -130733,7 +224075,7 @@ index 2696452..ffd9c11 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1210,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1211,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -130742,7 +224084,7 @@ index 2696452..ffd9c11 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1223,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1224,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -130777,7 +224119,7 @@ index 2696452..ffd9c11 100644 ') optional_policy(` -@@ -902,7 +1288,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1289,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -130786,7 +224128,7 @@ index 2696452..ffd9c11 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1342,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1343,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -130818,7 +224160,7 @@ index 2696452..ffd9c11 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1388,40 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1389,40 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -139181,7 +232523,7 @@ index d43f3b1..c4182e8 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..702e0e0 100644 +index 3822072..2639601 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',` @@ -139656,7 +232998,7 @@ index 3822072..702e0e0 100644 ') ####################################### -@@ -1137,3 +1486,69 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1486,98 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') 
@@ -139726,8 +233068,37 @@ index 3822072..702e0e0 100644 + + logging_send_syslog_msg($1) +') ++ ++##################################### ++## ++## File name transition for selinux utility content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_filetrans_named_content',` ++ gen_require(` ++ type default_context_t, semanage_store_t; ++ type selinux_config_t, semanage_trans_lock_t; ++ type file_context_t, selinux_login_config_t; ++ ') ++ ++ filetrans_pattern($1, selinux_config_t, default_context_t, dir, "contexts") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "policy") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous") ++ filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.read.LOCK") ++ filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.trans.LOCK") ++ filetrans_pattern($1, selinux_config_t, selinux_login_config_t, dir, "logins") ++ filetrans_pattern($1, default_context_t, file_context_t, dir, "files") ++ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context") ++') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..4873b1c 100644 +index ec01d0b..d08ae58 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,17 @@ gen_require(` 
@@ -139753,19 +233124,38 @@ index ec01d0b..4873b1c 100644 # # selinux_config_t is the type applied to -@@ -30,6 +33,12 @@ roleattribute system_r semanage_roles; +@@ -28,7 +31,13 @@ roleattribute system_r semanage_roles; + # in the domain_type interface + # (fix dup decl) type selinux_config_t; - files_type(selinux_config_t) - +-files_type(selinux_config_t) ++files_security_file(selinux_config_t) ++ +type selinux_login_config_t; -+files_type(selinux_login_config_t) ++files_security_file(selinux_login_config_t) + +type selinux_var_lib_t; +files_type(selinux_var_lib_t) -+ + type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; - application_domain(checkpolicy_t, checkpolicy_exec_t) +@@ -40,14 +49,14 @@ role system_r types checkpolicy_t; + # /etc/selinux/*/contexts/* + # + type default_context_t; +-files_type(default_context_t) ++files_security_file(default_context_t) + + # + # file_context_t is the type applied to + # /etc/selinux/*/contexts/files + # + type file_context_t; +-files_type(file_context_t) ++files_security_file(file_context_t) + + type load_policy_t; + type load_policy_exec_t; @@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t) domain_role_change_exemption(newrole_t) domain_obj_id_change_exemption(newrole_t) @@ -139820,7 +233210,8 @@ index ec01d0b..4873b1c 100644 +init_system_domain(setsebool_t, setsebool_exec_t) type semanage_store_t; - files_type(semanage_store_t) +-files_type(semanage_store_t) ++files_security_file(semanage_store_t) type semanage_read_lock_t; -files_type(semanage_read_lock_t) @@ -141244,10 +234635,10 @@ index 0000000..4c08b36 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..699dcef +index 0000000..a4b0917 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1020 @@ +@@ -0,0 +1,1041 @@ +## SELinux policy for systemd components + +####################################### 
@@ -142268,12 +235659,33 @@ index 0000000..699dcef + allow systemd_timedated_t $1:dbus send_msg; +') + ++######################################## ++## ++## Send and receive messages from ++## systemd hostnamed over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_dbus_chat_hostnamed',` ++ gen_require(` ++ type systemd_hostnamed_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 systemd_hostnamed_t:dbus send_msg; ++ allow systemd_hostnamed_t $1:dbus send_msg; ++') ++ diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..74c656b +index 0000000..42af592 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,578 @@ +@@ -0,0 +1,589 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -142761,10 +236173,21 @@ index 0000000..74c656b +# +# Hostnamed policy +# ++dontaudit systemd_hostnamed_t self:capability sys_ptrace; ++ +allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms; +allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms; ++allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms; ++ ++kernel_dgram_send(systemd_hostnamed_t) ++ ++dev_write_kmsg(systemd_hostnamed_t) ++dev_read_sysfs(systemd_hostnamed_t) + +init_status(systemd_hostnamed_t) ++init_read_state(systemd_hostnamed_t) ++ ++logging_stream_connect_syslog(systemd_hostnamed_t) + +optional_policy(` + dbus_system_bus_client(systemd_hostnamed_t) @@ -144223,7 +237646,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..2d9f96b 100644 +index 3c5dba7..f3ab128 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -145474,7 +238897,7 @@ index 3c5dba7..2d9f96b 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1302,56 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1302,57 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -145518,6 +238941,7 @@ index 3c5dba7..2d9f96b 100644 + + optional_policy(` + systemd_dbus_chat_timedated($1_t) ++ systemd_dbus_chat_hostnamed($1_t) + ') + + optional_policy(` @@ -145541,7 +238965,7 @@ index 3c5dba7..2d9f96b 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1360,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1361,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -145552,7 +238976,7 @@ index 3c5dba7..2d9f96b 100644 ') ') -@@ -1082,7 +1398,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1399,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -145561,7 +238985,7 @@ index 3c5dba7..2d9f96b 100644 ') ############################## -@@ -1109,6 +1425,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1426,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -145569,7 +238993,7 @@ index 3c5dba7..2d9f96b 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1434,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1435,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -145579,7 +239003,7 @@ index 3c5dba7..2d9f96b 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1451,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1452,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -145587,7 +239011,7 @@ index 3c5dba7..2d9f96b 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1469,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1470,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -145602,7 +239026,7 @@ index 3c5dba7..2d9f96b 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1487,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1488,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -145645,7 +239069,7 @@ index 3c5dba7..2d9f96b 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1528,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1529,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -145654,7 +239078,7 @@ index 3c5dba7..2d9f96b 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1537,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1538,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) 
@@ -145673,7 +239097,7 @@ index 3c5dba7..2d9f96b 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1593,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1594,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -145682,7 +239106,7 @@ index 3c5dba7..2d9f96b 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1607,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1608,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -145694,7 +239118,7 @@ index 3c5dba7..2d9f96b 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,35 +1621,37 @@ template(`userdom_security_admin_template',` +@@ -1277,35 +1622,37 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -145745,7 +239169,7 @@ index 3c5dba7..2d9f96b 100644 ######################################## ## -@@ -1360,14 +1706,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1707,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -145764,7 +239188,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -1408,6 +1757,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1758,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -145816,7 +239240,7 @@ index 3c5dba7..2d9f96b 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1906,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1907,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -145848,7 +239272,7 @@ index 3c5dba7..2d9f96b 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1972,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1973,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -145863,7 +239287,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -1573,9 +1995,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +1996,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -145875,7 +239299,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -1632,6 +2056,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2057,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -145918,7 +239342,7 @@ index 3c5dba7..2d9f96b 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2171,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2172,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -145927,7 +239351,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -1744,10 +2206,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2207,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -145942,7 +239366,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -1772,7 +2236,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2237,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## 
@@ -145951,7 +239375,7 @@ index 3c5dba7..2d9f96b 100644 ## ## ## -@@ -1780,19 +2244,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1780,19 +2245,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -145975,7 +239399,7 @@ index 3c5dba7..2d9f96b 100644 ## ## ## -@@ -1800,31 +2262,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1800,31 +2263,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -146015,7 +239439,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -1848,6 +2310,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2311,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -146041,7 +239465,7 @@ index 3c5dba7..2d9f96b 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2359,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2360,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -146079,7 +239503,7 @@ index 3c5dba7..2d9f96b 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2399,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2400,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -146097,7 +239521,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -1941,7 +2447,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2448,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## 
@@ -146124,7 +239548,7 @@ index 3c5dba7..2d9f96b 100644 ## ## ## -@@ -1951,17 +2475,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2476,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -146145,7 +239569,7 @@ index 3c5dba7..2d9f96b 100644 ## ## ## -@@ -1969,12 +2491,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2492,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -146196,7 +239620,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -2010,8 +2568,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2569,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -146206,7 +239630,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -2027,20 +2584,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2585,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -146231,7 +239655,7 @@ index 3c5dba7..2d9f96b 100644 ######################################## ## -@@ -2123,7 +2674,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2675,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -146240,7 +239664,7 @@ index 3c5dba7..2d9f96b 100644 ## ## ## -@@ -2131,19 +2682,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2683,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -146264,7 +239688,7 @@ index 3c5dba7..2d9f96b 100644 ## ## ## -@@ -2151,12 +2700,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2701,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # 
@@ -146280,7 +239704,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -2393,11 +2942,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2943,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -146295,7 +239719,7 @@ index 3c5dba7..2d9f96b 100644 files_search_tmp($1) ') -@@ -2417,7 +2966,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +2967,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -146304,7 +239728,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -2664,6 +3213,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3214,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -146330,7 +239754,7 @@ index 3c5dba7..2d9f96b 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3248,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3249,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -146346,7 +239770,7 @@ index 3c5dba7..2d9f96b 100644 ## ## ## -@@ -2707,7 +3276,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3277,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -146355,7 +239779,7 @@ index 3c5dba7..2d9f96b 100644 ## ## ## -@@ -2715,19 +3284,17 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,19 +3285,17 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -146378,7 +239802,7 @@ index 3c5dba7..2d9f96b 100644 ## ## ## -@@ -2735,35 +3302,53 @@ interface(`userdom_manage_user_tmpfs_files',` +@@ -2735,35 +3303,53 @@ interface(`userdom_manage_user_tmpfs_files',` ## ## # 
@@ -146440,7 +239864,7 @@ index 3c5dba7..2d9f96b 100644 ## ## ## -@@ -2817,6 +3402,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3403,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -146465,7 +239889,7 @@ index 3c5dba7..2d9f96b 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3438,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3439,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -146508,7 +239932,7 @@ index 3c5dba7..2d9f96b 100644 ## ## ## -@@ -2859,14 +3474,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3475,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -146546,7 +239970,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -2885,8 +3519,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3520,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -146576,7 +240000,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -2958,69 +3611,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3612,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -146677,7 +240101,7 @@ index 3c5dba7..2d9f96b 100644 ## ## ## -@@ -3028,12 +3680,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3681,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -146692,7 +240116,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -3097,7 +3749,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3750,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -146701,7 +240125,7 @@ index 3c5dba7..2d9f96b 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3765,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3766,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -146735,7 +240159,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -3217,7 +3853,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3854,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -146744,7 +240168,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -3272,7 +3908,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3909,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -146810,7 +240234,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -3290,7 +3983,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +3984,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -146819,7 +240243,7 @@ index 3c5dba7..2d9f96b 100644 ') ######################################## -@@ -3309,6 +4002,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4003,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -146827,7 +240251,7 @@ index 3c5dba7..2d9f96b 100644 kernel_search_proc($1) ') -@@ -3385,6 +4079,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4080,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -146870,7 +240294,7 @@ index 3c5dba7..2d9f96b 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4135,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4136,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -146895,7 +240319,7 @@ index 3c5dba7..2d9f96b 100644 ## Create keys for all user domains. ## ## -@@ -3439,3 +4187,1365 @@ interface(`userdom_dbus_send_all_users',` +@@ -3439,3 +4188,1365 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c5c40e77..928c934d 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -490,7 +490,7 @@ index 058d908..cce58bb 100644 + dontaudit $1 abrt_t:sock_file write; ') diff --git a/abrt.te b/abrt.te -index cc43d25..23e8575 100644 +index cc43d25..304203f 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -499,7 +499,7 @@ index cc43d25..23e8575 100644 ######################################## # -@@ -6,129 +6,143 @@ policy_module(abrt, 1.3.4) +@@ -6,105 +6,115 @@ policy_module(abrt, 1.3.4) # ## @@ -552,7 +552,6 @@ index cc43d25..23e8575 100644 type abrt_var_log_t; logging_log_file(abrt_var_log_t) -+# tmp files type abrt_tmp_t; files_tmp_file(abrt_tmp_t) @@ -659,8 +658,7 @@ index cc43d25..23e8575 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -+# abrt tmp files - manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -112,23 +122,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -689,7 +687,7 @@ index cc43d25..23e8575 100644 kernel_request_load_module(abrt_t) kernel_rw_kernel_sysctl(abrt_t) -@@ -137,16 +151,14 @@ corecmd_exec_shell(abrt_t) +@@ -137,16 +149,14 @@ corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) corenet_all_recvfrom_netlabel(abrt_t) 
@@ -708,7 +706,7 @@ index cc43d25..23e8575 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +175,34 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +173,34 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -747,7 +745,7 @@ index cc43d25..23e8575 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +210,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +208,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -764,7 +762,7 @@ index cc43d25..23e8575 100644 ') optional_policy(` -@@ -209,6 +222,12 @@ optional_policy(` +@@ -209,6 +220,12 @@ optional_policy(` ') optional_policy(` @@ -777,7 +775,7 @@ index cc43d25..23e8575 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -220,6 +239,7 @@ optional_policy(` +@@ -220,6 +237,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') @@ -785,7 +783,7 @@ index cc43d25..23e8575 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +250,7 @@ optional_policy(` +@@ -230,6 +248,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -793,7 +791,7 @@ index cc43d25..23e8575 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +261,17 @@ optional_policy(` +@@ -240,9 +259,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -812,7 +810,7 @@ index cc43d25..23e8575 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +282,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +280,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') 
@@ -827,7 +825,7 @@ index cc43d25..23e8575 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +301,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +299,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -835,7 +833,7 @@ index cc43d25..23e8575 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +310,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +308,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -856,7 +854,7 @@ index cc43d25..23e8575 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +331,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +329,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -883,7 +881,7 @@ index cc43d25..23e8575 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +367,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +365,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -897,7 +895,7 @@ index cc43d25..23e8575 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +385,11 @@ optional_policy(` +@@ -330,10 +383,11 @@ optional_policy(` ####################################### # 
@@ -911,7 +909,7 @@ index cc43d25..23e8575 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,30 +408,37 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,30 +406,37 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -952,7 +950,7 @@ index cc43d25..23e8575 100644 kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) -@@ -384,14 +447,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) +@@ -384,14 +445,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t) @@ -970,7 +968,7 @@ index cc43d25..23e8575 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +464,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +462,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -7352,7 +7350,7 @@ index 866a1e2..6c2dbe4 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 076ffee..74e77ff 100644 +index 076ffee..6bf02f0 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; 
@@ -7374,7 +7372,15 @@ index 076ffee..74e77ff 100644 type named_log_t; logging_log_file(named_log_t) -@@ -110,7 +113,6 @@ kernel_read_network_state(named_t) +@@ -70,6 +73,7 @@ role ndc_roles types ndc_t; + + allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; + dontaudit named_t self:capability sys_tty_config; ++allow named_t self:capability2 block_suspend; + allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; + allow named_t self:fifo_file rw_fifo_file_perms; + allow named_t self:unix_stream_socket { accept listen }; +@@ -110,7 +114,6 @@ kernel_read_network_state(named_t) corecmd_search_bin(named_t) @@ -7382,7 +7388,7 @@ index 076ffee..74e77ff 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -170,6 +172,11 @@ tunable_policy(`named_write_master_zones',` +@@ -170,6 +173,11 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -7394,7 +7400,7 @@ index 076ffee..74e77ff 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -183,6 +190,7 @@ optional_policy(` +@@ -183,6 +191,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(named, named_t) @@ -7402,7 +7408,7 @@ index 076ffee..74e77ff 100644 ') optional_policy(` -@@ -209,7 +217,8 @@ optional_policy(` +@@ -209,7 +218,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -7412,7 +7418,7 @@ index 076ffee..74e77ff 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -223,10 +232,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -223,10 +233,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; 
@@ -7424,7 +7430,7 @@ index 076ffee..74e77ff 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -251,7 +259,7 @@ init_use_script_ptys(ndc_t) +@@ -251,7 +260,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -7519,8 +7525,20 @@ index c295d2e..4f84e9c 100644 /usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0) /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0) +diff --git a/blueman.if b/blueman.if +index 16ec525..1dd4059 100644 +--- a/blueman.if ++++ b/blueman.if +@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',` + + allow $1 blueman_t:dbus send_msg; + allow blueman_t $1:dbus send_msg; ++ ps_process_pattern(blueman_t, $1) + ') + + ######################################## diff --git a/blueman.te b/blueman.te -index bc5c984..0beaf43 100644 +index bc5c984..d8af68f 100644 --- a/blueman.te +++ b/blueman.te @@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4) @@ -7542,7 +7560,12 @@ index bc5c984..0beaf43 100644 allow blueman_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) -@@ -45,25 +46,35 @@ dev_rw_wireless(blueman_t) +@@ -41,29 +42,40 @@ corecmd_exec_bin(blueman_t) + dev_read_rand(blueman_t) + dev_read_urand(blueman_t) + dev_rw_wireless(blueman_t) ++dev_rwx_zero(blueman_t) + domain_use_interactive_fds(blueman_t) files_list_tmp(blueman_t) @@ -11018,7 +11041,7 @@ index 717ea0b..22e0385 100644 /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) /var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) diff --git a/colord.if b/colord.if -index 8e27a37..fa2c3cb 100644 +index 8e27a37..825f537 100644 --- a/colord.if +++ b/colord.if @@ -1,4 +1,4 @@ 
@@ -11035,7 +11058,15 @@ index 8e27a37..fa2c3cb 100644 domtrans_pattern($1, colord_exec_t, colord_t) ') -@@ -58,3 +57,26 @@ interface(`colord_read_lib_files',` +@@ -38,6 +37,7 @@ interface(`colord_dbus_chat',` + + allow $1 colord_t:dbus send_msg; + allow colord_t $1:dbus send_msg; ++ ps_process_pattern(colord_t, $1) + ') + + ###################################### +@@ -58,3 +58,26 @@ interface(`colord_read_lib_files',` files_search_var_lib($1) read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) ') @@ -11063,7 +11094,7 @@ index 8e27a37..fa2c3cb 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 09f18e2..6846284 100644 +index 09f18e2..e891ec4 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.0.2) @@ -11099,7 +11130,7 @@ index 09f18e2..6846284 100644 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) -@@ -74,22 +81,20 @@ dev_read_video_dev(colord_t) +@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) dev_read_rand(colord_t) @@ -11121,10 +11152,11 @@ index 09f18e2..6846284 100644 fs_search_all(colord_t) fs_dontaudit_getattr_all_fs(colord_t) +fs_getattr_tmpfs(colord_t) ++fs_read_cgroup_files(colord_t) storage_getattr_fixed_disk_dev(colord_t) storage_getattr_removable_dev(colord_t) -@@ -98,19 +103,15 @@ storage_write_scsi_generic(colord_t) +@@ -98,25 +104,28 @@ storage_write_scsi_generic(colord_t) auth_use_nsswitch(colord_t) 
@@ -11150,20 +11182,20 @@ index 09f18e2..6846284 100644 optional_policy(` cups_read_config(colord_t) -@@ -120,6 +121,12 @@ optional_policy(` - ') - - optional_policy(` -+ gnome_read_home_icc_data_content(colord_t) -+ # Fixes lots of breakage in F16 on upgrade -+ gnome_read_generic_data_home_files(colord_t) + cups_read_rw_config(colord_t) + cups_stream_connect(colord_t) + cups_dbus_chat(colord_t) ++ cups_read_state(colord_t) +') + +optional_policy(` - policykit_dbus_chat(colord_t) - policykit_domtrans_auth(colord_t) - policykit_read_lib(colord_t) -@@ -133,3 +140,14 @@ optional_policy(` ++ gnome_read_home_icc_data_content(colord_t) ++ # Fixes lots of breakage in F16 on upgrade ++ gnome_read_generic_data_home_files(colord_t) + ') + + optional_policy(` +@@ -133,3 +142,14 @@ optional_policy(` optional_policy(` udev_read_db(colord_t) ') @@ -15101,7 +15133,7 @@ index 949011e..f3c8888 100644 +/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 06da9a0..1a6b35f 100644 +index 06da9a0..f0f1da3 100644 --- a/cups.if +++ b/cups.if @@ -15,6 +15,11 @@ @@ -15182,7 +15214,7 @@ index 06da9a0..1a6b35f 100644 init_labeled_script_domtrans($1, cupsd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 cupsd_initrc_exec_t system_r; -@@ -353,8 +389,42 @@ interface(`cups_admin',` +@@ -353,8 +389,61 @@ interface(`cups_admin',` files_list_tmp($1) admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t }) 
@@ -15226,6 +15258,25 @@ index 06da9a0..1a6b35f 100644 + files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf") + files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf") + corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") ++') ++ ++######################################## ++## ++## Allow the domain to read cups state files in /proc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cups_read_state',` ++ gen_require(` ++ type cupsd_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te index 9f34c2e..c7a0a97 100644 @@ -21308,7 +21359,7 @@ index 5cf6ac6..839999e 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index c8014f8..95f0a0b 100644 +index c8014f8..1072fcb 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t) @@ -21333,12 +21384,13 @@ index c8014f8..95f0a0b 100644 dontaudit firewalld_t self:capability sys_tty_config; allow firewalld_t self:fifo_file rw_fifo_file_perms; allow firewalld_t self:unix_stream_socket { accept listen }; -@@ -40,8 +49,16 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; +@@ -40,8 +49,17 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; allow firewalld_t firewalld_var_log_t:file setattr_file_perms; logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) +manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) +files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file) ++allow firewalld_t firewalld_tmp_t:file execute; + +manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t) +fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file) @@ -21350,7 +21402,7 @@ index c8014f8..95f0a0b 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -53,20 +70,17 @@ dev_read_urand(firewalld_t) +@@ -53,20 +71,17 @@ dev_read_urand(firewalld_t) domain_use_interactive_fds(firewalld_t) 
@@ -21828,7 +21880,7 @@ index d062080..e098a40 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index e50f33c..45c02b7 100644 +index e50f33c..ee708c7 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) @@ -21925,7 +21977,7 @@ index e50f33c..45c02b7 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -255,31 +262,39 @@ sysnet_use_ldap(ftpd_t) +@@ -255,31 +262,40 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) @@ -21960,6 +22012,7 @@ index e50f33c..45c02b7 100644 +tunable_policy(`ftpd_full_access',` allow ftpd_t self:capability { dac_override dac_read_search }; - files_manage_non_auth_files(ftpd_t) ++ files_manage_non_security_dirs(ftpd_t) + files_manage_non_security_files(ftpd_t) +') + @@ -21972,7 +22025,7 @@ index e50f33c..45c02b7 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -299,9 +314,9 @@ tunable_policy(`ftpd_connect_db',` +@@ -299,9 +315,9 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -21985,7 +22038,7 @@ index e50f33c..45c02b7 100644 ') tunable_policy(`ftp_home_dir',` -@@ -360,7 +375,7 @@ optional_policy(` +@@ -360,7 +376,7 @@ optional_policy(` selinux_validate_context(ftpd_t) kerberos_keytab_template(ftpd, ftpd_t) @@ -21994,7 +22047,7 @@ index e50f33c..45c02b7 100644 ') optional_policy(` -@@ -410,21 +425,20 @@ optional_policy(` +@@ -410,21 +426,20 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -22018,7 +22071,7 @@ index e50f33c..45c02b7 100644 miscfiles_read_public_files(anon_sftpd_t) -@@ -437,10 +451,22 @@ tunable_policy(`sftpd_anon_write',` +@@ -437,10 +452,23 @@ tunable_policy(`sftpd_anon_write',` # Sftpd local policy # 
@@ -22031,6 +22084,7 @@ index e50f33c..45c02b7 100644 +tunable_policy(`sftpd_full_access',` + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) ++ files_manage_non_security_dirs(sftpd_t) + files_manage_non_security_files(sftpd_t) +') + @@ -22042,7 +22096,7 @@ index e50f33c..45c02b7 100644 tunable_policy(`sftpd_enable_homedirs',` allow sftpd_t self:capability { dac_override dac_read_search }; -@@ -475,21 +501,11 @@ tunable_policy(`sftpd_anon_write',` +@@ -475,21 +503,11 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -24886,7 +24940,7 @@ index d03fd43..f73c152 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 20f726b..311d9cc 100644 +index 20f726b..dde0180 100644 --- a/gnome.te +++ b/gnome.te @@ -1,18 +1,36 @@ @@ -24930,7 +24984,7 @@ index 20f726b..311d9cc 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -29,107 +47,226 @@ type gconfd_exec_t; +@@ -29,107 +47,227 @@ type gconfd_exec_t; typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) 
@@ -25152,6 +25206,7 @@ index 20f726b..311d9cc 100644 +allow gkeyringd_domain gconf_home_t:dir create_dir_perms; +filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share") +filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings") ++filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings") +filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings") -manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) @@ -25278,10 +25333,10 @@ index 3f55702..25c7ab8 100644 ## ## diff --git a/gnomeclock.te b/gnomeclock.te -index 6d79eb5..174b784 100644 +index 6d79eb5..c728009 100644 --- a/gnomeclock.te +++ b/gnomeclock.te -@@ -1,86 +1,90 @@ +@@ -1,86 +1,99 @@ -policy_module(gnomeclock, 1.0.5) +policy_module(gnomeclock, 1.0.0) @@ -25297,6 +25352,9 @@ index 6d79eb5..174b784 100644 -init_system_domain(gnomeclock_t, gnomeclock_exec_t) -role gnomeclock_roles types gnomeclock_t; +init_daemon_domain(gnomeclock_t, gnomeclock_exec_t) ++ ++type gnomeclock_tmp_t; ++files_tmp_file(gnomeclock_tmp_t) ######################################## # @@ -25311,6 +25369,11 @@ index 6d79eb5..174b784 100644 -allow gnomeclock_t self:unix_stream_socket { accept listen }; +allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; +allow gnomeclock_t self:unix_dgram_socket create_socket_perms; ++ ++manage_dirs_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t) ++manage_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t) ++manage_lnk_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t) ++files_tmp_filetrans(gnomeclock_t, gnomeclock_tmp_t, { file dir }) kernel_read_system_state(gnomeclock_t) 
@@ -25322,13 +25385,13 @@ index 6d79eb5..174b784 100644 -corenet_all_recvfrom_netlabel(gnomeclock_t) -corenet_tcp_sendrecv_generic_if(gnomeclock_t) -corenet_tcp_sendrecv_generic_node(gnomeclock_t) -- ++corenet_tcp_connect_time_port(gnomeclock_t) + -# tcp:37 (time) -corenet_sendrecv_inetd_child_client_packets(gnomeclock_t) -corenet_tcp_connect_inetd_child_port(gnomeclock_t) -corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t) -+corenet_tcp_connect_time_port(gnomeclock_t) - +- -dev_read_sysfs(gnomeclock_t) -dev_read_urand(gnomeclock_t) dev_rw_realtime_clock(gnomeclock_t) @@ -25369,24 +25432,25 @@ index 6d79eb5..174b784 100644 - dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) + consolekit_dbus_chat(gnomeclock_t) +') -+ -+optional_policy(` -+ consoletype_exec(gnomeclock_t) -+') - optional_policy(` - consolekit_dbus_chat(gnomeclock_t) - ') +optional_policy(` -+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) ++ consoletype_exec(gnomeclock_t) +') - optional_policy(` - policykit_dbus_chat(gnomeclock_t) - ') +optional_policy(` ++dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) ++') ++ ++optional_policy(` + gnome_manage_usr_config(gnomeclock_t) + gnome_manage_home_config(gnomeclock_t) ++ gnome_filetrans_admin_home_content(gnomeclock_t) ') optional_policy(` @@ -25718,7 +25782,7 @@ index 180f1b7..951b790 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 44cf341..391e8e6 100644 +index 44cf341..74366a2 100644 --- a/gpg.te +++ b/gpg.te @@ -1,47 +1,47 @@ @@ -25790,7 +25854,7 @@ index 44cf341..391e8e6 100644 type gpg_secret_t; typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; -@@ -52,112 +52,107 @@ type gpg_helper_t; +@@ -52,112 +52,115 @@ type gpg_helper_t; type gpg_helper_exec_t; typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; 
@@ -25866,6 +25930,7 @@ index 44cf341..391e8e6 100644 +userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg") kernel_read_sysctl(gpg_t) ++kernel_getattr_core_if(gpg_t) corecmd_exec_shell(gpg_t) corecmd_exec_bin(gpg_t) @@ -25891,22 +25956,25 @@ index 44cf341..391e8e6 100644 -files_read_usr_files(gpg_t) -files_dontaudit_search_var(gpg_t) +dev_read_generic_usb_dev(gpg_t) ++dev_dontaudit_getattr_all(gpg_t) fs_getattr_xattr_fs(gpg_t) fs_list_inotifyfs(gpg_t) domain_use_interactive_fds(gpg_t) +-auth_use_nsswitch(gpg_t) +files_dontaudit_search_var(gpg_t) -+ - auth_use_nsswitch(gpg_t) - logging_send_syslog_msg(gpg_t) +-logging_send_syslog_msg(gpg_t) ++auth_use_nsswitch(gpg_t) -miscfiles_read_localization(gpg_t) -- ++init_dontaudit_getattr_initctl(gpg_t) + -userdom_use_user_terminals(gpg_t) -- ++logging_send_syslog_msg(gpg_t) + -userdom_manage_user_tmp_files(gpg_t) +userdom_use_inherited_user_terminals(gpg_t) +# sign/encrypt user files @@ -25921,19 +25989,20 @@ index 44cf341..391e8e6 100644 - fs_manage_nfs_dirs(gpg_t) - fs_manage_nfs_files(gpg_t) -') -- ++mta_manage_config(gpg_t) ++mta_read_spool(gpg_t) + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gpg_t) - fs_manage_cifs_files(gpg_t) -') -+mta_manage_config(gpg_t) -+mta_read_spool(gpg_t) ++userdom_home_manager(gpg_t) --optional_policy(` + optional_policy(` - gnome_read_generic_home_content(gpg_t) - gnome_stream_connect_all_gkeyringd(gpg_t) --') -+userdom_home_manager(gpg_t) ++ gpm_dontaudit_getattr_gpmctl(gpg_t) + ') optional_policy(` - mozilla_dontaudit_rw_user_home_files(gpg_t) @@ -25949,7 +26018,7 @@ index 44cf341..391e8e6 100644 ') optional_policy(` -@@ -165,37 +160,51 @@ optional_policy(` +@@ -165,37 +168,51 @@ optional_policy(` ') optional_policy(` 
@@ -26012,7 +26081,7 @@ index 44cf341..391e8e6 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -207,29 +216,33 @@ tunable_policy(`use_samba_home_dirs',` +@@ -207,29 +224,33 @@ tunable_policy(`use_samba_home_dirs',` ######################################## # @@ -26053,7 +26122,7 @@ index 44cf341..391e8e6 100644 corecmd_exec_shell(gpg_agent_t) dev_read_rand(gpg_agent_t) -@@ -239,32 +252,27 @@ domain_use_interactive_fds(gpg_agent_t) +@@ -239,32 +260,27 @@ domain_use_interactive_fds(gpg_agent_t) fs_dontaudit_list_inotifyfs(gpg_agent_t) @@ -26095,7 +26164,7 @@ index 44cf341..391e8e6 100644 optional_policy(` mozilla_dontaudit_rw_user_home_files(gpg_agent_t) -@@ -277,8 +285,17 @@ optional_policy(` +@@ -277,8 +293,17 @@ optional_policy(` allow gpg_pinentry_t self:process { getcap getsched setsched signal }; allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; @@ -26114,7 +26183,7 @@ index 44cf341..391e8e6 100644 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) -@@ -287,53 +304,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +@@ -287,53 +312,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) 
@@ -30127,17 +30196,59 @@ index ea64ed5..e60f701 100644 optional_policy(` dbus_system_bus_client(kismet_t) +diff --git a/ksmtuned.fc b/ksmtuned.fc +index e736c45..4b1e1e4 100644 +--- a/ksmtuned.fc ++++ b/ksmtuned.fc +@@ -1,5 +1,7 @@ + /etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) + ++/usr/lib/systemd/system/ksmtuned.* -- gen_context(system_u:object_r:ksmtuned_unit_file_t,s0) ++ + /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) + + /var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --git a/ksmtuned.if b/ksmtuned.if -index c530214..b949a9f 100644 +index c530214..a3984cb 100644 --- a/ksmtuned.if +++ b/ksmtuned.if -@@ -57,17 +57,15 @@ interface(`ksmtuned_initrc_domtrans',` +@@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',` + init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t) + ') + ++####################################### ++## ++## Execute ksmtuned server in the ksmtunedd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ksmtuned_systemctl',` ++ gen_require(` ++ type ksmtuned_unit_file_t; ++ type ksmtuned_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 ksmtuned_unit_file_t:file read_file_perms; ++ allow $1 ksmtuned_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ksmtuned_t) ++') ++ + ######################################## + ## + ## All of the rules required to +@@ -57,21 +80,25 @@ interface(`ksmtuned_initrc_domtrans',` # interface(`ksmtuned_admin',` gen_require(` - type ksmtuned_t, ksmtuned_var_run_t; - type ksmtuned_initrc_exec_t, ksmtuned_log_t; -+ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t; ++ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t; ') - ksmtuned_initrc_domtrans($1) 
@@ -30155,11 +30266,49 @@ index c530214..b949a9f 100644 files_list_pids($1) admin_pattern($1, ksmtuned_var_run_t) + + logging_search_logs($1) + admin_pattern($1, ksmtuned_log_t) ++ ++ ksmtuned_systemctl($1) ++ admin_pattern($1, ksmtuned_unit_file_t) ++ allow $1 ksmtuned_unit_file_t:service all_service_perms; ++ ++ + ') diff --git a/ksmtuned.te b/ksmtuned.te -index c1539b5..a090996 100644 +index c1539b5..fd0a17f 100644 --- a/ksmtuned.te +++ b/ksmtuned.te -@@ -43,6 +43,7 @@ corecmd_exec_shell(ksmtuned_t) +@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.0.1) + # Declarations + # + ++## ++##

++## Allow ksmtuned to use nfs file systems ++##

++##
++gen_tunable(ksmtuned_use_nfs, false) ++ ++## ++##

++## Allow ksmtuned to use cifs/Samba file systems ++##

++##
++gen_tunable(ksmtuned_use_cifs, false) ++ + type ksmtuned_t; + type ksmtuned_exec_t; + init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) + ++type ksmtuned_unit_file_t; ++systemd_unit_file(ksmtuned_unit_file_t) ++ + type ksmtuned_initrc_exec_t; + init_script_file(ksmtuned_initrc_exec_t) + +@@ -43,6 +60,7 @@ corecmd_exec_shell(ksmtuned_t) dev_rw_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) @@ -30167,12 +30316,19 @@ index c1539b5..a090996 100644 mls_file_read_to_clearance(ksmtuned_t) -@@ -51,5 +52,3 @@ term_use_all_terms(ksmtuned_t) - auth_use_nsswitch(ksmtuned_t) +@@ -52,4 +70,11 @@ auth_use_nsswitch(ksmtuned_t) logging_send_syslog_msg(ksmtuned_t) -- + -miscfiles_read_localization(ksmtuned_t) ++tunable_policy(`ksmtuned_use_nfs',` ++ fs_read_nfs_files(ksmtuned_t) ++') ++ ++tunable_policy(`ksmtuned_use_cifs',` ++ fs_read_cifs_files(ksmtuned_t) ++ samba_read_share_files(ksmtuned_t) ++') diff --git a/ktalk.te b/ktalk.te index 2cf3815..2c4c979 100644 --- a/ktalk.te @@ -31233,7 +31389,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index 7bab8e5..3a2c50c 100644 +index 7bab8e5..5c6ac99 100644 --- a/logrotate.te +++ b/logrotate.te @@ -1,20 +1,18 @@ @@ -31382,6 +31538,8 @@ index 7bab8e5..3a2c50c 100644 logging_exec_all_logs(logrotate_t) -miscfiles_read_localization(logrotate_t) +- +-seutil_dontaudit_read_config(logrotate_t) +systemd_exec_systemctl(logrotate_t) +systemd_getattr_unit_files(logrotate_t) +systemd_start_all_unit_files(logrotate_t) @@ -31389,8 +31547,6 @@ index 7bab8e5..3a2c50c 100644 +systemd_status_all_unit_files(logrotate_t) +init_stream_connect(logrotate_t) --seutil_dontaudit_read_config(logrotate_t) -- -userdom_use_user_terminals(logrotate_t) +userdom_use_inherited_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) @@ -31438,7 +31594,7 @@ index 7bab8e5..3a2c50c 100644 ') optional_policy(` -@@ -198,17 +214,14 @@ optional_policy(` +@@ -198,21 +214,22 @@ optional_policy(` ') optional_policy(` 
@@ -31451,18 +31607,28 @@ index 7bab8e5..3a2c50c 100644 optional_policy(` - openvswitch_read_pid_files(logrotate_t) - openvswitch_domtrans(logrotate_t) --') -- --optional_policy(` -- polipo_log_filetrans_log(logrotate_t, file, "polipo") + polipo_named_filetrans_log_files(logrotate_t) ') optional_policy(` -@@ -228,10 +241,16 @@ optional_policy(` +- polipo_log_filetrans_log(logrotate_t, file, "polipo") ++ psad_domtrans(logrotate_t) ') optional_policy(` +- psad_domtrans(logrotate_t) ++ raid_domtrans_mdadm(logrotate_t) + ') + + optional_policy(` +@@ -228,10 +245,20 @@ optional_policy(` + ') + + optional_policy(` ++ openshift_manage_lib_files(logrotate_t) ++') ++ ++optional_policy(` + openvswitch_read_pid_files(logrotate_t) + openvswitch_domtrans(logrotate_t) +') @@ -31476,7 +31642,7 @@ index 7bab8e5..3a2c50c 100644 su_exec(logrotate_t) ') -@@ -241,13 +260,11 @@ optional_policy(` +@@ -241,13 +268,11 @@ optional_policy(` ####################################### # @@ -31496,7 +31662,7 @@ index 7bab8e5..3a2c50c 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index 4256a4c..2d6adaf 100644 +index 4256a4c..8023bf3 100644 --- a/logwatch.te +++ b/logwatch.te @@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6) @@ -31537,7 +31703,18 @@ index 4256a4c..2d6adaf 100644 mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) mta_getattr_spool(logwatch_t) -@@ -164,6 +165,12 @@ dev_read_sysfs(logwatch_mail_t) +@@ -137,6 +138,10 @@ optional_policy(` + ') + + optional_policy(` ++ raid_access_check_mdadm(logwatch_t) ++') ++ ++optional_policy(` + rpc_search_nfs_state_data(logwatch_t) + ') + +@@ -164,6 +169,12 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -34351,10 +34528,10 @@ index 4462c0e..84944d1 100644 userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..0fa08be 100644 +index 6ffaba2..4cecf11 100644 
--- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,58 @@ +@@ -1,38 +1,59 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) @@ -34386,6 +34563,7 @@ index 6ffaba2..0fa08be 100644 +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -34448,7 +34626,7 @@ index 6ffaba2..0fa08be 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..110cdc6 100644 +index 6194b80..84438b1 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -35069,7 +35247,7 @@ index 6194b80..110cdc6 100644 ## ## ## -@@ -530,45 +430,45 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +430,46 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # 
@@ -35133,6 +35311,7 @@ index 6194b80..110cdc6 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") @@ -35140,7 +35319,7 @@ index 6194b80..110cdc6 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..d579caa 100644 +index 6a306ee..b745274 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -35666,7 +35845,7 @@ index 6a306ee..d579caa 100644 kernel_read_all_sysctls(mozilla_plugin_t) kernel_read_system_state(mozilla_plugin_t) -@@ -366,155 +372,109 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t) +@@ -366,155 +372,110 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) @@ -35772,6 +35951,7 @@ index 6a306ee..d579caa 100644 -dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t) -dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t) -dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t) ++dev_rwx_zero(mozilla_plugin_t) +dev_dontaudit_rw_dri(mozilla_plugin_t) +dev_dontaudit_getattr_all(mozilla_plugin_t) @@ -35880,7 +36060,7 @@ index 6a306ee..d579caa 100644 ') optional_policy(` -@@ -523,36 +483,43 @@ optional_policy(` +@@ -523,36 +484,43 @@ optional_policy(` ') optional_policy(` @@ -35938,7 +36118,7 @@ index 6a306ee..d579caa 100644 ') optional_policy(` -@@ -560,7 +527,7 @@ optional_policy(` +@@ -560,7 +528,7 @@ optional_policy(` ') optional_policy(` 
@@ -35947,7 +36127,7 @@ index 6a306ee..d579caa 100644 ') optional_policy(` -@@ -568,108 +535,100 @@ optional_policy(` +@@ -568,108 +536,100 @@ optional_policy(` ') optional_policy(` @@ -46309,10 +46489,10 @@ index 0000000..98ce2c3 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..4fe3c71 +index 0000000..c69ca3f --- /dev/null +++ b/openshift.te -@@ -0,0 +1,377 @@ +@@ -0,0 +1,378 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -46428,8 +46608,9 @@ index 0000000..4fe3c71 +allow openshift_domain self:shm create_shm_perms; +allow openshift_domain self:sem create_sem_perms; +dontaudit openshift_domain self:dir write; -+ ++dontaudit openshift_t self:unix_stream_socket recvfrom; +dontaudit openshift_domain self:netlink_tcpdiag_socket create; ++dontaudit openshift_domain self:netlink_route_socket nlmsg_write; +allow openshift_domain self:tcp_socket create_stream_socket_perms; +allow openshift_domain self:fifo_file manage_fifo_file_perms; +allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -59066,10 +59247,10 @@ index cd51b96..f7e9c70 100644 + admin_pattern($1, qpidd_var_run_t) ') diff --git a/qpid.te b/qpid.te -index 76f5b39..a5ba415 100644 +index 76f5b39..599b6cd 100644 --- a/qpid.te +++ b/qpid.te -@@ -37,37 +37,37 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) +@@ -37,37 +37,40 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file }) 
@@ -59098,15 +59279,17 @@ index 76f5b39..a5ba415 100644 corenet_tcp_bind_amqp_port(qpidd_t) corenet_tcp_sendrecv_amqp_port(qpidd_t) -+ +corenet_tcp_bind_matahari_port(qpidd_t) +corenet_tcp_connect_matahari_port(qpidd_t) + dev_read_sysfs(qpidd_t) dev_read_urand(qpidd_t) ++dev_read_rand(qpidd_t) -files_read_etc_files(qpidd_t) -- ++# needed by ssl ++files_list_tmp(qpidd_t) + logging_send_syslog_msg(qpidd_t) -miscfiles_read_localization(qpidd_t) @@ -60034,7 +60217,7 @@ index 5806046..01ca7cb 100644 /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/raid.if b/raid.if -index 951db7f..db0d815 100644 +index 951db7f..6d6ec1d 100644 --- a/raid.if +++ b/raid.if @@ -1,9 +1,8 @@ @@ -60092,7 +60275,7 @@ index 951db7f..db0d815 100644 ##
## ## -@@ -57,47 +55,39 @@ interface(`raid_run_mdadm',` +@@ -57,47 +55,58 @@ interface(`raid_run_mdadm',` ## ## # @@ -60147,25 +60330,44 @@ index 951db7f..db0d815 100644 - domain_system_change_exemption($1) - role_transition $2 mdadm_initrc_exec_t system_r; - allow $2 system_r; -- -- files_search_pids($1) -- admin_pattern($1, mdadm_var_run_t) -- -- raid_run_mdadm($2, $1) + # FIXME: maybe should have a type_transition. not + # clear what this is doing, from the original + # mdadm policy + allow $1 mdadm_var_run_t:file manage_file_perms; ++') + +- files_search_pids($1) +- admin_pattern($1, mdadm_var_run_t) ++####################################### ++## ++## Check access to the mdadm executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`raid_access_check_mdadm',` ++ gen_require(` ++ type mdadm_exec_t; ++ ') + +- raid_run_mdadm($2, $1) ++ corecmd_search_bin($1) ++ allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..d9f7a3a 100644 +index 2c1730b..fd31eb5 100644 --- a/raid.te +++ b/raid.te -@@ -26,7 +26,7 @@ dev_associate(mdadm_var_run_t) +@@ -25,8 +25,8 @@ dev_associate(mdadm_var_run_t) + # allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; - dontaudit mdadm_t self:capability sys_tty_config; +-dontaudit mdadm_t self:capability sys_tty_config; -allow mdadm_t self:process { getsched setsched signal_perms }; ++dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace }; +allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal }; allow mdadm_t self:fifo_file rw_fifo_file_perms; allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -66241,7 +66443,7 @@ index f1140ef..6bde558 100644 - rsync_run($1, $2) -') diff --git a/rsync.te b/rsync.te -index e3e7c96..8fdd060 100644 +index e3e7c96..f3932af 100644 --- a/rsync.te +++ b/rsync.te @@ -1,4 +1,4 @@ 
@@ -66250,7 +66452,7 @@ index e3e7c96..8fdd060 100644 ######################################## # -@@ -6,67 +6,52 @@ policy_module(rsync, 1.12.2) +@@ -6,67 +6,60 @@ policy_module(rsync, 1.12.2) # ## @@ -66306,28 +66508,34 @@ index e3e7c96..8fdd060 100644 gen_tunable(rsync_export_all_ro, false) ## --##

--## Determine whether rsync can modify --## public files used for public file --## transfer services. Directories/Files must --## be labeled public_content_rw_t. --##

+##

+## Allow rsync to modify public files +## used for public file transfer services. Files/Directories must be +## labeled public_content_rw_t. +##

++##
++gen_tunable(rsync_anon_write, false) ++ ++## + ##

+-## Determine whether rsync can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. ++## Allow rsync server to manage all files/directories on the system. + ##

##
-gen_tunable(allow_rsync_anon_write, false) -- ++gen_tunable(rsync_full_access, false) + -attribute_role rsync_roles; -+gen_tunable(rsync_anon_write, false) type rsync_t; type rsync_exec_t; - init_daemon_domain(rsync_t, rsync_exec_t) +-init_daemon_domain(rsync_t, rsync_exec_t) -application_domain(rsync_t, rsync_exec_t) -role rsync_roles types rsync_t; ++init_domain(rsync_t, rsync_exec_t) +application_executable_file(rsync_exec_t) +role system_r types rsync_t; @@ -66339,21 +66547,21 @@ index e3e7c96..8fdd060 100644 files_type(rsync_data_t) type rsync_log_t; -@@ -86,15 +71,22 @@ files_pid_file(rsync_var_run_t) +@@ -86,15 +79,22 @@ files_pid_file(rsync_var_run_t) allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; -allow rsync_t self:tcp_socket { accept listen }; +allow rsync_t self:tcp_socket create_stream_socket_perms; +allow rsync_t self:udp_socket connected_socket_perms; -+ + +-allow rsync_t rsync_etc_t:file read_file_perms; +# for identd +# cjp: this should probably only be inetd_child_t rules? +# search home and kerberos also. +allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +#end for identd - --allow rsync_t rsync_etc_t:file read_file_perms; ++ +read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) allow rsync_t rsync_data_t:dir list_dir_perms; @@ -66367,7 +66575,7 @@ index e3e7c96..8fdd060 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +100,69 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +108,76 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) 
@@ -66403,31 +66611,39 @@ index e3e7c96..8fdd060 100644 miscfiles_read_public_files(rsync_t) -tunable_policy(`allow_rsync_anon_write',` +- miscfiles_manage_public_files(rsync_t) +userdom_home_manager(rsync_t) + -+tunable_policy(`rsync_anon_write',` - miscfiles_manage_public_files(rsync_t) ++optional_policy(` ++ daemontools_service_domain(rsync_t, rsync_exec_t) ') -tunable_policy(`rsync_client',` - corenet_sendrecv_rsync_client_packets(rsync_t) - corenet_tcp_connect_rsync_port(rsync_t) +optional_policy(` -+ daemontools_service_domain(rsync_t, rsync_exec_t) ++ kerberos_use(rsync_t) +') - corenet_sendrecv_ssh_client_packets(rsync_t) - corenet_tcp_connect_ssh_port(rsync_t) - corenet_tcp_sendrecv_ssh_port(rsync_t) +optional_policy(` -+ kerberos_use(rsync_t) ++ inetd_service_domain(rsync_t, rsync_exec_t) +') - manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) - manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) - manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -+optional_policy(` -+ inetd_service_domain(rsync_t, rsync_exec_t) ++tunable_policy(`rsync_anon_write',` ++ miscfiles_manage_public_files(rsync_t) ++') ++ ++tunable_policy(`rsync_full_access',` ++ allow rsync_t self:capability { dac_override dac_read_search }; ++ files_manage_non_security_dirs(rsync_t) ++ files_manage_non_security_files(rsync_t) ++ #files_relabel_non_security_files(rsync_t) ') tunable_policy(`rsync_export_all_ro',` @@ -70721,7 +70937,7 @@ index c78a569..9007451 100644 - allow sectoolm_t $2:unix_dgram_socket sendto; -') diff --git a/sectoolm.te b/sectoolm.te -index 8193bf1..ffa81dd 100644 +index 8193bf1..b6a0bbd 100644 --- a/sectoolm.te +++ b/sectoolm.te @@ -1,4 +1,4 @@ 
@@ -70747,7 +70963,8 @@ index 8193bf1..ffa81dd 100644 +# sectool local policy # - allow sectoolm_t self:capability { dac_override net_admin sys_nice }; +-allow sectoolm_t self:capability { dac_override net_admin sys_nice }; ++allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; allow sectoolm_t self:process { getcap getsched signull setsched }; dontaudit sectoolm_t self:process { execstack execmem }; allow sectoolm_t self:fifo_file rw_fifo_file_perms; @@ -71107,7 +71324,7 @@ index 88e753f..ca74cd9 100644 + admin_pattern($1, mail_spool_t) ') diff --git a/sendmail.te b/sendmail.te -index 5f35d78..9bef62c 100644 +index 5f35d78..c2eb07e 100644 --- a/sendmail.te +++ b/sendmail.te @@ -1,18 +1,10 @@ @@ -71130,7 +71347,7 @@ index 5f35d78..9bef62c 100644 type sendmail_log_t; logging_log_file(sendmail_log_t) -@@ -26,27 +18,25 @@ type sendmail_t; +@@ -26,27 +18,26 @@ type sendmail_t; mta_sendmail_mailserver(sendmail_t) mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -71150,6 +71367,7 @@ index 5f35d78..9bef62c 100644 -allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config }; +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; ++dontaudit sendmail_t self:capability net_admin; allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; -allow sendmail_t self:unix_stream_socket { accept listen }; @@ -71168,7 +71386,7 @@ index 5f35d78..9bef62c 100644 logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -@@ -58,33 +48,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) +@@ -58,33 +49,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) kernel_read_network_state(sendmail_t) kernel_read_kernel_sysctls(sendmail_t) 
@@ -71206,7 +71424,7 @@ index 5f35d78..9bef62c 100644 fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) -@@ -93,35 +71,49 @@ fs_rw_anon_inodefs_files(sendmail_t) +@@ -93,35 +72,49 @@ fs_rw_anon_inodefs_files(sendmail_t) term_dontaudit_use_console(sendmail_t) term_dontaudit_use_generic_ptys(sendmail_t) @@ -71262,7 +71480,7 @@ index 5f35d78..9bef62c 100644 ') optional_policy(` -@@ -166,6 +158,11 @@ optional_policy(` +@@ -166,6 +159,11 @@ optional_policy(` ') optional_policy(` @@ -71274,7 +71492,7 @@ index 5f35d78..9bef62c 100644 postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) postfix_domtrans_postqueue(sendmail_t) -@@ -187,21 +184,13 @@ optional_policy(` +@@ -187,21 +185,13 @@ optional_policy(` ') optional_policy(` @@ -75508,10 +75726,10 @@ index 0000000..80c6480 +') diff --git a/stapserver.te b/stapserver.te new file mode 100644 -index 0000000..79eac2b +index 0000000..3ac6ad7 --- /dev/null +++ b/stapserver.te -@@ -0,0 +1,99 @@ +@@ -0,0 +1,107 @@ +policy_module(stapserver, 1.0.0) + +######################################## @@ -75532,6 +75750,9 @@ index 0000000..79eac2b +type stapserver_var_run_t; +files_pid_file(stapserver_var_run_t) + ++type stapserver_tmp_t; ++files_tmp_file(stapserver_tmp_t) ++ +######################################## +# +# stapserver local policy 
@@ -75557,6 +75778,11 @@ index 0000000..79eac2b +manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) + ++manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) ++manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) ++manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) ++files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file dir }) ++ +manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) +manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) +files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) @@ -77838,10 +78064,10 @@ index 0000000..555b49e +files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file }) diff --git a/thumb.fc b/thumb.fc new file mode 100644 -index 0000000..059e12c +index 0000000..601aea3 --- /dev/null +++ b/thumb.fc -@@ -0,0 +1,16 @@ +@@ -0,0 +1,17 @@ +HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) +HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) +HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0) @@ -77856,14 +78082,15 @@ index 0000000..059e12c +/usr/bin/whaaw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) +/usr/bin/[^/]*thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) +/usr/bin/ffmpegthumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) ++/usr/bin/mate-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0) + +/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) diff --git a/thumb.if b/thumb.if new file mode 100644 -index 0000000..4902155 +index 0000000..72c42ad --- /dev/null +++ b/thumb.if -@@ -0,0 +1,128 @@ +@@ -0,0 +1,126 @@ + +## policy for thumb + 
@@ -77938,12 +78165,9 @@ index 0000000..4902155 + class dbus send_msg; + ') + -+ role $1 types thumb_t; -+ -+ thumb_domtrans($2) ++ thumb_run($2, $1) + + ps_process_pattern($2, thumb_t) -+ allow $2 thumb_t:process signal; + allow thumb_t $2:unix_stream_socket connectto; + + allow $2 thumb_t:dbus send_msg; @@ -77970,6 +78194,7 @@ index 0000000..4902155 + + allow $1 thumb_t:dbus send_msg; + allow thumb_t $1:dbus send_msg; ++ ps_process_pattern(thumb_t, $1) +') + +######################################## @@ -77994,10 +78219,10 @@ index 0000000..4902155 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..aab66c4 +index 0000000..4f8e329 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,127 @@ +@@ -0,0 +1,132 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -78125,6 +78350,11 @@ index 0000000..aab66c4 +optional_policy(` + nscd_dontaudit_write_sock_file(thumb_t) +') ++ ++tunable_policy(`nis_enabled',` ++ corenet_dontaudit_udp_bind_all_ports(thumb_t) ++ corenet_dontaudit_udp_bind_generic_node(thumb_t) ++') diff --git a/thunderbird.te b/thunderbird.te index 4257ede..5b3949a 100644 --- a/thunderbird.te @@ -82251,7 +82481,7 @@ index 9dec06c..d8a2b54 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 1f22fba..c566b8b 100644 +index 1f22fba..ff76d37 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -82545,9 +82775,7 @@ index 1f22fba..c566b8b 100644 -append_files_pattern(virt_domain, virt_log_t, virt_log_t) - -append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -kernel_read_system_state(virt_domain) - -fs_getattr_xattr_fs(virt_domain) 
@@ -82604,7 +82832,9 @@ index 1f22fba..c566b8b 100644 - -storage_raw_write_removable_device(virt_domain) -storage_raw_read_removable_device(virt_domain) -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -term_use_all_terms(virt_domain) -term_getattr_pty_fs(virt_domain) -term_use_generic_ptys(virt_domain) @@ -82722,7 +82952,9 @@ index 1f22fba..c566b8b 100644 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) -- ++allow svirt_tcg_t self:process { execmem execstack }; ++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + -corenet_udp_sendrecv_generic_if(svirt_t) -corenet_udp_sendrecv_generic_node(svirt_t) -corenet_udp_sendrecv_all_ports(svirt_t) @@ -82742,9 +82974,7 @@ index 1f22fba..c566b8b 100644 -corenet_sendrecv_all_server_packets(svirt_t) -corenet_udp_bind_all_ports(svirt_t) -corenet_tcp_bind_all_ports(svirt_t) -+allow svirt_tcg_t self:process { execmem execstack }; -+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - +- -corenet_sendrecv_all_client_packets(svirt_t) -corenet_tcp_connect_all_ports(svirt_t) +corenet_udp_sendrecv_generic_if(svirt_tcg_t) @@ -82885,7 +83115,15 @@ index 1f22fba..c566b8b 100644 kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -520,22 +345,12 @@ corecmd_exec_shell(virtd_t) +@@ -513,6 +338,7 @@ kernel_read_kernel_sysctls(virtd_t) + kernel_request_load_module(virtd_t) + kernel_search_debugfs(virtd_t) + kernel_setsched(virtd_t) ++kernel_write_proc_files(virtd_t) + + corecmd_exec_bin(virtd_t) + corecmd_exec_shell(virtd_t) +@@ -520,22 +346,12 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) 
@@ -82909,7 +83147,7 @@ index 1f22fba..c566b8b 100644 corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) -@@ -548,22 +363,22 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +364,22 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -82937,7 +83175,7 @@ index 1f22fba..c566b8b 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +409,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +410,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -82957,7 +83195,7 @@ index 1f22fba..c566b8b 100644 selinux_validate_context(virtd_t) -@@ -613,18 +431,24 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +432,24 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -82992,7 +83230,7 @@ index 1f22fba..c566b8b 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +457,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +458,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -83001,7 +83239,7 @@ index 1f22fba..c566b8b 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -646,107 +470,326 @@ optional_policy(` +@@ -646,107 +471,326 @@ optional_policy(` consoletype_exec(virtd_t) ') @@ -83385,7 +83623,7 @@ index 1f22fba..c566b8b 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +801,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +802,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) 
@@ -83394,27 +83632,27 @@ index 1f22fba..c566b8b 100644 -manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +- +-allow virsh_t svirt_lxc_domain:process transition; +- +-can_exec(virsh_t, virsh_exec_t) +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) --dontaudit virsh_t virt_var_lib_t:file read_file_perms; -+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; - --allow virsh_t svirt_lxc_domain:process transition; -- --can_exec(virsh_t, virsh_exec_t) -- -virt_domtrans(virsh_t) -virt_manage_images(virsh_t) -virt_manage_config(virsh_t) -virt_stream_connect(virsh_t) -- ++dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; + -kernel_read_crypto_sysctls(virsh_t) kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +819,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +820,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -83441,7 +83679,7 @@ index 1f22fba..c566b8b 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +839,21 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +840,21 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -83472,7 +83710,7 @@ index 1f22fba..c566b8b 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,6 +871,10 @@ optional_policy(` +@@ -847,6 +872,10 @@ optional_policy(` ') optional_policy(` 
@@ -83483,7 +83721,7 @@ index 1f22fba..c566b8b 100644 rpm_exec(virsh_t) ') -@@ -854,7 +882,7 @@ optional_policy(` +@@ -854,7 +883,7 @@ optional_policy(` xen_manage_image_dirs(virsh_t) xen_append_log(virsh_t) xen_domtrans(virsh_t) @@ -83492,7 +83730,7 @@ index 1f22fba..c566b8b 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +907,39 @@ optional_policy(` +@@ -879,34 +908,39 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -83528,7 +83766,7 @@ index 1f22fba..c566b8b 100644 manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) -+allow virtd_t virtd_lxc_t:process { signal signull sigkill }; ++allow virtd_t virtd_lxc_t:process { getattr signal signull sigkill }; + allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; -manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) @@ -83542,7 +83780,7 @@ index 1f22fba..c566b8b 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +949,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +950,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -83558,7 +83796,7 @@ index 1f22fba..c566b8b 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +969,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +970,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) 
@@ -83569,7 +83807,7 @@ index 1f22fba..c566b8b 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -955,15 +989,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +990,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -83588,7 +83826,7 @@ index 1f22fba..c566b8b 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,20 +1003,38 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,20 +1004,38 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -83633,7 +83871,7 @@ index 1f22fba..c566b8b 100644 allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; -@@ -995,19 +1043,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,19 +1044,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -83653,7 +83891,7 @@ index 1f22fba..c566b8b 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1050,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1051,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) 
@@ -83672,7 +83910,7 @@ index 1f22fba..c566b8b 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1069,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1070,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -83699,7 +83937,7 @@ index 1f22fba..c566b8b 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,11 +1094,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,11 +1095,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -83716,7 +83954,7 @@ index 1f22fba..c566b8b 100644 optional_policy(` udev_read_pid_files(svirt_lxc_domain) -@@ -1078,81 +1112,63 @@ optional_policy(` +@@ -1078,81 +1113,63 @@ optional_policy(` apache_read_sys_content(svirt_lxc_domain) ') @@ -83821,7 +84059,7 @@ index 1f22fba..c566b8b 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1181,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1182,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -83836,7 +84074,7 @@ index 1f22fba..c566b8b 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1199,8 @@ optional_policy(` +@@ -1183,9 +1200,8 @@ optional_policy(` ######################################## # 
@@ -83847,7 +84085,7 @@ index 1f22fba..c566b8b 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1213,65 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1214,65 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -83914,7 +84152,7 @@ index 1f22fba..c566b8b 100644 + +type svirt_socket_t; +role system_r types svirt_socket_t; -+allow svirt_t svirt_socket_t:unix_stream_socket connectto; ++allow svirt_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; diff --git a/vlock.te b/vlock.te index 9ead775..b5285e7 100644 --- a/vlock.te @@ -84202,7 +84440,7 @@ index 7a7f342..afedcba 100644 ## ## diff --git a/vpn.te b/vpn.te -index 9329eae..83fa097 100644 +index 9329eae..824e86f 100644 --- a/vpn.te +++ b/vpn.te @@ -1,4 +1,4 @@ @@ -84211,7 +84449,7 @@ index 9329eae..83fa097 100644 ######################################## # -@@ -6,12 +6,12 @@ policy_module(vpn, 1.15.1) +@@ -6,6 +6,7 @@ policy_module(vpn, 1.15.1) # attribute_role vpnc_roles; @@ -84219,13 +84457,7 @@ index 9329eae..83fa097 100644 type vpnc_t; type vpnc_exec_t; - init_system_domain(vpnc_t, vpnc_exec_t) - application_domain(vpnc_t, vpnc_exec_t) --role vpnc_roles types vpnc_t; - - type vpnc_tmp_t; - files_tmp_file(vpnc_tmp_t) -@@ -28,9 +28,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n +@@ -28,9 +29,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n allow vpnc_t self:process { getsched signal }; allow vpnc_t self:fifo_file rw_fifo_file_perms; allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; 
@@ -84240,7 +84472,7 @@ index 9329eae..83fa097 100644 allow vpnc_t self:socket create_socket_perms; manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) -@@ -47,7 +51,6 @@ kernel_read_all_sysctls(vpnc_t) +@@ -47,7 +52,6 @@ kernel_read_all_sysctls(vpnc_t) kernel_request_load_module(vpnc_t) kernel_rw_net_sysctls(vpnc_t) @@ -84248,7 +84480,7 @@ index 9329eae..83fa097 100644 corenet_all_recvfrom_netlabel(vpnc_t) corenet_tcp_sendrecv_generic_if(vpnc_t) corenet_udp_sendrecv_generic_if(vpnc_t) -@@ -58,38 +61,32 @@ corenet_raw_sendrecv_generic_node(vpnc_t) +@@ -58,38 +62,32 @@ corenet_raw_sendrecv_generic_node(vpnc_t) corenet_tcp_sendrecv_all_ports(vpnc_t) corenet_udp_sendrecv_all_ports(vpnc_t) corenet_udp_bind_generic_node(vpnc_t) @@ -84298,7 +84530,7 @@ index 9329eae..83fa097 100644 auth_use_nsswitch(vpnc_t) -@@ -103,16 +100,15 @@ locallogin_use_fds(vpnc_t) +@@ -103,16 +101,15 @@ locallogin_use_fds(vpnc_t) logging_send_syslog_msg(vpnc_t) logging_dontaudit_search_logs(vpnc_t) @@ -84318,7 +84550,7 @@ index 9329eae..83fa097 100644 optional_policy(` dbus_system_bus_client(vpnc_t) -@@ -125,7 +121,3 @@ optional_policy(` +@@ -125,7 +122,3 @@ optional_policy(` optional_policy(` networkmanager_attach_tun_iface(vpnc_t) ') @@ -86840,7 +87072,7 @@ index 36e32df..3d08962 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ') diff --git a/zarafa.te b/zarafa.te -index a4479b1..15774aa 100644 +index a4479b1..1d12d58 100644 --- a/zarafa.te +++ b/zarafa.te @@ -1,4 +1,4 @@ @@ -86868,7 +87100,7 @@ index a4479b1..15774aa 100644 zarafa_domain_template(gateway) zarafa_domain_template(ical) zarafa_domain_template(indexer) -@@ -43,61 +38,77 @@ files_tmp_file(zarafa_var_lib_t) +@@ -43,61 +38,74 @@ files_tmp_file(zarafa_var_lib_t) ######################################## # 
@@ -86881,17 +87113,16 @@ index a4479b1..15774aa 100644 files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) +auth_use_nsswitch(zarafa_deliver_t) ++ ++corenet_tcp_bind_lmtp_port(zarafa_deliver_t) + ######################################## # -# Gateway local policy +# zarafa_gateway local policy # - +- -corenet_all_recvfrom_unlabeled(zarafa_gateway_t) -+allow zarafa_gateway_t self:capability { kill }; -+allow zarafa_gateway_t self:process setrlimit; -+ corenet_all_recvfrom_netlabel(zarafa_gateway_t) corenet_tcp_sendrecv_generic_if(zarafa_gateway_t) corenet_tcp_sendrecv_generic_node(zarafa_gateway_t) @@ -86959,13 +87190,12 @@ index a4479b1..15774aa 100644 +# zarafa_server local policy # -+allow zarafa_server_t self:capability { kill net_bind_service }; -+allow zarafa_server_t self:process setrlimit; ++allow zarafa_server_t self:capability net_bind_service; + manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) -@@ -109,70 +120,84 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file } +@@ -109,70 +117,78 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file } stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) @@ -87009,8 +87239,6 @@ index a4479b1..15774aa 100644 +# zarafa_spooler local policy # -+allow zarafa_spooler_t self:capability { kill }; -+ can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) -corenet_all_recvfrom_unlabeled(zarafa_spooler_t) 
@@ -87024,25 +87252,18 @@ index a4479b1..15774aa 100644 -corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t) + +auth_use_nsswitch(zarafa_spooler_t) - - ######################################## - # --# Zarafa domain local policy ++ ++######################################## ++# +# zarafa_gateway local policy +# -+ -+allow zarafa_gateway_t self:capability { kill }; -+allow zarafa_gateway_t self:process setrlimit; -+ +corenet_tcp_bind_pop_port(zarafa_gateway_t) + +####################################### +# +# zarafa-ical local policy - # - --allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; --allow zarafa_domain self:process { setrlimit signal }; ++# ++ +corenet_tcp_bind_http_cache_port(zarafa_ical_t) + +###################################### @@ -87050,15 +87271,17 @@ index a4479b1..15774aa 100644 +# zarafa-monitor local policy +# + -+ -+######################################## -+# + + ######################################## + # +-# Zarafa domain local policy +# zarafa domains local policy -+# -+ + # + +# bad permission on /etc/zarafa -+allow zarafa_domain self:capability { dac_override chown setgid setuid }; -+allow zarafa_domain self:process signal; + allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; +-allow zarafa_domain self:process { setrlimit signal }; ++allow zarafa_domain self:process { signal_perms setrlimit }; allow zarafa_domain self:fifo_file rw_fifo_file_perms; -allow zarafa_domain self:tcp_socket { accept listen }; -allow zarafa_domain self:unix_stream_socket { accept listen }; diff --git a/selinux-policy.spec b/selinux-policy.spec index 051fb217..442add0c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -524,6 +524,37 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jan 23 2013 Miroslav Grepl 3.12.1-6 +- kde gnomeclock wants to write content to /tmp +- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde +- Allow blueman_t to rwx zero_device_t, for some kind of jre +- Allow mozilla_plugin_t to rwx zero_device_t, for some kind of jre +- Ftp full access should be allowed to create directories as well as files +- Add boolean to allow rsync_full_acces, so that an rsync server can write all +- over the local machine +- logrotate needs to rotate logs in openshift directories, needs back port to RHEL6 +- Add missing vpnc_roles type line +- Allow stapserver to write content in /tmp +- Allow gnome keyring to create keyrings dir in ~/.local/share +- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on +- Add interface to colord_t dbus_chat to allow it to read remote process state +- Allow colord_t to read cupsd_t state +- Add mate-thumbnail-font as thumnailer +- Allow sectoolm to sys_ptrace since it is looking at other proceses /proc data. +- Allow qpidd to list /tmp. Needed by ssl +- Only allow init_t to transition to rsync_t domain, not initrc_t. This should be back ported to F17, F18 +- - Added systemd support for ksmtuned +- Added booleans + ksmtuned_use_nfs + ksmtuned_use_cifs +- firewalld seems to be creating mmap files which it needs to execute in /run /tmp and /dev/shm. 
Would like to clean this up but for now we will allow +- Looks like qpidd_t needs to read /dev/random +- Lots of probing avc's caused by execugting gpg from staff_t +- Dontaudit senmail triggering a net_admin avc +- Change thumb_role to use thumb_run, not sure why we have a thumb_role, needs back port +- Logwatch does access check on mdadm binary +- Add raid_access_check_mdadm() iterface + * Wed Jan 16 2013 Miroslav Grepl 3.12.1-5 - Fix systemd_manage_unit_symlinks() interface - Call systemd_manage_unit_symlinks(() which is correct interface @@ -544,6 +575,15 @@ SELinux Reference policy mls base module. - mythtv policy - Update mandb_admin() interface - Allow dsspam to listen on own tpc_socket +- seutil_filetrans_named_content needs to be optional +- Allow sysadm_t to execute content in his homedir +- Add attach_queue to tun_socket, new patch from Paul Moore +- Change most of selinux configuration types to security_file_type. +- Add filename transition rules for selinux configuration +- ssh into a box with -X -Y requires ssh_use_ptys +- Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on +- Allow all unpriv userdomains to send dbus messages to hostnamed and timedated +- New allow rules found by Tom London for systemd_hostnamed * Mon Jan 14 2013 Miroslav Grepl 3.12.1-4 - Allow systemd-tmpfiles to relabel lpd spool files
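Review bot: in the stapserver.te hunk, `files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file dir })` names only file and dir while `manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)` is also granted; a symlink stapserver creates in /tmp would therefore inherit the directory label tmp_t, which nothing in this hunk lets stapserver_t write. Either add lnk_file to the filetrans class set or drop the lnk_file pattern if the server never creates symlinks there.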
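Review bot: in the thumb.if hunk, thumb_role drops `allow $2 thumb_t:process signal;` when it switches to `thumb_run($2, $1)`; unless thumb_run grants that permission (its body is not in this diff), the user domain loses the ability to signal its own thumbnailer, so confirm thumb_run covers it or keep the line. The `ps_process_pattern(thumb_t, $1)` added to thumb_dbus_chat also lets thumb_t read the process state of every domain that dbus-chats with it; since a thumbnailer parses untrusted files, the commit message should say which thumbnailer needs the peer's /proc entries, and a one-line comment above the rule would help the next reader.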
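Review bot: in the virt.te hunk `@@ -513,6 +338,7 @@`, `kernel_write_proc_files(virtd_t)` is a broad grant (write access to generic proc_t files) and the 3.12.1-6 changelog has no libvirt entry explaining it; add a comment naming the /proc file libvirtd writes so the rule can later be narrowed or replaced by a more specific interface.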
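Review bot: at the end of the virt.te hunk `@@ -1198,5 +1214,65 @@`, widening `allow svirt_t svirt_socket_t:unix_stream_socket` from `connectto` to `{ connectto create_stream_socket_perms }` lets svirt_t create sockets labelled svirt_socket_t rather than only connect to them, which only takes effect when the socket creation context is set explicitly; a comment stating which component relies on this, and why connect alone was not enough, would document the change. The neighbouring `role system_r types svirt_socket_t;` also reads as if svirt_socket_t were a process domain; if it is purely a socket label, say so in a comment.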
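Review bot: in the vpn.te hunk, the rewritten inner header `@@ -6,6 +6,7 @@` says one line is added after `attribute_role vpnc_roles;`, but that added line shows as a bare `+` here, and the changelog entry "Add missing vpnc_roles type line" does not say what the line is; confirm the intended line survived in the patch (the inner patch no longer removes `role vpnc_roles types vpnc_t;`, so the two must not conflict) and spell it out in the changelog.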
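Review bot: in the zarafa.te hunks, the per-domain `kill` capability and `setrlimit` rules for zarafa_gateway_t, zarafa_server_t and zarafa_spooler_t are removed while the shared attribute keeps `allow zarafa_domain self:capability { kill dac_override chown setgid setuid };` and gains `process { signal_perms setrlimit }`, so every domain created by zarafa_domain_template (deliver, ical, indexer, monitor included) now holds CAP_KILL and setrlimit; if those daemons do not need them, keep the narrower per-domain rules, and update the `# bad permission on /etc/zarafa` comment, which explains dac_override but not kill. Two smaller points: the file ends up with two `# zarafa_gateway local policy` headers (the second wrapping only `corenet_tcp_bind_pop_port(zarafa_gateway_t)`), which should be merged into the first, and the new separator lines for the ical and monitor sections differ in width from the others while the monitor section is empty.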
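Review bot: in the selinux-policy.spec hunks, the 3.12.1-6 changelog carries several typos that users will see in `rpm -q --changelog` (`rsync_full_acces`, `thumnailer`, `proceses`, `execugting`, `senmail`, `iterface`), a doubled dash on `- - Added systemd support for ksmtuned`, and the entry "Dontaudit thumb drives ..." describes thumb_t, the thumbnailer domain that the thumb.te rules actually touch, not USB drives. The second hunk `@@ -544,6 +575,15 @@` also appends nine entries to the previous 3.12.1-5 section, one of which ("Dontaudit thumb drives ...") now appears under both releases; changes shipped in -6 belong under the -6 header only.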