Break the semanage man page into different man pages per category.

This adds a lot of new man pages but cleans up the descriptions and makes it
much easier to handle.
This commit is contained in:
Dan Walsh 2013-10-11 08:34:44 -04:00 committed by Stephen Smalley
parent a9dfbeeb72
commit 1925e1e91d
14 changed files with 729 additions and 189 deletions


@ -17,7 +17,7 @@ install: all
[ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8
-mkdir -p $(SBINDIR)
install -m 755 semanage $(SBINDIR)
install -m 644 semanage.8 $(MANDIR)/man8
install -m 644 *.8 $(MANDIR)/man8
test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages
install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages
-mkdir -p $(BASHCOMPLETIONDIR)
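Review bot: the line `install -m 644 *.8 $(MANDIR)/man8` replaces the explicit `install -m 644 semanage.8 $(MANDIR)/man8` with a shell glob, so any stray .8 file left in the build directory (an editor backup or a scratch copy) gets installed alongside the real pages; listing the pages explicitly, or at least narrowing the glob to `semanage*.8`, keeps the installed set deterministic.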


@ -0,0 +1,61 @@
.TH "semanage-boolean" "8" "20130617" "" ""
.SH "NAME"
semanage boolean\- SELinux Policy Management boolean tool
.SH "SYNOPSIS"
.B semanage boolean [\-h] [\-n] [\-N] [\-s STORE] [ \-\-extract | \-\-deleteall | \-\-list [\-C] | \-\-modify ( \-\-on | \-\-off ) boolean ]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
from policy sources. semanage boolean command controls the settings of booleans in SELinux policy. booleans are if\-then\-else rules written in SELinux Policy. They can be used to customize the way that SELinux Policy rules effect a confined domain.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
.I \-N, \-\-noreload
Do not reload policy after commit
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
.TP
.I \-C, \-\-locallist
List local customizations
.TP
.I \-m, \-\-modify
Modify a record of the specified object type
.TP
.I \-l, \-\-list
List records of the specified object type
.TP
.I \-E, \-\-extract
Extract customizable commands, for use within a transaction
.TP
.I \-D, \-\-deleteall
Remove all local customizations
.TP
.I \-1, \-\-on
Enable the boolean
.TP
.I \-0, \-\-off
Disable the boolean
.SH EXAMPLE
.nf
Turn on the apache can send mail boolan
# semanage boolean \-m \-\-on httpd_can_sendmail
List customized booleans
# semanage boolean \-l \-C
.SH "SEE ALSO"
.B selinux (8),
.B semanage (8)
.B setsebool (8)
.B getsebool (8)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
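Review bot: the SYNOPSIS line `.B semanage boolean [\-h] [\-n] [\-N] [\-s STORE] ...` advertises `\-s STORE`, but the OPTIONS section documents the store selector as `.I \-S STORE, \-\-store STORE`; the synopsis should use uppercase `\-S`. Also in this hunk: the NAME line `semanage boolean\- SELinux Policy Management boolean tool` needs a space before `\-` so whatis/apropos can parse it; the DESCRIPTION should read "Booleans are if-then-else rules" and "affect a confined domain" rather than "effect"; the example caption has "boolan" for "boolean"; and the `.nf` opened under EXAMPLE is never closed with `.fi` before `.SH "SEE ALSO"`, whereas semanage.8 closes its example block with `.fi`.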


@ -0,0 +1,34 @@
.TH "semanage-dontaudit" "8" "20130617" "" ""
.SH "NAME"
.B semanage dontaudit\- SELinux Policy Management dontaudit tool
.SH "SYNOPSIS"
.B semanage dontaudit [\-h] [\-S STORE] [\-N] {on,off}
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
from policy sources. semanage dontaudit toggles whether or not dontaudit rules will be in the policy. Policy writers use dontaudit rules to cause
confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Some times dontaudit rules can cause bugs in applications but policy writers will not relize it since the AVC is not audited. Turning off dontaudit rules with this command to see if the kernel is blocking an access.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
show this help message and exit
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
.TP
.I \-N, \-\-noreload
Do not reload the policy after commit
.SH EXAMPLE
.nf
Turn off dontaudit rules
# semanage dontaudit off
.SH "SEE ALSO"
.B selinux (8),
.B semanage (8)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
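Review bot: the DESCRIPTION has several wording problems: "Dontaudit rules are denied but not reported in the logs" should say that accesses matched by dontaudit rules are denied but not logged; "Some times" should be "Sometimes" and "relize" "realize"; and the final sentence "Turning off dontaudit rules with this command to see if the kernel is blocking an access." is a fragment (suggest "Turn off dontaudit rules with this command to see whether the kernel is blocking an access."). The NAME line wraps the name in `.B`, unlike semanage-boolean.8 and semanage-fcontext.8 in this same commit; keep NAME plain so whatis(1) indexing is consistent across the new pages. The `.nf` under EXAMPLE also lacks a closing `.fi`.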


@ -0,0 +1,37 @@
.TH "semanage-export" "8" "20130617" "" ""
.SH "NAME"
.B semanage export\- SELinux Policy Management import tool
.SH "SYNOPSIS"
.B semanage export [\-h] [\-S STORE] [\-f OUTPUT_FILE]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a hole group of semanage commands within a file and apply them to a machine in a single transaction.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
show this help message and exit
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
.TP
.I \-f OUTPUT_FILE, \-\-output_file OUTPUT_FILE
Output file
.SH EXAMPLE
.nf
Import semanage modifications from another machine
# semanage export -f semanage.mods
# scp semanage.mod remotemachine:
# ssh remotemachine
# semanage import -f semanage.mods
.SH "SEE ALSO"
.B selinux (8),
.B semanage (8),
.B semanage-import (8)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
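Review bot: the NAME line `.B semanage export\- SELinux Policy Management import tool` describes the export page as the import tool, and the example caption "Import semanage modifications from another machine" sits above a sequence that starts by exporting them. The example also writes `semanage.mods` but then copies `semanage.mod` (`# scp semanage.mod remotemachine:`), so the file names need to match or the import on the remote side fails. "hole group" should be "whole group", the example uses unescaped `-f` where the other pages write `\-f`, and the `.nf` block is not closed with `.fi`.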


@ -0,0 +1,87 @@
.TH "semanage-fcontext" "8" "20130617" "" ""
.SH "NAME"
semanage fcontext\- SELinux Policy Management file context tool
.SH "SYNOPSIS"
.B semanage fcontext [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) | \-\-delete ( \-t TYPE \-f FTYPE | \-e EQUAL ) FILE_SPEC ) | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) ]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
from policy sources. semanage fcontext is used to manage the default
file system labeling on an SELinux system. This command maps file paths using regular expressions to SELinux labels.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
.I \-N, \-\-noreload
Do not reload policy after commit
.TP
.I \-C, \-\-locallist
List local customizations
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
.TP
.I \-a, \-\-add
Add a record of the specified object type
.TP
.I \-d, \-\-delete
Delete a record of the specified object type
.TP
.I \-m, \-\-modify
Modify a record of the specified object type
.TP
.I \-l, \-\-list
List records of the specified object type
.TP
.I \-E, \-\-extract
Extract customizable commands, for use within a transaction
.TP
.I \-D, \-\-deleteall
Remove all local customizations
.TP
.I \-e EQUAL, \-\-equal EQUAL
Substitute target path with sourcepath when generating default label. This is used with fcontext. Requires source and target path arguments. The context labeling for the target subtree is made equivalent to that defined for the source.
.TP
.I \-f [{a,f,d,c,b,s,l,p}], \-\-ftype [{a,f,d,c,b,s,l,p}]
File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use 'd' to match only directories or 'f' to match only regular files. The following file type options can be passed: f (regular file),d (directory),c (character device), b (block device),s (socket),l (symbolic link),p (named pipe). If you do not specify a file type, the file type will default to "all files".
.TP
.I \-s SEUSER, \-\-seuser SEUSER
SELinux user name
.TP
.I \-t TYPE, \-\-type TYPE
SELinux Type for the object
.TP
.I \-r RANGE, \-\-range RANGE
MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
.SH EXAMPLE
.nf
.I remember to run restorecon after you set the file context
Add file-context for everything under /web
# semanage fcontext \-a \-t httpd_sys_content_t "/web(/.*)?"
# restorecon \-R \-v /web
Substitute /home1 with /home when setting file context
# semanage fcontext \-a \-e /home /home1
# restorecon \-R \-v /home1
For home directories under top level directory, for example /disk6/home,
execute the following commands.
# semanage fcontext \-a \-t home_root_t "/disk6"
# semanage fcontext \-a \-e /home /disk6/home
# restorecon \-R \-v /disk6
.SH "SEE ALSO"
.B selinux (8),
.B semanage (8)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
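Review bot: the SYNOPSIS has unbalanced parentheses: `( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC )` and the matching `\-\-delete` and `\-\-modify` alternatives each carry a stray closing `)` after FILE_SPEC. More importantly it lists `[\-s STORE]` while `\-s` is defined under OPTIONS as `\-s SEUSER, \-\-seuser SEUSER` and the store selector is `\-S STORE`; the two cannot both be lowercase. The `\-r RANGE` description is copied from the login page ("SELinux Range for SELinux login mapping defaults to ...") and does not say what a range means for a file context. Finally, the `.nf` block under EXAMPLE is not closed with `.fi`.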


@ -0,0 +1,36 @@
.TH "semanage-import" "8" "20130617" "" ""
.SH "NAME"
.B semanage import\- SELinux Policy Management import tool
.SH "SYNOPSIS"
.B semanage import [\-h] [\-N] [\-S STORE] [\-f INPUT_FILE]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a hole group of semanage commands within a file and apply them to a machine in a single transaction.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
show this help message and exit
.TP
.I \-N, \-\-noreload
Do not reload policy after commit
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
.TP
.I \-f INPUT_FILE, \-\-input_file INPUT_FILE
Input file
.SH EXAMPLE
.nf
Import semanage modifications from another machine
# semanage import -f semanage.mods
.SH "SEE ALSO"
.B selinux (8),
.B semanage (8),
.B semanage-export (8)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
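Review bot: "hole group" should be "whole group", and the DESCRIPTION paragraph is duplicated verbatim from semanage-export.8 in this commit; a one-line cross-reference would avoid maintaining two copies that will drift. The example uses `-f` unescaped while the other pages write `\-f`, and the `.nf` under EXAMPLE has no closing `.fi`.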


@ -0,0 +1,63 @@
.TH "semanage-interface" "8" "20130617" "" ""
.SH "NAME"
.B semanage interface\- SELinux Policy Management network interface tool
.SH "SYNOPSIS"
.B semanage interface [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-t TYPE \-r RANGE interface | \-\-delete interface | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-r RANGE interface ]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
from policy sources. semanage interface controls the labels assigned to network interfaces.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
.I \-N, \-\-noreload
Do not reload policy after commit
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
.TP
.I \-C, \-\-locallist
List local customizations
.TP
.I \-a, \-\-add
Add a record of the specified object type
.TP
.I \-d, \-\-delete
Delete a record of the specified object type
.TP
.I \-m, \-\-modify
Modify a record of the specified object type
.TP
.I \-l, \-\-list
List records of the specified object type
.TP
.I \-E, \-\-extract
Extract customizable commands, for use within a transaction
.TP
.I \-D, \-\-deleteall
Remove all local customizations
.TP
.I \-t TYPE, \-\-type TYPE
SELinux type for the object
.TP
.I \-r RANGE, \-\-range RANGE
MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
.SH EXAMPLE
.nf
list all interface defitions
# semanage interface -l
.SH "SEE ALSO"
.B selinux (8),
.B semanage (8)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
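Review bot: the SYNOPSIS shows `[\-s STORE]` but the option is documented as `.I \-S STORE, \-\-store STORE`. The `\-r RANGE` text is the login-mapping description copied verbatim and does not apply to network interfaces. The example caption "list all interface defitions" should read "List all interface definitions", and the `.nf` block lacks a closing `.fi`.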


@ -0,0 +1,68 @@
.TH "semanage-login" "8" "20130617" "" ""
.SH "NAME"
.B semanage login\- SELinux Policy Management linux user to SELinux User mapping tool
.SH "SYNOPSIS"
.B semanage login [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-s SEUSER \-r RANGE LOGIN | \-\-delete LOGIN | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-s SEUSER \-r RANGE LOGIN ]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
from policy sources. semanage login controls the mapping between a Linux User and the SELinux User. It can be used to turn on confined users. For example you could define that a particular user or group of users will login to a system as the user_u user. Prefix the group name with a '%' sign to indicate a group name.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
.I \-N, \-\-noreload
Do not reload policy after commit
.TP
.I \-C, \-\-locallist
List local customizations
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
.TP
.I \-a, \-\-add
Add a record of the specified object type
.TP
.I \-d, \-\-delete
Delete a record of the specified object type
.TP
.I \-m, \-\-modify
Modify a record of the specified object type
.TP
.I \-l, \-\-list
List records of the specified object type
.TP
.I \-E, \-\-extract
Extract customizable commands, for use within a transaction
.TP
.I \-D, \-\-deleteall
Remove all local customizations
.TP
.I \-s SEUSER, \-\-seuser SEUSER
SELinux user name
.TP
.I \-r RANGE, \-\-range RANGE
MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
.SH EXAMPLE
.nf
Modify the default user on the system to the guest_u user
# semanage login -m -s guest_u __default__
Assign gijoe user on an MLS machine a range and to the staff_u user
# semanage login -a -s staff_u -rSystemLow-Secret gijoe
Assign all users in the engineering group to the staff_u user
# semanage login -a -s staff_u %engineering
.SH "SEE ALSO"
.B selinux (8),
.B semanage (8),
.B semanage-user (8)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
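Review bot: the SYNOPSIS `[\-s STORE]` collides with `\-s SEUSER`, which the same line uses in `\-\-add \-s SEUSER \-r RANGE LOGIN`; the store option must be `\-S`. In EXAMPLE, `# semanage login -a -s staff_u -rSystemLow-Secret gijoe` runs the range into the flag while the neighbouring examples separate flag and argument; `-r SystemLow-Secret` reads better, and the caption "Assign gijoe user on an MLS machine a range and to the staff_u user" should be "Assign the gijoe user on an MLS machine to the staff_u user with a range". "linux user" in NAME should be "Linux user", and the `.nf` is not closed with `.fi`.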


@ -0,0 +1,60 @@
.TH "semanage-module" "8" "20130617" "" ""
.SH "NAME"
.B semanage module\\- SELinux Policy Management module mapping tool
.SH "SYNOPSIS"
.B semanage module [\-h] [\-n] [\-N] [\-S STORE] (\-a | \-r | \-e | \-d | \-\-extract | \-\-list [\-C] | \-\-deleteall) [module_name]
.SH "DESCRIPTION"
semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage module installs, removes, disables SELinux Policy modules.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
.I \-N, \-\-noreload
Do not reload policy after commit
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
.TP
.I \-a, \-\-add
Install specified module
.TP
.I \-r, \-\-remove
Remove specified module
.TP
.I \-d \-\-disable
Disable specified module
.TP
.I \-e \-\-enable
Enable specified module
.TP
.I \-E, \-\-extract
Extract customizable commands, for use within a transaction
.TP
.I \-l, \-\-list
List records of the specified object type
.TP
.I \-C, \-\-locallist
List local customizations
.SH EXAMPLE
.nf
List all modules
# semanage module \-l
Disable unconfined module
# semanage module \-\-disable unconfined
Install custom apache policy module
# semanage module \-a myapache
.SH "SEE ALSO"
.B selinux (8),
.B semanage (8)
.B semodule (8)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
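Review bot: the NAME line `.B semanage module\\- SELinux Policy Management module mapping tool` has a doubled backslash, which roff renders as a literal backslash followed by a hyphen instead of the dash the other pages get from `\-`. The option entries `.I \-d \-\-disable` and `.I \-e \-\-enable` are missing the comma between short and long form that every other entry in this commit has. Note also that `\-d` here means disable and `\-r` remove, while every other new page uses `\-d` for delete and `\-D` for deleteall; the SYNOPSIS lists `\-\-deleteall` but no `\-D` entry documents it, so either add the entry or drop it from the synopsis. The `.nf` block lacks `.fi`, and the SEE ALSO entry `.B semanage (8)` lacks the trailing comma before `.B semodule (8)`.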


@ -0,0 +1,58 @@
.TH "semanage-node" "8" "20130617" "" ""
.SH "NAME"
.B semanage node\- SELinux Policy Management node mapping tool
.SH "SYNOPSIS"
.B semanage node [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node | \-\-delete \-M NETMASK \-p PROTOCOL node | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node ]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
from policy sources. semanage controls the ipaddress to node type definitions.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
.I \-N, \-\-noreload
Do not reload policy after commit
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
.TP
.I \-C, \-\-locallist
List local customizations
.TP
.I \-a, \-\-add
Add a record of the specified object type
.TP
.I \-d, \-\-delete
Delete a record of the specified object type
.TP
.I \-m, \-\-modify
Modify a record of the specified object type
.TP
.I \-l, \-\-list
List records of the specified object type
.TP
.I \-E, \-\-extract
Extract customizable commands, for use within a transaction
.TP
.I \-D, \-\-deleteall
Remove all local customizations
.TP
.I \-M NETMASK, \-\-netmask NETMASK
Network Mask
.TP
.I \-t TYPE, \-\-type TYPE
SELinux type for the object
.TP
.I \-r RANGE, \-\-range RANGE
MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
.TP
.I \-p PROTO, \-\-proto PROTO
Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
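Review bot: the DESCRIPTION says "semanage controls the ipaddress to node type definitions"; it should name the subcommand and read "semanage node controls the mapping from IP addresses to node types". The SYNOPSIS uses `[\-s STORE]` while OPTIONS defines `\-S STORE`, and it writes `\-p PROTOCOL` while the option entry is `.I \-p PROTO, \-\-proto PROTO`. The `\-r RANGE` description is again the login-mapping text rather than what a range means for a node.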


@ -0,0 +1,45 @@
.TH "semanage-permissive" "8" "20130617" "" ""
.SH "NAME"
.B semanage permissive \- SELinux Policy Management permissive mapping tool
.SH "SYNOPSIS"
.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type]
.SH "DESCRIPTION"
semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
show this help message and exit
.TP
.I \-a, \-\-add
Add a record of the specified object type
.TP
.I \-d, \-\-delete
Delete a record of the specified object type
.TP
.I \-l, \-\-list
List records of the specified object type
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
.I \-N, \-\-noreload
Do not reload the policy after commit
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
.SH EXAMPLE
.nf
List all permissive modules
# semanage permissive \-l
Make httpd_t (Web Server) a permissive domain
# semanage permissive \-a httpd_t
.SH "SEE ALSO"
.B selinux (8),
.B semanage (8)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
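Review bot: the DESCRIPTION "semanage permissive adds or removes a SELinux Policy permissive module" does not tell the reader what the command does for them; say that it makes the named domain (a process type such as httpd_t) permissive, so denials for that domain are logged but not enforced, which is what the `# semanage permissive \-a httpd_t` example shows. The generic `\-a` and `\-d` texts "Add a record of the specified object type" should name the positional `type` argument. The `.nf` block lacks a closing `.fi`.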


@ -0,0 +1,68 @@
.TH "semanage-port" "8" "20130617" "" ""
.SH "NAME"
.B semanage port\- SELinux Policy Management port mapping tool
.SH "SYNOPSIS"
.B semanage port [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range | \-\-delete \-p PROTOCOL port_name | port_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range ]
.SH "DESCRIPTION"
semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage port controls the port number to port type defitions.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
.I \-N, \-\-noreload
Do not reload policy after commit
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
.TP
.I \-C, \-\-locallist
List local customizations
.TP
.I \-a, \-\-add
Add a record of the specified object type
.TP
.I \-d, \-\-delete
Delete a record of the specified object type
.TP
.I \-m, \-\-modify
Modify a record of the specified object type
.TP
.I \-l, \-\-list
List records of the specified object type
.TP
.I \-E, \-\-extract
Extract customizable commands, for use within a transaction
.TP
.I \-D, \-\-deleteall
Remove all local customizations
.TP
.I \-t TYPE, \-\-type TYPE
SELinux type for the object
.TP
.I \-r RANGE, \-\-range RANGE
MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
.TP
.I \-p PROTO, \-\-proto PROTO
Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
.SH EXAMPLE
.nf
List all port defitions
# semanage port \-l
Allow Apache to listen on tcp port 81
# semanage port \-a \-t http_port_t \-p tcp 81
Allow sshd to listen on tcp port 8991
# semanage port \-a \-t ssh_port_t \-p tcp 8991
.SH "SEE ALSO"
.B selinux (8),
.B semanage (8)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
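Review bot: "defitions" is misspelled in both the DESCRIPTION and the example caption ("definitions"). The SYNOPSIS shows `[\-s STORE]` while OPTIONS documents `\-S STORE`, writes `\-p PROTOCOL` while the entry is `\-p PROTO`, and the unparenthesised `port_name | port_range` alternatives are ambiguous next to the outer `|` separators; group them as `( port_name | port_range )`. The `\-r RANGE` text is the login-mapping description, and the `.nf` block lacks `.fi`.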


@ -0,0 +1,71 @@
.TH "semanage-user" "8" "20130617" "" ""
.SH "NAME"
.B semanage user\- SELinux Policy Management SELinux User mapping tool
.SH "SYNOPSIS"
.B semanage user [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name) | \-\-delete selinux_name | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name ) ]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
from policy sources. semanage user controls the mapping between an SELinux User and the roles and MLS/MCS levels.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
.I \-N, \-\-noreload
Do not reload policy after commit
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
.TP
.I \-C, \-\-locallist
List local customizations
.TP
.I \-a, \-\-add
Add a record of the specified object type
.TP
.I \-d, \-\-delete
Delete a record of the specified object type
.TP
.I \-m, \-\-modify
Modify a record of the specified object type
.TP
.I \-l, \-\-list
List records of the specified object type
.TP
.I \-E, \-\-extract
Extract customizable commands, for use within a transaction
.TP
.I \-D, \-\-deleteall
Remove all local customizations
.TP
.I \-L LEVEL, \-\-level LEVEL
Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)
.TP
.I \-r RANGE, \-\-range RANGE
MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
.TP
.I \-R [ROLES], \-\-roles [ROLES]
SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
.SH EXAMPLE
.nf
List SELinux users
# semanage user \-l
Modify groups for staff_u user
# semanage user \-m \-R "system_r unconfined_r staff_r" staff_u
Add level for TopSecret Users
# semanage user \-a \-R "staff_r" -rs0-TopSecret topsecret_u
.SH "SEE ALSO"
.B selinux (8),
.B semanage (8)
.B semanage\-login (8)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
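Review bot: the SYNOPSIS `[\-s STORE]` conflicts with `\-s SEUSER` used on the same line; the store option is `\-S`. The example caption "Modify groups for staff_u user" describes a `\-R` roles change, so it should say "Modify roles". `# semanage user \-a \-R "staff_r" -rs0-TopSecret topsecret_u` mixes escaped and unescaped dashes and runs the range into the flag; write `\-r s0-TopSecret`. SEE ALSO lacks the comma after `.B semanage (8)`, and the `.nf` block is not closed with `.fi`.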


@ -3,70 +3,45 @@
semanage \- SELinux Policy Management tool
.SH "SYNOPSIS"
.B semanage {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit}
...
.B positional arguments:
.B import
Output local customizations
.br
.B semanage [ -S store ] -o [ output_file | - ]
Input local customizations
.br
.B semanage [ -S store ] -i [ input_file | - ]
.B export
Output local customizations
Manage booleans. Booleans allow the administrator to modify the confinement of
processes based on his configuration.
.br
.B semanage boolean [\-S store] \-{d|m|l|D} [\-nN] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file
.B login
Manage login mappings between linux users and SELinux confined users
.B user
Manage SELinux confined users (Roles and levels for an SELinux user)
.br
.B semanage user [\-S store] \-{a|d|m|l|D} [\-LnNPrR] selinux_name
Manage login mappings between linux users and SELinux confined users.
.br
.B semanage login [\-S store] \-{a|d|m|l|D} [\-nNrs] login_name | %groupname
Manage policy modules.
.br
.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] [\-N] module_name
.B port
Manage network port type definitions
.br
.B semanage port [\-S store] \-{a|d|m|l|D} [\-nNrt] [\-p proto] port | port_range
.br
.B interface
Manage network interface type definitions
.br
.B semanage interface [\-S store] \-{a|d|m|l|D} [\-nNrt] interface_spec
.B module
Manage SELinux policy modules
.B node
Manage network node type definitions
.br
.B semanage node [\-S store] -{a|d|m|l|D} [-nNrt] [ -p protocol ] [-M netmask] address
.br
.B fcontext
Manage file context mapping definitions
.br
.B semanage fcontext [\-S store] \-{l} [\-Cn]
.br
.B semanage fcontext [\-S store] \-D [\-N]
.br
.B semanage fcontext [\-S store] \-{a|d|m} [\-Nfrst] file_spec
.br
.B semanage fcontext [\-S store] \-{a|d|m} \-e replacement target
.br
Manage processes type enforcement mode
.br
.B semanage permissive [\-S store] \-{a|d|l|D} [\-nN] type
.br
.B boolean
Manage booleans to selectively enable functionality
.B permissive
Manage process type enforcement mode
.B dontaudit
Disable/Enable dontaudit rules in policy
.br
.B semanage dontaudit [\-N] [\-S store] [ on | off ]
.P
Execute multiple commands within a single transaction.
.br
.B semanage [\-S store] [\-N] \-i command-file
.br
.SH "DESCRIPTION"
semanage is used to configure certain elements of
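Review bot: the subcommand summaries are wrong for import: `.B import` is followed by "Output local customizations" and so is `.B export`; import should read "Input local customizations". The line `.B positional arguments:` is argparse help text and does not belong in a man page SYNOPSIS; the list of subcommands under `.B semanage {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit}` is enough on its own. The old synopsis advertised a stdin/stdout form (`semanage [ -S store ] -o [ output_file | - ]`) that the new semanage-import.8 and semanage-export.8 pages in this commit do not mention; if the `-` form still works, one of them should document it. "linux users" should be "Linux users".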
@ -87,147 +62,23 @@ modification.
.SH "OPTIONS"
.TP
.I \-a, \-\-add
Add a OBJECT record NAME
.TP
.I \-d, \-\-delete
Delete a OBJECT record NAME
.TP
.I \-D, \-\-deleteall
Remove all OBJECTS local customizations
.TP
.I \-\-disable
Disable a policy module, requires -m option
.I \-h, \-\-help
List help information
Currently modules only.
.TP
.I \-\-enable
Enable a disabled policy module, requires -m option
Currently modules only.
.TP
.I \-e, \-\-equal
Substitute target path with sourcepath when generating default label. This is used with
fcontext. Requires source and target path arguments. The context
labeling for the target subtree is made equivalent to that
defined for the source.
.TP
.I \-f, \-\-ftype
File Type. This is used with fcontext.
Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
.TP
.I \-F, \-\-file
Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format.
Currently booleans only.
.TP
.I \-h, \-\-help
display this message
.TP
.I \-l, \-\-list
List the OBJECTS
.TP
.I \-C, \-\-locallist
List only locally defined settings, not base policy settings.
.TP
.I \-L, \-\-level
Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)
.TP
.I \-m, \-\-modify
Modify a OBJECT record NAME
.TP
.I \-M, \-\-mask
Network Mask
.TP
.I \-n, \-\-noheading
Do not print heading when listing OBJECTS.
.TP
.B \-N,\-\-noreload
do not reload policy after commit
.TP
.I \-p, \-\-proto
Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
.TP
.I \-r, \-\-range
MLS/MCS Security Range (MLS/MCS Systems only)
SELinux Range for SELinux login mapping defaults to the SELinux user record range.
SELinux Range for SELinux user defaults to s0.
.TP
.I \-R, \-\-roles
SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
.TP
.I \-P, \-\-prefix
SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories.
.TP
.I \-s, \-\-seuser
SELinux user name
.TP
.I \-S, \-\-store
Select and alternate SELinux store to manage
.TP
.I \-t, \-\-type
SELinux Type for the object
.TP
.I \-i, \-\-input
Take a set of commands from a specified file and load them in a single
transaction.
.TP
.I \-o, \-\-output
Output all local customizations into a file. This file than can be used with the semanage -i command to customize other machines to match the local machine.
.SH EXAMPLE
.nf
.B SELinux user
List SELinux users
# semanage user -l
.B SELinux login
Change joe to login as staff_u
# semanage login -a -s staff_u joe
Change the group clerks to login as user_u
# semanage login -a -s user_u %clerks
.B File contexts
.i remember to run restorecon after you set the file context
Add file-context for everything under /web
# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# restorecon -R -v /web
Substitute /home1 with /home when setting file context
# semanage fcontext -a -e /home /home1
# restorecon -R -v /home1
For home directories under top level directory, for example /disk6/home,
execute the following commands.
# semanage fcontext -a -t home_root_t "/disk6"
# semanage fcontext -a -e /home /disk6/home
# restorecon -R -v /disk6
.B Port contexts
Allow Apache to listen on tcp port 81
# semanage port -a -t http_port_t -p tcp 81
.B Change apache to a permissive domain
# semanage permissive -a httpd_t
.B Turn off dontaudit rules
# semanage dontaudit off
.B Managing multiple machines
Multiple machines that need the same customizations.
Extract customizations off first machine, copy them
to second and import them.
# semanage -o /tmp/local.selinux
# scp /tmp/local.selinux secondmachine:/tmp
# ssh secondmachine
# semanage -i /tmp/local.selinux
If these customizations include file context, you need to apply the
context using restorecon.
.fi
.SH "SEE ALSO"
.B selinux (8),
.B semanage-boolean (8),
.B semanage-dontaudit (8),
.B semanage-export (8),
.B semanage-fcontext (8),
.B semanage-import (8),
.B semanage-interface (8),
.B semanage-login (8),
.B semanage-module (8),
.B semanage-node (8),
.B semanage-permissive (8),
.B semanage-port (8),
.B semanage-user (8)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
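Review bot: with the EXAMPLE section removed here, the fcontext examples this hunk drops (the `/web`, `/home1` and `/disk6/home` commands) reappear verbatim in semanage-fcontext.8 in this commit, but that page's AUTHOR section credits only Daniel Walsh while the "Examples by Thomas Bleher" credit stays in semanage.8, where no examples remain; carry the credit to the pages that now hold the examples. The removed `\-i`/`\-o` and `\-F, \-\-file` options have no counterpart in the new pages' synopses apart from `\-f FILE`, so anyone scripting against the old flags gets no pointer to the replacement; a short note in DESCRIPTION would help. The new SEE ALSO list is complete and matches the pages added.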
@ -235,3 +86,4 @@ This man page was written by Daniel Walsh <dwalsh@redhat.com>
and Russell Coker <rcoker@redhat.com>.
.br
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
usage: semanage [-h]
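Review bot: the added final line `usage: semanage [-h]` after the AUTHOR credits looks like argparse output pasted by mistake; it renders as body text under AUTHOR and should be removed, or folded into SYNOPSIS if the intent was to show the bare-invocation form.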