From 9ba137b17b1585c26aff89e86317fb0d7436a45b Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 23 2012 15:47:41 +0000 Subject: * Mon Jul 23 2012 Miroslav Grepl 3.11.0-12 - Add interface to dontaudit getattr access on sysctls - Allow sshd to execute /bin/login - Looks like xdm is recreating the xdm directory in ~/.cache/ on login - Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jou - Fix semanage to work with unconfined domain disabled on F18 - Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls - Virt seems to be using lock files - Dovecot seems to be searching directories of every mountpoint - Allow jockey to read random/urandom, execute shell and install third-part - Add aditional params to allow cachedfiles to manage its content - gpg agent needs to read /dev/random - The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd w - Add a bunch of dontaudit rules to quiet svirt_lxc domains - Additional perms needed to run svirt_lxc domains - Allow cgclear to read cgconfig - Allow sys_ptrace capability for snmp - Allow freshclam to read /proc - Allow procmail to manage /home/user/Maildir content - Allow NM to execute wpa_cli - Allow amavis to read clamd system state - Regenerate man page --- diff --git a/genman.py b/genman.py index e652ba7..3b649ca 100755 --- a/genman.py +++ b/genman.py @@ -275,7 +275,7 @@ The following process types are defined for %(domainname)s: self.fd.write(""" .PP Note: -.B semanage permississive -a PROCESS_TYPE +.B semanage permissive -a PROCESS_TYPE can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. """) diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 0f15e94..4eeafb0 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -60,23 +60,33 @@ index 313d837..ef3c532 100644 ######################################## 
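Review bot: The regenerated man pages in policy-rawhide.patch show that the generator still carries typos which this one-word fix to `.B semanage permissive -a PROCESS_TYPE` does not address. Every file-context note now reads `If you want to permanantly change the file context`, replacing the previously correct `permanently`, and the new NSSWITCH DOMAIN paragraphs say `rather then using a sssd serve`, which should read `rather than using an sssd server`; presumably both strings are write templates elsewhere in genman.py, so the fix belongs there rather than in the generated pages. The same output emits `.SH NSSWITCH DOMAIN` as an empty section for domains with no applicable boolean (afs, aiccu, aide, amtu, apcupsd) and a second `.EE` after the udp line of multi-protocol port lists (afs, amanda, apcupsd), so the header should be written only when at least one boolean applies and a single `.EX`/`.EE` pair should wrap the whole port list. The enclosing method of this hunk starts and ends outside the hunk.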
diff --git a/man/man8/NetworkManager_selinux.8 b/man/man8/NetworkManager_selinux.8 new file mode 100644 -index 0000000..74ab63c +index 0000000..5b84384 --- /dev/null +++ b/man/man8/NetworkManager_selinux.8 -@@ -0,0 +1,169 @@ +@@ -0,0 +1,175 @@ +.TH "NetworkManager_selinux" "8" "NetworkManager" "dwalsh@redhat.com" "NetworkManager SELinux Policy documentation" +.SH "NAME" +NetworkManager_selinux \- Security Enhanced Linux Policy for the NetworkManager processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B NetworkManager -+(Manager for dynamically switching between networks) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the NetworkManager processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the NetworkManager_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the NetworkManager_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -160,10 +170,6 @@ index 0000000..74ab63c + +- Set files with the NetworkManager_unit_file_t type, if you want to treat the files as NetworkManager unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/NetworkManager\.service, /lib/systemd/system/NetworkManager\.service + +.EX +.PP 
@@ -175,7 +181,7 @@ index 0000000..74ab63c +.br +.TP 5 +Paths: -+/etc/wicd/wired-settings.conf, /var/lib/wicd(/.*)?, /etc/wicd/manager-settings.conf, /etc/wicd/wireless-settings.conf, /var/lib/NetworkManager(/.*)? ++/etc/wicd/wired-settings.conf, /var/lib/wicd(/.*)?, /etc/dhcp/wired-settings.conf, /etc/dhcp/wireless-settings.conf, /etc/wicd/manager-settings.conf, /etc/dhcp/manager-settings.conf, /etc/wicd/wireless-settings.conf, /var/lib/NetworkManager(/.*)? + +.EX +.PP @@ -190,7 +196,7 @@ index 0000000..74ab63c +/var/run/nm-dhclient.*, /var/run/wpa_supplicant(/.*)?, /var/run/NetworkManager\.pid, /var/run/wpa_supplicant-global, /var/run/nm-dns-dnsmasq\.conf, /var/run/NetworkManager(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -235,24 +241,18 @@ index 0000000..74ab63c +selinux(8), NetworkManager(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/abrt_selinux.8 b/man/man8/abrt_selinux.8 new file mode 100644 -index 0000000..1acfb1b +index 0000000..94f9d06 --- /dev/null 
+++ b/man/man8/abrt_selinux.8 -@@ -0,0 +1,250 @@ +@@ -0,0 +1,272 @@ +.TH "abrt_selinux" "8" "abrt" "dwalsh@redhat.com" "abrt SELinux Policy documentation" +.SH "NAME" +abrt_selinux \- Security Enhanced Linux Policy for the abrt processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B abrt -+(ABRT - automated bug-reporting tool) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the abrt processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. abrt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt with the tightest access possible. + @@ -264,6 +264,22 @@ index 0000000..1acfb1b +.B setsebool -P abrt_handle_event 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the abrt_helper_t, abrt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the abrt_helper_t, abrt_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. +.TP 
@@ -275,7 +291,7 @@ index 0000000..1acfb1b +.B restorecon -F -R -v /var/abrt +.pp +.TP -+Allow abrt servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_abrt_anon_write boolean to be set. ++Allow abrt servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_abrtd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/abrt/incoming(/.*)?" @@ -324,6 +340,10 @@ index 0000000..1acfb1b + +- Set files with the abrt_exec_t type, if you want to transition an executable to the abrt_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/abrtd, /usr/sbin/abrt-dbus + +.EX +.PP @@ -441,8 +461,16 @@ index 0000000..1acfb1b +Paths: +/var/run/abrtd?\.socket, /var/run/abrtd?\.lock, /var/run/abrt(/.*)?, /var/run/abrt\.pid + ++.EX +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B abrt_watch_log_exec_t ++.EE ++ ++- Set files with the abrt_watch_log_exec_t type, if you want to transition an executable to the abrt_watch_log_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -459,7 +487,7 @@ index 0000000..1acfb1b +The following process types are defined for abrt: + +.EX -+.B abrt_handle_event_t, abrt_helper_t, abrt_retrace_coredump_t, abrt_t, abrt_retrace_worker_t, abrt_dump_oops_t ++.B abrt_handle_event_t, abrt_helper_t, abrt_retrace_coredump_t, abrt_t, abrt_retrace_worker_t, abrt_dump_oops_t, abrt_watch_log_t +.EE +.PP +Note: @@ -492,23 +520,33 @@ index 0000000..1acfb1b \ No newline at end of file 
diff --git a/man/man8/accountsd_selinux.8 b/man/man8/accountsd_selinux.8 new file mode 100644 -index 0000000..4fe880f +index 0000000..bf2e9e9 --- /dev/null +++ b/man/man8/accountsd_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,103 @@ +.TH "accountsd_selinux" "8" "accountsd" "dwalsh@redhat.com" "accountsd SELinux Policy documentation" +.SH "NAME" +accountsd_selinux \- Security Enhanced Linux Policy for the accountsd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B accountsd -+(AccountsService and daemon for manipulating user account information via D-Bus) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the accountsd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the accountsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the accountsd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -546,7 +584,7 @@ index 0000000..4fe880f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -591,23 +629,33 @@ index 0000000..4fe880f +selinux(8), accountsd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/acct_selinux.8 b/man/man8/acct_selinux.8 new file mode 100644 -index 0000000..323cee4 +index 0000000..66a28c5 --- /dev/null 
+++ b/man/man8/acct_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,103 @@ +.TH "acct_selinux" "8" "acct" "dwalsh@redhat.com" "acct SELinux Policy documentation" +.SH "NAME" +acct_selinux \- Security Enhanced Linux Policy for the acct processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B acct -+(Berkeley process accounting) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the acct processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the acct_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the acct_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -645,7 +693,7 @@ index 0000000..323cee4 +/usr/sbin/accton, /sbin/accton, /etc/cron\.(daily|monthly)/acct + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -690,23 +738,19 @@ index 0000000..323cee4 +selinux(8), acct(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/afs_selinux.8 b/man/man8/afs_selinux.8 new file mode 100644 -index 0000000..7832fa4 +index 0000000..e64fee6 --- /dev/null 
+++ b/man/man8/afs_selinux.8 -@@ -0,0 +1,294 @@ +@@ -0,0 +1,292 @@ +.TH "afs_selinux" "8" "afs" "dwalsh@redhat.com" "afs SELinux Policy documentation" +.SH "NAME" +afs_selinux \- Security Enhanced Linux Policy for the afs processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B afs -+(Andrew Filesystem server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the afs processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -864,7 +908,7 @@ index 0000000..7832fa4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -891,7 +935,7 @@ index 0000000..7832fa4 + + +Default Defined Ports: -+tcp 8021 ++udp 7007 +.EE + +.EX @@ -902,7 +946,7 @@ index 0000000..7832fa4 + + +Default Defined Ports: -+tcp 8021 ++udp 7001 +.EE + +.EX @@ -913,7 +957,9 @@ index 0000000..7832fa4 + + +Default Defined Ports: -+tcp 8021 ++tcp 2040 ++.EE ++udp 7000,7005 +.EE + +.EX @@ -924,7 +970,7 @@ index 0000000..7832fa4 + + +Default Defined Ports: -+tcp 8021 ++udp 7004 +.EE + +.EX @@ -935,7 +981,7 @@ index 0000000..7832fa4 + + +Default Defined Ports: -+tcp 8021 ++udp 7002 +.EE + +.EX @@ -946,7 +992,7 @@ index 0000000..7832fa4 + + +Default Defined Ports: -+tcp 8021 ++udp 7003 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -990,23 +1036,19 @@ index 0000000..7832fa4 +selinux(8), afs(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/aiccu_selinux.8 b/man/man8/aiccu_selinux.8 new file mode 100644 -index 0000000..efc06eb +index 0000000..0125c48 --- /dev/null +++ b/man/man8/aiccu_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "aiccu_selinux" "8" "aiccu" "dwalsh@redhat.com" "aiccu SELinux Policy documentation" +.SH "NAME" +aiccu_selinux \- Security Enhanced Linux Policy for the aiccu processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B aiccu -+(Automatic IPv6 Connectivity Client Utility) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the aiccu processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1052,7 +1094,7 @@ index 0000000..efc06eb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -1097,23 +1139,19 @@ index 0000000..efc06eb +selinux(8), aiccu(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/aide_selinux.8 b/man/man8/aide_selinux.8 new file mode 100644 -index 0000000..0863697 +index 0000000..bc35581 --- /dev/null 
+++ b/man/man8/aide_selinux.8 -@@ -0,0 +1,97 @@ +@@ -0,0 +1,93 @@ +.TH "aide_selinux" "8" "aide" "dwalsh@redhat.com" "aide SELinux Policy documentation" +.SH "NAME" +aide_selinux \- Security Enhanced Linux Policy for the aide processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B aide -+(Aide filesystem integrity checker) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the aide processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1155,7 +1193,7 @@ index 0000000..0863697 +/var/log/aide\.log, /var/log/aide(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -1200,23 +1238,33 @@ index 0000000..0863697 +selinux(8), aide(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/aisexec_selinux.8 b/man/man8/aisexec_selinux.8 new file mode 100644 -index 0000000..8d4a539 +index 0000000..a60f9af --- /dev/null 
+++ b/man/man8/aisexec_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,135 @@ +.TH "aisexec_selinux" "8" "aisexec" "dwalsh@redhat.com" "aisexec SELinux Policy documentation" +.SH "NAME" +aisexec_selinux \- Security Enhanced Linux Policy for the aisexec processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B aisexec -+(Aisexec Cluster Engine) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the aisexec processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the aisexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the aisexec_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1286,7 +1334,7 @@ index 0000000..8d4a539 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -1331,23 +1379,33 @@ index 0000000..8d4a539 +selinux(8), aisexec(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ajaxterm_selinux.8 b/man/man8/ajaxterm_selinux.8 new file mode 100644 -index 0000000..3ff7f95 +index 0000000..8f28524 --- /dev/null 
+++ b/man/man8/ajaxterm_selinux.8 -@@ -0,0 +1,119 @@ +@@ -0,0 +1,129 @@ +.TH "ajaxterm_selinux" "8" "ajaxterm" "dwalsh@redhat.com" "ajaxterm SELinux Policy documentation" +.SH "NAME" +ajaxterm_selinux \- Security Enhanced Linux Policy for the ajaxterm processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ajaxterm -+(policy for ajaxterm) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ajaxterm processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ajaxterm_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ajaxterm_ssh_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1385,7 +1443,7 @@ index 0000000..3ff7f95 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -1412,7 +1470,7 @@ index 0000000..3ff7f95 + + +Default Defined Ports: -+tcp 8021 ++tcp 8022 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -1456,23 +1514,33 @@ index 0000000..3ff7f95 +selinux(8), ajaxterm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/alsa_selinux.8 b/man/man8/alsa_selinux.8 new file mode 100644 -index 0000000..9a8a29d +index 0000000..bd81e5b --- /dev/null 
+++ b/man/man8/alsa_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,135 @@ +.TH "alsa_selinux" "8" "alsa" "dwalsh@redhat.com" "alsa SELinux Policy documentation" +.SH "NAME" +alsa_selinux \- Security Enhanced Linux Policy for the alsa processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B alsa -+(Ainit ALSA configuration tool) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the alsa processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the alsa_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the alsa_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1542,7 +1610,7 @@ index 0000000..9a8a29d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -1587,23 +1655,33 @@ index 0000000..9a8a29d +selinux(8), alsa(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/amanda_selinux.8 b/man/man8/amanda_selinux.8 new file mode 100644 -index 0000000..1ada188 +index 0000000..d765f49 --- /dev/null 
+++ b/man/man8/amanda_selinux.8 -@@ -0,0 +1,219 @@ +@@ -0,0 +1,231 @@ +.TH "amanda_selinux" "8" "amanda" "dwalsh@redhat.com" "amanda SELinux Policy documentation" +.SH "NAME" +amanda_selinux \- Security Enhanced Linux Policy for the amanda processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B amanda -+(Advanced Maryland Automatic Network Disk Archiver) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the amanda processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amanda_recover_t, amanda_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the amanda_recover_t, amanda_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1738,10 +1816,10 @@ index 0000000..1ada188 +.br +.TP 5 +Paths: -+/var/lib/amanda, /var/lib/amanda/[^/]+/index(/.*)? ++/var/lib/amanda/[^/]+/index(/.*)?, /var/lib/amanda + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -1768,7 +1846,9 @@ index 0000000..1ada188 + + +Default Defined Ports: -+tcp 8021 ++tcp 10080-10083 ++.EE ++udp 10080-10082 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -1812,26 +1892,33 @@ index 0000000..1ada188 +selinux(8), amanda(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/amavis_selinux.8 b/man/man8/amavis_selinux.8 new file mode 100644 -index 0000000..52d2f0d +index 0000000..ebcadc1 --- /dev/null +++ b/man/man8/amavis_selinux.8 -@@ -0,0 +1,193 @@ +@@ -0,0 +1,204 @@ +.TH "amavis_selinux" "8" "amavis" "dwalsh@redhat.com" "amavis SELinux Policy documentation" +.SH "NAME" +amavis_selinux \- Security Enhanced Linux Policy for the amavis processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B amavis -+( -+Daemon that interfaces mail transfer agents and content -+checkers, such as virus scanners. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the amavis processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the amavis_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the amavis_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1854,7 +1941,7 @@ index 0000000..52d2f0d +.br +.TP 5 +Paths: -+/etc/amavis\.conf, /etc/amavisd(/.*)? ++/etc/amavisd(/.*)?, /etc/amavis(d)?\.conf + +.EX +.PP @@ -1875,6 +1962,10 @@ index 0000000..52d2f0d + +- Set files with the amavis_initrc_exec_t type, if you want to transition an executable to the amavis_initrc_t domain. + ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/amavis, /etc/rc\.d/init\.d/amavisd-snmp + +.EX +.PP 
@@ -1929,7 +2020,7 @@ index 0000000..52d2f0d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -1956,7 +2047,7 @@ index 0000000..52d2f0d + + +Default Defined Ports: -+tcp 8021 ++tcp 10024 +.EE + +.EX @@ -1967,7 +2058,7 @@ index 0000000..52d2f0d + + +Default Defined Ports: -+tcp 8021 ++tcp 10025 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -2011,23 +2102,19 @@ index 0000000..52d2f0d +selinux(8), amavis(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/amtu_selinux.8 b/man/man8/amtu_selinux.8 new file mode 100644 -index 0000000..511f260 +index 0000000..fe1dc7f --- /dev/null +++ b/man/man8/amtu_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "amtu_selinux" "8" "amtu" "dwalsh@redhat.com" "amtu SELinux Policy documentation" +.SH "NAME" +amtu_selinux \- Security Enhanced Linux Policy for the amtu processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B amtu -+(Abstract Machine Test Utility) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the amtu processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -2049,7 +2136,7 @@ index 0000000..511f260 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -2094,23 +2181,19 @@ index 0000000..511f260 +selinux(8), amtu(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/apcupsd_selinux.8 b/man/man8/apcupsd_selinux.8 new file mode 100644 -index 0000000..dab6c6a +index 0000000..068751c --- /dev/null +++ b/man/man8/apcupsd_selinux.8 -@@ -0,0 +1,159 @@ +@@ -0,0 +1,157 @@ +.TH "apcupsd_selinux" "8" "apcupsd" "dwalsh@redhat.com" "apcupsd SELinux Policy documentation" +.SH "NAME" +apcupsd_selinux \- Security Enhanced Linux Policy for the apcupsd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B apcupsd -+(APC UPS monitoring daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the apcupsd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -2188,7 +2271,7 @@ index 0000000..dab6c6a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -2215,7 +2298,9 @@ index 0000000..dab6c6a + + +Default Defined Ports: -+tcp 8021 ++tcp 3551 ++.EE ++udp 3551 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -2259,23 +2344,33 @@ index 0000000..dab6c6a +selinux(8), apcupsd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/apm_selinux.8 b/man/man8/apm_selinux.8 new file mode 100644 -index 0000000..1c6243c +index 0000000..dbcd6c3 --- /dev/null +++ b/man/man8/apm_selinux.8 -@@ -0,0 +1,133 @@ +@@ -0,0 +1,143 @@ +.TH "apm_selinux" "8" "apm" "dwalsh@redhat.com" "apm SELinux Policy documentation" +.SH "NAME" +apm_selinux \- Security Enhanced Linux Policy for the apm processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B apm -+(Advanced power management daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the apm processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -2353,7 +2448,7 @@ index 0000000..1c6243c +/var/run/\.?acpid\.socket, /var/run/apmd\.pid, /var/run/powersaved\.pid, /var/run/powersave_socket + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -2398,17 +2493,33 @@ index 0000000..1c6243c +selinux(8), apm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/apmd_selinux.8 b/man/man8/apmd_selinux.8 new file mode 100644 -index 0000000..6449d94 +index 0000000..0683b40 --- /dev/null +++ b/man/man8/apmd_selinux.8 -@@ -0,0 +1,127 @@ +@@ -0,0 +1,135 @@ +.TH "apmd_selinux" "8" "apmd" "dwalsh@redhat.com" "apmd SELinux Policy documentation" +.SH "NAME" +apmd_selinux \- Security Enhanced Linux Policy for the apmd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the apmd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -2423,14 +2534,6 @@ index 0000000..6449d94 + +.EX +.PP -+.B apm_exec_t -+.EE -+ -+- Set files with the apm_exec_t type, if you want to transition an executable to the apm_t domain. -+ -+ -+.EX -+.PP +.B apmd_exec_t +.EE + 
@@ -2486,7 +2589,7 @@ index 0000000..6449d94 +/var/run/\.?acpid\.socket, /var/run/apmd\.pid, /var/run/powersaved\.pid, /var/run/powersave_socket + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -2531,23 +2634,33 @@ index 0000000..6449d94 +selinux(8), apmd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/arpwatch_selinux.8 b/man/man8/arpwatch_selinux.8 new file mode 100644 -index 0000000..8052609 +index 0000000..7be1bb4 --- /dev/null +++ b/man/man8/arpwatch_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,131 @@ +.TH "arpwatch_selinux" "8" "arpwatch" "dwalsh@redhat.com" "arpwatch SELinux Policy documentation" +.SH "NAME" +arpwatch_selinux \- Security Enhanced Linux Policy for the arpwatch processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B arpwatch -+(Ethernet activity monitor) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the arpwatch processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the arpwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the arpwatch_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -2613,7 +2726,7 @@ index 0000000..8052609 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -2658,23 +2771,33 @@ index 0000000..8052609 +selinux(8), arpwatch(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/asterisk_selinux.8 b/man/man8/asterisk_selinux.8 new file mode 100644 -index 0000000..c00565c +index 0000000..2b02b78 --- /dev/null +++ b/man/man8/asterisk_selinux.8 -@@ -0,0 +1,167 @@ +@@ -0,0 +1,179 @@ +.TH "asterisk_selinux" "8" "asterisk" "dwalsh@redhat.com" "asterisk SELinux Policy documentation" +.SH "NAME" +asterisk_selinux \- Security Enhanced Linux Policy for the asterisk processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B asterisk -+(Asterisk IP telephony server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the asterisk processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the asterisk_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the asterisk_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -2760,7 +2883,7 @@ index 0000000..c00565c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -2787,7 +2910,9 @@ index 0000000..c00565c + + +Default Defined Ports: -+tcp 8021 ++tcp 1720 ++.EE ++udp 2427,2727,4569 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -2831,17 +2956,33 @@ index 0000000..c00565c +selinux(8), asterisk(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/audisp_selinux.8 b/man/man8/audisp_selinux.8 new file mode 100644 -index 0000000..dc30264 +index 0000000..b3fc950 --- /dev/null +++ b/man/man8/audisp_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,111 @@ +.TH "audisp_selinux" "8" "audisp" "dwalsh@redhat.com" "audisp SELinux Policy documentation" +.SH "NAME" +audisp_selinux \- Security Enhanced Linux Policy for the audisp processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the audisp processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the audisp_t, audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the audisp_t, audisp_remote_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -2887,7 +3028,7 @@ index 0000000..dc30264 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -3003,17 +3144,19 @@ index 0000000..cba947e +selinux(8), semanage(8). diff --git a/man/man8/auditctl_selinux.8 b/man/man8/auditctl_selinux.8 new file mode 100644 -index 0000000..96a49e6 +index 0000000..b939685 --- /dev/null +++ b/man/man8/auditctl_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "auditctl_selinux" "8" "auditctl" "dwalsh@redhat.com" "auditctl SELinux Policy documentation" +.SH "NAME" +auditctl_selinux \- Security Enhanced Linux Policy for the auditctl processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the auditctl processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3039,7 +3182,7 @@ index 0000000..96a49e6 +/sbin/auditctl, /usr/sbin/auditctl + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -3084,17 +3227,33 @@ index 0000000..96a49e6 +selinux(8), auditctl(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/auditd_selinux.8 b/man/man8/auditd_selinux.8 new file mode 100644 -index 0000000..50c15c2 +index 0000000..6f8783b --- /dev/null 
+++ b/man/man8/auditd_selinux.8 -@@ -0,0 +1,157 @@ +@@ -0,0 +1,165 @@ +.TH "auditd_selinux" "8" "auditd" "dwalsh@redhat.com" "auditd SELinux Policy documentation" +.SH "NAME" +auditd_selinux \- Security Enhanced Linux Policy for the auditd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the auditd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3109,14 +3268,6 @@ index 0000000..50c15c2 + +.EX +.PP -+.B audit_spool_t -+.EE -+ -+- Set files with the audit_spool_t type, if you want to store the audit files under the /var/spool directory. -+ -+ -+.EX -+.PP +.B auditd_etc_t +.EE + @@ -3176,7 +3327,7 @@ index 0000000..50c15c2 +/var/run/audit_events, /var/run/auditd_sock, /var/run/auditd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -3203,7 +3354,7 @@ index 0000000..50c15c2 + + +Default Defined Ports: -+tcp 8021 ++tcp 60 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -3247,23 +3398,33 @@ index 0000000..50c15c2 +selinux(8), auditd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/automount_selinux.8 b/man/man8/automount_selinux.8 new file mode 100644 -index 0000000..ff75942 +index 0000000..31985a4 --- /dev/null +++ b/man/man8/automount_selinux.8 -@@ -0,0 +1,129 @@ +@@ -0,0 +1,139 @@ +.TH "automount_selinux" "8" "automount" "dwalsh@redhat.com" "automount SELinux Policy documentation" +.SH "NAME" +automount_selinux \- Security Enhanced Linux Policy for the automount processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B automount -+(Filesystem automounter service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the automount processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the automount_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the automount_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3337,7 +3498,7 @@ index 0000000..ff75942 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -3382,24 +3543,18 @@ index 0000000..ff75942 +selinux(8), automount(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/avahi_selinux.8 b/man/man8/avahi_selinux.8 new file mode 100644 -index 0000000..f489dad +index 0000000..97fc5cf --- /dev/null +++ b/man/man8/avahi_selinux.8 -@@ -0,0 +1,128 @@ +@@ -0,0 +1,138 @@ +.TH "avahi_selinux" "8" "avahi" "dwalsh@redhat.com" "avahi SELinux Policy documentation" +.SH "NAME" +avahi_selinux \- Security Enhanced Linux Policy for the avahi processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B avahi -+(mDNS/DNS-SD daemon implementing Apple ZeroConf architecture) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the avahi processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. avahi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run avahi with the tightest access possible. + @@ -3411,6 +3566,22 @@ index 0000000..f489dad +.B setsebool -P httpd_dbus_avahi 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the avahi_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the avahi_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -3467,7 +3638,7 @@ index 0000000..f489dad + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -3517,26 +3688,19 @@ index 0000000..f489dad \ No newline at end of file diff --git a/man/man8/awstats_selinux.8 b/man/man8/awstats_selinux.8 new file mode 100644 -index 0000000..b76d620 +index 0000000..37d4a5d --- /dev/null +++ b/man/man8/awstats_selinux.8 -@@ -0,0 +1,96 @@ +@@ -0,0 +1,89 @@ +.TH "awstats_selinux" "8" "awstats" "dwalsh@redhat.com" "awstats SELinux Policy documentation" +.SH "NAME" +awstats_selinux \- Security Enhanced Linux Policy for the awstats processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B awstats -+( -+AWStats is a free powerful and featureful tool that generates advanced -+web, streaming, ftp or mail server statistics, graphically. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the awstats processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3574,7 +3738,7 @@ index 0000000..b76d620 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -3619,23 +3783,33 @@ index 0000000..b76d620 +selinux(8), awstats(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/bcfg2_selinux.8 b/man/man8/bcfg2_selinux.8 new file mode 100644 -index 0000000..fcb6393 +index 0000000..b1f3146 --- /dev/null +++ b/man/man8/bcfg2_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,119 @@ +.TH "bcfg2_selinux" "8" "bcfg2" "dwalsh@redhat.com" "bcfg2 SELinux Policy documentation" +.SH "NAME" +bcfg2_selinux \- Security Enhanced Linux Policy for the bcfg2 processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B bcfg2 -+(policy for bcfg2) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the bcfg2 processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bcfg2_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the bcfg2_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3680,8 +3854,16 @@ index 0000000..fcb6393 +- Set files with the bcfg2_var_lib_t type, if you want to store the bcfg2 files under the /var/lib directory. + + ++.EX ++.PP ++.B bcfg2_var_run_t ++.EE ++ ++- Set files with the bcfg2_var_run_t type, if you want to store the bcfg2 files under the /run directory. ++ ++ +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -3726,23 +3908,33 @@ index 0000000..fcb6393 +selinux(8), bcfg2(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/bitlbee_selinux.8 b/man/man8/bitlbee_selinux.8 new file mode 100644 -index 0000000..7c1b8b9 +index 0000000..4d6b678 --- /dev/null +++ b/man/man8/bitlbee_selinux.8 -@@ -0,0 +1,133 @@ +@@ -0,0 +1,143 @@ +.TH "bitlbee_selinux" "8" "bitlbee" "dwalsh@redhat.com" "bitlbee SELinux Policy documentation" +.SH "NAME" +bitlbee_selinux \- Security Enhanced Linux Policy for the bitlbee processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B bitlbee -+(Bitlbee service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the bitlbee processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bitlbee_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the bitlbee_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3820,7 +4012,7 @@ index 0000000..7c1b8b9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -3865,17 +4057,17 @@ index 0000000..7c1b8b9 +selinux(8), bitlbee(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/blktap_selinux.8 b/man/man8/blktap_selinux.8 new file mode 100644 -index 0000000..4a344b5 +index 0000000..be40148 --- /dev/null +++ b/man/man8/blktap_selinux.8 -@@ -0,0 +1,98 @@ +@@ -0,0 +1,100 @@ +.TH "blktap_selinux" "8" "blktap" "dwalsh@redhat.com" "blktap SELinux Policy documentation" +.SH "NAME" +blktap_selinux \- Security Enhanced Linux Policy for the blktap processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the blktap processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. blktap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run blktap with the tightest access possible. @@ -3888,6 +4080,8 @@ index 0000000..4a344b5 +.B setsebool -P xend_run_blktap 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -3920,7 +4114,7 @@ index 0000000..4a344b5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -3970,23 +4164,33 @@ index 0000000..4a344b5 \ No newline at end of file diff --git a/man/man8/blueman_selinux.8 b/man/man8/blueman_selinux.8 new file mode 100644 -index 0000000..834703f +index 0000000..50e8fa0 --- /dev/null 
+++ b/man/man8/blueman_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,95 @@ +.TH "blueman_selinux" "8" "blueman" "dwalsh@redhat.com" "blueman SELinux Policy documentation" +.SH "NAME" +blueman_selinux \- Security Enhanced Linux Policy for the blueman processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B blueman -+(policy for blueman) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the blueman processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the blueman_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the blueman_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -4007,8 +4211,16 @@ index 0000000..834703f +- Set files with the blueman_exec_t type, if you want to transition an executable to the blueman_t domain. + + ++.EX +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B blueman_var_lib_t ++.EE ++ ++- Set files with the blueman_var_lib_t type, if you want to store the blueman files under the /var/lib directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4053,35 +4265,45 @@ index 0000000..834703f +selinux(8), blueman(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/bluetooth_selinux.8 b/man/man8/bluetooth_selinux.8 new file mode 100644 -index 0000000..d344b7b +index 0000000..7f82ebf --- /dev/null +++ b/man/man8/bluetooth_selinux.8 -@@ -0,0 +1,184 @@ +@@ -0,0 +1,202 @@ +.TH "bluetooth_selinux" "8" "bluetooth" "dwalsh@redhat.com" "bluetooth SELinux Policy documentation" +.SH "NAME" +bluetooth_selinux \- Security Enhanced Linux Policy for the bluetooth processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B bluetooth -+(Bluetooth tools and system services) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the bluetooth processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. bluetooth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bluetooth with the tightest access possible. + + +.PP -+If you want to allow xguest users to use blue tooth device, you must turn on the xguest_use_bluetooth boolean. ++If you want to allow xguest to use blue tooth device, you must turn on the xguest_use_bluetooth boolean. + +.EX +.B setsebool -P xguest_use_bluetooth 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bluetooth_t, bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the bluetooth_t, bluetooth_helper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -4167,6 +4389,14 @@ index 0000000..d344b7b + +.EX +.PP ++.B bluetooth_tmp_t ++.EE ++ ++- Set files with the bluetooth_tmp_t type, if you want to store bluetooth temporary files in the /tmp directories. ++ ++ ++.EX ++.PP +.B bluetooth_unit_file_t +.EE + @@ -4194,7 +4424,7 @@ index 0000000..d344b7b +/var/run/bluetoothd_address, /var/run/sdp + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4244,23 +4474,19 @@ index 0000000..d344b7b \ No newline at end of file diff --git a/man/man8/boinc_selinux.8 b/man/man8/boinc_selinux.8 new file mode 100644 -index 0000000..ae842c8 +index 0000000..685379f --- /dev/null +++ b/man/man8/boinc_selinux.8 -@@ -0,0 +1,166 @@ +@@ -0,0 +1,178 @@ +.TH "boinc_selinux" "8" "boinc" "dwalsh@redhat.com" "boinc SELinux Policy documentation" +.SH "NAME" +boinc_selinux \- Security Enhanced Linux Policy for the boinc processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B boinc -+(policy for boinc) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the boinc processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -4291,6 +4517,14 @@ index 0000000..ae842c8 + +.EX +.PP ++.B boinc_log_t ++.EE ++ ++- Set files with the boinc_log_t type, if you want to treat the data as boinc log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP +.B boinc_project_tmp_t +.EE + 
@@ -4327,6 +4561,14 @@ index 0000000..ae842c8 + +.EX +.PP ++.B boinc_unit_file_t ++.EE ++ ++- Set files with the boinc_unit_file_t type, if you want to treat the files as boinc unit content. ++ ++ ++.EX ++.PP +.B boinc_var_lib_t +.EE + @@ -4334,7 +4576,7 @@ index 0000000..ae842c8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4361,7 +4603,7 @@ index 0000000..ae842c8 + + +Default Defined Ports: -+tcp 8021 ++tcp 1043 +.EE + +.EX @@ -4372,7 +4614,7 @@ index 0000000..ae842c8 + + +Default Defined Ports: -+tcp 8021 ++tcp 31416 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -4416,24 +4658,18 @@ index 0000000..ae842c8 +selinux(8), boinc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/bootloader_selinux.8 b/man/man8/bootloader_selinux.8 new file mode 100644 -index 0000000..892a587 +index 0000000..eec1cec --- /dev/null 
+++ b/man/man8/bootloader_selinux.8 -@@ -0,0 +1,116 @@ +@@ -0,0 +1,134 @@ +.TH "bootloader_selinux" "8" "bootloader" "dwalsh@redhat.com" "bootloader SELinux Policy documentation" +.SH "NAME" +bootloader_selinux \- Security Enhanced Linux Policy for the bootloader processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B bootloader -+(Policy for the kernel modules, kernel image, and bootloader) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the bootloader processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. bootloader policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bootloader with the tightest access possible. + @@ -4445,6 +4681,22 @@ index 0000000..892a587 +.B setsebool -P xdm_exec_bootloader 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the bootloader_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the bootloader_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -4466,7 +4718,7 @@ index 0000000..892a587 +.br +.TP 5 +Paths: -+/etc/yaboot\.conf.*, /etc/default/grub, /etc/lilo\.conf.* ++/etc/zipl\.conf.*, /etc/yaboot\.conf.*, /etc/default/grub, /etc/lilo\.conf.* + +.EX +.PP @@ -4478,7 +4730,7 @@ index 0000000..892a587 +.br +.TP 5 +Paths: -+/usr/sbin/ybin.*, /usr/sbin/grub.*, /sbin/lilo.*, /sbin/ybin.*, /usr/sbin/lilo.*, /sbin/grub.* ++/usr/sbin/ybin.*, /usr/sbin/zipl, /sbin/lilo.*, /sbin/ybin.*, /usr/sbin/lilo.*, /sbin/grub.*, /sbin/zipl, /usr/sbin/grub.* + +.EX +.PP 
@@ -4488,8 +4740,16 @@ index 0000000..892a587 +- Set files with the bootloader_tmp_t type, if you want to store bootloader temporary files in the /tmp directories. + + ++.EX +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B bootloader_var_run_t ++.EE ++ ++- Set files with the bootloader_var_run_t type, if you want to store the bootloader files under the /run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4539,23 +4799,19 @@ index 0000000..892a587 \ No newline at end of file diff --git a/man/man8/brctl_selinux.8 b/man/man8/brctl_selinux.8 new file mode 100644 -index 0000000..664324c +index 0000000..c101394 --- /dev/null +++ b/man/man8/brctl_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "brctl_selinux" "8" "brctl" "dwalsh@redhat.com" "brctl SELinux Policy documentation" +.SH "NAME" +brctl_selinux \- Security Enhanced Linux Policy for the brctl processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B brctl -+(Utilities for configuring the linux ethernet bridge) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the brctl processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -4577,7 +4833,7 @@ index 0000000..664324c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4622,23 +4878,19 @@ index 0000000..664324c +selinux(8), brctl(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cachefilesd_selinux.8 b/man/man8/cachefilesd_selinux.8 new file mode 100644 -index 0000000..03e5916 +index 0000000..ae12188 --- /dev/null +++ b/man/man8/cachefilesd_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,85 @@ +.TH "cachefilesd_selinux" "8" "cachefilesd" "dwalsh@redhat.com" "cachefilesd SELinux Policy documentation" +.SH "NAME" +cachefilesd_selinux \- Security Enhanced Linux Policy for the cachefilesd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cachefilesd -+(policy for cachefilesd) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cachefilesd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -4653,18 +4905,6 @@ index 0000000..03e5916 + +.EX +.PP -+.B cachefiles_var_t -+.EE -+ -+- Set files with the cachefiles_var_t type, if you want to store the cachef files under the /var directory. -+ -+.br -+.TP 5 -+Paths: -+/var/run/cachefilesd\.pid, /var/fscache(/.*)?, /var/cache/fscache(/.*)? -+ -+.EX -+.PP +.B cachefilesd_exec_t +.EE + 
@@ -4684,7 +4924,7 @@ index 0000000..03e5916 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4729,23 +4969,33 @@ index 0000000..03e5916 +selinux(8), cachefilesd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/calamaris_selinux.8 b/man/man8/calamaris_selinux.8 new file mode 100644 -index 0000000..831d1b4 +index 0000000..49eff66 --- /dev/null +++ b/man/man8/calamaris_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,103 @@ +.TH "calamaris_selinux" "8" "calamaris" "dwalsh@redhat.com" "calamaris SELinux Policy documentation" +.SH "NAME" +calamaris_selinux \- Security Enhanced Linux Policy for the calamaris processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B calamaris -+(Squid log analysis) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the calamaris processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the calamaris_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the calamaris_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -4783,7 +5033,7 @@ index 0000000..831d1b4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4828,23 +5078,33 @@ index 0000000..831d1b4 +selinux(8), calamaris(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/callweaver_selinux.8 b/man/man8/callweaver_selinux.8 new file mode 100644 -index 0000000..00210e6 +index 0000000..c6d08e9 --- /dev/null +++ b/man/man8/callweaver_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,127 @@ +.TH "callweaver_selinux" "8" "callweaver" "dwalsh@redhat.com" "callweaver SELinux Policy documentation" +.SH "NAME" +callweaver_selinux \- Security Enhanced Linux Policy for the callweaver processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B callweaver -+(Open source PBX project) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the callweaver processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the callweaver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the callweaver_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -4906,7 +5166,7 @@ index 0000000..00210e6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4951,23 +5211,19 @@ index 0000000..00210e6 +selinux(8), callweaver(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/canna_selinux.8 b/man/man8/canna_selinux.8 new file mode 100644 -index 0000000..f254edc +index 0000000..82b8b66 --- /dev/null +++ b/man/man8/canna_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,121 @@ +.TH "canna_selinux" "8" "canna" "dwalsh@redhat.com" "canna SELinux Policy documentation" +.SH "NAME" +canna_selinux \- Security Enhanced Linux Policy for the canna processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B canna -+(Canna - kana-kanji conversion server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the canna processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5037,7 +5293,7 @@ index 0000000..f254edc +/var/run/\.iroha_unix/.*, /var/run/wnn-unix(/.*)?, /var/run/\.iroha_unix + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5082,17 +5338,19 @@ index 0000000..f254edc +selinux(8), canna(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/cardmgr_selinux.8 b/man/man8/cardmgr_selinux.8 new file mode 100644 -index 0000000..a494bcb +index 0000000..9b896dc --- /dev/null +++ b/man/man8/cardmgr_selinux.8 -@@ -0,0 +1,111 @@ +@@ -0,0 +1,113 @@ +.TH "cardmgr_selinux" "8" "cardmgr" "dwalsh@redhat.com" "cardmgr SELinux Policy documentation" +.SH "NAME" +cardmgr_selinux \- Security Enhanced Linux Policy for the cardmgr processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cardmgr processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5154,7 +5412,7 @@ index 0000000..a494bcb +/var/run/cardmgr\.pid, /var/run/stab, /var/lib/pcmcia(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5199,23 +5457,19 @@ index 0000000..a494bcb +selinux(8), cardmgr(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ccs_selinux.8 b/man/man8/ccs_selinux.8 new file mode 100644 -index 0000000..d2d4fde +index 0000000..e068e54 --- /dev/null 
+++ b/man/man8/ccs_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,121 @@ +.TH "ccs_selinux" "8" "ccs" "dwalsh@redhat.com" "ccs SELinux Policy documentation" +.SH "NAME" +ccs_selinux \- Security Enhanced Linux Policy for the ccs processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ccs -+(Cluster Configuration System) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ccs processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5285,7 +5539,7 @@ index 0000000..d2d4fde +/var/run/cluster/ccsd\.pid, /var/run/cluster/ccsd\.sock + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5330,17 +5584,33 @@ index 0000000..d2d4fde +selinux(8), ccs(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cdcc_selinux.8 b/man/man8/cdcc_selinux.8 new file mode 100644 -index 0000000..217f349 +index 0000000..34e2704 --- /dev/null 
+++ b/man/man8/cdcc_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,95 @@ +.TH "cdcc_selinux" "8" "cdcc" "dwalsh@redhat.com" "cdcc SELinux Policy documentation" +.SH "NAME" +cdcc_selinux \- Security Enhanced Linux Policy for the cdcc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cdcc processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cdcc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the cdcc_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5370,7 +5640,7 @@ index 0000000..217f349 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5415,24 +5685,18 @@ index 0000000..217f349 +selinux(8), cdcc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cdrecord_selinux.8 b/man/man8/cdrecord_selinux.8 new file mode 100644 -index 0000000..db2a2e1 +index 0000000..85cb1a9 --- /dev/null 
+++ b/man/man8/cdrecord_selinux.8 -@@ -0,0 +1,96 @@ +@@ -0,0 +1,92 @@ +.TH "cdrecord_selinux" "8" "cdrecord" "dwalsh@redhat.com" "cdrecord SELinux Policy documentation" +.SH "NAME" +cdrecord_selinux \- Security Enhanced Linux Policy for the cdrecord processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cdrecord -+(Policy for cdrecord) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cdrecord processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. cdrecord policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cdrecord with the tightest access possible. + @@ -5444,6 +5708,8 @@ index 0000000..db2a2e1 +.B setsebool -P cdrecord_read_content 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -5468,7 +5734,7 @@ index 0000000..db2a2e1 +/usr/bin/cdrecord, /usr/bin/wodim, /usr/bin/growisofs + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5518,23 +5784,33 @@ index 0000000..db2a2e1 \ No newline at end of file diff --git a/man/man8/certmaster_selinux.8 b/man/man8/certmaster_selinux.8 new file mode 100644 -index 0000000..bf4f6c4 +index 0000000..66afecb --- /dev/null 
+++ b/man/man8/certmaster_selinux.8 -@@ -0,0 +1,143 @@ +@@ -0,0 +1,153 @@ +.TH "certmaster_selinux" "8" "certmaster" "dwalsh@redhat.com" "certmaster SELinux Policy documentation" +.SH "NAME" +certmaster_selinux \- Security Enhanced Linux Policy for the certmaster processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B certmaster -+(Certmaster SSL certificate distribution service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the certmaster processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the certmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the certmaster_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5596,7 +5872,7 @@ index 0000000..bf4f6c4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5623,7 +5899,7 @@ index 0000000..bf4f6c4 + + +Default Defined Ports: -+tcp 8021 ++tcp 51235 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -5667,23 +5943,33 @@ index 0000000..bf4f6c4 +selinux(8), certmaster(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/certmonger_selinux.8 b/man/man8/certmonger_selinux.8 new file mode 100644 -index 0000000..2f01973 +index 0000000..a543011 --- /dev/null +++ b/man/man8/certmonger_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,119 @@ +.TH "certmonger_selinux" "8" "certmonger" "dwalsh@redhat.com" "certmonger SELinux Policy documentation" +.SH "NAME" +certmonger_selinux \- Security Enhanced Linux Policy for the certmonger processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B certmonger -+(Certificate status monitor and PKI enrollment client) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the certmonger processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the certmonger_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the certmonger_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5737,7 +6023,7 @@ index 0000000..2f01973 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5754,7 +6040,7 @@ index 0000000..2f01973 +The following process types are defined for certmonger: + +.EX -+.B certmonger_t ++.B certmonger_unconfined_t, certmonger_t +.EE +.PP +Note: 
@@ -5782,23 +6068,19 @@ index 0000000..2f01973 +selinux(8), certmonger(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/certwatch_selinux.8 b/man/man8/certwatch_selinux.8 new file mode 100644 -index 0000000..612259c +index 0000000..089cf20 --- /dev/null +++ b/man/man8/certwatch_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "certwatch_selinux" "8" "certwatch" "dwalsh@redhat.com" "certwatch SELinux Policy documentation" +.SH "NAME" +certwatch_selinux \- Security Enhanced Linux Policy for the certwatch processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B certwatch -+(Digital Certificate Tracking) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the certwatch processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5820,7 +6102,7 @@ index 0000000..612259c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5865,23 +6147,33 @@ index 0000000..612259c +selinux(8), certwatch(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cfengine_selinux.8 b/man/man8/cfengine_selinux.8 new file mode 100644 -index 0000000..0831deb +index 0000000..216eb67 --- /dev/null 
+++ b/man/man8/cfengine_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,131 @@ +.TH "cfengine_selinux" "8" "cfengine" "dwalsh@redhat.com" "cfengine SELinux Policy documentation" +.SH "NAME" +cfengine_selinux \- Security Enhanced Linux Policy for the cfengine processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cfengine -+(policy for cfengine) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cfengine processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cfengine_execd_t, cfengine_monitord_t, cfengine_serverd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cfengine_execd_t, cfengine_monitord_t, cfengine_serverd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5938,8 +6230,16 @@ index 0000000..0831deb +- Set files with the cfengine_var_lib_t type, if you want to store the cfengine files under the /var/lib directory. + + ++.EX +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B cfengine_var_log_t ++.EE ++ ++- Set files with the cfengine_var_log_t type, if you want to treat the data as cfengine var log data, usually stored under the /var/log directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -5984,17 +6284,19 @@ index 0000000..0831deb +selinux(8), cfengine(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cgclear_selinux.8 b/man/man8/cgclear_selinux.8 new file mode 100644 -index 0000000..8dc7a1f +index 0000000..2629bba --- /dev/null +++ b/man/man8/cgclear_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "cgclear_selinux" "8" "cgclear" "dwalsh@redhat.com" "cgclear SELinux Policy documentation" +.SH "NAME" +cgclear_selinux \- Security Enhanced Linux Policy for the cgclear processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cgclear processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6020,7 +6322,7 @@ index 0000000..8dc7a1f +/sbin/cgclear, /usr/sbin/cgclear + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6065,17 +6367,33 @@ index 0000000..8dc7a1f +selinux(8), cgclear(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cgconfig_selinux.8 b/man/man8/cgconfig_selinux.8 new file mode 100644 -index 0000000..bf8323b +index 0000000..b643891 --- /dev/null 
+++ b/man/man8/cgconfig_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,111 @@ +.TH "cgconfig_selinux" "8" "cgconfig" "dwalsh@redhat.com" "cgconfig SELinux Policy documentation" +.SH "NAME" +cgconfig_selinux \- Security Enhanced Linux Policy for the cgconfig processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cgconfig processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cgconfig_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6121,7 +6439,7 @@ index 0000000..bf8323b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6166,17 +6484,33 @@ index 0000000..bf8323b +selinux(8), cgconfig(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cgred_selinux.8 b/man/man8/cgred_selinux.8 new file mode 100644 -index 0000000..8cf1b40 +index 0000000..cf5a223 --- /dev/null 
+++ b/man/man8/cgred_selinux.8 -@@ -0,0 +1,99 @@ +@@ -0,0 +1,115 @@ +.TH "cgred_selinux" "8" "cgred" "dwalsh@redhat.com" "cgred SELinux Policy documentation" +.SH "NAME" +cgred_selinux \- Security Enhanced Linux Policy for the cgred processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cgred processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cgred_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the cgred_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6226,7 +6560,7 @@ index 0000000..8cf1b40 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6271,17 +6605,19 @@ index 0000000..8cf1b40 +selinux(8), cgred(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/checkpc_selinux.8 b/man/man8/checkpc_selinux.8 new file mode 100644 -index 0000000..5c6fcde +index 0000000..9bcb086 --- /dev/null 
+++ b/man/man8/checkpc_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,81 @@ +.TH "checkpc_selinux" "8" "checkpc" "dwalsh@redhat.com" "checkpc SELinux Policy documentation" +.SH "NAME" +checkpc_selinux \- Security Enhanced Linux Policy for the checkpc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the checkpc processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6311,7 +6647,7 @@ index 0000000..5c6fcde + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6356,17 +6692,19 @@ index 0000000..5c6fcde +selinux(8), checkpc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/checkpolicy_selinux.8 b/man/man8/checkpolicy_selinux.8 new file mode 100644 -index 0000000..b67fcc4 +index 0000000..1ca072a --- /dev/null +++ b/man/man8/checkpolicy_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "checkpolicy_selinux" "8" "checkpolicy" "dwalsh@redhat.com" "checkpolicy SELinux Policy documentation" +.SH "NAME" +checkpolicy_selinux \- Security Enhanced Linux Policy for the checkpolicy processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the checkpolicy processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -6388,7 +6726,7 @@ index 0000000..b67fcc4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6433,17 +6771,33 @@ index 0000000..b67fcc4 +selinux(8), checkpolicy(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/chfn_selinux.8 b/man/man8/chfn_selinux.8 new file mode 100644 -index 0000000..c81760f +index 0000000..808065f --- /dev/null +++ b/man/man8/chfn_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,91 @@ +.TH "chfn_selinux" "8" "chfn" "dwalsh@redhat.com" "chfn SELinux Policy documentation" +.SH "NAME" +chfn_selinux \- Security Enhanced Linux Policy for the chfn processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the chfn processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chfn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the chfn_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -6469,7 +6823,7 @@ index 0000000..c81760f +/usr/bin/chfn, /usr/bin/chsh + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6514,17 +6868,33 @@ index 0000000..c81760f +selinux(8), chfn(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/chkpwd_selinux.8 b/man/man8/chkpwd_selinux.8 new file mode 100644 -index 0000000..03d8e09 +index 0000000..2974237 --- /dev/null +++ b/man/man8/chkpwd_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,91 @@ +.TH "chkpwd_selinux" "8" "chkpwd" "dwalsh@redhat.com" "chkpwd SELinux Policy documentation" +.SH "NAME" +chkpwd_selinux \- Security Enhanced Linux Policy for the chkpwd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the chkpwd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chkpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the chkpwd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -6547,10 +6917,10 @@ index 0000000..03d8e09 +.br +.TP 5 +Paths: -+/sbin/unix_verify, /sbin/unix_chkpwd, /usr/sbin/unix_verify, /usr/sbin/validate, /usr/sbin/unix_chkpwd ++/sbin/unix_chkpwd, /usr/sbin/unix_verify, /usr/sbin/validate, /sbin/unix_verify, /usr/sbin/unix_chkpwd + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6595,24 +6965,18 @@ index 0000000..03d8e09 +selinux(8), chkpwd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/chrome_selinux.8 b/man/man8/chrome_selinux.8 new file mode 100644 -index 0000000..e83770b +index 0000000..fec6ea8 --- /dev/null +++ b/man/man8/chrome_selinux.8 -@@ -0,0 +1,124 @@ +@@ -0,0 +1,120 @@ +.TH "chrome_selinux" "8" "chrome" "dwalsh@redhat.com" "chrome SELinux Policy documentation" +.SH "NAME" +chrome_selinux \- Security Enhanced Linux Policy for the chrome processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B chrome -+(policy for chrome) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the chrome processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. chrome policy is extremely flexible and has several booleans that allow you to manipulate the policy and run chrome with the tightest access possible. + @@ -6624,6 +6988,8 @@ index 0000000..e83770b +.B setsebool -P unconfined_chrome_sandbox_transition 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -6657,7 +7023,7 @@ index 0000000..e83770b +.br +.TP 5 +Paths: -+/usr/lib/chromium-browser/nacl_helper_bootstrap, /opt/google/chrome/nacl_helper_bootstrap ++/opt/google/chrome/nacl_helper_bootstrap, /usr/lib/chromium-browser/nacl_helper_bootstrap + +.EX +.PP @@ -6676,7 +7042,7 @@ index 0000000..e83770b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6726,23 +7092,33 @@ index 0000000..e83770b \ No newline at end of file diff --git a/man/man8/chronyd_selinux.8 b/man/man8/chronyd_selinux.8 new file mode 100644 -index 0000000..b178fb9 +index 0000000..90b125c --- /dev/null 
+++ b/man/man8/chronyd_selinux.8 -@@ -0,0 +1,167 @@ +@@ -0,0 +1,173 @@ +.TH "chronyd_selinux" "8" "chronyd" "dwalsh@redhat.com" "chronyd SELinux Policy documentation" +.SH "NAME" +chronyd_selinux \- Security Enhanced Linux Policy for the chronyd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B chronyd -+(Chrony NTP background daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the chronyd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the chronyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the chronyd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6794,10 +7170,6 @@ index 0000000..b178fb9 + +- Set files with the chronyd_unit_file_t type, if you want to treat the files as chronyd unit content. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/system/chrony.*, /usr/lib/systemd/system/chronyd.* + +.EX +.PP @@ -6828,7 +7200,7 @@ index 0000000..b178fb9 +/var/run/chronyd(/.*), /var/run/chronyd\.sock, /var/run/chronyd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -6855,7 +7227,7 @@ index 0000000..b178fb9 + + +Default Defined Ports: -+tcp 8021 ++udp 323 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -6899,17 +7271,19 @@ index 0000000..b178fb9 +selinux(8), chronyd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ciped_selinux.8 b/man/man8/ciped_selinux.8 new file mode 100644 -index 0000000..e387cea +index 0000000..27d1a6b --- /dev/null +++ b/man/man8/ciped_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "ciped_selinux" "8" "ciped" "dwalsh@redhat.com" "ciped SELinux Policy documentation" +.SH "NAME" +ciped_selinux \- Security Enhanced Linux Policy for the ciped processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ciped processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6931,7 +7305,7 @@ index 0000000..e387cea + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6976,17 +7350,17 @@ index 0000000..e387cea +selinux(8), ciped(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/clamd_selinux.8 b/man/man8/clamd_selinux.8 new file mode 100644 -index 0000000..7ffdf73 +index 0000000..e453e16 --- /dev/null 
+++ b/man/man8/clamd_selinux.8 -@@ -0,0 +1,183 @@ +@@ -0,0 +1,214 @@ +.TH "clamd_selinux" "8" "clamd" "dwalsh@redhat.com" "clamd SELinux Policy documentation" +.SH "NAME" +clamd_selinux \- Security Enhanced Linux Policy for the clamd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the clamd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. clamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamd with the tightest access possible. @@ -7000,12 +7374,35 @@ index 0000000..7ffdf73 +.EE + +.PP ++If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. ++ ++.EX ++.B setsebool -P clamscan_can_scan_system 1 ++.EE ++ ++.PP +If you want to allow clamd to use JIT compile, you must turn on the clamd_use_jit boolean. + +.EX +.B setsebool -P clamd_use_jit 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the clamd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the clamd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -7055,6 +7452,14 @@ index 0000000..7ffdf73 + +.EX +.PP ++.B clamd_unit_file_t ++.EE ++ ++- Set files with the clamd_unit_file_t type, if you want to treat the files as clamd unit content. ++ ++ ++.EX ++.PP +.B clamd_var_lib_t +.EE + 
@@ -7090,7 +7495,7 @@ index 0000000..7ffdf73 +/var/run/amavis(d)?/clamd\.pid, /var/run/clamd.*, /var/run/clamav.*, /var/spool/MailScanner(/.*)?, /var/spool/amavisd/clamd\.sock + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7117,7 +7522,7 @@ index 0000000..7ffdf73 + + +Default Defined Ports: -+tcp 8021 ++tcp 3310 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -7166,17 +7571,17 @@ index 0000000..7ffdf73 \ No newline at end of file diff --git a/man/man8/clamscan_selinux.8 b/man/man8/clamscan_selinux.8 new file mode 100644 -index 0000000..4b82f56 +index 0000000..dd41fa2 --- /dev/null +++ b/man/man8/clamscan_selinux.8 -@@ -0,0 +1,98 @@ +@@ -0,0 +1,107 @@ +.TH "clamscan_selinux" "8" "clamscan" "dwalsh@redhat.com" "clamscan SELinux Policy documentation" +.SH "NAME" +clamscan_selinux \- Security Enhanced Linux Policy for the clamscan processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the clamscan processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. clamscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamscan with the tightest access possible. 
@@ -7189,6 +7594,15 @@ index 0000000..4b82f56 +.B setsebool -P clamscan_read_user_content 1 +.EE + ++.PP ++If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. ++ ++.EX ++.B setsebool -P clamscan_can_scan_system 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -7221,7 +7635,7 @@ index 0000000..4b82f56 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7271,23 +7685,19 @@ index 0000000..4b82f56 \ No newline at end of file diff --git a/man/man8/clogd_selinux.8 b/man/man8/clogd_selinux.8 new file mode 100644 -index 0000000..c68d541 +index 0000000..2ec309f --- /dev/null +++ b/man/man8/clogd_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,89 @@ +.TH "clogd_selinux" "8" "clogd" "dwalsh@redhat.com" "clogd SELinux Policy documentation" +.SH "NAME" +clogd_selinux \- Security Enhanced Linux Policy for the clogd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B clogd -+(clogd - Clustered Mirror Log Server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the clogd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -7325,7 +7735,7 @@ index 0000000..c68d541 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7370,17 +7780,33 @@ index 0000000..c68d541 +selinux(8), clogd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/clvmd_selinux.8 b/man/man8/clvmd_selinux.8 new file mode 100644 -index 0000000..f25da6c +index 0000000..980ca0c --- /dev/null +++ b/man/man8/clvmd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,111 @@ +.TH "clvmd_selinux" "8" "clvmd" "dwalsh@redhat.com" "clvmd SELinux Policy documentation" +.SH "NAME" +clvmd_selinux \- Security Enhanced Linux Policy for the clvmd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the clvmd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the clvmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the clvmd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -7426,7 +7852,7 @@ index 0000000..f25da6c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7471,23 +7897,19 @@ index 0000000..f25da6c +selinux(8), clvmd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cmirrord_selinux.8 b/man/man8/cmirrord_selinux.8 new file mode 100644 -index 0000000..056abd4 +index 0000000..4d708d4 --- /dev/null +++ b/man/man8/cmirrord_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "cmirrord_selinux" "8" "cmirrord" "dwalsh@redhat.com" "cmirrord SELinux Policy documentation" +.SH "NAME" +cmirrord_selinux \- Security Enhanced Linux Policy for the cmirrord processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cmirrord -+(Cluster mirror log daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cmirrord processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -7533,7 +7955,7 @@ index 0000000..056abd4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7578,17 +8000,17 @@ index 0000000..056abd4 +selinux(8), cmirrord(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/cobblerd_selinux.8 b/man/man8/cobblerd_selinux.8 new file mode 100644 -index 0000000..9a63029 +index 0000000..0f5ed2b --- /dev/null +++ b/man/man8/cobblerd_selinux.8 -@@ -0,0 +1,211 @@ +@@ -0,0 +1,177 @@ +.TH "cobblerd_selinux" "8" "cobblerd" "dwalsh@redhat.com" "cobblerd SELinux Policy documentation" +.SH "NAME" +cobblerd_selinux \- Security Enhanced Linux Policy for the cobblerd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the cobblerd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. cobblerd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cobblerd with the tightest access possible. @@ -7622,6 +8044,8 @@ index 0000000..9a63029 +.B setsebool -P cobbler_use_cifs 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. +.TP @@ -7633,7 +8057,7 @@ index 0000000..9a63029 +.B restorecon -F -R -v /var/cobblerd +.pp +.TP -+Allow cobblerd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_cobblerd_anon_write boolean to be set. ++Allow cobblerd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_cobblerdd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/cobblerd/incoming(/.*)?" 
@@ -7661,42 +8085,6 @@ index 0000000..9a63029 + +.EX +.PP -+.B cobbler_etc_t -+.EE -+ -+- Set files with the cobbler_etc_t type, if you want to store cobbler files in the /etc directories. -+ -+ -+.EX -+.PP -+.B cobbler_tmp_t -+.EE -+ -+- Set files with the cobbler_tmp_t type, if you want to store cobbler temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B cobbler_var_lib_t -+.EE -+ -+- Set files with the cobbler_var_lib_t type, if you want to store the cobbler files under the /var/lib directory. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/cobbler(/.*)?, /var/www/cobbler/images(/.*)?, /var/www/cobbler/repo_mirror(/.*)?, /var/lib/tftpboot/pxelinux\.cfg(/.*)?, /var/lib/tftpboot/memdisk, /var/lib/tftpboot/s390x(/.*)?, /var/www/cobbler/links(/.*)?, /var/lib/tftpboot/menu\.c32, /var/lib/tftpboot/yaboot, /var/www/cobbler/localmirror(/.*)?, /var/www/cobbler/ks_mirror(/.*)?, /var/lib/tftpboot/grub(/.*)?, /var/www/cobbler/pub(/.*)?, /var/lib/tftpboot/ppc(/.*)?, /var/lib/tftpboot/pxelinux\.0, /var/lib/tftpboot/images(/.*)?, /var/lib/tftpboot/etc(/.*)?, /var/www/cobbler/rendered(/.*)? -+ -+.EX -+.PP -+.B cobbler_var_log_t -+.EE -+ -+- Set files with the cobbler_var_log_t type, if you want to treat the data as cobbler var log data, usually stored under the /var/log directory. -+ -+ -+.EX -+.PP +.B cobblerd_exec_t +.EE + @@ -7720,7 +8108,7 @@ index 0000000..9a63029 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7747,7 +8135,7 @@ index 0000000..9a63029 + + +Default Defined Ports: -+tcp 8021 ++tcp 25151 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -7796,24 +8184,18 @@ index 0000000..9a63029 \ No newline at end of file diff --git a/man/man8/collectd_selinux.8 b/man/man8/collectd_selinux.8 new file mode 100644 -index 0000000..6210747 +index 0000000..7e335f5 --- /dev/null +++ b/man/man8/collectd_selinux.8 -@@ -0,0 +1,124 @@ +@@ -0,0 +1,120 @@ +.TH "collectd_selinux" "8" "collectd" "dwalsh@redhat.com" "collectd SELinux Policy documentation" +.SH "NAME" +collectd_selinux \- Security Enhanced Linux Policy for the collectd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B collectd -+(policy for collectd) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the collectd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. collectd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run collectd with the tightest access possible. + @@ -7825,6 +8207,8 @@ index 0000000..6210747 +.B setsebool -P collectd_can_network_connect 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -7877,7 +8261,7 @@ index 0000000..6210747 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7927,23 +8311,33 @@ index 0000000..6210747 \ No newline at end of file diff --git a/man/man8/colord_selinux.8 b/man/man8/colord_selinux.8 new file mode 100644 -index 0000000..7ed4ac6 +index 0000000..96370fd --- /dev/null 
+++ b/man/man8/colord_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,127 @@ +.TH "colord_selinux" "8" "colord" "dwalsh@redhat.com" "colord SELinux Policy documentation" +.SH "NAME" +colord_selinux \- Security Enhanced Linux Policy for the colord processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B colord -+(GNOME color manager) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the colord processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the colord_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the colord_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8005,7 +8399,7 @@ index 0000000..7ed4ac6 +/var/lib/color(/.*)?, /var/lib/colord(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8050,23 +8444,33 @@ index 0000000..7ed4ac6 +selinux(8), colord(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/comsat_selinux.8 b/man/man8/comsat_selinux.8 new file mode 100644 -index 0000000..da3d8e9 +index 0000000..1ccb87c --- /dev/null 
+++ b/man/man8/comsat_selinux.8 -@@ -0,0 +1,119 @@ +@@ -0,0 +1,129 @@ +.TH "comsat_selinux" "8" "comsat" "dwalsh@redhat.com" "comsat SELinux Policy documentation" +.SH "NAME" +comsat_selinux \- Security Enhanced Linux Policy for the comsat processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B comsat -+(Comsat, a biff server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the comsat processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the comsat_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the comsat_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8104,7 +8508,7 @@ index 0000000..da3d8e9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8131,7 +8535,7 @@ index 0000000..da3d8e9 + + +Default Defined Ports: -+tcp 8021 ++udp 512 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -8175,23 +8579,33 @@ index 0000000..da3d8e9 +selinux(8), comsat(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/consolekit_selinux.8 b/man/man8/consolekit_selinux.8 new file mode 100644 -index 0000000..cac5397 +index 0000000..bd653a4 --- /dev/null 
+++ b/man/man8/consolekit_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,123 @@ +.TH "consolekit_selinux" "8" "consolekit" "dwalsh@redhat.com" "consolekit SELinux Policy documentation" +.SH "NAME" +consolekit_selinux \- Security Enhanced Linux Policy for the consolekit processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B consolekit -+(Framework for facilitating multiple user sessions on desktops) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the consolekit processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the consolekit_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the consolekit_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8249,7 +8663,7 @@ index 0000000..cac5397 +/var/run/console-kit-daemon\.pid, /var/run/ConsoleKit(/.*)?, /var/run/consolekit\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8294,25 +8708,19 @@ index 0000000..cac5397 +selinux(8), consolekit(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/consoletype_selinux.8 b/man/man8/consoletype_selinux.8 new file mode 100644 -index 0000000..931d27b +index 0000000..db62abe --- /dev/null 
+++ b/man/man8/consoletype_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,77 @@ +.TH "consoletype_selinux" "8" "consoletype" "dwalsh@redhat.com" "consoletype SELinux Policy documentation" +.SH "NAME" +consoletype_selinux \- Security Enhanced Linux Policy for the consoletype processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B consoletype -+( -+Determine of the console connected to the controlling terminal. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the consoletype processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8338,7 +8746,7 @@ index 0000000..931d27b +/usr/sbin/consoletype, /sbin/consoletype + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8383,23 +8791,33 @@ index 0000000..931d27b +selinux(8), consoletype(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/corosync_selinux.8 b/man/man8/corosync_selinux.8 new file mode 100644 -index 0000000..a20c704 +index 0000000..c32c2ce --- /dev/null 
+++ b/man/man8/corosync_selinux.8 -@@ -0,0 +1,149 @@ +@@ -0,0 +1,159 @@ +.TH "corosync_selinux" "8" "corosync" "dwalsh@redhat.com" "corosync SELinux Policy documentation" +.SH "NAME" +corosync_selinux \- Security Enhanced Linux Policy for the corosync processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B corosync -+(Corosync Cluster Engine) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the corosync processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the corosync_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the corosync_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8470,7 +8888,7 @@ index 0000000..a20c704 +.br +.TP 5 +Paths: -+/var/lib/corosync(/.*)?, /usr/lib(64)?/heartbeat(/.*)? ++/var/lib/heartbeat(/.*)?, /var/lib/corosync(/.*)? + +.EX +.PP @@ -8490,10 +8908,10 @@ index 0000000..a20c704 +.br +.TP 5 +Paths: -+/var/run/hearbeat(/.*)?, /var/run/corosync\.pid, /var/run/cman_.* ++/var/run/rsctmp(/.*)?, /var/run/corosync\.pid, /var/run/cman_.*, /var/run/heartbeat(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8538,23 +8956,33 @@ index 0000000..a20c704 +selinux(8), corosync(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/couchdb_selinux.8 b/man/man8/couchdb_selinux.8 new file mode 100644 -index 0000000..61ec71c +index 0000000..9ced651 --- /dev/null +++ b/man/man8/couchdb_selinux.8 -@@ -0,0 +1,151 @@ +@@ -0,0 +1,163 @@ +.TH "couchdb_selinux" "8" "couchdb" "dwalsh@redhat.com" "couchdb SELinux Policy documentation" +.SH "NAME" +couchdb_selinux \- Security Enhanced Linux Policy for the couchdb processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B couchdb -+(policy for couchdb) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the couchdb processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the couchdb_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the couchdb_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8624,7 +9052,7 @@ index 0000000..61ec71c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8651,7 +9079,9 @@ index 0000000..61ec71c + + +Default Defined Ports: -+tcp 8021 ++tcp 5984 ++.EE ++udp 5984 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -8695,23 +9125,33 @@ index 0000000..61ec71c +selinux(8), couchdb(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/courier_selinux.8 b/man/man8/courier_selinux.8 new file mode 100644 -index 0000000..3dc9d81 +index 0000000..9f3c497 --- /dev/null +++ b/man/man8/courier_selinux.8 -@@ -0,0 +1,165 @@ +@@ -0,0 +1,183 @@ +.TH "courier_selinux" "8" "courier" "dwalsh@redhat.com" "courier SELinux Policy documentation" +.SH "NAME" +courier_selinux \- Security Enhanced Linux Policy for the courier processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B courier -+(Courier IMAP and POP3 email servers) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the courier processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the courier_authdaemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the courier_authdaemon_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8731,6 +9171,10 @@ index 0000000..3dc9d81 + +- Set files with the courier_authdaemon_exec_t type, if you want to transition an executable to the courier_authdaemon_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/authdaemond, /usr/lib/courier/authlib/.* + +.EX +.PP @@ -8742,7 +9186,7 @@ index 0000000..3dc9d81 +.br +.TP 5 +Paths: -+/usr/lib/courier/rootcerts(/.*)?, /etc/courier(/.*)? ++/usr/lib/courier/rootcerts(/.*)?, /etc/courier(/.*)?, /etc/courier-imap(/.*)? + +.EX +.PP @@ -8811,6 +9255,10 @@ index 0000000..3dc9d81 + +- Set files with the courier_var_lib_t type, if you want to store the courier files under the /var/lib directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/courier(/.*)?, /var/lib/courier-imap(/.*)? + +.EX +.PP 
@@ -8821,7 +9269,7 @@ index 0000000..3dc9d81 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8866,23 +9314,19 @@ index 0000000..3dc9d81 +selinux(8), courier(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cpucontrol_selinux.8 b/man/man8/cpucontrol_selinux.8 new file mode 100644 -index 0000000..e50677e +index 0000000..b16af55 --- /dev/null +++ b/man/man8/cpucontrol_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,85 @@ +.TH "cpucontrol_selinux" "8" "cpucontrol" "dwalsh@redhat.com" "cpucontrol SELinux Policy documentation" +.SH "NAME" +cpucontrol_selinux \- Security Enhanced Linux Policy for the cpucontrol processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cpucontrol -+(Services for loading CPU microcode and CPU frequency scaling) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cpucontrol processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8916,7 +9360,7 @@ index 0000000..e50677e +/sbin/microcode_ctl, /usr/sbin/microcode_ctl + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -8961,23 +9405,19 @@ index 0000000..e50677e +selinux(8), cpucontrol(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cpufreqselector_selinux.8 b/man/man8/cpufreqselector_selinux.8 new file mode 100644 -index 0000000..e7b10a3 +index 0000000..2f76dc7 --- /dev/null +++ b/man/man8/cpufreqselector_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "cpufreqselector_selinux" "8" "cpufreqselector" "dwalsh@redhat.com" "cpufreqselector SELinux Policy documentation" +.SH "NAME" +cpufreqselector_selinux \- Security Enhanced Linux Policy for the cpufreqselector processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cpufreqselector -+(Command-line CPU frequency settings) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cpufreqselector processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8999,7 +9439,7 @@ index 0000000..e7b10a3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9044,17 +9484,19 @@ index 0000000..e7b10a3 +selinux(8), cpufreqselector(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cpuspeed_selinux.8 b/man/man8/cpuspeed_selinux.8 new file mode 100644 -index 0000000..8142e64 +index 0000000..91ed60d --- /dev/null 
+++ b/man/man8/cpuspeed_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,85 @@ +.TH "cpuspeed_selinux" "8" "cpuspeed" "dwalsh@redhat.com" "cpuspeed SELinux Policy documentation" +.SH "NAME" +cpuspeed_selinux \- Security Enhanced Linux Policy for the cpuspeed processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cpuspeed processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -9088,7 +9530,7 @@ index 0000000..8142e64 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9133,17 +9575,19 @@ index 0000000..8142e64 +selinux(8), cpuspeed(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/crack_selinux.8 b/man/man8/crack_selinux.8 new file mode 100644 -index 0000000..328fc4d +index 0000000..c17fa55 --- /dev/null +++ b/man/man8/crack_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "crack_selinux" "8" "crack" "dwalsh@redhat.com" "crack SELinux Policy documentation" +.SH "NAME" +crack_selinux \- Security Enhanced Linux Policy for the crack processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the crack processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -9189,7 +9633,7 @@ index 0000000..328fc4d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9234,17 +9678,17 @@ index 0000000..328fc4d +selinux(8), crack(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/crond_selinux.8 b/man/man8/crond_selinux.8 new file mode 100644 -index 0000000..b717fd8 +index 0000000..dcd4b550 --- /dev/null +++ b/man/man8/crond_selinux.8 -@@ -0,0 +1,173 @@ +@@ -0,0 +1,153 @@ +.TH "crond_selinux" "8" "crond" "dwalsh@redhat.com" "crond SELinux Policy documentation" +.SH "NAME" +crond_selinux \- Security Enhanced Linux Policy for the crond processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the crond processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. crond policy is extremely flexible and has several booleans that allow you to manipulate the policy and run crond with the tightest access possible. 
@@ -9264,51 +9708,31 @@ index 0000000..b717fd8 +.B setsebool -P cron_can_relabel 1 +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible. -+.PP -+The following file types are defined for crond: -+ ++.SH NSSWITCH DOMAIN + -+.EX +.PP -+.B cron_log_t -+.EE -+ -+- Set files with the cron_log_t type, if you want to treat the data as cron log data, usually stored under the /var/log directory. -+ ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the crontab_t, crond_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B cron_spool_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the cron_spool_t type, if you want to store the cron files under the /var/spool directory. -+ -+.br -+.TP 5 -+Paths: -+/var/spool/fcron, /var/spool/cron/crontabs -+ -+.EX +.PP -+.B cron_var_lib_t -+.EE -+ -+- Set files with the cron_var_lib_t type, if you want to store the cron files under the /var/lib directory. -+ ++If you want to allow confined applications to run with kerberos for the crontab_t, crond_t, you must turn on the kerberos_enabled boolean. + +.EX -+.PP -+.B cron_var_run_t ++setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the cron_var_run_t type, if you want to store the cron files under the /run directory. ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. 
++SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible. ++.PP ++The following file types are defined for crond: + + +.EX @@ -9349,7 +9773,7 @@ index 0000000..b717fd8 +.br +.TP 5 +Paths: -+/lib/systemd/system/atd\.service, /usr/lib/systemd/system/crond\.service, /lib/systemd/system/crond\.service ++/usr/lib/systemd/system/crond.*, /usr/lib/systemd/system/atd.* + +.EX +.PP @@ -9364,7 +9788,7 @@ index 0000000..b717fd8 +/var/run/crond?\.pid, /var/run/.*cron.*, /var/run/fcron\.pid, /var/run/crond?\.reboot, /var/run/fcron\.fifo, /var/run/atd\.pid, /var/run/anacron\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9414,17 +9838,33 @@ index 0000000..b717fd8 \ No newline at end of file diff --git a/man/man8/crontab_selinux.8 b/man/man8/crontab_selinux.8 new file mode 100644 -index 0000000..3de534f +index 0000000..f33b2b3 --- /dev/null 
+++ b/man/man8/crontab_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,99 @@ +.TH "crontab_selinux" "8" "crontab" "dwalsh@redhat.com" "crontab SELinux Policy documentation" +.SH "NAME" +crontab_selinux \- Security Enhanced Linux Policy for the crontab processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the crontab processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the crontab_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the crontab_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -9447,7 +9887,7 @@ index 0000000..3de534f +.br +.TP 5 +Paths: -+/usr/bin/(f)?crontab, /usr/bin/at ++/usr/bin/(f)?crontab, /usr/sbin/fcronsighup, /usr/bin/at + +.EX +.PP @@ -9458,7 +9898,7 @@ index 0000000..3de534f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9503,23 +9943,19 @@ index 0000000..3de534f +selinux(8), crontab(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ctdbd_selinux.8 b/man/man8/ctdbd_selinux.8 new file mode 100644 -index 0000000..1da47eb +index 0000000..569b571 --- /dev/null 
+++ b/man/man8/ctdbd_selinux.8 -@@ -0,0 +1,155 @@ +@@ -0,0 +1,153 @@ +.TH "ctdbd_selinux" "8" "ctdbd" "dwalsh@redhat.com" "ctdbd SELinux Policy documentation" +.SH "NAME" +ctdbd_selinux \- Security Enhanced Linux Policy for the ctdbd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ctdbd -+(policy for ctdbd) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ctdbd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -9593,7 +10029,7 @@ index 0000000..1da47eb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9620,7 +10056,9 @@ index 0000000..1da47eb + + +Default Defined Ports: -+tcp 8021 ++tcp 4379 ++.EE ++udp 4379 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -9664,23 +10102,33 @@ index 0000000..1da47eb +selinux(8), ctdbd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cups_selinux.8 b/man/man8/cups_selinux.8 new file mode 100644 -index 0000000..8bedca4 +index 0000000..7d0d815 --- /dev/null 
+++ b/man/man8/cups_selinux.8 -@@ -0,0 +1,225 @@ +@@ -0,0 +1,235 @@ +.TH "cups_selinux" "8" "cups" "dwalsh@redhat.com" "cups SELinux Policy documentation" +.SH "NAME" +cups_selinux \- Security Enhanced Linux Policy for the cups processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cups -+(Common UNIX printing system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cups processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -9783,7 +10231,7 @@ index 0000000..8bedca4 +.br +.TP 5 +Paths: -+/var/log/cups(/.*)?, /usr/local/Brother/fax/.*\.log, /var/log/turboprint.* ++/var/log/cups(/.*)?, /var/log/turboprint.*, /usr/local/Brother/fax/.*\.log + +.EX +.PP 
@@ -9819,7 +10267,7 @@ index 0000000..8bedca4 +.br +.TP 5 +Paths: -+/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/lib/cups/certs, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids ++/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /opt/brother/Printers(.*/)?inf(/.*)?, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /var/lib/cups/certs, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids + +.EX +.PP @@ -9850,7 +10298,7 @@ index 0000000..8bedca4 +/var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/turboprint(/.*)?, /var/run/cups(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9895,7 +10343,7 @@ index 0000000..8bedca4 +selinux(8), cups(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/cupsd_selinux.8 b/man/man8/cupsd_selinux.8 new file mode 100644 -index 0000000..2ce03af +index 0000000..c5695a9 --- /dev/null +++ b/man/man8/cupsd_selinux.8 @@ -0,0 +1,219 @@ @@ -9904,8 +10352,24 @@ index 0000000..2ce03af +cupsd_selinux \- Security Enhanced Linux Policy for the cupsd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cupsd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -9920,22 +10384,6 @@ index 0000000..2ce03af + +.EX +.PP -+.B cups_pdf_exec_t -+.EE -+ -+- Set files with the cups_pdf_exec_t type, if you want to transition an executable to the cups_pdf_t domain. -+ -+ -+.EX -+.PP -+.B cups_pdf_tmp_t -+.EE -+ -+- Set files with the cups_pdf_tmp_t type, if you want to store cups pdf temporary files in the /tmp directories. -+ -+ -+.EX -+.PP +.B cupsd_config_exec_t +.EE + @@ -10008,7 +10456,7 @@ index 0000000..2ce03af +.br +.TP 5 +Paths: -+/var/log/cups(/.*)?, /usr/local/Brother/fax/.*\.log, /var/log/turboprint.* ++/var/log/cups(/.*)?, /var/log/turboprint.*, /usr/local/Brother/fax/.*\.log + +.EX +.PP 
@@ -10044,7 +10492,7 @@ index 0000000..2ce03af +.br +.TP 5 +Paths: -+/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/lib/cups/certs, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids ++/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /opt/brother/Printers(.*/)?inf(/.*)?, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /var/lib/cups/certs, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids + +.EX +.PP @@ -10075,7 +10523,7 @@ index 0000000..2ce03af +/var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/turboprint(/.*)?, /var/run/cups(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10120,33 +10568,43 @@ index 0000000..2ce03af +selinux(8), cupsd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/cvs_selinux.8 b/man/man8/cvs_selinux.8 new file mode 100644 -index 0000000..5047556 +index 0000000..f98abb8 --- /dev/null +++ b/man/man8/cvs_selinux.8 -@@ -0,0 +1,162 @@ +@@ -0,0 +1,174 @@ +.TH "cvs_selinux" "8" "cvs" "dwalsh@redhat.com" "cvs SELinux Policy documentation" +.SH "NAME" +cvs_selinux \- Security Enhanced Linux Policy for the cvs processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cvs -+(Concurrent versions system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cvs processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. cvs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cvs with the tightest access possible. + + +.PP -+If you want to allow cvs daemon to read shado, you must turn on the allow_cvs_read_shadow boolean. ++If you want to allow cvs daemon to read shado, you must turn on the cvs_read_shadow boolean. ++ ++.EX ++.B setsebool -P cvs_read_shadow 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cvs_t, you must turn on the kerberos_enabled boolean. + +.EX -+.B setsebool -P allow_cvs_read_shadow 1 ++setsebool -P kerberos_enabled 1 +.EE + +.SH FILE CONTEXTS 
@@ -10213,7 +10671,7 @@ index 0000000..5047556 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10240,7 +10698,9 @@ index 0000000..5047556 + + +Default Defined Ports: -+tcp 8021 ++tcp 2401 ++.EE ++udp 2401 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -10289,23 +10749,19 @@ index 0000000..5047556 \ No newline at end of file diff --git a/man/man8/cyphesis_selinux.8 b/man/man8/cyphesis_selinux.8 new file mode 100644 -index 0000000..25cbcca +index 0000000..d1d00eb --- /dev/null +++ b/man/man8/cyphesis_selinux.8 -@@ -0,0 +1,127 @@ +@@ -0,0 +1,125 @@ +.TH "cyphesis_selinux" "8" "cyphesis" "dwalsh@redhat.com" "cyphesis SELinux Policy documentation" +.SH "NAME" +cyphesis_selinux \- Security Enhanced Linux Policy for the cyphesis processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cyphesis -+(Cyphesis WorldForge game server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cyphesis processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -10351,7 +10807,7 @@ index 0000000..25cbcca + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -10378,7 +10834,9 @@ index 0000000..25cbcca + + +Default Defined Ports: -+tcp 8021 ++tcp 6767,6769,6780-6799 ++.EE ++udp 32771 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -10422,23 +10880,33 @@ index 0000000..25cbcca +selinux(8), cyphesis(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cyrus_selinux.8 b/man/man8/cyrus_selinux.8 new file mode 100644 -index 0000000..d9b68c2 +index 0000000..952bce0 --- /dev/null +++ b/man/man8/cyrus_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,135 @@ +.TH "cyrus_selinux" "8" "cyrus" "dwalsh@redhat.com" "cyrus SELinux Policy documentation" +.SH "NAME" +cyrus_selinux \- Security Enhanced Linux Policy for the cyrus processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cyrus -+(Cyrus is an IMAP service intended to be run on sealed servers) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cyrus processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the cyrus_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the cyrus_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -10508,7 +10976,7 @@ index 0000000..d9b68c2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10624,17 +11092,33 @@ index 0000000..4bbec80 +selinux(8), semanage(8). diff --git a/man/man8/dbskkd_selinux.8 b/man/man8/dbskkd_selinux.8 new file mode 100644 -index 0000000..224a13a +index 0000000..c242885 --- /dev/null +++ b/man/man8/dbskkd_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,129 @@ +.TH "dbskkd_selinux" "8" "dbskkd" "dwalsh@redhat.com" "dbskkd SELinux Policy documentation" +.SH "NAME" +dbskkd_selinux \- Security Enhanced Linux Policy for the dbskkd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dbskkd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dbskkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dbskkd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -10672,7 +11156,7 @@ index 0000000..224a13a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10699,7 +11183,7 @@ index 0000000..224a13a + + +Default Defined Ports: -+tcp 8021 ++tcp 1178 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -10743,23 +11227,33 @@ index 0000000..224a13a +selinux(8), dbskkd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dcc_selinux.8 b/man/man8/dcc_selinux.8 new file mode 100644 -index 0000000..ac78346 +index 0000000..70d5d78 --- /dev/null 
+++ b/man/man8/dcc_selinux.8 -@@ -0,0 +1,246 @@ +@@ -0,0 +1,258 @@ +.TH "dcc_selinux" "8" "dcc" "dwalsh@redhat.com" "dcc SELinux Policy documentation" +.SH "NAME" +dcc_selinux \- Security Enhanced Linux Policy for the dcc processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dcc -+(Distributed checksum clearinghouse spam filtering) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dcc processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -10913,7 +11407,7 @@ index 0000000..ac78346 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10940,7 +11434,7 @@ index 0000000..ac78346 + + +Default Defined Ports: -+tcp 8021 ++udp 6276,6277 +.EE + +.EX @@ -10951,7 +11445,9 @@ index 0000000..ac78346 + + +Default Defined Ports: -+tcp 8021 ++tcp 5679 ++.EE ++udp 5679 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -10995,92 +11491,44 @@ index 0000000..ac78346 +selinux(8), dcc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dccd_selinux.8 b/man/man8/dccd_selinux.8 new file mode 100644 -index 0000000..2da502a +index 0000000..04f1603 --- /dev/null 
+++ b/man/man8/dccd_selinux.8 -@@ -0,0 +1,188 @@ +@@ -0,0 +1,142 @@ +.TH "dccd_selinux" "8" "dccd" "dwalsh@redhat.com" "dccd SELinux Policy documentation" +.SH "NAME" +dccd_selinux \- Security Enhanced Linux Policy for the dccd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dccd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible. -+.PP -+The following file types are defined for dccd: -+ ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B dcc_client_exec_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the dcc_client_exec_t type, if you want to transition an executable to the dcc_client_t domain. -+ -+ -+.EX +.PP -+.B dcc_client_map_t -+.EE -+ -+- Set files with the dcc_client_map_t type, if you want to treat the files as dcc client map data. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/dcc/map, /etc/dcc/map, /var/run/dcc/map, /var/dcc/map ++If you want to allow confined applications to run with kerberos for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the kerberos_enabled boolean. + +.EX -+.PP -+.B dcc_client_tmp_t ++setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the dcc_client_tmp_t type, if you want to store dcc client temporary files in the /tmp directories. 
-+ -+ -+.EX -+.PP -+.B dcc_dbclean_exec_t -+.EE -+ -+- Set files with the dcc_dbclean_exec_t type, if you want to transition an executable to the dcc_dbclean_t domain. -+ -+ -+.EX -+.PP -+.B dcc_dbclean_tmp_t -+.EE -+ -+- Set files with the dcc_dbclean_tmp_t type, if you want to store dcc dbclean temporary files in the /tmp directories. -+ -+ -+.EX ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. +.PP -+.B dcc_var_run_t -+.EE -+ -+- Set files with the dcc_var_run_t type, if you want to store the dcc files under the /run directory. -+ -+ -+.EX ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP -+.B dcc_var_t -+.EE -+ -+- Set files with the dcc_var_t type, if you want to store the files under the /var directory. ++Policy governs the access confined processes have to these files. ++SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible. ++.PP ++The following file types are defined for dccd: + -+.br -+.TP 5 -+Paths: -+/etc/dcc(/.*)?, /var/dcc(/.*)?, /var/lib/dcc(/.*)? + +.EX +.PP @@ -11107,7 +11555,7 @@ index 0000000..2da502a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11134,7 +11582,7 @@ index 0000000..2da502a + + +Default Defined Ports: -+tcp 8021 ++udp 6276,6277 +.EE + +.EX @@ -11145,7 +11593,9 @@ index 0000000..2da502a + + +Default Defined Ports: -+tcp 8021 ++tcp 5679 ++.EE ++udp 5679 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -11189,17 +11639,33 @@ index 0000000..2da502a +selinux(8), dccd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dccifd_selinux.8 b/man/man8/dccifd_selinux.8 new file mode 100644 -index 0000000..c80e92b +index 0000000..833573b --- /dev/null +++ b/man/man8/dccifd_selinux.8 -@@ -0,0 +1,91 @@ +@@ -0,0 +1,107 @@ +.TH "dccifd_selinux" "8" "dccifd" "dwalsh@redhat.com" "dccifd SELinux Policy documentation" +.SH "NAME" +dccifd_selinux \- Security Enhanced Linux Policy for the dccifd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dccifd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccifd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dccifd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11241,7 +11707,7 @@ index 0000000..c80e92b +/etc/dcc/dccifd, /var/run/dcc/dccifd + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11286,17 +11752,33 @@ index 0000000..c80e92b +selinux(8), dccifd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dccm_selinux.8 b/man/man8/dccm_selinux.8 new file mode 100644 -index 0000000..a9a2caa +index 0000000..a6c45e9 --- /dev/null 
+++ b/man/man8/dccm_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,131 @@ +.TH "dccm_selinux" "8" "dccm" "dwalsh@redhat.com" "dccm SELinux Policy documentation" +.SH "NAME" +dccm_selinux \- Security Enhanced Linux Policy for the dccm processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dccm processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dccm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the dccm_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11334,7 +11816,7 @@ index 0000000..a9a2caa + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11361,7 +11843,9 @@ index 0000000..a9a2caa + + +Default Defined Ports: -+tcp 8021 ++tcp 5679 ++.EE ++udp 5679 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -11405,17 +11889,19 @@ index 0000000..a9a2caa +selinux(8), dccm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dcerpcd_selinux.8 b/man/man8/dcerpcd_selinux.8 new file mode 100644 -index 0000000..7e28fe1 +index 0000000..6cbed0f --- /dev/null 
+++ b/man/man8/dcerpcd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "dcerpcd_selinux" "8" "dcerpcd" "dwalsh@redhat.com" "dcerpcd SELinux Policy documentation" +.SH "NAME" +dcerpcd_selinux \- Security Enhanced Linux Policy for the dcerpcd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dcerpcd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11461,7 +11947,7 @@ index 0000000..7e28fe1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11506,23 +11992,19 @@ index 0000000..7e28fe1 +selinux(8), dcerpcd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ddclient_selinux.8 b/man/man8/ddclient_selinux.8 new file mode 100644 -index 0000000..13df14d +index 0000000..7682599 --- /dev/null +++ b/man/man8/ddclient_selinux.8 -@@ -0,0 +1,145 @@ +@@ -0,0 +1,141 @@ +.TH "ddclient_selinux" "8" "ddclient" "dwalsh@redhat.com" "ddclient SELinux Policy documentation" +.SH "NAME" +ddclient_selinux \- Security Enhanced Linux Policy for the ddclient processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ddclient -+(Update dynamic IP address at DynDNS.org) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ddclient processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -11612,7 +12094,7 @@ index 0000000..13df14d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11657,17 +12139,33 @@ index 0000000..13df14d +selinux(8), ddclient(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/deltacloudd_selinux.8 b/man/man8/deltacloudd_selinux.8 new file mode 100644 -index 0000000..7d2381f +index 0000000..8a55ce3 --- /dev/null +++ b/man/man8/deltacloudd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,111 @@ +.TH "deltacloudd_selinux" "8" "deltacloudd" "dwalsh@redhat.com" "deltacloudd SELinux Policy documentation" +.SH "NAME" +deltacloudd_selinux \- Security Enhanced Linux Policy for the deltacloudd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the deltacloudd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the deltacloudd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the deltacloudd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -11713,7 +12211,7 @@ index 0000000..7d2381f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11758,23 +12256,33 @@ index 0000000..7d2381f +selinux(8), deltacloudd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/denyhosts_selinux.8 b/man/man8/denyhosts_selinux.8 new file mode 100644 -index 0000000..ff32a2b +index 0000000..35b4039 --- /dev/null +++ b/man/man8/denyhosts_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,119 @@ +.TH "denyhosts_selinux" "8" "denyhosts" "dwalsh@redhat.com" "denyhosts SELinux Policy documentation" +.SH "NAME" +denyhosts_selinux \- Security Enhanced Linux Policy for the denyhosts processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B denyhosts -+(DenyHosts SSH dictionary attack mitigation) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the denyhosts processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the denyhosts_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the denyhosts_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -11828,7 +12336,7 @@ index 0000000..ff32a2b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11873,17 +12381,19 @@ index 0000000..ff32a2b +selinux(8), denyhosts(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/depmod_selinux.8 b/man/man8/depmod_selinux.8 new file mode 100644 -index 0000000..b5dcbff +index 0000000..49b8acb --- /dev/null +++ b/man/man8/depmod_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "depmod_selinux" "8" "depmod" "dwalsh@redhat.com" "depmod SELinux Policy documentation" +.SH "NAME" +depmod_selinux \- Security Enhanced Linux Policy for the depmod processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the depmod processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11909,7 +12419,7 @@ index 0000000..b5dcbff +/sbin/depmod.*, /usr/sbin/depmod.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11954,23 +12464,33 @@ index 0000000..b5dcbff +selinux(8), depmod(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/devicekit_selinux.8 b/man/man8/devicekit_selinux.8 new file mode 100644 -index 0000000..fbd38fb +index 0000000..f60f7aa --- /dev/null 
+++ b/man/man8/devicekit_selinux.8 -@@ -0,0 +1,145 @@ +@@ -0,0 +1,155 @@ +.TH "devicekit_selinux" "8" "devicekit" "dwalsh@redhat.com" "devicekit SELinux Policy documentation" +.SH "NAME" +devicekit_selinux \- Security Enhanced Linux Policy for the devicekit processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B devicekit -+(Devicekit modular hardware abstraction layer) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the devicekit processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the devicekit_disk_t, devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the devicekit_disk_t, devicekit_power_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11993,7 +12513,7 @@ index 0000000..fbd38fb +.br +.TP 5 +Paths: -+/usr/lib/udev/udisks-part-id, /lib/udisks2/udisksd, /usr/lib/udisks2/udisksd, /lib/udev/udisks-part-id, /usr/libexec/devkit-disks-daemon, /usr/libexec/udisks-daemon ++/usr/lib/udisks/udisks-daemon, /usr/lib/udev/udisks-part-id, /usr/libexec/devkit-disks-daemon, /lib/udisks2/udisksd, /usr/lib/udisks2/udisksd, /lib/udev/udisks-part-id, /usr/libexec/udisks-daemon + +.EX +.PP 
@@ -12060,7 +12580,7 @@ index 0000000..fbd38fb +/var/run/upower(/.*)?, /var/run/udisks.*, /var/run/devkit(/.*)?, /var/run/DeviceKit-disks(/.*)?, /var/run/pm-utils(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12105,17 +12625,17 @@ index 0000000..fbd38fb +selinux(8), devicekit(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dhcpc_selinux.8 b/man/man8/dhcpc_selinux.8 new file mode 100644 -index 0000000..b805e27 +index 0000000..06082f5 --- /dev/null +++ b/man/man8/dhcpc_selinux.8 -@@ -0,0 +1,152 @@ +@@ -0,0 +1,174 @@ +.TH "dhcpc_selinux" "8" "dhcpc" "dwalsh@redhat.com" "dhcpc SELinux Policy documentation" +.SH "NAME" +dhcpc_selinux \- Security Enhanced Linux Policy for the dhcpc processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the dhcpc processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. dhcpc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpc with the tightest access possible. 
@@ -12128,6 +12648,22 @@ index 0000000..b805e27 +.B setsebool -P dhcpc_exec_iptables 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dhcpc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -12149,7 +12685,7 @@ index 0000000..b805e27 +.br +.TP 5 +Paths: -+/sbin/dhcpcd, /usr/sbin/pump, /sbin/dhclient.*, /usr/sbin/dhcpcd, /sbin/pump, /usr/sbin/dhclient.*, /usr/sbin/dhcdbd, /sbin/dhcdbd ++/usr/sbin/dhcpcd, /sbin/dhcpcd, /usr/sbin/pump, /sbin/dhclient.*, /usr/sbin/dhclient.*, /sbin/pump, /usr/sbin/dhcdbd, /sbin/dhcdbd + +.EX +.PP @@ -12186,9 +12722,13 @@ index 0000000..b805e27 + +- Set files with the dhcpc_var_run_t type, if you want to store the dhcpc files under the /run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/dhclient.*, /var/run/dhcpcd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12215,7 +12755,9 @@ index 0000000..b805e27 + + +Default Defined Ports: -+tcp 8021 ++tcp 68,546 ++.EE ++udp 68,546 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -12264,17 +12806,17 @@ index 0000000..b805e27 \ No newline at end of file 
diff --git a/man/man8/dhcpd_selinux.8 b/man/man8/dhcpd_selinux.8 new file mode 100644 -index 0000000..db3ea11 +index 0000000..073af6e --- /dev/null +++ b/man/man8/dhcpd_selinux.8 -@@ -0,0 +1,191 @@ +@@ -0,0 +1,194 @@ +.TH "dhcpd_selinux" "8" "dhcpd" "dwalsh@redhat.com" "dhcpd SELinux Policy documentation" +.SH "NAME" +dhcpd_selinux \- Security Enhanced Linux Policy for the dhcpd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the dhcpd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. dhcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpd with the tightest access possible. 
@@ -12287,35 +12829,38 @@ index 0000000..db3ea11 +.B setsebool -P dhcpc_exec_iptables 1 +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP -+Policy governs the access confined processes have to these files. -+SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible. -+.PP -+The following file types are defined for dhcpd: -+ ++If you want to allow DHCP daemon to use LDAP backend, you must turn on the dhcpd_use_ldap boolean. + +.EX -+.PP -+.B dhcp_etc_t ++.B setsebool -P dhcpd_use_ldap 1 +.EE + -+- Set files with the dhcp_etc_t type, if you want to store dhcp files in the /etc directories. ++.SH NSSWITCH DOMAIN + -+.br -+.TP 5 -+Paths: -+/etc/dhcp3(/.*)?, /etc/dhcp3?/dhclient.*, /etc/dhcpd(6)?\.conf, /etc/dhcpc.*, /etc/dhclient-script, /etc/dhclient.*conf, /etc/dhcp/dhcpd(6)?\.conf ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dhcpd_t, dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ +.PP -+.B dhcp_state_t ++If you want to allow confined applications to run with kerberos for the dhcpd_t, dhcpc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the dhcp_state_t type, if you want to treat the files as dhcp state data. ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible. 
++.PP ++The following file types are defined for dhcpd: + + +.EX @@ -12361,10 +12906,6 @@ index 0000000..db3ea11 + +- Set files with the dhcpd_unit_file_t type, if you want to treat the files as dhcpd unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/dhcpcd.*, /lib/systemd/system/dhcpcd.* + +.EX +.PP @@ -12375,7 +12916,7 @@ index 0000000..db3ea11 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12402,7 +12943,9 @@ index 0000000..db3ea11 + + +Default Defined Ports: -+tcp 8021 ++tcp 68,546 ++.EE ++udp 68,546 +.EE + +.EX @@ -12413,7 +12956,9 @@ index 0000000..db3ea11 + + +Default Defined Ports: -+tcp 8021 ++tcp 547,548,647,847,7911 ++.EE ++udp 67,547,548,647,847 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -12462,23 +13007,33 @@ index 0000000..db3ea11 \ No newline at end of file diff --git a/man/man8/dictd_selinux.8 b/man/man8/dictd_selinux.8 new file mode 100644 -index 0000000..53e911a +index 0000000..cfa1980 --- /dev/null 
+++ b/man/man8/dictd_selinux.8 -@@ -0,0 +1,135 @@ +@@ -0,0 +1,145 @@ +.TH "dictd_selinux" "8" "dictd" "dwalsh@redhat.com" "dictd SELinux Policy documentation" +.SH "NAME" +dictd_selinux \- Security Enhanced Linux Policy for the dictd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dictd -+(Dictionary daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dictd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dictd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dictd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -12532,7 +13087,7 @@ index 0000000..53e911a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12559,7 +13114,7 @@ index 0000000..53e911a + + +Default Defined Ports: -+tcp 8021 ++tcp 2628 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -12603,23 +13158,33 @@ index 0000000..53e911a +selinux(8), dictd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dirsrv_selinux.8 b/man/man8/dirsrv_selinux.8 new file mode 100644 -index 0000000..7c06f47 +index 0000000..1c30463 --- /dev/null 
+++ b/man/man8/dirsrv_selinux.8 -@@ -0,0 +1,217 @@ +@@ -0,0 +1,227 @@ +.TH "dirsrv_selinux" "8" "dirsrv" "dwalsh@redhat.com" "dirsrv SELinux Policy documentation" +.SH "NAME" +dirsrv_selinux \- Security Enhanced Linux Policy for the dirsrv processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dirsrv -+(policy for dirsrv) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dirsrv processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dirsrv_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dirsrv_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -12781,7 +13346,7 @@ index 0000000..7c06f47 +/usr/lib/dirsrv/cgi-bin/ds_remove, /usr/lib/dirsrv/cgi-bin/ds_create + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12826,17 +13391,19 @@ index 0000000..7c06f47 +selinux(8), dirsrv(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dirsrvadmin_selinux.8 b/man/man8/dirsrvadmin_selinux.8 new file mode 100644 -index 0000000..f314f5a +index 0000000..1566389 --- /dev/null 
+++ b/man/man8/dirsrvadmin_selinux.8 -@@ -0,0 +1,115 @@ +@@ -0,0 +1,117 @@ +.TH "dirsrvadmin_selinux" "8" "dirsrvadmin" "dwalsh@redhat.com" "dirsrvadmin SELinux Policy documentation" +.SH "NAME" +dirsrvadmin_selinux \- Security Enhanced Linux Policy for the dirsrvadmin processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dirsrvadmin processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -12902,7 +13469,7 @@ index 0000000..f314f5a +/usr/lib/dirsrv/cgi-bin/ds_remove, /usr/lib/dirsrv/cgi-bin/ds_create + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12947,17 +13514,19 @@ index 0000000..f314f5a +selinux(8), dirsrvadmin(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/disk_selinux.8 b/man/man8/disk_selinux.8 new file mode 100644 -index 0000000..d3d396c +index 0000000..ebf8c64 --- /dev/null +++ b/man/man8/disk_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,85 @@ +.TH "disk_selinux" "8" "disk" "dwalsh@redhat.com" "disk SELinux Policy documentation" +.SH "NAME" +disk_selinux \- Security Enhanced Linux Policy for the disk processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the disk processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -12991,7 +13560,7 @@ index 0000000..d3d396c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13036,23 +13605,33 @@ index 0000000..d3d396c +selinux(8), disk(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dkim_selinux.8 b/man/man8/dkim_selinux.8 new file mode 100644 -index 0000000..ff5f6d1 +index 0000000..6927ca6 --- /dev/null +++ b/man/man8/dkim_selinux.8 -@@ -0,0 +1,97 @@ +@@ -0,0 +1,107 @@ +.TH "dkim_selinux" "8" "dkim" "dwalsh@redhat.com" "dkim SELinux Policy documentation" +.SH "NAME" +dkim_selinux \- Security Enhanced Linux Policy for the dkim processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dkim -+(DomainKeys Identified Mail milter) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dkim processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dkim_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dkim_milter_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -13094,7 +13673,7 @@ index 0000000..ff5f6d1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13139,17 +13718,19 @@ index 0000000..ff5f6d1 +selinux(8), dkim(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dlm_selinux.8 b/man/man8/dlm_selinux.8 new file mode 100644 -index 0000000..d1bdbac +index 0000000..a848021 --- /dev/null +++ b/man/man8/dlm_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "dlm_selinux" "8" "dlm" "dwalsh@redhat.com" "dlm SELinux Policy documentation" +.SH "NAME" +dlm_selinux \- Security Enhanced Linux Policy for the dlm processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dlm processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -13195,7 +13776,7 @@ index 0000000..d1bdbac + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13240,24 +13821,18 @@ index 0000000..d1bdbac +selinux(8), dlm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dmesg_selinux.8 b/man/man8/dmesg_selinux.8 new file mode 100644 -index 0000000..7ba27b0 +index 0000000..34ef559 --- /dev/null 
+++ b/man/man8/dmesg_selinux.8 -@@ -0,0 +1,96 @@ +@@ -0,0 +1,92 @@ +.TH "dmesg_selinux" "8" "dmesg" "dwalsh@redhat.com" "dmesg SELinux Policy documentation" +.SH "NAME" +dmesg_selinux \- Security Enhanced Linux Policy for the dmesg processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dmesg -+(Policy for dmesg) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dmesg processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. dmesg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dmesg with the tightest access possible. + @@ -13269,6 +13844,8 @@ index 0000000..7ba27b0 +.B setsebool -P user_dmesg 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -13293,7 +13870,7 @@ index 0000000..7ba27b0 +/usr/bin/dmesg, /bin/dmesg + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13343,23 +13920,19 @@ index 0000000..7ba27b0 \ No newline at end of file diff --git a/man/man8/dmidecode_selinux.8 b/man/man8/dmidecode_selinux.8 new file mode 100644 -index 0000000..d2c6acf +index 0000000..b39aa66 --- /dev/null 
+++ b/man/man8/dmidecode_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,77 @@ +.TH "dmidecode_selinux" "8" "dmidecode" "dwalsh@redhat.com" "dmidecode SELinux Policy documentation" +.SH "NAME" +dmidecode_selinux \- Security Enhanced Linux Policy for the dmidecode processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dmidecode -+(Decode DMI data for x86/ia64 bioses) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dmidecode processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -13382,10 +13955,10 @@ index 0000000..d2c6acf +.br +.TP 5 +Paths: -+/usr/sbin/ownership, /usr/sbin/dmidecode, /usr/sbin/vpddecode ++/usr/sbin/dmidecode, /usr/sbin/vpddecode, /usr/sbin/ownership + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13430,23 +14003,33 @@ index 0000000..d2c6acf +selinux(8), dmidecode(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dnsmasq_selinux.8 b/man/man8/dnsmasq_selinux.8 new file mode 100644 -index 0000000..2913852 +index 0000000..5c245ca --- /dev/null 
+++ b/man/man8/dnsmasq_selinux.8 -@@ -0,0 +1,137 @@ +@@ -0,0 +1,143 @@ +.TH "dnsmasq_selinux" "8" "dnsmasq" "dwalsh@redhat.com" "dnsmasq SELinux Policy documentation" +.SH "NAME" +dnsmasq_selinux \- Security Enhanced Linux Policy for the dnsmasq processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dnsmasq -+(dnsmasq DNS forwarder and DHCP server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dnsmasq processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dnsmasq_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dnsmasq_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -13502,10 +14085,6 @@ index 0000000..2913852 + +- Set files with the dnsmasq_unit_file_t type, if you want to treat the files as dnsmasq unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/dnsmasq.*, /lib/systemd/system/dnsmasq.* + +.EX +.PP @@ -13528,7 +14107,7 @@ index 0000000..2913852 +/var/run/dnsmasq\.pid, /var/run/libvirt/network(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13573,23 +14152,19 @@ index 0000000..2913852 +selinux(8), dnsmasq(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/dnssec_selinux.8 b/man/man8/dnssec_selinux.8 new file mode 100644 -index 0000000..c8a6a53 +index 0000000..2e5ce91 --- /dev/null +++ b/man/man8/dnssec_selinux.8 -@@ -0,0 +1,123 @@ +@@ -0,0 +1,119 @@ +.TH "dnssec_selinux" "8" "dnssec" "dwalsh@redhat.com" "dnssec SELinux Policy documentation" +.SH "NAME" +dnssec_selinux \- Security Enhanced Linux Policy for the dnssec processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dnssec -+(policy for dnssec_trigger) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dnssec processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -13631,7 +14206,7 @@ index 0000000..c8a6a53 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13658,7 +14233,7 @@ index 0000000..c8a6a53 + + +Default Defined Ports: -+tcp 8021 ++tcp 8955 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -13702,23 +14277,33 @@ index 0000000..c8a6a53 +selinux(8), dnssec(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dovecot_selinux.8 b/man/man8/dovecot_selinux.8 new file mode 100644 -index 0000000..9dccfb5 +index 0000000..17a5b07 --- /dev/null 
+++ b/man/man8/dovecot_selinux.8 -@@ -0,0 +1,213 @@ +@@ -0,0 +1,223 @@ +.TH "dovecot_selinux" "8" "dovecot" "dwalsh@redhat.com" "dovecot SELinux Policy documentation" +.SH "NAME" +dovecot_selinux \- Security Enhanced Linux Policy for the dovecot processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dovecot -+(Dovecot POP and IMAP mail server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dovecot processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -13761,7 +14346,7 @@ index 0000000..9dccfb5 +.br +.TP 5 +Paths: -+/usr/share/ssl/private/dovecot\.pem, /etc/pki/dovecot(/.*)?, /usr/share/ssl/certs/dovecot\.pem ++/usr/share/ssl/certs/dovecot\.pem, /usr/share/ssl/private/dovecot\.pem, /etc/pki/dovecot(/.*)? + +.EX +.PP @@ -13876,7 +14461,7 @@ index 0000000..9dccfb5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13921,23 +14506,19 @@ index 0000000..9dccfb5 +selinux(8), dovecot(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/drbd_selinux.8 b/man/man8/drbd_selinux.8 new file mode 100644 -index 0000000..9cd65f4 +index 0000000..c0f3851 --- /dev/null +++ b/man/man8/drbd_selinux.8 -@@ -0,0 +1,97 @@ +@@ -0,0 +1,93 @@ +.TH "drbd_selinux" "8" "drbd" "dwalsh@redhat.com" "drbd SELinux Policy documentation" +.SH "NAME" +drbd_selinux \- Security Enhanced Linux Policy for the drbd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B drbd -+(policy for drbd) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the drbd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -13979,7 +14560,7 @@ index 0000000..9cd65f4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14024,23 +14605,33 @@ index 0000000..9cd65f4 +selinux(8), drbd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dspam_selinux.8 b/man/man8/dspam_selinux.8 new file mode 100644 -index 0000000..fba374b +index 0000000..0d25038 --- /dev/null 
+++ b/man/man8/dspam_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,127 @@ +.TH "dspam_selinux" "8" "dspam" "dwalsh@redhat.com" "dspam SELinux Policy documentation" +.SH "NAME" +dspam_selinux \- Security Enhanced Linux Policy for the dspam processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dspam -+(policy for dspam) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dspam processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dspam_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the dspam_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -14102,7 +14693,7 @@ index 0000000..fba374b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14147,24 +14738,18 @@ index 0000000..fba374b +selinux(8), dspam(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/entropyd_selinux.8 b/man/man8/entropyd_selinux.8 new file mode 100644 -index 0000000..907170c +index 0000000..5be048a --- /dev/null 
+++ b/man/man8/entropyd_selinux.8 -@@ -0,0 +1,108 @@ +@@ -0,0 +1,118 @@ +.TH "entropyd_selinux" "8" "entropyd" "dwalsh@redhat.com" "entropyd SELinux Policy documentation" +.SH "NAME" +entropyd_selinux \- Security Enhanced Linux Policy for the entropyd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B entropyd -+(Generate entropy from audio input) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the entropyd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. entropyd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run entropyd with the tightest access possible. + @@ -14176,6 +14761,22 @@ index 0000000..907170c +.B setsebool -P entropyd_use_audio 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the entropyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the entropyd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -14212,7 +14813,7 @@ index 0000000..907170c +/var/run/audio-entropyd\.pid, /var/run/haveged\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -14262,17 +14863,19 @@ index 0000000..907170c \ No newline at end of file diff --git a/man/man8/eventlogd_selinux.8 b/man/man8/eventlogd_selinux.8 new file mode 100644 -index 0000000..01e8f18 +index 0000000..781e7e8 --- /dev/null +++ b/man/man8/eventlogd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "eventlogd_selinux" "8" "eventlogd" "dwalsh@redhat.com" "eventlogd SELinux Policy documentation" +.SH "NAME" +eventlogd_selinux \- Security Enhanced Linux Policy for the eventlogd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the eventlogd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -14318,7 +14921,7 @@ index 0000000..01e8f18 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14363,17 +14966,19 @@ index 0000000..01e8f18 +selinux(8), eventlogd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/evtchnd_selinux.8 b/man/man8/evtchnd_selinux.8 new file mode 100644 -index 0000000..fc58144 +index 0000000..e804c60 --- /dev/null +++ b/man/man8/evtchnd_selinux.8 -@@ -0,0 +1,91 @@ +@@ -0,0 +1,93 @@ +.TH "evtchnd_selinux" "8" "evtchnd" "dwalsh@redhat.com" "evtchnd SELinux Policy documentation" +.SH "NAME" +evtchnd_selinux \- Security Enhanced Linux Policy for the evtchnd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the evtchnd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -14415,7 +15020,7 @@ index 0000000..fc58144 +/var/run/evtchnd, /var/run/evtchnd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14460,24 +15065,18 @@ index 0000000..fc58144 +selinux(8), evtchnd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/exim_selinux.8 b/man/man8/exim_selinux.8 new file mode 100644 -index 0000000..bb54ea6 +index 0000000..c27392c --- /dev/null +++ b/man/man8/exim_selinux.8 -@@ -0,0 +1,158 @@ +@@ -0,0 +1,168 @@ +.TH "exim_selinux" "8" "exim" "dwalsh@redhat.com" "exim SELinux Policy documentation" +.SH "NAME" +exim_selinux \- Security Enhanced Linux Policy for the exim processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B exim -+(Exim mail transfer agent) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the exim processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. exim policy is extremely flexible and has several booleans that allow you to manipulate the policy and run exim with the tightest access possible. + @@ -14490,7 +15089,7 @@ index 0000000..bb54ea6 +.EE + +.PP -+If you want to allow exim to connect to databases (PostgreSQL, MySQL, you must turn on the exim_can_connect_db boolean. ++If you want to allow exim to connect to databases (postgres, mysql, you must turn on the exim_can_connect_db boolean. + +.EX +.B setsebool -P exim_can_connect_db 1 
@@ -14503,6 +15102,22 @@ index 0000000..bb54ea6 +.B setsebool -P exim_manage_user_files 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the exim_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the exim_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -14575,7 +15190,7 @@ index 0000000..bb54ea6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14625,23 +15240,33 @@ index 0000000..bb54ea6 \ No newline at end of file diff --git a/man/man8/fail2ban_selinux.8 b/man/man8/fail2ban_selinux.8 new file mode 100644 -index 0000000..8084e6e +index 0000000..d44f080 --- /dev/null 
+++ b/man/man8/fail2ban_selinux.8 -@@ -0,0 +1,129 @@ +@@ -0,0 +1,139 @@ +.TH "fail2ban_selinux" "8" "fail2ban" "dwalsh@redhat.com" "fail2ban SELinux Policy documentation" +.SH "NAME" +fail2ban_selinux \- Security Enhanced Linux Policy for the fail2ban processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B fail2ban -+(Update firewall filtering to ban IP addresses with too many password failures) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the fail2ban processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fail2ban_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the fail2ban_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -14715,7 +15340,7 @@ index 0000000..8084e6e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14760,23 +15385,19 @@ index 0000000..8084e6e +selinux(8), fail2ban(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fcoemon_selinux.8 b/man/man8/fcoemon_selinux.8 new file mode 100644 -index 0000000..7f07e27 +index 0000000..f3611a7 --- /dev/null 
+++ b/man/man8/fcoemon_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,85 @@ +.TH "fcoemon_selinux" "8" "fcoemon" "dwalsh@redhat.com" "fcoemon SELinux Policy documentation" +.SH "NAME" +fcoemon_selinux \- Security Enhanced Linux Policy for the fcoemon processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B fcoemon -+(policy for fcoemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the fcoemon processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -14810,7 +15431,7 @@ index 0000000..7f07e27 +/var/run/fcm(/.*)?, /var/run/fcoemon\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14855,17 +15476,17 @@ index 0000000..7f07e27 +selinux(8), fcoemon(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fenced_selinux.8 b/man/man8/fenced_selinux.8 new file mode 100644 -index 0000000..8a95cd7 +index 0000000..c0f5224 --- /dev/null +++ b/man/man8/fenced_selinux.8 -@@ -0,0 +1,141 @@ +@@ -0,0 +1,157 @@ +.TH "fenced_selinux" "8" "fenced" "dwalsh@redhat.com" "fenced SELinux Policy documentation" +.SH "NAME" +fenced_selinux \- Security Enhanced Linux Policy for the fenced processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the fenced processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. fenced policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fenced with the tightest access possible. 
@@ -14885,6 +15506,22 @@ index 0000000..8a95cd7 +.B setsebool -P fenced_can_network_connect 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fenced_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the fenced_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -14906,7 +15543,7 @@ index 0000000..8a95cd7 +.br +.TP 5 +Paths: -+/usr/sbin/fence_node, /usr/sbin/fence_tool, /usr/sbin/fenced ++/usr/sbin/fence_tool, /usr/sbin/fence_node, /usr/sbin/fenced + +.EX +.PP @@ -14953,7 +15590,7 @@ index 0000000..8a95cd7 +/var/run/cluster/fenced_override, /var/run/cluster/fence_scsi.*, /var/run/fenced\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15003,7 +15640,7 @@ index 0000000..8a95cd7 \ No newline at end of file diff --git a/man/man8/fetchmail_selinux.8 b/man/man8/fetchmail_selinux.8 new file mode 100644 -index 0000000..65f9aa3 +index 0000000..8ede23f --- /dev/null +++ b/man/man8/fetchmail_selinux.8 @@ -0,0 +1,109 @@ 
@@ -15012,14 +15649,10 @@ index 0000000..65f9aa3 +fetchmail_selinux \- Security Enhanced Linux Policy for the fetchmail processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B fetchmail -+(Remote-mail retrieval and forwarding utility) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the fetchmail processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15063,6 +15696,10 @@ index 0000000..65f9aa3 + +- Set files with the fetchmail_uidl_cache_t type, if you want to store the files under the /var/cache directory. + ++.br ++.TP 5 ++Paths: ++/var/lib/fetchmail(/.*)?, /var/mail/\.fetchmail-UIDL-cache + +.EX +.PP @@ -15073,7 +15710,7 @@ index 0000000..65f9aa3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15118,17 +15755,33 @@ index 0000000..65f9aa3 +selinux(8), fetchmail(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fingerd_selinux.8 b/man/man8/fingerd_selinux.8 new file mode 100644 -index 0000000..b1c9f85 +index 0000000..ad1ac54 --- /dev/null 
+++ b/man/man8/fingerd_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,141 @@ +.TH "fingerd_selinux" "8" "fingerd" "dwalsh@redhat.com" "fingerd SELinux Policy documentation" +.SH "NAME" +fingerd_selinux \- Security Enhanced Linux Policy for the fingerd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the fingerd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fingerd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the fingerd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15178,7 +15831,7 @@ index 0000000..b1c9f85 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15205,7 +15858,7 @@ index 0000000..b1c9f85 + + +Default Defined Ports: -+tcp 8021 ++tcp 79 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -15249,23 +15902,33 @@ index 0000000..b1c9f85 +selinux(8), fingerd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/firewalld_selinux.8 b/man/man8/firewalld_selinux.8 new file mode 100644 -index 0000000..c6d98d6 +index 0000000..7171c2f --- /dev/null 
+++ b/man/man8/firewalld_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,131 @@ +.TH "firewalld_selinux" "8" "firewalld" "dwalsh@redhat.com" "firewalld SELinux Policy documentation" +.SH "NAME" +firewalld_selinux \- Security Enhanced Linux Policy for the firewalld processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B firewalld -+(policy for firewalld) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the firewalld processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15328,10 +15991,10 @@ index 0000000..c6d98d6 +.br +.TP 5 +Paths: -+/var/run/firewalld(/.*)?, /var/run/firewalld\.pid ++/var/run/firewalld\.pid, /var/run/firewalld(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15376,23 +16039,33 @@ index 0000000..c6d98d6 +selinux(8), firewalld(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/firewallgui_selinux.8 b/man/man8/firewallgui_selinux.8 new file mode 100644 -index 0000000..6fd604e +index 0000000..26dd213 --- /dev/null 
+++ b/man/man8/firewallgui_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,95 @@ +.TH "firewallgui_selinux" "8" "firewallgui" "dwalsh@redhat.com" "firewallgui SELinux Policy documentation" +.SH "NAME" +firewallgui_selinux \- Security Enhanced Linux Policy for the firewallgui processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B firewallgui -+(policy for firewallgui) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the firewallgui processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15422,7 +16095,7 @@ index 0000000..6fd604e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15467,26 +16140,19 @@ index 0000000..6fd604e +selinux(8), firewallgui(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/firstboot_selinux.8 b/man/man8/firstboot_selinux.8 new file mode 100644 -index 0000000..b1bbe5c +index 0000000..b6706ee --- /dev/null 
+++ b/man/man8/firstboot_selinux.8 -@@ -0,0 +1,100 @@ +@@ -0,0 +1,85 @@ +.TH "firstboot_selinux" "8" "firstboot" "dwalsh@redhat.com" "firstboot SELinux Policy documentation" +.SH "NAME" +firstboot_selinux \- Security Enhanced Linux Policy for the firstboot processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B firstboot -+( -+Final system configuration run during the first boot -+after installation of Red Hat/Fedora systems. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the firstboot processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15519,16 +16185,8 @@ index 0000000..b1bbe5c +Paths: +/usr/share/firstboot/firstboot\.py, /usr/sbin/firstboot + -+.EX -+.PP -+.B firstboot_tmp_t -+.EE -+ -+- Set files with the firstboot_tmp_t type, if you want to store firstboot temporary files in the /tmp directories. -+ -+ +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15573,17 +16231,19 @@ index 0000000..b1bbe5c +selinux(8), firstboot(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/foghorn_selinux.8 b/man/man8/foghorn_selinux.8 new file mode 100644 -index 0000000..828ba62 +index 0000000..a9d286f --- /dev/null 
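Review bot: The firstboot page now gets a `.SH NSSWITCH DOMAIN` header with nothing under it, which renders as an empty section in the manual. The same empty header appears in the foghorn, fsadm, fsdaemon, ftpdctl, games, gconfd, gconfdefaultsm, gfs, gitosis and glance sections on this page. The generator should emit the header only when at least one nsswitch boolean applies to the domain, i.e. only when it is about to write the `authlogin_nsswitch_use_ldap` or `kerberos_enabled` paragraph.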
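Review bot: The regenerated firstboot page drops the `firstboot_tmp_t` file-context entry (the `.B firstboot_tmp_t` block and its description), and the gconfd section later on this page likewise loses `gconf_etc_t`, `gconf_home_t` and `gconf_tmp_t` together with their paths. If these types were removed from the policy the man pages are right to follow, but if they still exist this looks like a regression in how genman.py discovers the types attached to a domain; nothing on this page shows which. Worth confirming against the current policy before shipping the regenerated pages, since administrators look these entries up when labeling directories.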
+++ b/man/man8/foghorn_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "foghorn_selinux" "8" "foghorn" "dwalsh@redhat.com" "foghorn SELinux Policy documentation" +.SH "NAME" +foghorn_selinux \- Security Enhanced Linux Policy for the foghorn processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the foghorn processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15629,7 +16289,7 @@ index 0000000..828ba62 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15674,23 +16334,33 @@ index 0000000..828ba62 +selinux(8), foghorn(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fprintd_selinux.8 b/man/man8/fprintd_selinux.8 new file mode 100644 -index 0000000..cd72389 +index 0000000..8195c2b --- /dev/null 
+++ b/man/man8/fprintd_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,95 @@ +.TH "fprintd_selinux" "8" "fprintd" "dwalsh@redhat.com" "fprintd SELinux Policy documentation" +.SH "NAME" +fprintd_selinux \- Security Enhanced Linux Policy for the fprintd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B fprintd -+(DBus fingerprint reader service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the fprintd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the fprintd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the fprintd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15720,7 +16390,7 @@ index 0000000..cd72389 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15765,17 +16435,33 @@ index 0000000..cd72389 +selinux(8), fprintd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/freshclam_selinux.8 b/man/man8/freshclam_selinux.8 new file mode 100644 -index 0000000..f012b28 +index 0000000..b282ccc --- /dev/null 
+++ b/man/man8/freshclam_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,99 @@ +.TH "freshclam_selinux" "8" "freshclam" "dwalsh@redhat.com" "freshclam SELinux Policy documentation" +.SH "NAME" +freshclam_selinux \- Security Enhanced Linux Policy for the freshclam processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the freshclam processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the freshclam_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the freshclam_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15809,7 +16495,7 @@ index 0000000..f012b28 +/var/log/clamav/freshclam.*, /var/log/freshclam.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15854,17 +16540,19 @@ index 0000000..f012b28 +selinux(8), freshclam(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fsadm_selinux.8 b/man/man8/fsadm_selinux.8 new file mode 100644 -index 0000000..9400571 +index 0000000..1b3d83f --- /dev/null 
+++ b/man/man8/fsadm_selinux.8 -@@ -0,0 +1,91 @@ +@@ -0,0 +1,93 @@ +.TH "fsadm_selinux" "8" "fsadm" "dwalsh@redhat.com" "fsadm SELinux Policy documentation" +.SH "NAME" +fsadm_selinux \- Security Enhanced Linux Policy for the fsadm processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the fsadm processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -15887,7 +16575,7 @@ index 0000000..9400571 +.br +.TP 5 +Paths: -+/sbin/partx, /usr/sbin/fdisk, /sbin/mkfs.*, /sbin/blockdev, /usr/sbin/sfdisk, /sbin/dumpe2fs, /sbin/mkdosfs, /sbin/mke2fs, /sbin/e4fsck, /usr/sbin/dosfsck, /usr/sbin/blockdev, /usr/sbin/lsraid, /usr/bin/partition_uuid, /sbin/raidautorun, /usr/sbin/findfs, /usr/sbin/scsi_info, /usr/sbin/raidstart, /sbin/mkreiserfs, /sbin/sfdisk, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/sbin/partx, /usr/sbin/resize.*fs, /usr/sbin/fsck.*, /usr/sbin/dumpe2fs, /usr/sbin/mkdosfs, /sbin/blkid, /usr/sbin/hdparm, /sbin/make_reiser4, /sbin/dump, /sbin/swapon.*, /usr/sbin/jfs_.*, /usr/bin/scsi_unique_id, /sbin/findfs, /usr/sbin/smartctl, /usr/bin/syslinux, /usr/sbin/blkid, /usr/sbin/mke2fs, /sbin/tune2fs, /sbin/losetup.*, /sbin/resize.*fs, /usr/sbin/tune2fs, /usr/lib/systemd/systemd-fsck, /sbin/parted, /sbin/partprobe, /sbin/dosfsck, /usr/sbin/mkfs.*, /sbin/e2label, /lib/systemd/systemd-fsck, /usr/sbin/reiserfs(ck|tune), /sbin/mkraid, /sbin/install-mbr, /sbin/scsi_info, /sbin/e2fsck, /sbin/fsck.*, /usr/sbin/install-mbr, /usr/sbin/clubufflush, /sbin/jfs_.*, /sbin/raidstart, /sbin/lsraid, /usr/sbin/losetup.*, /usr/sbin/mkreiserfs, /usr/sbin/swapon.*, /usr/sbin/e2fsck, /sbin/reiserfs(ck|tune), /usr/sbin/e4fsck, /usr/sbin/dump, /usr/sbin/partprobe, /sbin/fdisk, /usr/sbin/e2label, /usr/sbin/parted, /usr/bin/raw, /sbin/mke4fs, /usr/sbin/cfdisk, /usr/sbin/mke4fs, /sbin/cfdisk, /usr/sbin/mkraid, /sbin/hdparm ++/sbin/partx, /usr/sbin/fdisk, /sbin/mkfs.*, /sbin/blockdev, /usr/sbin/sfdisk, /sbin/dumpe2fs, /sbin/mkdosfs, /usr/sbin/mke2fs, /sbin/mke2fs, /sbin/e4fsck, /usr/sbin/dosfsck, /usr/sbin/blockdev, /sbin/dosfsck, /usr/sbin/lsraid, /usr/bin/partition_uuid, /sbin/raidautorun, /usr/sbin/findfs, /usr/sbin/scsi_info, /sbin/resize.*fs, /usr/sbin/raidstart, /sbin/mkreiserfs, /sbin/sfdisk, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/sbin/partx, /usr/sbin/resize.*fs, /usr/sbin/fsck.*, /usr/sbin/dumpe2fs, /sbin/tune2fs, 
/usr/sbin/mkdosfs, /sbin/blkid, /usr/sbin/hdparm, /sbin/make_reiser4, /sbin/dump, /sbin/swapon.*, /usr/sbin/jfs_.*, /usr/bin/scsi_unique_id, /sbin/findfs, /usr/sbin/smartctl, /usr/bin/syslinux, /usr/sbin/blkid, /sbin/losetup.*, /usr/sbin/tune2fs, /usr/lib/systemd/systemd-fsck, /sbin/parted, /sbin/partprobe, /usr/sbin/mkfs.*, /sbin/e2label, /usr/sbin/reiserfs(ck|tune), /sbin/mkraid, /sbin/install-mbr, /sbin/scsi_info, /sbin/fsck.*, /usr/sbin/install-mbr, /usr/sbin/clubufflush, /sbin/jfs_.*, /usr/sbin/mke4fs, /sbin/raidstart, /sbin/lsraid, /usr/sbin/losetup.*, /usr/sbin/mkreiserfs, /usr/sbin/swapon.*, /usr/sbin/e2fsck, /sbin/reiserfs(ck|tune), /usr/sbin/e4fsck, /usr/sbin/dump, /usr/sbin/partprobe, /sbin/fdisk, /sbin/e2fsck, /usr/sbin/e2label, /usr/sbin/parted, /usr/bin/raw, /sbin/mke4fs, /usr/sbin/cfdisk, /sbin/cfdisk, /usr/sbin/mkraid, /sbin/hdparm + +.EX +.PP @@ -15906,7 +16594,7 @@ index 0000000..9400571 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15951,17 +16639,19 @@ index 0000000..9400571 +selinux(8), fsadm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fsdaemon_selinux.8 b/man/man8/fsdaemon_selinux.8 new file mode 100644 -index 0000000..0f3466e +index 0000000..c1d45a3 --- /dev/null 
+++ b/man/man8/fsdaemon_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "fsdaemon_selinux" "8" "fsdaemon" "dwalsh@redhat.com" "fsdaemon SELinux Policy documentation" +.SH "NAME" +fsdaemon_selinux \- Security Enhanced Linux Policy for the fsdaemon processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the fsdaemon processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -16007,7 +16697,7 @@ index 0000000..0f3466e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16051,10 +16741,10 @@ index 0000000..0f3466e +.SH "SEE ALSO" +selinux(8), fsdaemon(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8 -index 5bebd82..c617a6e 100644 +index 5bebd82..3fad4c1 100644 --- a/man/man8/ftpd_selinux.8 +++ b/man/man8/ftpd_selinux.8 -@@ -1,65 +1,321 @@ +@@ -1,65 +1,346 @@ -.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation" +.TH "ftpd_selinux" "8" "ftpd" "dwalsh@redhat.com" "ftpd SELinux Policy documentation" .SH "NAME" @@ -16063,8 +16753,8 @@ index 5bebd82..c617a6e 100644 +ftpd_selinux \- Security Enhanced Linux Policy for the ftpd processes .SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the ftpd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. ftpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ftpd with the tightest access possible. 
@@ -16083,10 +16773,10 @@ index 5bebd82..c617a6e 100644 -SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files. -.TP -Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type. -+If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC, you must turn on the allow_ftpd_full_access boolean. ++If you want to allow ftp servers to use cifs used for public file transfer services, you must turn on the ftpd_use_cifs boolean. + +.EX -+.B setsebool -P allow_ftpd_full_access 1 ++.B setsebool -P ftpd_use_cifs 1 +.EE + .PP @@ -16097,10 +16787,10 @@ index 5bebd82..c617a6e 100644 -restorecon -F -R -v /var/ftp -.TP -Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set. -+If you want to allow ftp servers to connect to mysql database port, you must turn on the ftpd_connect_db boolean. ++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. + +.EX -+.B setsebool -P ftpd_connect_db 1 ++.B setsebool -P sftpd_write_ssh_home 1 +.EE + .PP @@ -16109,10 +16799,10 @@ index 5bebd82..c617a6e 100644 -.TP -.B -restorecon -F -R -v /var/ftp/incoming -+If you want to allow ftp servers to use cifs used for public file transfer services, you must turn on the allow_ftpd_use_cifs boolean. ++If you want to allow ftp servers to connect to mysql database port, you must turn on the ftpd_connect_db boolean. + +.EX -+.B setsebool -P allow_ftpd_use_cifs 1 ++.B setsebool -P ftpd_connect_db 1 +.EE -.SH BOOLEANS 
@@ -16120,10 +16810,10 @@ index 5bebd82..c617a6e 100644 -SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool. -.TP -Allow ftp servers to read and write files with the public_content_rw_t file type. -+If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the allow_ftpd_use_nfs boolean. ++If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC, you must turn on the ftpd_full_access boolean. + +.EX -+.B setsebool -P allow_ftpd_use_nfs 1 ++.B setsebool -P ftpd_full_access 1 +.EE + .PP @@ -16151,6 +16841,20 @@ index 5bebd82..c617a6e 100644 .PP -.B -setsebool -P allow_ftpd_full_access on ++If you want to allow ftp servers to use bind to all unreserved ports for passive mod, you must turn on the ftpd_use_passive_mode boolean. ++ ++.EX ++.B setsebool -P ftpd_use_passive_mode 1 ++.EE ++ ++.PP ++If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean. ++ ++.EX ++.B setsebool -P ftpd_use_nfs 1 ++.EE ++ ++.PP +If you want to allow sftp-internal to login to local users and read/write all files on the system, governed by DAC, you must turn on the sftpd_full_access boolean. + +.EX 
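Review bot: The new ftpd_use_passive_mode paragraph reads `use bind to all unreserved ports for passive mod`, which has a stray `use` and truncates `mode`; the text comes from the boolean's description, so the fix is in the tunable's description string: `If you want to allow ftp servers to bind to all unreserved ports for passive mode, you must turn on the ftpd_use_passive_mode boolean.` Since this boolean widens the set of ports the confined ftpd may bind, an accurate description matters for an administrator deciding whether to enable it.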
@@ -16171,11 +16875,20 @@ index 5bebd82..c617a6e 100644 +.B setsebool -P httpd_enable_ftp_server 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.PP -+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.B setsebool -P sftpd_write_ssh_home 1 ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ftpd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 +.EE + +.SH SHARING FILES @@ -16192,7 +16905,7 @@ index 5bebd82..c617a6e 100644 +.pp .TP -Allow ftp servers to use nfs for public file transfer services. -+Allow ftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set. ++Allow ftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpdd_anon_write boolean to be set. .PP .B -setsebool -P allow_ftpd_use_nfs on 
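Review bot: The SHARING FILES paragraph now tells the reader the upload needs the `allow_ftpdd_anon_write` boolean, a doubled-`d` name that matches neither the old `allow_ftpd_anon_write` nor the `ftpd_anon_write` that the BOOLEANS section of this same page now uses; an administrator following it would try to set a boolean that does not exist. The rename looks like a mechanical `allow_ftpd` → `ftpd` substitution applied to an already-edited string. Proposed text: `This also requires the ftpd_anon_write boolean to be set.`, assuming the BOOLEANS section carries the current name.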
@@ -16214,14 +16927,14 @@ index 5bebd82..c617a6e 100644 +.EE + +.PP -+If you want to allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the allow_ftpd_anon_write boolean. ++If you want to allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the ftpd_anon_write boolean. + +.EX -+.B setsebool -P allow_ftpd_anon_write 1 ++.B setsebool -P ftpd_anon_write 1 +.EE + +.PP -+If you want to allow anon internal-sftp to upload files, used for public file transfer services, directories must be labeled public_content_rw_t., you must turn on the sftpd_anon_write boolean. ++If you want to allow anon internal-sftp to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the sftpd_anon_write boolean. + +.EX +.B setsebool -P sftpd_anon_write 1 @@ -16319,11 +17032,10 @@ index 5bebd82..c617a6e 100644 + + +.EX - .PP ++.PP +.B ftpdctl_exec_t +.EE - --selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) ++ +- Set files with the ftpdctl_exec_t type, if you want to transition an executable to the ftpdctl_t domain. + + @@ -16336,7 +17048,7 @@ index 5bebd82..c617a6e 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16344,7 +17056,7 @@ index 5bebd82..c617a6e 100644 + +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. -+.PP + .PP +You can see the types associated with a port by using the following command: + +.B semanage port -l 
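Review bot: The ftpd_anon_write and sftpd_anon_write paragraphs read `... Directories must be labeled public_content_rw_t., you must turn on the ftpd_anon_write boolean.`, because the generator appends `, you must turn on the X boolean` to a description that already ends in a full stop. Stripping a trailing period from the description before appending the clause, or emitting the boolean name in a separate sentence, would give `Directories must be labeled public_content_rw_t. To allow this you must turn on the ftpd_anon_write boolean.` The fix belongs in genman.py so every page with a multi-sentence boolean description benefits.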
@@ -16363,9 +17075,10 @@ index 5bebd82..c617a6e 100644 + + +Default Defined Ports: -+tcp 8021 ++tcp 20 +.EE -+ + +-selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) +.EX +.TP 5 +.B ftp_port_t @@ -16374,7 +17087,9 @@ index 5bebd82..c617a6e 100644 + + +Default Defined Ports: -+tcp 8021 ++tcp 21,990 ++.EE ++udp 990 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -16423,17 +17138,19 @@ index 5bebd82..c617a6e 100644 \ No newline at end of file diff --git a/man/man8/ftpdctl_selinux.8 b/man/man8/ftpdctl_selinux.8 new file mode 100644 -index 0000000..8903b4b +index 0000000..205df84 --- /dev/null +++ b/man/man8/ftpdctl_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,81 @@ +.TH "ftpdctl_selinux" "8" "ftpdctl" "dwalsh@redhat.com" "ftpdctl SELinux Policy documentation" +.SH "NAME" +ftpdctl_selinux \- Security Enhanced Linux Policy for the ftpdctl processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ftpdctl processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -16463,7 +17180,7 @@ index 0000000..8903b4b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16508,23 +17225,19 @@ index 0000000..8903b4b +selinux(8), ftpdctl(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/games_selinux.8 b/man/man8/games_selinux.8 new file mode 100644 -index 0000000..4ba69f7 +index 0000000..b8b7acb --- /dev/null 
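Review bot: The ftp_port_t entry closes the example with `.EE` right after `tcp 21,990`, then prints `udp 990` outside the block followed by a second `.EE`, so the udp line is rendered as body text and the second `.EE` is unmatched; the glance_port_t and glance_registry_port_t entries later on this page have the same shape. The generator should emit `.EE` once, after the last protocol line: `tcp 21,990` / `udp 990` / `.EE`.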
+++ b/man/man8/games_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,113 @@ +.TH "games_selinux" "8" "games" "dwalsh@redhat.com" "games SELinux Policy documentation" +.SH "NAME" +games_selinux \- Security Enhanced Linux Policy for the games processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B games -+(Games) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the games processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -16559,7 +17272,7 @@ index 0000000..4ba69f7 +.br +.TP 5 +Paths: -+/usr/bin/sol, /usr/bin/blackjack, /usr/bin/micq, /usr/bin/gnome-stones, /usr/bin/gnotski, /usr/bin/kshisen, /usr/bin/klickety, /usr/bin/lskat, /usr/bin/atlantik, /usr/bin/ksame, /usr/bin/kgoldrunner, /usr/bin/lskatproc, /usr/bin/gataxx, /usr/bin/katomic, /usr/bin/Maelstrom, /usr/bin/ksmiletris, /usr/bin/gnotravex, /usr/bin/ksirtet, /usr/bin/ktuberling, /usr/bin/kbounce, /usr/bin/kenolaba, /usr/bin/kmahjongg, /usr/bin/ksnake, /usr/games/.*, /usr/bin/gnobots2, /usr/bin/civserver.*, /usr/bin/civclient.*, /usr/bin/kwin4, /usr/bin/ktron, /usr/bin/mahjongg, /usr/bin/kbackgammon, /usr/bin/kblackbox, /usr/bin/kjumpingcube, /usr/bin/gnect, /usr/bin/kbattleship, /usr/bin/same-gnome, /usr/bin/kasteroids, /usr/bin/ksokoban, /usr/bin/kolf, /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/kpoker, /usr/lib/games(/.*)?, /usr/bin/glines, /usr/bin/kfouleggs, /usr/bin/kmines, /usr/bin/gnibbles, /usr/bin/kspaceduel, /usr/bin/gnomine, /usr/bin/kpat, /usr/bin/iagno, /usr/bin/gtali, /usr/bin/klines, /usr/bin/kwin4proc ++/usr/bin/sol, /usr/bin/blackjack, /usr/bin/micq, /usr/bin/gnotski, /usr/bin/kshisen, /usr/bin/klickety, /usr/bin/lskat, /usr/bin/atlantik, /usr/bin/ksame, /usr/bin/kgoldrunner, /usr/bin/lskatproc, /usr/bin/gataxx, /usr/bin/katomic, /usr/bin/Maelstrom, /usr/bin/ksmiletris, /usr/bin/gnotravex, /usr/bin/ksirtet, /usr/bin/kbattleship, /usr/bin/ktuberling, /usr/bin/kenolaba, /usr/bin/kmahjongg, /usr/bin/ksnake, /usr/games/.*, /usr/bin/gnobots2, /usr/bin/civserver.*, /usr/bin/civclient.*, /usr/bin/kbounce, /usr/bin/kwin4, /usr/bin/ktron, /usr/bin/mahjongg, /usr/bin/kbackgammon, /usr/bin/kblackbox, /usr/bin/kjumpingcube, /usr/bin/gnomine, /usr/bin/gnect, /usr/bin/same-gnome, /usr/bin/kasteroids, /usr/bin/ksokoban, /usr/bin/kolf, /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/kpoker, /usr/lib/games(/.*)?, /usr/bin/glines, /usr/bin/kfouleggs, /usr/bin/kmines, /usr/bin/gnibbles, /usr/bin/kspaceduel, /usr/bin/kpat, 
/usr/bin/iagno, /usr/bin/gtali, /usr/bin/klines, /usr/bin/kwin4proc, /usr/bin/gnome-stones + +.EX +.PP @@ -16586,7 +17299,7 @@ index 0000000..4ba69f7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16631,17 +17344,19 @@ index 0000000..4ba69f7 +selinux(8), games(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gconfd_selinux.8 b/man/man8/gconfd_selinux.8 new file mode 100644 -index 0000000..6146c3a +index 0000000..60a90d3 --- /dev/null +++ b/man/man8/gconfd_selinux.8 -@@ -0,0 +1,107 @@ +@@ -0,0 +1,81 @@ +.TH "gconfd_selinux" "8" "gconfd" "dwalsh@redhat.com" "gconfd SELinux Policy documentation" +.SH "NAME" +gconfd_selinux \- Security Enhanced Linux Policy for the gconfd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the gconfd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -16656,34 +17371,6 @@ index 0000000..6146c3a + +.EX +.PP -+.B gconf_etc_t -+.EE -+ -+- Set files with the gconf_etc_t type, if you want to store gconf files in the /etc directories. -+ -+ -+.EX -+.PP -+.B gconf_home_t -+.EE -+ -+- Set files with the gconf_home_t type, if you want to store gconf files in the users home directory. -+ -+.br -+.TP 5 -+Paths: -+/root/\.gconf(d)?(/.*)?, /root/\.local.* -+ -+.EX -+.PP -+.B gconf_tmp_t -+.EE -+ -+- Set files with the gconf_tmp_t type, if you want to store gconf temporary files in the /tmp directories. -+ -+ -+.EX -+.PP +.B gconfd_exec_t +.EE + 
@@ -16699,7 +17386,7 @@ index 0000000..6146c3a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16744,17 +17431,19 @@ index 0000000..6146c3a +selinux(8), gconfd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gconfdefaultsm_selinux.8 b/man/man8/gconfdefaultsm_selinux.8 new file mode 100644 -index 0000000..71a23ac +index 0000000..57f2bed --- /dev/null +++ b/man/man8/gconfdefaultsm_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "gconfdefaultsm_selinux" "8" "gconfdefaultsm" "dwalsh@redhat.com" "gconfdefaultsm SELinux Policy documentation" +.SH "NAME" +gconfdefaultsm_selinux \- Security Enhanced Linux Policy for the gconfdefaultsm processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the gconfdefaultsm processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -16776,7 +17465,7 @@ index 0000000..71a23ac + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16821,23 +17510,33 @@ index 0000000..71a23ac +selinux(8), gconfdefaultsm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/getty_selinux.8 b/man/man8/getty_selinux.8 new file mode 100644 -index 0000000..85b78f2 +index 0000000..830dccf 
--- /dev/null +++ b/man/man8/getty_selinux.8 -@@ -0,0 +1,129 @@ +@@ -0,0 +1,139 @@ +.TH "getty_selinux" "8" "getty" "dwalsh@redhat.com" "getty SELinux Policy documentation" +.SH "NAME" +getty_selinux \- Security Enhanced Linux Policy for the getty processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B getty -+(Policy for getty) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the getty processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the getty_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the getty_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -16911,7 +17610,7 @@ index 0000000..85b78f2 +/var/spool/voice(/.*)?, /var/spool/fax(/.*)?, /var/run/mgetty\.pid.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16956,17 +17655,19 @@ index 0000000..85b78f2 +selinux(8), getty(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gfs_selinux.8 b/man/man8/gfs_selinux.8 new file mode 100644 -index 0000000..c681f11 +index 0000000..fe8cb5a --- /dev/null 
+++ b/man/man8/gfs_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "gfs_selinux" "8" "gfs" "dwalsh@redhat.com" "gfs SELinux Policy documentation" +.SH "NAME" +gfs_selinux \- Security Enhanced Linux Policy for the gfs processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the gfs processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -17012,7 +17713,7 @@ index 0000000..c681f11 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17246,24 +17947,18 @@ index 0000000..6031c31 +selinux(8), semanage(8). diff --git a/man/man8/gitosis_selinux.8 b/man/man8/gitosis_selinux.8 new file mode 100644 -index 0000000..0db16b5 +index 0000000..7bad946 --- /dev/null +++ b/man/man8/gitosis_selinux.8 -@@ -0,0 +1,108 @@ +@@ -0,0 +1,104 @@ +.TH "gitosis_selinux" "8" "gitosis" "dwalsh@redhat.com" "gitosis SELinux Policy documentation" +.SH "NAME" +gitosis_selinux \- Security Enhanced Linux Policy for the gitosis processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B gitosis -+(Tools for managing and hosting git repositories) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the gitosis processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. gitosis policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gitosis with the tightest access possible. + 
@@ -17275,6 +17970,8 @@ index 0000000..0db16b5 +.B setsebool -P gitosis_can_sendmail 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -17311,7 +18008,7 @@ index 0000000..0db16b5 +/var/lib/gitolite(/.*)?, /var/lib/gitosis(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17361,23 +18058,19 @@ index 0000000..0db16b5 \ No newline at end of file diff --git a/man/man8/glance_selinux.8 b/man/man8/glance_selinux.8 new file mode 100644 -index 0000000..5fe5fae +index 0000000..b34e8f0 --- /dev/null +++ b/man/man8/glance_selinux.8 -@@ -0,0 +1,167 @@ +@@ -0,0 +1,178 @@ +.TH "glance_selinux" "8" "glance" "dwalsh@redhat.com" "glance SELinux Policy documentation" +.SH "NAME" +glance_selinux \- Security Enhanced Linux Policy for the glance processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B glance -+(policy for glance) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the glance processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -17463,7 +18156,7 @@ index 0000000..5fe5fae + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17484,13 +18177,28 @@ index 0000000..5fe5fae + +.EX +.TP 5 ++.B glance_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 9292 ++.EE ++udp 9292 ++.EE ++ ++.EX ++.TP 5 +.B glance_registry_port_t +.TP 10 +.EE + + +Default Defined Ports: -+tcp 8021 ++tcp 9191 ++.EE ++udp 9191 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -17534,23 +18242,33 @@ index 0000000..5fe5fae +selinux(8), glance(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gnomeclock_selinux.8 b/man/man8/gnomeclock_selinux.8 new file mode 100644 -index 0000000..9664dd6 +index 0000000..03f43f2 --- /dev/null 
+++ b/man/man8/gnomeclock_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,91 @@ +.TH "gnomeclock_selinux" "8" "gnomeclock" "dwalsh@redhat.com" "gnomeclock SELinux Policy documentation" +.SH "NAME" +gnomeclock_selinux \- Security Enhanced Linux Policy for the gnomeclock processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B gnomeclock -+(Gnome clock handler for setting the time) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the gnomeclock processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gnomeclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gnomeclock_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -17576,7 +18294,7 @@ index 0000000..9664dd6 +/usr/libexec/gsd-datetime-mechanism, /usr/libexec/kde(3|4)/kcmdatetimehelper, /usr/libexec/gnome-clock-applet-mechanism + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17621,17 +18339,19 @@ index 0000000..9664dd6 +selinux(8), gnomeclock(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gnomesystemmm_selinux.8 b/man/man8/gnomesystemmm_selinux.8 new file mode 100644 -index 0000000..d92b3e4 +index 0000000..d4a95e3 --- /dev/null 
+++ b/man/man8/gnomesystemmm_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "gnomesystemmm_selinux" "8" "gnomesystemmm" "dwalsh@redhat.com" "gnomesystemmm SELinux Policy documentation" +.SH "NAME" +gnomesystemmm_selinux \- Security Enhanced Linux Policy for the gnomesystemmm processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the gnomesystemmm processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -17657,7 +18377,7 @@ index 0000000..d92b3e4 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper, /usr/libexec/gnome-system-monitor-mechanism + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17702,24 +18422,18 @@ index 0000000..d92b3e4 +selinux(8), gnomesystemmm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gpg_selinux.8 b/man/man8/gpg_selinux.8 new file mode 100644 -index 0000000..9072646 +index 0000000..b15e6a9 --- /dev/null 
+++ b/man/man8/gpg_selinux.8 -@@ -0,0 +1,177 @@ +@@ -0,0 +1,187 @@ +.TH "gpg_selinux" "8" "gpg" "dwalsh@redhat.com" "gpg SELinux Policy documentation" +.SH "NAME" +gpg_selinux \- Security Enhanced Linux Policy for the gpg processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B gpg -+(Policy for GNU Privacy Guard and related programs) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the gpg processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. gpg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg with the tightest access possible. + @@ -17732,12 +18446,28 @@ index 0000000..9072646 +.EE + +.PP -+If you want to allow httpd to run gpg in gpg-web domai, you must turn on the httpd_use_gpg boolean. ++If you want to allow httpd to run gp, you must turn on the httpd_use_gpg boolean. + +.EX +.B setsebool -P httpd_use_gpg 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. +.TP 
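Review bot: The boolean description rewritten in the `@@ -17732,12 +18446,28 @@` hunk is cut short: `If you want to allow httpd to run gp, you must turn on the httpd_use_gpg boolean.` drops the end of the sentence, and the old text it replaces (`...run gpg in gpg-web domai...`) was already missing its final character. The new side of the httpd page below shows the same last-character loss repeatedly (`httpd cgi suppor`, `start up a servic`, `send mai`, `check spa`, `connect to zabbi`, `ldap por`, `mod_auth_ntlm_winbin`, `graceful shutdow`), so this looks like the description being sliced one character too far wherever the pages are generated, not a per-page typo; it is worth correcting there before the next regeneration, since administrators copy these sentences into their change records. The NSSWITCH DOMAIN text added in the same hunk has the same symptom plus a word choice error: `rather then using a sssd serve` should read `rather than using an sssd server`.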
@@ -17749,7 +18479,7 @@ index 0000000..9072646 +.B restorecon -F -R -v /var/gpg +.pp +.TP -+Allow gpg servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_gpg_anon_write boolean to be set. ++Allow gpg servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_gpgd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/gpg/incoming(/.*)?" @@ -17801,7 +18531,7 @@ index 0000000..9072646 +.br +.TP 5 +Paths: -+/usr/bin/gpg(2)?, /usr/bin/kgpg, /usr/lib/gnupg/.* ++/usr/bin/gpgsm, /usr/bin/gpg(2)?, /usr/bin/kgpg, /usr/lib/gnupg/.* + +.EX +.PP @@ -17836,7 +18566,7 @@ index 0000000..9072646 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17886,23 +18616,19 @@ index 0000000..9072646 \ No newline at end of file diff --git a/man/man8/gpm_selinux.8 b/man/man8/gpm_selinux.8 new file mode 100644 -index 0000000..7c67dba +index 0000000..2aec05b --- /dev/null 
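Review bot: The SHARING FILES sentence in the `@@ -17749,7 +18479,7 @@` hunk now says the write access `requires the allow_gpgd_anon_write boolean`, a doubled `d` that the previous text (`allow_gpg_anon_write`) did not have, so the reader is pointed at a boolean name that is unlikely to exist. The httpd page receives the identical regression in the `@@ -19322,7 +20182,7 @@` hunk (`allow_httpdd_anon_write`), while the very next hunk of that page documents the real name as `.B setsebool -P httpd_anon_write 1`; that sentence should read `This also requires the httpd_anon_write boolean to be set.` Because both pages are generated, the doubled `d` is presumably produced by appending `d_anon_write` to a module name that already ends in `d` — confirm that in the generator rather than hand-editing the patch, or every regeneration will reintroduce it.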
+++ b/man/man8/gpm_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,109 @@ +.TH "gpm_selinux" "8" "gpm" "dwalsh@redhat.com" "gpm SELinux Policy documentation" +.SH "NAME" +gpm_selinux \- Security Enhanced Linux Policy for the gpm processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B gpm -+(General Purpose Mouse driver) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the gpm processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -17960,7 +18686,7 @@ index 0000000..7c67dba +/dev/gpmctl, /dev/gpmdata + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18005,23 +18731,33 @@ index 0000000..7c67dba +selinux(8), gpm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gpsd_selinux.8 b/man/man8/gpsd_selinux.8 new file mode 100644 -index 0000000..804e552 +index 0000000..766d1fa --- /dev/null 
+++ b/man/man8/gpsd_selinux.8 -@@ -0,0 +1,131 @@ +@@ -0,0 +1,141 @@ +.TH "gpsd_selinux" "8" "gpsd" "dwalsh@redhat.com" "gpsd SELinux Policy documentation" +.SH "NAME" +gpsd_selinux \- Security Enhanced Linux Policy for the gpsd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B gpsd -+(gpsd monitor daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the gpsd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gpsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gpsd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -18071,7 +18807,7 @@ index 0000000..804e552 +/var/run/gpsd\.sock, /var/run/gpsd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18098,7 +18834,7 @@ index 0000000..804e552 + + +Default Defined Ports: -+tcp 8021 ++tcp 2947 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -18142,17 +18878,33 @@ index 0000000..804e552 +selinux(8), gpsd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/greylist_selinux.8 b/man/man8/greylist_selinux.8 new file mode 100644 -index 0000000..893c92e +index 0000000..0401fa8 --- /dev/null 
+++ b/man/man8/greylist_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,99 @@ +.TH "greylist_selinux" "8" "greylist" "dwalsh@redhat.com" "greylist SELinux Policy documentation" +.SH "NAME" +greylist_selinux \- Security Enhanced Linux Policy for the greylist processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the greylist processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the greylist_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the greylist_milter_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -18186,7 +18938,7 @@ index 0000000..893c92e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18231,17 +18983,33 @@ index 0000000..893c92e +selinux(8), greylist(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/groupadd_selinux.8 b/man/man8/groupadd_selinux.8 new file mode 100644 -index 0000000..7774b5f +index 0000000..ca51fb6 --- /dev/null 
+++ b/man/man8/groupadd_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,91 @@ +.TH "groupadd_selinux" "8" "groupadd" "dwalsh@redhat.com" "groupadd SELinux Policy documentation" +.SH "NAME" +groupadd_selinux \- Security Enhanced Linux Policy for the groupadd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the groupadd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the groupadd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -18267,7 +19035,7 @@ index 0000000..7774b5f +/usr/sbin/gpasswd, /usr/bin/gpasswd, /usr/sbin/groupdel, /usr/sbin/groupadd, /usr/sbin/groupmod + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18312,17 +19080,33 @@ index 0000000..7774b5f +selinux(8), groupadd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/groupd_selinux.8 b/man/man8/groupd_selinux.8 new file mode 100644 -index 0000000..7285b15 +index 0000000..6c0c46a --- /dev/null 
+++ b/man/man8/groupd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,111 @@ +.TH "groupd_selinux" "8" "groupd" "dwalsh@redhat.com" "groupd SELinux Policy documentation" +.SH "NAME" +groupd_selinux \- Security Enhanced Linux Policy for the groupd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the groupd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the groupadd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -18368,7 +19152,7 @@ index 0000000..7285b15 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18413,27 +19197,43 @@ index 0000000..7285b15 +selinux(8), groupd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gssd_selinux.8 b/man/man8/gssd_selinux.8 new file mode 100644 -index 0000000..2e36991 +index 0000000..1188efb --- /dev/null 
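Review bot: The NSSWITCH DOMAIN section added to groupd_selinux.8 in the `@@ -18312,17 +19080,33 @@` hunk (which starts on the previous line) tells the reader to set `authlogin_nsswitch_use_ldap` and `kerberos_enabled` `for the groupadd_t`, but groupadd_t is the domain documented in groupadd_selinux.8 immediately above, not a domain of the groupd module. As written, an administrator reading the groupd page is told which domains the booleans affect and gets the wrong answer, so the guidance should name the domains actually defined for groupd (the page's PROCESS TYPES section is outside the visible region, so I cannot quote them here). It looks like the generator picked up a neighbouring module's domain list when building this section — worth checking how the domain list is selected before regenerating.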
+++ b/man/man8/gssd_selinux.8 -@@ -0,0 +1,106 @@ +@@ -0,0 +1,122 @@ +.TH "gssd_selinux" "8" "gssd" "dwalsh@redhat.com" "gssd SELinux Policy documentation" +.SH "NAME" +gssd_selinux \- Security Enhanced Linux Policy for the gssd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the gssd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. gssd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gssd with the tightest access possible. + + +.PP -+If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the allow_gssd_read_tmp boolean. ++If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean. ++ ++.EX ++.B setsebool -P gssd_read_tmp 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gssd_t, you must turn on the kerberos_enabled boolean. + +.EX -+.B setsebool -P allow_gssd_read_tmp 1 ++setsebool -P kerberos_enabled 1 +.EE + +.SH FILE CONTEXTS @@ -18476,7 +19276,7 @@ index 0000000..2e36991 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18720,23 +19520,19 @@ index 0000000..faeeaf7 +selinux(8), semanage(8). 
diff --git a/man/man8/hddtemp_selinux.8 b/man/man8/hddtemp_selinux.8 new file mode 100644 -index 0000000..132cb89 +index 0000000..feb44f3 --- /dev/null +++ b/man/man8/hddtemp_selinux.8 -@@ -0,0 +1,119 @@ +@@ -0,0 +1,115 @@ +.TH "hddtemp_selinux" "8" "hddtemp" "dwalsh@redhat.com" "hddtemp SELinux Policy documentation" +.SH "NAME" +hddtemp_selinux \- Security Enhanced Linux Policy for the hddtemp processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B hddtemp -+(hddtemp hard disk temperature tool running as a daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the hddtemp processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -18774,7 +19570,7 @@ index 0000000..132cb89 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18801,7 +19597,7 @@ index 0000000..132cb89 + + +Default Defined Ports: -+tcp 8021 ++tcp 7634 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -18845,23 +19641,19 @@ index 0000000..132cb89 +selinux(8), hddtemp(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/hostname_selinux.8 b/man/man8/hostname_selinux.8 new file mode 100644 -index 0000000..519b849 +index 0000000..2aa7e5a --- /dev/null 
+++ b/man/man8/hostname_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,77 @@ +.TH "hostname_selinux" "8" "hostname" "dwalsh@redhat.com" "hostname SELinux Policy documentation" +.SH "NAME" +hostname_selinux \- Security Enhanced Linux Policy for the hostname processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B hostname -+(Policy for changing the system host name) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the hostname processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -18887,7 +19679,7 @@ index 0000000..519b849 +/bin/hostname, /usr/bin/hostname + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18932,17 +19724,19 @@ index 0000000..519b849 +selinux(8), hostname(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/hplip_selinux.8 b/man/man8/hplip_selinux.8 new file mode 100644 -index 0000000..05353ce +index 0000000..2f01849 --- /dev/null +++ b/man/man8/hplip_selinux.8 -@@ -0,0 +1,137 @@ +@@ -0,0 +1,139 @@ +.TH "hplip_selinux" "8" "hplip" "dwalsh@redhat.com" "hplip SELinux Policy documentation" +.SH "NAME" +hplip_selinux \- Security Enhanced Linux Policy for the hplip processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the hplip processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -19004,7 +19798,7 @@ index 0000000..05353ce +/var/run/hp.*\.pid, /var/run/hp.*\.port + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -19031,7 +19825,7 @@ index 0000000..05353ce + + +Default Defined Ports: -+tcp 8021 ++tcp 1782,2207,2208,8290,50000,50002,8292,9100,9101,9102,9220,9221,9222,9280,9281,9282,9290,9291 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -19074,10 +19868,10 @@ index 0000000..05353ce +.SH "SEE ALSO" +selinux(8), hplip(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 -index 16e8b13..335b09f 100644 +index 16e8b13..4a9dd69 100644 --- a/man/man8/httpd_selinux.8 +++ b/man/man8/httpd_selinux.8 -@@ -1,120 +1,1514 @@ +@@ -1,120 +1,1581 @@ -.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation" -.de EX -.nf 
@@ -19094,15 +19888,14 @@ index 16e8b13..335b09f 100644 .SH "DESCRIPTION" -Security-Enhanced Linux secures the httpd server via flexible mandatory access -+ -+SELinux Linux secures -+.B httpd -+(Apache web server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the httpd processes via flexible mandatory access control. -.SH FILE_CONTEXTS -+ -+ +-SELinux requires files to have an extended attribute to define the file type. +-Policy governs the access daemons have to these files. +-SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible. +-.PP +-The following file contexts types are defined for httpd: + +.SH BOOLEANS +SELinux policy is customizable based on least access required. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. @@ -19116,6 +19909,13 @@ index 16e8b13..335b09f 100644 +.EE + +.PP ++If you want to allow httpd to communicate with oddjob to start up a servic, you must turn on the httpd_use_oddjob boolean. ++ ++.EX ++.B setsebool -P httpd_use_oddjob 1 ++.EE ++ ++.PP +If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean. + +.EX @@ -19123,14 +19923,14 @@ index 16e8b13..335b09f 100644 +.EE + +.PP -+If you want to allow httpd to run gpg in gpg-web domai, you must turn on the httpd_use_gpg boolean. ++If you want to allow httpd to run gp, you must turn on the httpd_use_gpg boolean. + +.EX +.B setsebool -P httpd_use_gpg 1 +.EE + +.PP -+If you want to allow httpd to execute cgi script, you must turn on the httpd_enable_cgi boolean. ++If you want to allow httpd cgi suppor, you must turn on the httpd_enable_cgi boolean. + +.EX +.B setsebool -P httpd_enable_cgi 1 
@@ -19144,10 +19944,17 @@ index 16e8b13..335b09f 100644 +.EE + +.PP -+If you want to allow Apache to use mod_auth_pa, you must turn on the allow_httpd_mod_auth_pam boolean. ++If you want to allow httpd processes to manage IPA conten, you must turn on the httpd_manage_ipa boolean. + +.EX -+.B setsebool -P allow_httpd_mod_auth_pam 1 ++.B setsebool -P httpd_manage_ipa 1 ++.EE ++ ++.PP ++If you want to allow Apache to run in stickshift mode, not transition to passenge, you must turn on the httpd_run_stickshift boolean. ++ ++.EX ++.B setsebool -P httpd_run_stickshift 1 +.EE + +.PP @@ -19172,7 +19979,14 @@ index 16e8b13..335b09f 100644 +.EE + +.PP -+If you want to allow HTTPD scripts and modules to connect to the network using any TCP port, you must turn on the httpd_can_network_connect boolean. ++If you want to allow Apache to use mod_auth_pa, you must turn on the httpd_mod_auth_pam boolean. ++ ++.EX ++.B setsebool -P httpd_mod_auth_pam 1 ++.EE ++ ++.PP ++If you want to allow HTTPD scripts and modules to connect to the network using TCP, you must turn on the httpd_can_network_connect boolean. + +.EX +.B setsebool -P httpd_can_network_connect 1 @@ -19186,17 +20000,17 @@ index 16e8b13..335b09f 100644 +.EE + +.PP -+If you want to allow httpd to connect to the ldap por, you must turn on the httpd_can_connect_ldap boolean. ++If you want to allow httpd to access cifs file system, you must turn on the httpd_use_fusefs boolean. + +.EX -+.B setsebool -P httpd_can_connect_ldap 1 ++.B setsebool -P httpd_use_fusefs 1 +.EE + +.PP -+If you want to allow Apache to use mod_auth_ntlm_winbin, you must turn on the allow_httpd_mod_auth_ntlm_winbind boolean. ++If you want to allow Apache to use mod_auth_ntlm_winbin, you must turn on the httpd_mod_auth_ntlm_winbind boolean. + +.EX -+.B setsebool -P allow_httpd_mod_auth_ntlm_winbind 1 ++.B setsebool -P httpd_mod_auth_ntlm_winbind 1 +.EE + +.PP 
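Review bot: In the `@@ -19186,17 +20000,17 @@` hunk the new description `If you want to allow httpd to access cifs file system, you must turn on the httpd_use_fusefs boolean.` pairs a CIFS description with the FUSE boolean, so an administrator following it would widen httpd's access to FUSE-mounted filesystems while gaining nothing for CIFS. The sentence should describe what the boolean actually enables, e.g. `If you want to allow httpd to access FUSE file systems, you must turn on the httpd_use_fusefs boolean.` Since this text is generated, the mismatch is presumably in the description paired with the boolean at the source, and the other `httpd_use_*` entries in this page deserve the same check before regenerating.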
@@ -19207,6 +20021,13 @@ index 16e8b13..335b09f 100644 +.EE + +.PP ++If you want to allow HTTPD to connect to port 80 for graceful shutdow, you must turn on the httpd_graceful_shutdown boolean. ++ ++.EX ++.B setsebool -P httpd_graceful_shutdown 1 ++.EE ++ ++.PP +If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral port, you must turn on the httpd_can_connect_ftp boolean. + +.EX @@ -19235,13 +20056,6 @@ index 16e8b13..335b09f 100644 +.EE + +.PP -+If you want to allow httpd processes to manage IPA conten, you must turn on the httpd_manage_ipa boolean. -+ -+.EX -+.B setsebool -P httpd_manage_ipa 1 -+.EE -+ -+.PP +If you want to allow http daemon to send mai, you must turn on the httpd_can_sendmail boolean. + +.EX @@ -19256,6 +20070,16 @@ index 16e8b13..335b09f 100644 +.EE + +.PP ++If you want to allow httpd to connect to the ldap por, you must turn on the httpd_can_connect_ldap boolean. ++ + .EX +-httpd_sys_content_t +-.EE +-- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access. ++.B setsebool -P httpd_can_connect_ldap 1 ++.EE ++ ++.PP +If you want to allow http daemon to check spa, you must turn on the httpd_can_check_spam boolean. + +.EX 
@@ -19291,27 +20115,63 @@ index 16e8b13..335b09f 100644 +.EE + +.PP -+If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean. ++If you want to allow httpd to access openstack port, you must turn on the httpd_use_openstack boolean. + +.EX ++.B setsebool -P httpd_use_openstack 1 ++.EE ++ ++.PP ++If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean. ++ + .EX +-httpd_sys_script_exec_t +-.EE +-- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. +.B setsebool -P httpd_enable_ftp_server 1 +.EE + +.PP +If you want to allow http daemon to connect to zabbi, you must turn on the httpd_can_connect_zabbix boolean. + -+.EX + .EX +-httpd_sys_content_rw_t +.B setsebool -P httpd_can_connect_zabbix 1 -+.EE + .EE +-- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. + +.PP -+If you want to allow httpd daemon to change system limit, you must turn on the httpd_setrlimit boolean. ++If you want to allow httpd daemon to change its resource limit, you must turn on the httpd_setrlimit boolean. + -+.EX + .EX +-httpd_sys_content_ra_t +.B setsebool -P httpd_setrlimit 1 + .EE +-- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ + .EX +-httpd_unconfined_script_exec_t +-.EE +-- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+.SH SHARING FILES ++.PP ++If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the kerberos_enabled boolean. + +-.SH NOTE +-With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + + .SH SHARING FILES +-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. +.TP +Allow httpd servers to read the /var/httpd directory by adding the public_content_t file type to the directory and by restoring the file type. 
@@ -19322,7 +20182,7 @@ index 16e8b13..335b09f 100644 +.B restorecon -F -R -v /var/httpd +.pp +.TP -+Allow httpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpd_anon_write boolean to be set. ++Allow httpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpdd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?" 
@@ -19331,48 +20191,45 @@ index 16e8b13..335b09f 100644 + + +.PP -+If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the allow_httpd_sys_script_anon_write boolean. -+ -+.EX -+.B setsebool -P allow_httpd_sys_script_anon_write 1 -+.EE -+ ++If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the httpd_sys_script_anon_write boolean. + + .EX +-setsebool -P allow_httpd_anon_write=1 ++.B setsebool -P httpd_sys_script_anon_write 1 + .EE + +-or +.PP -+If you want to allow Apache to modify public files used for public file transfer services, directories/files must be labeled public_content_rw_t., you must turn on the allow_httpd_anon_write boolean. -+ -+.EX -+.B setsebool -P allow_httpd_anon_write 1 -+.EE -+ ++If you want to allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_content_rw_t., you must turn on the httpd_anon_write boolean. + + .EX +-setsebool -P allow_httpd_sys_script_anon_write=1 ++.B setsebool -P httpd_anon_write 1 + .EE + +-.SH BOOLEANS +-SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. +.SH FILE CONTEXTS - SELinux requires files to have an extended attribute to define the file type. --Policy governs the access daemons have to these files. --SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible. ++SELinux requires files to have an extended attribute to define the file type. +.PP +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP +Policy governs the access confined processes have to these files. 
+SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible. - .PP --The following file contexts types are defined for httpd: ++.PP +The following file types are defined for httpd: + + - .EX --httpd_sys_content_t --.EE --- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access. -+.PP ++.EX + .PP +-httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this +.B httpd_apcupsd_cgi_content_t +.EE + +- Set files with the httpd_apcupsd_cgi_content_t type, if you want to treat the files as httpd apcupsd cgi content. + + - .EX --httpd_sys_script_exec_t --.EE --- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. ++.EX +.PP +.B httpd_apcupsd_cgi_htaccess_t +.EE 
@@ -19380,77 +20237,67 @@ index 16e8b13..335b09f 100644 +- Set files with the httpd_apcupsd_cgi_htaccess_t type, if you want to treat the file as a httpd apcupsd cgi access file. + + - .EX --httpd_sys_content_rw_t ++.EX +.PP +.B httpd_apcupsd_cgi_ra_content_t - .EE --- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. -+ -+- Set files with the httpd_apcupsd_cgi_ra_content_t type, if you want to treat the files as httpd apcupsd cgi read/append content. ++.EE + ++- Set files with the httpd_apcupsd_cgi_ra_content_t type, if you want to treat the files as httpd apcupsd cgi read/append content. + + .EX --httpd_sys_content_ra_t +-setsebool -P httpd_enable_cgi 1 +.PP +.B httpd_apcupsd_cgi_rw_content_t .EE --- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access. -+ + +- Set files with the httpd_apcupsd_cgi_rw_content_t type, if you want to treat the files as httpd apcupsd cgi read/write content. + + - .EX --httpd_unconfined_script_exec_t --.EE --- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. -+.PP ++.EX + .PP +-SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. +.B httpd_apcupsd_cgi_script_exec_t +.EE - --.SH NOTE --With certain policies you can define additional file contexts based on roles like user or staff. 
httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. ++ +- Set files with the httpd_apcupsd_cgi_script_exec_t type, if you want to transition an executable to the httpd_apcupsd_cgi_script_t domain. - --.SH SHARING FILES --If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: ++ +.br +.TP 5 +Paths: -+/var/www/apcupsd/upsfstats\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/apcupsd/multimon\.cgi, /var/www/cgi-bin/apcgui(/.*)? ++/var/www/apcupsd/upsfstats\.cgi, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/cgi-bin/apcgui(/.*)? .EX --setsebool -P allow_httpd_anon_write=1 +-setsebool -P httpd_enable_homedirs 1 +-chcon -R -t httpd_sys_content_t ~user/public_html +.PP +.B httpd_awstats_content_t .EE --or +- Set files with the httpd_awstats_content_t type, if you want to treat the files as httpd awstats content. + - - .EX --setsebool -P allow_httpd_sys_script_anon_write=1 -+.PP ++ ++.EX + .PP +-SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. +.B httpd_awstats_htaccess_t - .EE - --.SH BOOLEANS --SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. 
httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. -+- Set files with the httpd_awstats_htaccess_t type, if you want to treat the file as a httpd awstats access file. ++.EE + ++- Set files with the httpd_awstats_htaccess_t type, if you want to treat the file as a httpd awstats access file. + -+.EX + + .EX +-setsebool -P httpd_tty_comm 1 +.PP +.B httpd_awstats_ra_content_t -+.EE -+ -+- Set files with the httpd_awstats_ra_content_t type, if you want to treat the files as httpd awstats read/append content. + .EE + ++- Set files with the httpd_awstats_ra_content_t type, if you want to treat the files as httpd awstats read/append content. + + +.EX .PP --httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this +-httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another. +.B httpd_awstats_rw_content_t +.EE + @@ -19458,7 +20305,7 @@ index 16e8b13..335b09f 100644 + .EX --setsebool -P httpd_enable_cgi 1 +-setsebool -P httpd_unified 0 +.PP +.B httpd_awstats_script_exec_t .EE @@ -19468,7 +20315,7 @@ index 16e8b13..335b09f 100644 + +.EX .PP --SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. +-SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. +.B httpd_bugzilla_content_t +.EE + 
@@ -19476,54 +20323,60 @@ index 16e8b13..335b09f 100644 + .EX --setsebool -P httpd_enable_homedirs 1 --chcon -R -t httpd_sys_content_t ~user/public_html -+.PP -+.B httpd_bugzilla_htaccess_t - .EE - -+- Set files with the httpd_bugzilla_htaccess_t type, if you want to treat the file as a httpd bugzilla access file. -+ -+ -+.EX +-setsebool -P httpd_can_sendmail 1 .PP --SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. -+.B httpd_bugzilla_ra_content_t +-httpd can be configured to turn off internal scripting (PHP). PHP and other +-loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts. ++.B httpd_bugzilla_htaccess_t +.EE + -+- Set files with the httpd_bugzilla_ra_content_t type, if you want to treat the files as httpd bugzilla read/append content. ++- Set files with the httpd_bugzilla_htaccess_t type, if you want to treat the file as a httpd bugzilla access file. + .EX --setsebool -P httpd_tty_comm 1 +-setsebool -P httpd_builtin_scripting 0 +.PP -+.B httpd_bugzilla_rw_content_t ++.B httpd_bugzilla_ra_content_t .EE -+- Set files with the httpd_bugzilla_rw_content_t type, if you want to treat the files as httpd bugzilla read/write content. ++- Set files with the httpd_bugzilla_ra_content_t type, if you want to treat the files as httpd bugzilla read/append content. + + +.EX .PP --httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. 
Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another. -+.B httpd_bugzilla_script_exec_t +-SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. +-This would prevent a hacker from breaking into you httpd server and attacking +-other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. ++.B httpd_bugzilla_rw_content_t +.EE + -+- Set files with the httpd_bugzilla_script_exec_t type, if you want to transition an executable to the httpd_bugzilla_script_t domain. ++- Set files with the httpd_bugzilla_rw_content_t type, if you want to treat the files as httpd bugzilla read/write content. + .EX --setsebool -P httpd_unified 0 +-setsebool -P httpd_can_network_connect 1 +.PP -+.B httpd_bugzilla_tmp_t ++.B httpd_bugzilla_script_exec_t .EE -+- Set files with the httpd_bugzilla_tmp_t type, if you want to store httpd bugzilla temporary files in the /tmp directories. ++- Set files with the httpd_bugzilla_script_exec_t type, if you want to transition an executable to the httpd_bugzilla_script_t domain. + + +.EX .PP --SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. +-system-config-selinux is a GUI tool available to customize SELinux policy settings. +-.SH AUTHOR +-This manual page was written by Dan Walsh . ++.B httpd_bugzilla_tmp_t ++.EE + +-.SH "SEE ALSO" +-selinux(8), httpd(8), chcon(1), setsebool(8) ++- Set files with the httpd_bugzilla_tmp_t type, if you want to store httpd bugzilla temporary files in the /tmp directories. + + ++.EX ++.PP +.B httpd_cache_t +.EE + 
@@ -19532,61 +20385,48 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/var/cache/php-.*, /var/cache/mediawiki(/.*)?, /var/cache/lighttpd(/.*)?, /var/cache/php-mmcache(/.*)?, /var/cache/mod_gnutls(/.*)?, /var/cache/mod_ssl(/.*)?, /var/cache/jetty(/.*)?, /var/cache/mod_.*, /var/cache/ssl.*\.sem, /var/cache/httpd(/.*)?, /var/cache/rt3(/.*)?, /var/cache/php-eaccelerator(/.*)?, /var/cache/mason(/.*)?, /var/cache/mod_proxy(/.*)? - - .EX --setsebool -P httpd_can_sendmail 1 - .PP --httpd can be configured to turn off internal scripting (PHP). PHP and other --loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts. ++/var/cache/php-.*, /var/cache/mediawiki(/.*)?, /var/cache/lighttpd(/.*)?, /var/cache/php-mmcache(/.*)?, /var/cache/mod_gnutls(/.*)?, /var/cache/mod_ssl(/.*)?, /var/cache/mod_.*, /var/cache/ssl.*\.sem, /var/cache/httpd(/.*)?, /var/cache/rt3(/.*)?, /var/cache/php-eaccelerator(/.*)?, /var/cache/mason(/.*)?, /var/cache/mod_proxy(/.*)? ++ ++.EX ++.PP +.B httpd_cobbler_content_t +.EE + +- Set files with the httpd_cobbler_content_t type, if you want to treat the files as httpd cobbler content. + - - .EX --setsebool -P httpd_builtin_scripting 0 ++ ++.EX +.PP +.B httpd_cobbler_htaccess_t - .EE - ++.EE ++ +- Set files with the httpd_cobbler_htaccess_t type, if you want to treat the file as a httpd cobbler access file. + + +.EX - .PP --SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. --This would prevent a hacker from breaking into you httpd server and attacking --other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. ++.PP +.B httpd_cobbler_ra_content_t +.EE + -+- Set files with the httpd_cobbler_ra_content_t type, if you want to treat the files as httpd cobbler read/append content. 
++- Set files with the httpd_cobbler_ra_content_t type, if you want to treat the files as httpd cobbler read/append content. + - - .EX --setsebool -P httpd_can_network_connect 1 ++ ++.EX +.PP +.B httpd_cobbler_rw_content_t - .EE - ++.EE ++ +- Set files with the httpd_cobbler_rw_content_t type, if you want to treat the files as httpd cobbler read/write content. + + +.EX - .PP --system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR --This manual page was written by Dan Walsh . ++.PP +.B httpd_cobbler_script_exec_t +.EE - --.SH "SEE ALSO" --selinux(8), httpd(8), chcon(1), setsebool(8) ++ +- Set files with the httpd_cobbler_script_exec_t type, if you want to transition an executable to the httpd_cobbler_script_t domain. - - ++ ++ +.EX +.PP +.B httpd_collectd_content_t @@ -19608,7 +20448,7 @@ index 16e8b13..335b09f 100644 +.B httpd_collectd_ra_content_t +.EE + -+- Set files with the httpd_collectd_ra_content_t type, if you want to treat the files as httpd collectd read/append content. ++- Set files with the httpd_collectd_ra_content_t type, if you want to treat the files as httpd collectd read/append content. + + +.EX @@ -19637,7 +20477,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/etc/vhosts, /etc/httpd(/.*)?, /etc/apache(2)?(/.*)?, /etc/apache-ssl(2)?(/.*)?, /etc/lighttpd(/.*)?, /var/lib/stickshift/.httpd.d(/.*)?, /etc/cherokee(/.*)? ++/etc/vhosts, /etc/httpd(/.*)?, /etc/apache(2)?(/.*)?, /etc/apache-ssl(2)?(/.*)?, /etc/lighttpd(/.*)?, /etc/cherokee(/.*)? + +.EX +.PP @@ -19660,7 +20500,7 @@ index 16e8b13..335b09f 100644 +.B httpd_cvs_ra_content_t +.EE + -+- Set files with the httpd_cvs_ra_content_t type, if you want to treat the files as httpd cvs read/append content. ++- Set files with the httpd_cvs_ra_content_t type, if you want to treat the files as httpd cvs read/append content. + + +.EX 
@@ -19704,7 +20544,7 @@ index 16e8b13..335b09f 100644 +.B httpd_dirsrvadmin_ra_content_t +.EE + -+- Set files with the httpd_dirsrvadmin_ra_content_t type, if you want to treat the files as httpd dirsrvadmin read/append content. ++- Set files with the httpd_dirsrvadmin_ra_content_t type, if you want to treat the files as httpd dirsrvadmin read/append content. + + +.EX @@ -19748,7 +20588,7 @@ index 16e8b13..335b09f 100644 +.B httpd_dspam_ra_content_t +.EE + -+- Set files with the httpd_dspam_ra_content_t type, if you want to treat the files as httpd dspam read/append content. ++- Set files with the httpd_dspam_ra_content_t type, if you want to treat the files as httpd dspam read/append content. + + +.EX @@ -19777,7 +20617,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/usr/sbin/apache(2)?, /usr/bin/mongrel_rails, /usr/lib/apache-ssl/.+, /usr/sbin/httpd\.event, /usr/sbin/httpd(\.worker)?, /usr/sbin/cherokee, /usr/sbin/apache-ssl(2)?, /usr/sbin/lighttpd ++/usr/sbin/apache(2)?, /usr/share/jetty/bin/jetty.sh, /usr/bin/mongrel_rails, /usr/lib/apache-ssl/.+, /usr/sbin/httpd\.event, /usr/sbin/httpd(\.worker)?, /usr/sbin/cherokee, /usr/sbin/apache-ssl(2)?, /usr/sbin/lighttpd + +.EX +.PP @@ -19800,7 +20640,7 @@ index 16e8b13..335b09f 100644 +.B httpd_git_ra_content_t +.EE + -+- Set files with the httpd_git_ra_content_t type, if you want to treat the files as httpd git read/append content. ++- Set files with the httpd_git_ra_content_t type, if you want to treat the files as httpd git read/append content. + + +.EX @@ -19825,7 +20665,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/var/www/gitweb-caching/gitweb\.cgi, /var/www/cgi-bin/cgit, /var/www/git/gitweb\.cgi ++/var/www/git/gitweb\.cgi, /var/www/cgi-bin/cgit, /var/www/gitweb-caching/gitweb\.cgi + +.EX +.PP 
@@ -19857,63 +20697,75 @@ index 16e8b13..335b09f 100644 + +.EX +.PP -+.B httpd_libra_content_t ++.B httpd_lock_t +.EE + -+- Set files with the httpd_libra_content_t type, if you want to treat the files as httpd libra content. ++- Set files with the httpd_lock_t type, if you want to treat the files as httpd lock data, stored under the /var/lock directory + + +.EX +.PP -+.B httpd_libra_htaccess_t ++.B httpd_log_t +.EE + -+- Set files with the httpd_libra_htaccess_t type, if you want to treat the file as a httpd libra access file. ++- Set files with the httpd_log_t type, if you want to treat the data as httpd log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/apache-ssl(2)?(/.*)?, /var/log/httpd(/.*)?, /var/log/apache(2)?(/.*)?, /var/log/cherokee(/.*)?, /var/log/roundcubemail(/.*)?, /var/log/cgiwrap\.log.*, /var/log/lighttpd(/.*)?, /var/www(/.*)?/logs(/.*)?, /var/log/suphp\.log, /var/log/cacti(/.*)?, /var/log/dirsrv/admin-serv(/.*)?, /etc/httpd/logs + +.EX +.PP -+.B httpd_libra_ra_content_t ++.B httpd_man2html_content_t +.EE + -+- Set files with the httpd_libra_ra_content_t type, if you want to treat the files as httpd libra read/append content. ++- Set files with the httpd_man2html_content_t type, if you want to treat the files as httpd man2html content. + + +.EX +.PP -+.B httpd_libra_rw_content_t ++.B httpd_man2html_htaccess_t +.EE + -+- Set files with the httpd_libra_rw_content_t type, if you want to treat the files as httpd libra read/write content. ++- Set files with the httpd_man2html_htaccess_t type, if you want to treat the file as a httpd man2html access file. + + +.EX +.PP -+.B httpd_libra_script_exec_t ++.B httpd_man2html_ra_content_t +.EE + -+- Set files with the httpd_libra_script_exec_t type, if you want to transition an executable to the httpd_libra_script_t domain. ++- Set files with the httpd_man2html_ra_content_t type, if you want to treat the files as httpd man2html read/append content. 
+ + +.EX +.PP -+.B httpd_lock_t ++.B httpd_man2html_rw_content_t +.EE + -+- Set files with the httpd_lock_t type, if you want to treat the files as httpd lock data, stored under the /var/lock directory ++- Set files with the httpd_man2html_rw_content_t type, if you want to treat the files as httpd man2html read/write content. + + +.EX +.PP -+.B httpd_log_t ++.B httpd_man2html_script_cache_t +.EE + -+- Set files with the httpd_log_t type, if you want to treat the data as httpd log data, usually stored under the /var/log directory. ++- Set files with the httpd_man2html_script_cache_t type, if you want to store the files under the /var/cache directory. ++ ++ ++.EX ++.PP ++.B httpd_man2html_script_exec_t ++.EE ++ ++- Set files with the httpd_man2html_script_exec_t type, if you want to transition an executable to the httpd_man2html_script_t domain. + +.br +.TP 5 +Paths: -+/var/log/apache-ssl(2)?(/.*)?, /var/log/httpd(/.*)?, /var/log/apache(2)?(/.*)?, /var/log/cherokee(/.*)?, /var/log/roundcubemail(/.*)?, /var/log/cgiwrap\.log.*, /var/log/lighttpd(/.*)?, /var/log/suphp\.log, /var/log/cacti(/.*)?, /var/log/dirsrv/admin-serv(/.*)?, /etc/httpd/logs, /var/log/jetty(/.*)? ++/usr/lib/man2html/cgi-bin/man/manwhatis, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/mansec + +.EX +.PP @@ -19940,7 +20792,7 @@ index 16e8b13..335b09f 100644 +.B httpd_mediawiki_ra_content_t +.EE + -+- Set files with the httpd_mediawiki_ra_content_t type, if you want to treat the files as httpd mediawiki read/append content. ++- Set files with the httpd_mediawiki_ra_content_t type, if you want to treat the files as httpd mediawiki read/append content. + + +.EX @@ -19961,7 +20813,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tes ++/usr/lib/mediawiki/math/texvc, /usr/lib/mediawiki/math/texvc_tex, /usr/lib/mediawiki/math/texvc_tes + +.EX +.PP 
@@ -19996,7 +20848,7 @@ index 16e8b13..335b09f 100644 +.B httpd_mojomojo_ra_content_t +.EE + -+- Set files with the httpd_mojomojo_ra_content_t type, if you want to treat the files as httpd mojomojo read/append content. ++- Set files with the httpd_mojomojo_ra_content_t type, if you want to treat the files as httpd mojomojo read/append content. + + +.EX @@ -20044,7 +20896,7 @@ index 16e8b13..335b09f 100644 +.B httpd_munin_ra_content_t +.EE + -+- Set files with the httpd_munin_ra_content_t type, if you want to treat the files as httpd munin read/append content. ++- Set files with the httpd_munin_ra_content_t type, if you want to treat the files as httpd munin read/append content. + + +.EX @@ -20084,7 +20936,7 @@ index 16e8b13..335b09f 100644 +.B httpd_nagios_ra_content_t +.EE + -+- Set files with the httpd_nagios_ra_content_t type, if you want to treat the files as httpd nagios read/append content. ++- Set files with the httpd_nagios_ra_content_t type, if you want to treat the files as httpd nagios read/append content. + + +.EX @@ -20128,7 +20980,7 @@ index 16e8b13..335b09f 100644 +.B httpd_nutups_cgi_ra_content_t +.EE + -+- Set files with the httpd_nutups_cgi_ra_content_t type, if you want to treat the files as httpd nutups cgi read/append content. ++- Set files with the httpd_nutups_cgi_ra_content_t type, if you want to treat the files as httpd nutups cgi read/append content. + + +.EX @@ -20196,7 +21048,7 @@ index 16e8b13..335b09f 100644 +.B httpd_prewikka_ra_content_t +.EE + -+- Set files with the httpd_prewikka_ra_content_t type, if you want to treat the files as httpd prewikka read/append content. ++- Set files with the httpd_prewikka_ra_content_t type, if you want to treat the files as httpd prewikka read/append content. + + +.EX 
@@ -20244,7 +21096,7 @@ index 16e8b13..335b09f 100644 +.B httpd_smokeping_cgi_ra_content_t +.EE + -+- Set files with the httpd_smokeping_cgi_ra_content_t type, if you want to treat the files as httpd smokeping cgi read/append content. ++- Set files with the httpd_smokeping_cgi_ra_content_t type, if you want to treat the files as httpd smokeping cgi read/append content. + + +.EX @@ -20284,7 +21136,7 @@ index 16e8b13..335b09f 100644 +.B httpd_squid_ra_content_t +.EE + -+- Set files with the httpd_squid_ra_content_t type, if you want to treat the files as httpd squid read/append content. ++- Set files with the httpd_squid_ra_content_t type, if you want to treat the files as httpd squid read/append content. + + +.EX @@ -20341,7 +21193,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/usr/share/icecast(/.*)?, /usr/share/htdig(/.*)?, /etc/htdig(/.*)?, /var/www/svn/conf(/.*)?, /usr/share/doc/ghc/html(/.*)?, /usr/share/mythtv/data(/.*)?, /var/lib/htdig(/.*)?, /srv/gallery2(/.*)?, /srv/([^/]*/)?www(/.*)?, /usr/share/ntop/html(/.*)?, /usr/share/mythweb(/.*)?, /var/lib/cacti/rra(/.*)?, /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-policy[^/]*/html(/.*)?, /usr/share/drupal.*, /var/lib/trac(/.*)?, /var/www(/.*)?, /var/www/icons(/.*)? ++/usr/share/icecast(/.*)?, /usr/share/htdig(/.*)?, /etc/htdig(/.*)?, /var/www/svn/conf(/.*)?, /usr/share/doc/ghc/html(/.*)?, /usr/share/mythtv/data(/.*)?, /var/lib/htdig(/.*)?, /srv/gallery2(/.*)?, /srv/([^/]*/)?www(/.*)?, /usr/share/ntop/html(/.*)?, /usr/share/mythweb(/.*)?, /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-policy[^/]*/html(/.*)?, /usr/share/drupal.*, /var/lib/cacti/rra(/.*)?, /var/lib/trac(/.*)?, /var/www(/.*)?, /var/www/icons(/.*)? + +.EX +.PP 
@@ -20356,7 +21208,7 @@ index 16e8b13..335b09f 100644 +.B httpd_sys_ra_content_t +.EE + -+- Set files with the httpd_sys_ra_content_t type, if you want to treat the files as httpd sys read/append content. ++- Set files with the httpd_sys_ra_content_t type, if you want to treat the files as httpd sys read/append content. + + +.EX @@ -20369,7 +21221,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/var/spool/viewvc(/.*)?, /etc/WebCalendar(/.*)?, /etc/mock/koji(/.*)?, /var/lib/svn(/.*)?, /var/spool/gosa(/.*)?, /etc/zabbix/web(/.*)?, /var/lib/pootle/po(/.*)?, /etc/drupal.*, /var/www/gallery/albums(/.*)?, /usr/share/wordpress/wp-content/uploads(/.*)?, /var/www/html/configuration\.php, /usr/share/wordpress/wp-content/upgrade(/.*)?, /var/lib/drupal.*, /usr/share/wordpress-mu/wp-content(/.*)?, /var/lib/dokuwiki(/.*)?, /var/www/moodledata(/.*)?, /var/www/svn(/.*)?, /var/www/html/wp-content(/.*)? ++/var/www/html/[^/]*/sites/default/settings\.php, /var/spool/viewvc(/.*)?, /etc/WebCalendar(/.*)?, /etc/mock/koji(/.*)?, /var/lib/svn(/.*)?, /var/spool/gosa(/.*)?, /etc/zabbix/web(/.*)?, /var/lib/pootle/po(/.*)?, /etc/drupal.*, /var/www/gallery/albums(/.*)?, /usr/share/wordpress/wp-content/uploads(/.*)?, /var/www/html/configuration\.php, /usr/share/wordpress/wp-content/upgrade(/.*)?, /var/lib/drupal.*, /usr/share/wordpress-mu/wp-content(/.*)?, /var/lib/dokuwiki(/.*)?, /var/www/moodledata(/.*)?, /var/www/html/[^/]*/sites/default/files(/.*)?, /var/www/svn(/.*)?, /var/www/html/wp-content(/.*)? + +.EX +.PP 
@@ -20381,7 +21233,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/var/www/svn/hooks(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress/.*\.php, /usr/lib/cgi-bin(/.*)?, /var/www/perl(/.*)?, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/wordpress-mu/wp-config\.php, /var/www/html/[^/]*/cgi-bin(/.*)?, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)? ++/var/www/svn/hooks(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress/.*\.php, /usr/lib/cgi-bin(/.*)?, /var/www/perl(/.*)?, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/wordpress-mu/wp-config\.php, /var/www/html/[^/]*/cgi-bin(/.*)?, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /usr/share/wordpress/wp-includes/.*\.php + +.EX +.PP @@ -20401,6 +21253,14 @@ index 16e8b13..335b09f 100644 + +.EX +.PP ++.B httpd_unconfined_script_exec_t ++.EE ++ ++- Set files with the httpd_unconfined_script_exec_t type, if you want to transition an executable to the httpd_unconfined_script_t domain. ++ ++ ++.EX ++.PP +.B httpd_unit_file_t +.EE + @@ -20409,7 +21269,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/usr/lib/systemd/system/httpd.?\.service, /lib/systemd/system/jetty.*\.service, /lib/systemd/system/httpd.*\.service ++/usr/lib/systemd/system/httpd.*, /usr/lib/systemd/system/jetty.* + +.EX +.PP @@ -20432,7 +21292,7 @@ index 16e8b13..335b09f 100644 +.B httpd_user_ra_content_t +.EE + -+- Set files with the httpd_user_ra_content_t type, if you want to treat the files as httpd user read/append content. ++- Set files with the httpd_user_ra_content_t type, if you want to treat the files as httpd user read/append content. + + +.EX @@ -20461,7 +21321,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/var/lib/rt3/data/RT-Shredder(/.*)?, /var/lib/jetty(/.*)?, /var/lib/httpd(/.*)?, /var/lib/cherokee(/.*)?, /var/lib/dav(/.*)? ++/var/lib/rt3/data/RT-Shredder(/.*)?, /var/lib/lighttpd(/.*)?, /var/lib/httpd(/.*)?, /var/lib/cherokee(/.*)?, /var/lib/dav(/.*)? + +.EX +.PP 
@@ -20473,7 +21333,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/var/run/mod_.*, /var/run/wsgi.*, /var/run/apache.*, /var/run/jetty(/.*)?, /var/run/gcache_port, /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?, /var/run/httpd.*, /var/run/dirsrv/admin-serv.*, /var/lib/php/session(/.*)?, /var/run/lighttpd(/.*)? ++/var/run/mod_.*, /var/run/wsgi.*, /var/run/apache.*, /var/run/cherokee\.pid, /var/run/gcache_port, /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?, /var/run/httpd.*, /var/run/dirsrv/admin-serv.*, /var/lib/php/session(/.*)?, /var/run/lighttpd(/.*)? + +.EX +.PP @@ -20496,7 +21356,7 @@ index 16e8b13..335b09f 100644 +.B httpd_w3c_validator_ra_content_t +.EE + -+- Set files with the httpd_w3c_validator_ra_content_t type, if you want to treat the files as httpd w3c validator read/append content. ++- Set files with the httpd_w3c_validator_ra_content_t type, if you want to treat the files as httpd w3c validator read/append content. + + +.EX @@ -20548,7 +21408,7 @@ index 16e8b13..335b09f 100644 +.B httpd_zoneminder_ra_content_t +.EE + -+- Set files with the httpd_zoneminder_ra_content_t type, if you want to treat the files as httpd zoneminder read/append content. ++- Set files with the httpd_zoneminder_ra_content_t type, if you want to treat the files as httpd zoneminder read/append content. + + +.EX @@ -20568,7 +21428,7 @@ index 16e8b13..335b09f 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -20595,7 +21455,9 @@ index 16e8b13..335b09f 100644 + + +Default Defined Ports: -+tcp 8021 ++tcp 8080,8118,10001-10010 ++.EE ++udp 3130 +.EE + +.EX 
@@ -20606,7 +21468,7 @@ index 16e8b13..335b09f 100644 + + +Default Defined Ports: -+tcp 8021 ++tcp 80,443,488,8008,8009,8443 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -20619,7 +21481,7 @@ index 16e8b13..335b09f 100644 +The following process types are defined for httpd: + +.EX -+.B httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_mojomojo_script_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_libra_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_zoneminder_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_t, httpd_passwd_t, httpd_helper_t, httpd_squid_script_t, httpd_cobbler_script_t, httpd_mediawiki_script_t ++.B httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_mojomojo_script_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_zoneminder_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_unconfined_script_t, httpd_t, httpd_man2html_script_t, httpd_passwd_t, httpd_helper_t, httpd_squid_script_t, httpd_cobbler_script_t, httpd_mediawiki_script_t +.EE +.PP +Note: @@ -20655,17 +21517,33 @@ index 16e8b13..335b09f 100644 \ No newline at end of file diff --git a/man/man8/hwclock_selinux.8 b/man/man8/hwclock_selinux.8 new file mode 100644 -index 0000000..1928dc4 +index 0000000..52d3a13 --- /dev/null 
+++ b/man/man8/hwclock_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,91 @@ +.TH "hwclock_selinux" "8" "hwclock" "dwalsh@redhat.com" "hwclock SELinux Policy documentation" +.SH "NAME" +hwclock_selinux \- Security Enhanced Linux Policy for the hwclock processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the hwclock processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the hwclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the hwclock_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -20691,7 +21569,7 @@ index 0000000..1928dc4 +/usr/sbin/hwclock, /sbin/hwclock + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -20736,17 +21614,19 @@ index 0000000..1928dc4 +selinux(8), hwclock(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/iceauth_selinux.8 b/man/man8/iceauth_selinux.8 new file mode 100644 -index 0000000..53e495f +index 0000000..0db3d9c --- /dev/null 
+++ b/man/man8/iceauth_selinux.8 -@@ -0,0 +1,87 @@ +@@ -0,0 +1,89 @@ +.TH "iceauth_selinux" "8" "iceauth" "dwalsh@redhat.com" "iceauth SELinux Policy documentation" +.SH "NAME" +iceauth_selinux \- Security Enhanced Linux Policy for the iceauth processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the iceauth processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -20784,7 +21664,7 @@ index 0000000..53e495f +/root/\.DCOP.*, /root/\.ICEauthority.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -20829,24 +21709,18 @@ index 0000000..53e495f +selinux(8), iceauth(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/icecast_selinux.8 b/man/man8/icecast_selinux.8 new file mode 100644 -index 0000000..ca10859 +index 0000000..1b6f2d7 --- /dev/null 
+++ b/man/man8/icecast_selinux.8 -@@ -0,0 +1,116 @@ +@@ -0,0 +1,126 @@ +.TH "icecast_selinux" "8" "icecast" "dwalsh@redhat.com" "icecast SELinux Policy documentation" +.SH "NAME" +icecast_selinux \- Security Enhanced Linux Policy for the icecast processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B icecast -+( ShoutCast compatible streaming media server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the icecast processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. icecast policy is extremely flexible and has several booleans that allow you to manipulate the policy and run icecast with the tightest access possible. + @@ -20858,6 +21732,22 @@ index 0000000..ca10859 +.B setsebool -P icecast_connect_any 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the icecast_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the icecast_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -20902,7 +21792,7 @@ index 0000000..ca10859 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -20952,17 +21842,33 @@ index 0000000..ca10859 \ No newline at end of file 
diff --git a/man/man8/ifconfig_selinux.8 b/man/man8/ifconfig_selinux.8 new file mode 100644 -index 0000000..b2444a2 +index 0000000..4ee5d9d --- /dev/null +++ b/man/man8/ifconfig_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,91 @@ +.TH "ifconfig_selinux" "8" "ifconfig" "dwalsh@redhat.com" "ifconfig SELinux Policy documentation" +.SH "NAME" +ifconfig_selinux \- Security Enhanced Linux Policy for the ifconfig processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ifconfig processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ifconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ifconfig_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -20985,10 +21891,10 @@ index 0000000..b2444a2 +.br +.TP 5 +Paths: -+/usr/sbin/ipx_internal_net, /sbin/ipx_configure, /sbin/tc, /usr/sbin/ipx_configure, /usr/sbin/iwconfig, /usr/sbin/ipx_interface, /usr/sbin/mii-tool, /usr/sbin/ethtool, /sbin/ipx_internal_net, /usr/sbin/ifconfig, /bin/ip, /usr/bin/ip, /usr/sbin/tc, /sbin/iwconfig, /sbin/ifconfig, /sbin/mii-tool, /sbin/ethtool, /usr/sbin/ip, /sbin/ipx_interface, /sbin/ip ++/usr/sbin/ipx_internal_net, /sbin/ipx_configure, /sbin/tc, /usr/sbin/ipx_configure, /usr/sbin/iwconfig, /usr/sbin/ipx_interface, /usr/sbin/mii-tool, /usr/sbin/ethtool, /usr/sbin/ifconfig, /sbin/ipx_interface, /bin/ip, /usr/bin/ip, /usr/sbin/tc, /sbin/iwconfig, /sbin/ifconfig, /sbin/mii-tool, /sbin/ethtool, /usr/sbin/ip, /sbin/ip, /sbin/ipx_internal_net + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21033,23 +21939,33 @@ index 0000000..b2444a2 +selinux(8), ifconfig(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/inetd_selinux.8 b/man/man8/inetd_selinux.8 new file mode 100644 -index 0000000..122a8f9 +index 0000000..9753d78 --- /dev/null 
+++ b/man/man8/inetd_selinux.8 -@@ -0,0 +1,159 @@ +@@ -0,0 +1,171 @@ +.TH "inetd_selinux" "8" "inetd" "dwalsh@redhat.com" "inetd SELinux Policy documentation" +.SH "NAME" +inetd_selinux \- Security Enhanced Linux Policy for the inetd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B inetd -+(Internet services daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the inetd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the inetd_t, inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the inetd_t, inetd_child_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -21127,7 +22043,7 @@ index 0000000..122a8f9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21154,7 +22070,9 @@ index 0000000..122a8f9 + + +Default Defined Ports: -+tcp 8021 ++tcp 1,9,13,19,512,543,544,891,892,2105,5666 ++.EE ++udp 1,9,13,19,891,892 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -21198,24 +22116,18 @@ index 0000000..122a8f9 +selinux(8), inetd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/init_selinux.8 b/man/man8/init_selinux.8 new file mode 100644 -index 0000000..ce0a398 +index 0000000..14f4f10 --- /dev/null +++ b/man/man8/init_selinux.8 -@@ -0,0 +1,167 @@ +@@ -0,0 +1,177 @@ +.TH "init_selinux" "8" "init" "dwalsh@redhat.com" "init SELinux Policy documentation" +.SH "NAME" +init_selinux \- Security Enhanced Linux Policy for the init processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B init -+(System initialization programs (init and init scripts)) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the init processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. init policy is extremely flexible and has several booleans that allow you to manipulate the policy and run init with the tightest access possible. + @@ -21234,6 +22146,22 @@ index 0000000..ce0a398 +.B setsebool -P init_systemd 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the init_t, initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the init_t, initrc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -21255,7 +22183,7 @@ index 0000000..ce0a398 +.br +.TP 5 +Paths: -+/usr/sbin/init(ng)?, /lib/systemd/[^/]*, /sbin/init(ng)?, /bin/systemd, /usr/lib/systemd/system-generators/[^/]*, /usr/bin/systemd, /lib/systemd/system-generators/[^/]*, /sbin/upstart, /usr/sbin/upstart, /usr/lib/systemd/[^/]* ++/usr/sbin/init(ng)?, /sbin/init(ng)?, /bin/systemd, /usr/lib/systemd/system-generators/[^/]*, /usr/bin/systemd, /sbin/upstart, /usr/sbin/upstart, /usr/lib/systemd/[^/]* + +.EX +.PP @@ -21291,7 +22219,7 @@ index 0000000..ce0a398 +.br +.TP 5 +Paths: -+/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /usr/libexec/dcc/start-.*, /usr/sbin/apachectl, /usr/sbin/restart-dirsrv, /etc/init\.d/.*, /usr/bin/sepg_ctl ++/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/restart-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /usr/libexec/dcc/start-.*, /usr/share/system-config-services/system-config-services-mechanism\.py, /usr/sbin/apachectl, /etc/init\.d/.*, /usr/bin/sepg_ctl + +.EX +.PP 
@@ -21322,7 +22250,7 @@ index 0000000..ce0a398 +/var/run/setmixer_flag, /var/run/runlevel\.dir, /var/run/random-seed, /var/run/utmp + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21372,17 +22300,33 @@ index 0000000..ce0a398 \ No newline at end of file diff --git a/man/man8/initrc_selinux.8 b/man/man8/initrc_selinux.8 new file mode 100644 -index 0000000..2fa2434 +index 0000000..cd5b4cb --- /dev/null +++ b/man/man8/initrc_selinux.8 -@@ -0,0 +1,111 @@ +@@ -0,0 +1,127 @@ +.TH "initrc_selinux" "8" "initrc" "dwalsh@redhat.com" "initrc SELinux Policy documentation" +.SH "NAME" +initrc_selinux \- Security Enhanced Linux Policy for the initrc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the initrc processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the initrc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -21413,7 +22357,7 @@ index 0000000..2fa2434 +.br +.TP 5 +Paths: -+/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /usr/libexec/dcc/start-.*, /usr/sbin/apachectl, /usr/sbin/restart-dirsrv, /etc/init\.d/.*, /usr/bin/sepg_ctl ++/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/restart-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /usr/libexec/dcc/start-.*, /usr/share/system-config-services/system-config-services-mechanism\.py, /usr/sbin/apachectl, /etc/init\.d/.*, /usr/bin/sepg_ctl + +.EX +.PP @@ -21444,7 +22388,7 @@ index 0000000..2fa2434 +/var/run/setmixer_flag, /var/run/runlevel\.dir, /var/run/random-seed, /var/run/utmp + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21489,17 +22433,19 @@ index 0000000..2fa2434 +selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/innd_selinux.8 b/man/man8/innd_selinux.8 new file mode 100644 -index 0000000..541f9e9 +index 0000000..2f7366a --- /dev/null 
+++ b/man/man8/innd_selinux.8 -@@ -0,0 +1,145 @@ +@@ -0,0 +1,147 @@ +.TH "innd_selinux" "8" "innd" "dwalsh@redhat.com" "innd SELinux Policy documentation" +.SH "NAME" +innd_selinux \- Security Enhanced Linux Policy for the innd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the innd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -21530,7 +22476,7 @@ index 0000000..541f9e9 +.br +.TP 5 +Paths: -+/usr/bin/suck, /usr/lib/news/bin/convdate, /usr/lib/news/bin/filechan, /usr/lib/news/bin/nntpget, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/shlock, /usr/lib/news/bin/archive, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/innd, /usr/lib/news/bin/actsync, /usr/lib/news/bin/innxbatch, /usr/bin/inews, /usr/lib/news/bin/batcher, /usr/sbin/innd.*, /usr/lib/news/bin/expire, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/ctlinnd, /usr/bin/rpost, /usr/lib/news/bin/buffchan, /etc/news/boot, /usr/lib/news/bin/ovdb_recover, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/makedbz, /usr/bin/rnews, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/getlist, /usr/lib/news/bin/sm, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/rnews, /usr/lib/news/bin/overchan, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/prunehistory, /usr/lib/news/bin/inews, /usr/lib/news/bin/shrinkfile, /usr/lib/news/bin/expireover, /usr/lib/news/bin/inndf ++/usr/bin/suck, /usr/lib/news/bin/convdate, /usr/lib/news/bin/filechan, /usr/lib/news/bin/nntpget, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/shlock, /usr/lib/news/bin/archive, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/actsync, /usr/lib/news/bin/innxbatch, /usr/bin/inews, /usr/lib/news/bin/batcher, /usr/sbin/innd.*, /usr/lib/news/bin/expire, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/ctlinnd, /usr/bin/rpost, /usr/lib/news/bin/buffchan, /usr/lib/news/bin/ovdb_recover, /etc/news/boot, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/innd, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/makedbz, /usr/bin/rnews, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/getlist, /usr/lib/news/bin/sm, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/rnews, 
/usr/lib/news/bin/overchan, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/prunehistory, /usr/lib/news/bin/inews, /usr/lib/news/bin/shrinkfile, /usr/lib/news/bin/expireover, /usr/lib/news/bin/inndf + +.EX +.PP @@ -21569,7 +22515,7 @@ index 0000000..541f9e9 +/var/run/innd(/.*)?, /var/run/news(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21596,7 +22542,7 @@ index 0000000..541f9e9 + + +Default Defined Ports: -+tcp 8021 ++tcp 119 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -21640,24 +22586,24 @@ index 0000000..541f9e9 +selinux(8), innd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/insmod_selinux.8 b/man/man8/insmod_selinux.8 new file mode 100644 -index 0000000..0e25a12 +index 0000000..a8b11de --- /dev/null 
+++ b/man/man8/insmod_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,121 @@ +.TH "insmod_selinux" "8" "insmod" "dwalsh@redhat.com" "insmod SELinux Policy documentation" +.SH "NAME" +insmod_selinux \- Security Enhanced Linux Policy for the insmod processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the insmod processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. insmod policy is extremely flexible and has several booleans that allow you to manipulate the policy and run insmod with the tightest access possible. + + +.PP -+If you want to disallow programs and users from transitioning to insmod domain, you must turn on the secure_mode_insmod boolean. ++If you want to disable kernel module loading, you must turn on the secure_mode_insmod boolean. + +.EX +.B setsebool -P secure_mode_insmod 1 @@ -21670,6 +22616,22 @@ index 0000000..0e25a12 +.B setsebool -P pppd_can_insmod 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the insmod_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the insmod_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -21691,7 +22653,7 @@ index 0000000..0e25a12 +.br +.TP 5 +Paths: -+/sbin/modprobe.*, /sbin/rmmod.*, /sbin/insmod.*, /usr/sbin/modprobe.*, /usr/bin/kmod, /usr/sbin/insmod.*, /usr/sbin/rmmod.* ++/sbin/rmmod.*, /sbin/modprobe.*, /sbin/insmod.*, /usr/sbin/modprobe.*, /usr/bin/kmod, /usr/sbin/insmod.*, /usr/sbin/rmmod.* + +.EX +.PP 
@@ -21702,7 +22664,7 @@ index 0000000..0e25a12 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21752,23 +22714,33 @@ index 0000000..0e25a12 \ No newline at end of file diff --git a/man/man8/ipsec_selinux.8 b/man/man8/ipsec_selinux.8 new file mode 100644 -index 0000000..3273369 +index 0000000..af875ea --- /dev/null +++ b/man/man8/ipsec_selinux.8 -@@ -0,0 +1,199 @@ +@@ -0,0 +1,211 @@ +.TH "ipsec_selinux" "8" "ipsec" "dwalsh@redhat.com" "ipsec SELinux Policy documentation" +.SH "NAME" +ipsec_selinux \- Security Enhanced Linux Policy for the ipsec processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ipsec -+(TCP/IP encryption) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ipsec processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ipsec_t, ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ipsec_t, ipsec_mgmt_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -21827,7 +22799,7 @@ index 0000000..3273369 +.br +.TP 5 +Paths: -+/etc/ipsec\.secrets, /etc/racoon/psk\.txt, /etc/racoon/certs(/.*)?, /etc/ipsec\.d(/.*)? ++/etc/ipsec\.secrets, /etc/racoon/certs(/.*)?, /etc/racoon/psk\.txt, /etc/ipsec\.d(/.*)? + +.EX +.PP 
@@ -21847,7 +22819,7 @@ index 0000000..3273369 +.br +.TP 5 +Paths: -+/usr/lib/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service, /usr/lib/ipsec/_plutoload, /usr/sbin/ipsec, /usr/libexec/ipsec/_plutorun ++/usr/lib/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service, /usr/sbin/ipsec, /usr/lib/ipsec/_plutoload, /usr/libexec/ipsec/_plutorun + +.EX +.PP @@ -21886,7 +22858,7 @@ index 0000000..3273369 +/var/run/racoon\.pid, /var/run/pluto(/.*)?, /var/racoon(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21913,7 +22885,9 @@ index 0000000..3273369 + + +Default Defined Ports: -+tcp 8021 ++tcp 4500 ++.EE ++udp 4500 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -21957,24 +22931,18 @@ index 0000000..3273369 +selinux(8), ipsec(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/iptables_selinux.8 b/man/man8/iptables_selinux.8 new file mode 100644 -index 0000000..8e6b3de +index 0000000..33f44c0 --- /dev/null 
+++ b/man/man8/iptables_selinux.8 -@@ -0,0 +1,136 @@ +@@ -0,0 +1,146 @@ +.TH "iptables_selinux" "8" "iptables" "dwalsh@redhat.com" "iptables SELinux Policy documentation" +.SH "NAME" +iptables_selinux \- Security Enhanced Linux Policy for the iptables processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B iptables -+(Policy for iptables) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the iptables processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. iptables policy is extremely flexible and has several booleans that allow you to manipulate the policy and run iptables with the tightest access possible. + @@ -21986,6 +22954,22 @@ index 0000000..8e6b3de +.B setsebool -P dhcpc_exec_iptables 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the iptables_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the iptables_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -22007,7 +22991,7 @@ index 0000000..8e6b3de +.br +.TP 5 +Paths: -+/sbin/ebtables-restore, /usr/sbin/ipvsadm-restore, /usr/sbin/ipchains.*, /usr/sbin/ip6?tables, /sbin/ebtables, /usr/sbin/ip6?tables-restore, /usr/sbin/xtables-multi, /sbin/ipchains.*, /sbin/ip6?tables, /usr/sbin/ebtables-restore, /usr/sbin/ebtables, /sbin/ipvsadm, /usr/sbin/ipvsadm-save, /sbin/xtables-multi, /sbin/ipvsadm-restore, /usr/sbin/ip6?tables-multi, /sbin/ip6?tables-multi, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /sbin/ip6?tables-restore ++/sbin/ebtables-restore, /usr/sbin/ipvsadm-restore, /usr/sbin/ipchains.*, /sbin/ebtables, /usr/sbin/ip6?tables, /usr/sbin/ip6?tables-restore, /usr/sbin/xtables-multi, /sbin/ipchains.*, /sbin/ip6?tables, /usr/sbin/ebtables-restore, /usr/sbin/ebtables, /sbin/ipvsadm, /usr/sbin/ipvsadm-save, /sbin/xtables-multi, /sbin/ipvsadm-restore, /usr/sbin/ip6?tables-multi, /sbin/ip6?tables-multi, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /sbin/ip6?tables-restore + +.EX +.PP @@ -22039,7 +23023,7 @@ index 0000000..8e6b3de +.br +.TP 5 +Paths: -+/lib/systemd/system/vsftpd.*, /usr/lib/systemd/system/proftpd.*, /usr/lib/systemd/system/iptables6?.service, /lib/systemd/system/ip6tables.service, /lib/systemd/system/slapd.*, /usr/lib/systemd/system/vsftpd.*, /lib/systemd/system/ppp.*, /usr/lib/systemd/system/kdump.service, /usr/lib/systemd/system/slapd.*, /usr/lib/systemd/system/ppp.*, /lib/systemd/system/kdump.service, /lib/systemd/system/proftpd.*, /lib/systemd/system/iptables.service ++/usr/lib/systemd/system/ip6tables.*, /usr/lib/systemd/system/proftpd.*, /usr/lib/systemd/system/vsftpd.*, /usr/lib/systemd/system/slapd.*, /usr/lib/systemd/system/ppp.*, /usr/lib/systemd/system/iptables.* + +.EX +.PP 
@@ -22050,7 +23034,7 @@ index 0000000..8e6b3de + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22100,23 +23084,19 @@ index 0000000..8e6b3de \ No newline at end of file diff --git a/man/man8/irc_selinux.8 b/man/man8/irc_selinux.8 new file mode 100644 -index 0000000..6bd8081 +index 0000000..8742397 --- /dev/null +++ b/man/man8/irc_selinux.8 -@@ -0,0 +1,123 @@ +@@ -0,0 +1,119 @@ +.TH "irc_selinux" "8" "irc" "dwalsh@redhat.com" "irc SELinux Policy documentation" +.SH "NAME" +irc_selinux \- Security Enhanced Linux Policy for the irc processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B irc -+(IRC client policy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the irc processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -22139,7 +23119,7 @@ index 0000000..6bd8081 +.br +.TP 5 +Paths: -+/usr/bin/ircII, /usr/bin/tinyirc, /usr/bin/[st]irc ++/usr/bin/tinyirc, /usr/bin/[st]irc, /usr/bin/ircII + +.EX +.PP @@ -22158,7 +23138,7 @@ index 0000000..6bd8081 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -22185,7 +23165,7 @@ index 0000000..6bd8081 + + +Default Defined Ports: -+tcp 8021 ++tcp 6667 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -22229,23 +23209,19 @@ index 0000000..6bd8081 +selinux(8), irc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/irqbalance_selinux.8 b/man/man8/irqbalance_selinux.8 new file mode 100644 -index 0000000..daf7657 +index 0000000..8cafced --- /dev/null +++ b/man/man8/irqbalance_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,81 @@ +.TH "irqbalance_selinux" "8" "irqbalance" "dwalsh@redhat.com" "irqbalance SELinux Policy documentation" +.SH "NAME" +irqbalance_selinux \- Security Enhanced Linux Policy for the irqbalance processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B irqbalance -+(IRQ balancing daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the irqbalance processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -22275,7 +23251,7 @@ index 0000000..daf7657 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22320,17 +23296,17 @@ index 0000000..daf7657 +selinux(8), irqbalance(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/irssi_selinux.8 b/man/man8/irssi_selinux.8 new file mode 100644 -index 0000000..3320869 +index 0000000..0fdedd5 --- /dev/null 
+++ b/man/man8/irssi_selinux.8 -@@ -0,0 +1,102 @@ +@@ -0,0 +1,118 @@ +.TH "irssi_selinux" "8" "irssi" "dwalsh@redhat.com" "irssi SELinux Policy documentation" +.SH "NAME" +irssi_selinux \- Security Enhanced Linux Policy for the irssi processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the irssi processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. irssi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run irssi with the tightest access possible. @@ -22343,6 +23319,22 @@ index 0000000..3320869 +.B setsebool -P irssi_use_full_network 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the irssi_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the irssi_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -22379,7 +23371,7 @@ index 0000000..3320869 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22429,71 +23421,43 @@ index 0000000..3320869 \ No newline at end of file diff --git a/man/man8/iscsid_selinux.8 b/man/man8/iscsid_selinux.8 new file mode 100644 -index 0000000..4f0d9c3 +index 0000000..4dea365 --- /dev/null 
+++ b/man/man8/iscsid_selinux.8 -@@ -0,0 +1,145 @@ +@@ -0,0 +1,117 @@ +.TH "iscsid_selinux" "8" "iscsid" "dwalsh@redhat.com" "iscsid SELinux Policy documentation" +.SH "NAME" +iscsid_selinux \- Security Enhanced Linux Policy for the iscsid processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the iscsid processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP -+Policy governs the access confined processes have to these files. -+SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible. -+.PP -+The following file types are defined for iscsid: -+ ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the iscsid_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B iscsi_lock_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the iscsi_lock_t type, if you want to treat the files as iscsi lock data, stored under the /var/lock directory -+ -+ -+.EX +.PP -+.B iscsi_log_t -+.EE -+ -+- Set files with the iscsi_log_t type, if you want to treat the data as iscsi log data, usually stored under the /var/log directory. -+ -+.br -+.TP 5 -+Paths: -+/var/log/iscsiuio\.log.*, /var/log/brcm-iscsi\.log ++If you want to allow confined applications to run with kerberos for the iscsid_t, you must turn on the kerberos_enabled boolean. + +.EX -+.PP -+.B iscsi_tmp_t ++setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the iscsi_tmp_t type, if you want to store iscsi temporary files in the /tmp directories. -+ -+ -+.EX ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. 
+.PP -+.B iscsi_var_lib_t -+.EE -+ -+- Set files with the iscsi_var_lib_t type, if you want to store the iscsi files under the /var/lib directory. -+ -+ -+.EX ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP -+.B iscsi_var_run_t -+.EE -+ -+- Set files with the iscsi_var_run_t type, if you want to store the iscsi files under the /run directory. ++Policy governs the access confined processes have to these files. ++SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible. ++.PP ++The following file types are defined for iscsid: + + +.EX @@ -22509,7 +23473,7 @@ index 0000000..4f0d9c3 +/sbin/brcm_iscsiuio, /sbin/iscsiuio, /usr/sbin/iscsiuio, /usr/sbin/iscsid, /usr/sbin/brcm_iscsiuio, /sbin/iscsid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22536,7 +23500,7 @@ index 0000000..4f0d9c3 + + +Default Defined Ports: -+tcp 8021 ++tcp 3260 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -22580,17 +23544,19 @@ index 0000000..4f0d9c3 +selinux(8), iscsid(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/iwhd_selinux.8 b/man/man8/iwhd_selinux.8 new file mode 100644 -index 0000000..2031201 +index 0000000..a0ae96c --- /dev/null 
+++ b/man/man8/iwhd_selinux.8 -@@ -0,0 +1,103 @@ +@@ -0,0 +1,105 @@ +.TH "iwhd_selinux" "8" "iwhd" "dwalsh@redhat.com" "iwhd SELinux Policy documentation" +.SH "NAME" +iwhd_selinux \- Security Enhanced Linux Policy for the iwhd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the iwhd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -22644,7 +23610,7 @@ index 0000000..2031201 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22689,17 +23655,19 @@ index 0000000..2031201 +selinux(8), iwhd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/jabberd_selinux.8 b/man/man8/jabberd_selinux.8 new file mode 100644 -index 0000000..5f3d39d +index 0000000..dd38cf4 --- /dev/null +++ b/man/man8/jabberd_selinux.8 -@@ -0,0 +1,151 @@ +@@ -0,0 +1,153 @@ +.TH "jabberd_selinux" "8" "jabberd" "dwalsh@redhat.com" "jabberd SELinux Policy documentation" +.SH "NAME" +jabberd_selinux \- Security Enhanced Linux Policy for the jabberd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the jabberd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -22753,7 +23721,7 @@ index 0000000..5f3d39d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22780,7 +23748,7 @@ index 0000000..5f3d39d + + +Default Defined Ports: -+tcp 8021 ++tcp 5222,5223 +.EE + +.EX @@ -22791,7 +23759,7 @@ index 0000000..5f3d39d + + +Default Defined Ports: -+tcp 8021 ++tcp 5269 +.EE + +.EX @@ -22802,7 +23770,7 @@ index 0000000..5f3d39d + + +Default Defined Ports: -+tcp 8021 ++tcp 5347 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -22846,23 +23814,19 @@ index 0000000..5f3d39d +selinux(8), jabberd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/jockey_selinux.8 b/man/man8/jockey_selinux.8 new file mode 100644 -index 0000000..239af62 +index 0000000..92a2c36 --- /dev/null +++ b/man/man8/jockey_selinux.8 -@@ -0,0 +1,97 @@ +@@ -0,0 +1,93 @@ +.TH "jockey_selinux" "8" "jockey" "dwalsh@redhat.com" "jockey SELinux Policy documentation" +.SH "NAME" +jockey_selinux \- Security Enhanced Linux Policy for the jockey processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B jockey -+(policy for jockey) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the jockey processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -22904,7 +23868,7 @@ index 0000000..239af62 +/var/log/jockey\.log, /var/log/jockey(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22949,17 +23913,19 @@ index 0000000..239af62 +selinux(8), jockey(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kadmind_selinux.8 b/man/man8/kadmind_selinux.8 new file mode 100644 -index 0000000..b56c5c1 +index 0000000..f5d4608 --- /dev/null +++ b/man/man8/kadmind_selinux.8 -@@ -0,0 +1,99 @@ +@@ -0,0 +1,101 @@ +.TH "kadmind_selinux" "8" "kadmind" "dwalsh@redhat.com" "kadmind SELinux Policy documentation" +.SH "NAME" +kadmind_selinux \- Security Enhanced Linux Policy for the kadmind processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the kadmind processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -23009,7 +23975,7 @@ index 0000000..b56c5c1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23054,23 +24020,33 @@ index 0000000..b56c5c1 +selinux(8), kadmind(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kdump_selinux.8 b/man/man8/kdump_selinux.8 new file mode 100644 -index 0000000..b47a14d +index 0000000..f15e342 --- /dev/null 
+++ b/man/man8/kdump_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,155 @@ +.TH "kdump_selinux" "8" "kdump" "dwalsh@redhat.com" "kdump SELinux Policy documentation" +.SH "NAME" +kdump_selinux \- Security Enhanced Linux Policy for the kdump processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B kdump -+(Kernel crash dumping mechanism) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the kdump processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -23121,6 +24097,30 @@ index 0000000..b47a14d + +.EX +.PP ++.B kdumpctl_exec_t ++.EE ++ ++- Set files with the kdumpctl_exec_t type, if you want to transition an executable to the kdumpctl_t domain. ++ ++ ++.EX ++.PP ++.B kdumpctl_tmp_t ++.EE ++ ++- Set files with the kdumpctl_tmp_t type, if you want to store kdumpctl temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B kdumpctl_unit_file_t ++.EE ++ ++- Set files with the kdumpctl_unit_file_t type, if you want to treat the files as kdumpctl unit content. ++ ++ ++.EX ++.PP +.B kdumpgui_exec_t +.EE + 
@@ -23136,7 +24136,7 @@ index 0000000..b47a14d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23153,7 +24153,7 @@ index 0000000..b47a14d +The following process types are defined for kdump: + +.EX -+.B kdumpgui_t, kdump_t ++.B kdumpgui_t, kdumpctl_t, kdump_t +.EE +.PP +Note: @@ -23181,23 +24181,33 @@ index 0000000..b47a14d +selinux(8), kdump(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kdumpgui_selinux.8 b/man/man8/kdumpgui_selinux.8 new file mode 100644 -index 0000000..82754b0 +index 0000000..b277343 --- /dev/null +++ b/man/man8/kdumpgui_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,95 @@ +.TH "kdumpgui_selinux" "8" "kdumpgui" "dwalsh@redhat.com" "kdumpgui SELinux Policy documentation" +.SH "NAME" +kdumpgui_selinux \- Security Enhanced Linux Policy for the kdumpgui processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B kdumpgui -+(system-config-kdump GUI) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the kdumpgui processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -23227,7 +24237,7 @@ index 0000000..82754b0 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23272,23 +24282,19 @@ index 0000000..82754b0 +selinux(8), kdumpgui(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/keyboardd_selinux.8 b/man/man8/keyboardd_selinux.8 new file mode 100644 -index 0000000..782e48f +index 0000000..1eebbe8 --- /dev/null +++ b/man/man8/keyboardd_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "keyboardd_selinux" "8" "keyboardd" "dwalsh@redhat.com" "keyboardd SELinux Policy documentation" +.SH "NAME" +keyboardd_selinux \- Security Enhanced Linux Policy for the keyboardd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B keyboardd -+(policy for system-setup-keyboard daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the keyboardd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -23310,7 +24316,7 @@ index 0000000..782e48f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23355,23 +24361,33 @@ index 0000000..782e48f +selinux(8), keyboardd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/keystone_selinux.8 b/man/man8/keystone_selinux.8 new file mode 100644 -index 0000000..1c2d5b6 +index 0000000..f24c690 --- /dev/null +++ b/man/man8/keystone_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,147 @@ +.TH "keystone_selinux" "8" "keystone" "dwalsh@redhat.com" "keystone SELinux Policy documentation" +.SH "NAME" +keystone_selinux \- Security Enhanced Linux Policy for the keystone processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B keystone -+(policy for keystone) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the keystone processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the keystone_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the keystone_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -23425,12 +24441,37 @@ index 0000000..1c2d5b6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon +to apply the labels. + ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible. ++.PP ++The following port types are defined for keystone: ++ ++.EX ++.TP 5 ++.B keystone_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 5000 ++.EE ++udp 5000 ++.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP @@ -23459,6 +24500,9 @@ index 0000000..1c2d5b6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage port ++can also be used to manipulate the port definitions ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -23470,23 +24514,33 @@ index 0000000..1c2d5b6 +selinux(8), keystone(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kismet_selinux.8 b/man/man8/kismet_selinux.8 new file mode 100644 -index 0000000..678bdc4 +index 0000000..d26771d --- /dev/null 
+++ b/man/man8/kismet_selinux.8 -@@ -0,0 +1,151 @@ +@@ -0,0 +1,161 @@ +.TH "kismet_selinux" "8" "kismet" "dwalsh@redhat.com" "kismet SELinux Policy documentation" +.SH "NAME" +kismet_selinux \- Security Enhanced Linux Policy for the kismet processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B kismet -+(Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the kismet processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the kismet_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the kismet_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -23556,7 +24610,7 @@ index 0000000..678bdc4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23583,7 +24637,7 @@ index 0000000..678bdc4 + + +Default Defined Ports: -+tcp 8021 ++tcp 2501 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -23627,17 +24681,19 @@ index 0000000..678bdc4 +selinux(8), kismet(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/klogd_selinux.8 b/man/man8/klogd_selinux.8 new file mode 100644 -index 0000000..9dcdb4f +index 0000000..b0dc370 --- /dev/null +++ b/man/man8/klogd_selinux.8 -@@ -0,0 +1,91 @@ +@@ -0,0 +1,93 @@ +.TH "klogd_selinux" "8" "klogd" "dwalsh@redhat.com" "klogd SELinux Policy documentation" +.SH "NAME" +klogd_selinux \- Security Enhanced Linux Policy for the klogd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the klogd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -23660,7 +24716,7 @@ index 0000000..9dcdb4f +.br +.TP 5 +Paths: -+/usr/sbin/rklogd, /sbin/klogd, /sbin/rklogd, /usr/sbin/klogd ++/usr/sbin/rklogd, /usr/sbin/klogd, /sbin/klogd, /sbin/rklogd + +.EX +.PP @@ -23679,7 +24735,7 @@ index 0000000..9dcdb4f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23724,17 +24780,19 @@ index 0000000..9dcdb4f +selinux(8), klogd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kpropd_selinux.8 b/man/man8/kpropd_selinux.8 new file mode 100644 -index 0000000..5ad7425 +index 0000000..8720d94 --- /dev/null 
+++ b/man/man8/kpropd_selinux.8 -@@ -0,0 +1,97 @@ +@@ -0,0 +1,99 @@ +.TH "kpropd_selinux" "8" "kpropd" "dwalsh@redhat.com" "kpropd SELinux Policy documentation" +.SH "NAME" +kpropd_selinux \- Security Enhanced Linux Policy for the kpropd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the kpropd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -23756,7 +24814,7 @@ index 0000000..5ad7425 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23783,7 +24841,7 @@ index 0000000..5ad7425 + + +Default Defined Ports: -+tcp 8021 ++tcp 754 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -23827,17 +24885,19 @@ index 0000000..5ad7425 +selinux(8), kpropd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/krb5kdc_selinux.8 b/man/man8/krb5kdc_selinux.8 new file mode 100644 -index 0000000..8a01b27 +index 0000000..e96b9e3 --- /dev/null +++ b/man/man8/krb5kdc_selinux.8 -@@ -0,0 +1,131 @@ +@@ -0,0 +1,133 @@ +.TH "krb5kdc_selinux" "8" "krb5kdc" "dwalsh@redhat.com" "krb5kdc SELinux Policy documentation" +.SH "NAME" +krb5kdc_selinux \- Security Enhanced Linux Policy for the krb5kdc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the krb5kdc processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -23919,7 +24979,7 @@ index 0000000..8a01b27 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23964,23 +25024,33 @@ index 0000000..8a01b27 +selinux(8), krb5kdc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ksmtuned_selinux.8 b/man/man8/ksmtuned_selinux.8 new file mode 100644 -index 0000000..5874ff2 +index 0000000..d0b751b --- /dev/null +++ b/man/man8/ksmtuned_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,111 @@ +.TH "ksmtuned_selinux" "8" "ksmtuned" "dwalsh@redhat.com" "ksmtuned SELinux Policy documentation" +.SH "NAME" +ksmtuned_selinux \- Security Enhanced Linux Policy for the ksmtuned processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ksmtuned -+(Kernel Samepage Merging (KSM) Tuning Daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ksmtuned processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ksmtuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ksmtuned_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -24026,7 +25096,7 @@ index 0000000..5874ff2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24071,17 +25141,33 @@ index 0000000..5874ff2 +selinux(8), ksmtuned(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ktalkd_selinux.8 b/man/man8/ktalkd_selinux.8 new file mode 100644 -index 0000000..2b084b7 +index 0000000..2dd9ab9 --- /dev/null +++ b/man/man8/ktalkd_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,141 @@ +.TH "ktalkd_selinux" "8" "ktalkd" "dwalsh@redhat.com" "ktalkd SELinux Policy documentation" +.SH "NAME" +ktalkd_selinux \- Security Enhanced Linux Policy for the ktalkd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ktalkd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ktalkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the ktalkd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -24131,7 +25217,7 @@ index 0000000..2b084b7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24158,7 +25244,7 @@ index 0000000..2b084b7 + + +Default Defined Ports: -+tcp 8021 ++udp 517,518 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -24202,23 +25288,19 @@ index 0000000..2b084b7 +selinux(8), ktalkd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/l2tpd_selinux.8 b/man/man8/l2tpd_selinux.8 new file mode 100644 -index 0000000..be9e0f9 +index 0000000..79edab7 --- /dev/null +++ b/man/man8/l2tpd_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,137 @@ +.TH "l2tpd_selinux" "8" "l2tpd" "dwalsh@redhat.com" "l2tpd SELinux Policy documentation" +.SH "NAME" +l2tpd_selinux \- Security Enhanced Linux Policy for the l2tpd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B l2tpd -+(policy for l2tpd) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the l2tpd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -24241,7 +25323,7 @@ index 0000000..be9e0f9 +.br +.TP 5 +Paths: -+/usr/sbin/xl2tpd, /usr/sbin/openl2tpd ++/usr/sbin/xl2tpd, /usr/sbin/prol2tpd, /usr/sbin/openl2tpd + +.EX +.PP 
@@ -24253,7 +25335,15 @@ index 0000000..be9e0f9 +.br +.TP 5 +Paths: -+/etc/rc\.d/init\.d/xl2tpd, /etc/rc\.d/init\.d/openl2tpd ++/etc/rc\.d/init\.d/xl2tpd, /etc/rc\.d/init\.d/prol2tpd, /etc/rc\.d/init\.d/openl2tpd ++ ++.EX ++.PP ++.B l2tpd_tmp_t ++.EE ++ ++- Set files with the l2tpd_tmp_t type, if you want to store l2tpd temporary files in the /tmp directories. ++ + +.EX +.PP @@ -24265,15 +25355,40 @@ index 0000000..be9e0f9 +.br +.TP 5 +Paths: -+/var/run/xl2tpd(/.*)?, /var/run/xl2tpd\.pid ++/var/run/prol2tpd(/.*)?, /var/run/prol2tpd\.pid, /var/run/prol2tpd\.ctl, /var/run/xl2tpd\.pid, /var/run/openl2tpd\.pid, /var/run/xl2tpd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon +to apply the labels. + ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible. ++.PP ++The following port types are defined for l2tpd: ++ ++.EX ++.TP 5 ++.B l2tp_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 1701 ++.EE ++udp 1701 ++.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -24302,6 +25417,9 @@ index 0000000..be9e0f9 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage port ++can also be used to manipulate the port definitions ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -24313,17 +25431,19 @@ index 0000000..be9e0f9 +selinux(8), l2tpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ldconfig_selinux.8 b/man/man8/ldconfig_selinux.8 new file mode 100644 -index 0000000..488c36b +index 0000000..1e6fe8a --- /dev/null +++ b/man/man8/ldconfig_selinux.8 -@@ -0,0 +1,91 @@ +@@ -0,0 +1,93 @@ +.TH "ldconfig_selinux" "8" "ldconfig" "dwalsh@redhat.com" "ldconfig SELinux Policy documentation" +.SH "NAME" +ldconfig_selinux \- Security Enhanced Linux Policy for the ldconfig processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ldconfig processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -24365,7 +25485,7 @@ index 0000000..488c36b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24589,23 +25709,19 @@ index 0000000..8b6ac6e +selinux(8), libra(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lircd_selinux.8 b/man/man8/lircd_selinux.8 new file mode 100644 -index 0000000..6b5ddb1 +index 0000000..a6199d5 --- /dev/null 
+++ b/man/man8/lircd_selinux.8 -@@ -0,0 +1,135 @@ +@@ -0,0 +1,131 @@ +.TH "lircd_selinux" "8" "lircd" "dwalsh@redhat.com" "lircd SELinux Policy documentation" +.SH "NAME" +lircd_selinux \- Security Enhanced Linux Policy for the lircd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B lircd -+(Linux infared remote control daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the lircd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -24659,7 +25775,7 @@ index 0000000..6b5ddb1 +/var/run/lirc(/.*)?, /var/run/lircd(/.*)?, /var/run/lircd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24686,7 +25802,7 @@ index 0000000..6b5ddb1 + + +Default Defined Ports: -+tcp 8021 ++tcp 8765 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -24730,23 +25846,19 @@ index 0000000..6b5ddb1 +selinux(8), lircd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/livecd_selinux.8 b/man/man8/livecd_selinux.8 new file mode 100644 -index 0000000..01c43d5 +index 0000000..bb62485 --- /dev/null 
+++ b/man/man8/livecd_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,81 @@ +.TH "livecd_selinux" "8" "livecd" "dwalsh@redhat.com" "livecd SELinux Policy documentation" +.SH "NAME" +livecd_selinux \- Security Enhanced Linux Policy for the livecd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B livecd -+(Livecd tool for building alternate livecd for different os and policy versions) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the livecd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -24776,7 +25888,7 @@ index 0000000..01c43d5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24821,23 +25933,19 @@ index 0000000..01c43d5 +selinux(8), livecd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lldpad_selinux.8 b/man/man8/lldpad_selinux.8 new file mode 100644 -index 0000000..25e0ebf +index 0000000..c803575 --- /dev/null +++ b/man/man8/lldpad_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,105 @@ +.TH "lldpad_selinux" "8" "lldpad" "dwalsh@redhat.com" "lldpad SELinux Policy documentation" +.SH "NAME" +lldpad_selinux \- Security Enhanced Linux Policy for the lldpad processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B lldpad -+(policy for lldpad) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the lldpad processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -24891,7 +25999,7 @@ index 0000000..25e0ebf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24936,24 +26044,24 @@ index 0000000..25e0ebf +selinux(8), lldpad(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/load_selinux.8 b/man/man8/load_selinux.8 new file mode 100644 -index 0000000..27bf215 +index 0000000..633de07 --- /dev/null +++ b/man/man8/load_selinux.8 -@@ -0,0 +1,116 @@ +@@ -0,0 +1,118 @@ +.TH "load_selinux" "8" "load" "dwalsh@redhat.com" "load SELinux Policy documentation" +.SH "NAME" +load_selinux \- Security Enhanced Linux Policy for the load processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the load processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. load policy is extremely flexible and has several booleans that allow you to manipulate the policy and run load with the tightest access possible. + + +.PP -+If you want to prevent all confined domains from loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it bac, you must turn on the secure_mode_policyload boolean. ++If you want to boolean to determine whether the system permits loading policy, setting enforcing mode, and changing boolean values. Set this to true and you have to reboot to set it back, you must turn on the secure_mode_policyload boolean. + +.EX +.B setsebool -P secure_mode_policyload 1 
@@ -24973,6 +26081,8 @@ index 0000000..27bf215 +.B setsebool -P domain_kernel_load_modules 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -25006,10 +26116,10 @@ index 0000000..27bf215 +.br +.TP 5 +Paths: -+/bin/unikeys, /usr/bin/unikeys, /bin/loadkeys, /usr/bin/loadkeys ++/usr/bin/unikeys, /usr/bin/loadkeys + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25059,23 +26169,19 @@ index 0000000..27bf215 \ No newline at end of file diff --git a/man/man8/loadkeys_selinux.8 b/man/man8/loadkeys_selinux.8 new file mode 100644 -index 0000000..7ea5471 +index 0000000..82ada62 --- /dev/null +++ b/man/man8/loadkeys_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,77 @@ +.TH "loadkeys_selinux" "8" "loadkeys" "dwalsh@redhat.com" "loadkeys SELinux Policy documentation" +.SH "NAME" +loadkeys_selinux \- Security Enhanced Linux Policy for the loadkeys processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B loadkeys -+(Load keyboard mappings) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the loadkeys processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -25098,10 +26204,10 @@ index 0000000..7ea5471 +.br +.TP 5 +Paths: -+/bin/unikeys, /usr/bin/unikeys, /bin/loadkeys, /usr/bin/loadkeys ++/usr/bin/unikeys, /usr/bin/loadkeys + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25146,17 +26252,33 @@ index 0000000..7ea5471 +selinux(8), loadkeys(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/locate_selinux.8 b/man/man8/locate_selinux.8 new file mode 100644 -index 0000000..d9c0a33 +index 0000000..c576322 --- /dev/null +++ b/man/man8/locate_selinux.8 -@@ -0,0 +1,87 @@ +@@ -0,0 +1,103 @@ +.TH "locate_selinux" "8" "locate" "dwalsh@redhat.com" "locate SELinux Policy documentation" +.SH "NAME" +locate_selinux \- Security Enhanced Linux Policy for the locate processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the locate processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the locate_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the locate_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -25194,7 +26316,7 @@ index 0000000..d9c0a33 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25239,23 +26361,19 @@ index 0000000..d9c0a33 +selinux(8), locate(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lockdev_selinux.8 b/man/man8/lockdev_selinux.8 new file mode 100644 -index 0000000..c899a1b +index 0000000..b3a911c --- /dev/null +++ b/man/man8/lockdev_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,81 @@ +.TH "lockdev_selinux" "8" "lockdev" "dwalsh@redhat.com" "lockdev SELinux Policy documentation" +.SH "NAME" +lockdev_selinux \- Security Enhanced Linux Policy for the lockdev processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B lockdev -+(device locking policy for lockdev) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the lockdev processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -25285,7 +26403,7 @@ index 0000000..c899a1b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25401,23 +26519,33 @@ index 0000000..0edd73f +selinux(8), semanage(8). 
diff --git a/man/man8/logrotate_selinux.8 b/man/man8/logrotate_selinux.8 new file mode 100644 -index 0000000..7f01fd7 +index 0000000..0141e19 --- /dev/null +++ b/man/man8/logrotate_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,123 @@ +.TH "logrotate_selinux" "8" "logrotate" "dwalsh@redhat.com" "logrotate SELinux Policy documentation" +.SH "NAME" +logrotate_selinux \- Security Enhanced Linux Policy for the logrotate processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B logrotate -+(Rotate and archive system logs) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the logrotate processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the logrotate_t, logrotate_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the logrotate_t, logrotate_mail_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -25475,7 +26603,7 @@ index 0000000..7f01fd7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25520,23 +26648,33 @@ index 0000000..7f01fd7 +selinux(8), logrotate(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/logwatch_selinux.8 b/man/man8/logwatch_selinux.8 new file mode 100644 -index 0000000..a03fd51 +index 0000000..294e335 --- /dev/null 
+++ b/man/man8/logwatch_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,135 @@ +.TH "logwatch_selinux" "8" "logwatch" "dwalsh@redhat.com" "logwatch SELinux Policy documentation" +.SH "NAME" +logwatch_selinux \- Security Enhanced Linux Policy for the logwatch processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B logwatch -+(System log analyzer and reporter) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the logwatch processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the logwatch_mail_t, logwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the logwatch_mail_t, logwatch_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -25559,7 +26697,7 @@ index 0000000..a03fd51 +.br +.TP 5 +Paths: -+/var/lib/epylog(/.*)?, /var/cache/logwatch(/.*)?, /var/lib/logcheck(/.*)? ++/var/lib/epylog(/.*)?, /var/lib/logcheck(/.*)?, /var/cache/logwatch(/.*)? + +.EX +.PP @@ -25606,7 +26744,7 @@ index 0000000..a03fd51 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25651,24 +26789,18 @@ index 0000000..a03fd51 +selinux(8), logwatch(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/lpd_selinux.8 b/man/man8/lpd_selinux.8 new file mode 100644 -index 0000000..f69947a +index 0000000..5b5ff79 --- /dev/null +++ b/man/man8/lpd_selinux.8 -@@ -0,0 +1,112 @@ +@@ -0,0 +1,122 @@ +.TH "lpd_selinux" "8" "lpd" "dwalsh@redhat.com" "lpd SELinux Policy documentation" +.SH "NAME" +lpd_selinux \- Security Enhanced Linux Policy for the lpd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B lpd -+(Line printer daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the lpd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. lpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lpd with the tightest access possible. + @@ -25680,6 +26812,22 @@ index 0000000..f69947a +.B setsebool -P use_lpd_server 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -25717,10 +26865,10 @@ index 0000000..f69947a +.br +.TP 5 +Paths: -+/var/run/lprng(/.*)?, /var/spool/turboprint(/.*)? ++/var/spool/turboprint(/.*)?, /var/run/lprng(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25770,17 +26918,33 @@ index 0000000..f69947a \ No newline at end of file diff --git a/man/man8/lpr_selinux.8 b/man/man8/lpr_selinux.8 new file mode 100644 -index 0000000..90d47ef +index 0000000..6808de7 --- /dev/null +++ b/man/man8/lpr_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,99 @@ +.TH "lpr_selinux" "8" "lpr" "dwalsh@redhat.com" "lpr SELinux Policy documentation" +.SH "NAME" +lpr_selinux \- Security Enhanced Linux Policy for the lpr processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the lpr processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -25803,7 +26967,7 @@ index 0000000..90d47ef +.br +.TP 5 +Paths: -+/usr/sbin/accept, /usr/bin/cancel(\.cups)?, /usr/bin/lp(\.cups)?, /usr/bin/lpstat(\.cups)?, /usr/sbin/lpc(\.cups)?, /usr/local/linuxprinter/bin/l?lpr, /usr/bin/lpoptions, /usr/sbin/lpadmin, /usr/sbin/lpinfo, /opt/gutenprint/s?bin(/.*)?, /usr/bin/lpr(\.cups)?, /usr/bin/lpq(\.cups)?, /usr/sbin/lpmove, /usr/bin/lprm(\.cups)? ++/usr/sbin/accept, /opt/gutenprint/s?bin(/.*)?, /usr/bin/cancel(\.cups)?, /usr/bin/lp(\.cups)?, /usr/bin/lpstat(\.cups)?, /usr/sbin/lpc(\.cups)?, /usr/local/linuxprinter/bin/l?lpr, /usr/bin/lpoptions, /usr/bin/lpq(\.cups)?, /usr/sbin/lpadmin, /usr/sbin/lpinfo, /usr/bin/lpr(\.cups)?, /usr/sbin/lpmove, /usr/bin/lprm(\.cups)? + +.EX +.PP @@ -25814,7 +26978,7 @@ index 0000000..90d47ef + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25859,17 +27023,19 @@ index 0000000..90d47ef +selinux(8), lpr(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lsassd_selinux.8 b/man/man8/lsassd_selinux.8 new file mode 100644 -index 0000000..087cd7b +index 0000000..2114550 --- /dev/null +++ b/man/man8/lsassd_selinux.8 -@@ -0,0 +1,111 @@ +@@ -0,0 +1,113 @@ +.TH "lsassd_selinux" "8" "lsassd" "dwalsh@redhat.com" "lsassd SELinux Policy documentation" +.SH "NAME" +lsassd_selinux \- Security Enhanced Linux Policy for the lsassd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the lsassd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -25931,7 +27097,7 @@ index 0000000..087cd7b +/var/lib/likewise-open/rpc/lsass, /var/lib/likewise-open/\.lsassd, /var/lib/likewise-open/\.ntlmd + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25976,23 +27142,19 @@ index 0000000..087cd7b +selinux(8), lsassd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lvm_selinux.8 b/man/man8/lvm_selinux.8 new file mode 100644 -index 0000000..20c9a41 +index 0000000..e5ac861 --- /dev/null +++ b/man/man8/lvm_selinux.8 -@@ -0,0 +1,141 @@ +@@ -0,0 +1,137 @@ +.TH "lvm_selinux" "8" "lvm" "dwalsh@redhat.com" "lvm SELinux Policy documentation" +.SH "NAME" +lvm_selinux \- Security Enhanced Linux Policy for the lvm processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B lvm -+(Policy for logical volume management programs) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the lvm processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -26023,7 +27185,7 @@ index 0000000..20c9a41 +.br +.TP 5 +Paths: -+/sbin/dmsetup, /usr/sbin/dmsetup, /usr/sbin/pvchange, /sbin/dmraid, /sbin/pvremove, /sbin/vgextend, /sbin/vgmerge, /sbin/vgscan\.static, /usr/sbin/pvdisplay, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /usr/sbin/vgremove, /usr/lib/lvm-10/.*, /sbin/pvs, /sbin/lvmdiskscan, /sbin/lvresize, /sbin/vgmknodes, /usr/sbin/lvdisplay, /usr/sbin/mount\.crypt, /usr/sbin/vgsplit, /usr/lib/systemd/systemd-cryptsetup, /sbin/pvmove, /sbin/multipath\.static, /usr/sbin/pvcreate, /usr/sbin/lvmdiskscan, /usr/sbin/vgcfgbackup, /usr/sbin/vgimport, /sbin/vgck, /sbin/pvscan, /usr/sbin/lvmchange, /sbin/lvreduce, /sbin/vgremove, /sbin/vgscan, /sbin/lvremove, /lib/lvm-200/.*, /usr/sbin/lvremove, /sbin/pvcreate, /usr/sbin/lvrename, /usr/sbin/lvmsadc, /usr/sbin/lvm, /usr/lib/lvm-200/.*, /usr/sbin/pvdata, /sbin/vgchange, /sbin/lvm\.static, /sbin/vgcfgbackup, /sbin/e2fsadm, /sbin/lvm, /sbin/pvdata, /usr/sbin/lvmiopversion, /usr/sbin/vgextend, /sbin/lvextend, /usr/lib/udev/udisks-lvm-pv-export, /sbin/vgcfgrestore, /usr/sbin/vgscan, /sbin/vgs, /sbin/lvmchange, /sbin/vgimport, /usr/sbin/lvscan, /usr/sbin/pvscan, /usr/sbin/vgreduce, /usr/sbin/dmsetup\.static, /usr/sbin/vgchange\.static, /usr/sbin/vgexport, /usr/sbin/lvextend, /usr/sbin/cryptsetup, /usr/sbin/dmraid, /usr/sbin/lvresize, /sbin/dmsetup\.static, /sbin/lvmsar, /usr/sbin/vgs, /usr/sbin/vgrename, /usr/sbin/lvs, /sbin/vgchange\.static, /usr/sbin/pvmove, /sbin/lvmsadc, /usr/sbin/vgmknodes, /sbin/lvmiopversion, /usr/sbin/vgscan\.static, /sbin/pvdisplay, /sbin/vgsplit, /usr/sbin/vgcfgrestore, /usr/sbin/kpartx, /sbin/cryptsetup, /usr/sbin/lvcreate, /lib/udev/udisks-lvm-pv-export, /sbin/vgwrapper, /sbin/lvchange, /sbin/pvchange, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/mount\.crypt, /sbin/vgcreate, /sbin/vgreduce, /usr/sbin/lvreduce, /usr/sbin/vgwrapper, /sbin/lvrename, /lib/systemd/systemd-cryptsetup, /sbin/multipathd, /usr/sbin/vgcreate, /usr/sbin/vgmerge, 
/sbin/vgexport, /usr/sbin/lvchange, /sbin/lvs, /usr/sbin/lvmsar, /usr/sbin/multipath\.static, /usr/sbin/vgdisplay, /usr/sbin/vgchange, /sbin/kpartx, /usr/sbin/pvs, /lib/lvm-10/.*, /sbin/lvscan, /sbin/lvcreate, /sbin/vgdisplay, /usr/sbin/pvremove, /usr/sbin/e2fsadm ++/sbin/dmsetup, /usr/sbin/dmsetup, /usr/sbin/pvchange, /sbin/dmraid, /sbin/pvremove, /sbin/vgextend, /sbin/vgscan\.static, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /usr/lib/lvm-10/.*, /sbin/pvs, /sbin/lvmdiskscan, /sbin/lvresize, /sbin/vgmknodes, /usr/sbin/lvdisplay, /usr/sbin/mount\.crypt, /usr/sbin/pvs, /usr/sbin/vgsplit, /usr/lib/systemd/systemd-cryptsetup, /sbin/pvmove, /sbin/multipath\.static, /usr/sbin/pvcreate, /usr/sbin/lvmdiskscan, /usr/sbin/vgcfgbackup, /usr/sbin/lvmiopversion, /usr/sbin/vgimport, /sbin/vgck, /sbin/pvscan, /usr/sbin/lvmchange, /sbin/lvreduce, /sbin/vgremove, /sbin/vgscan, /sbin/vgsplit, /lib/lvm-200/.*, /usr/sbin/lvremove, /sbin/vgmerge, /usr/sbin/vgchange\.static, /sbin/pvcreate, /usr/sbin/lvm, /usr/sbin/lvrename, /usr/sbin/lvmsadc, /usr/lib/lvm-200/.*, /usr/sbin/pvdata, /usr/sbin/lvmetad, /sbin/vgchange, /sbin/lvm\.static, /sbin/vgcfgbackup, /sbin/e2fsadm, /sbin/lvm, /sbin/pvdata, /usr/sbin/lvcreate, /usr/sbin/vgextend, /sbin/lvextend, /usr/lib/udev/udisks-lvm-pv-export, /sbin/vgcfgrestore, /usr/sbin/vgscan, /sbin/vgs, /sbin/lvmchange, /sbin/vgimport, /usr/sbin/lvscan, /usr/sbin/pvscan, /usr/sbin/vgreduce, /usr/sbin/dmsetup\.static, /usr/sbin/vgexport, /usr/sbin/lvextend, /usr/sbin/cryptsetup, /usr/sbin/dmraid, /usr/sbin/lvresize, /sbin/dmsetup\.static, /sbin/lvmsar, /usr/sbin/vgs, /usr/sbin/vgrename, /usr/sbin/lvs, /sbin/vgchange\.static, /usr/sbin/pvmove, /sbin/lvmsadc, /usr/sbin/vgmknodes, /sbin/lvmetad, /sbin/lvmiopversion, /usr/sbin/pvdisplay, /usr/sbin/vgremove, /usr/sbin/vgscan\.static, /sbin/pvdisplay, /usr/sbin/vgcfgrestore, /usr/sbin/kpartx, /sbin/cryptsetup, /lib/udev/udisks-lvm-pv-export, /sbin/vgwrapper, /sbin/lvchange, /sbin/pvchange, 
/usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/mount\.crypt, /sbin/vgcreate, /usr/sbin/vgwrapper, /sbin/vgreduce, /usr/sbin/lvreduce, /sbin/lvrename, /sbin/multipathd, /usr/sbin/vgcreate, /usr/sbin/vgmerge, /sbin/vgexport, /usr/sbin/lvchange, /sbin/lvs, /usr/sbin/lvmsar, /usr/sbin/multipath\.static, /usr/sbin/vgchange, /sbin/kpartx, /lib/lvm-10/.*, /sbin/lvscan, /sbin/lvcreate, /sbin/vgdisplay, /usr/sbin/vgdisplay, /sbin/lvremove, /usr/sbin/pvremove, /usr/sbin/e2fsadm + +.EX +.PP @@ -26078,7 +27240,7 @@ index 0000000..20c9a41 +/var/run/lvm(/.*)?, /var/run/multipathd\.sock, /var/run/dmevent.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26123,17 +27285,19 @@ index 0000000..20c9a41 +selinux(8), lvm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lwiod_selinux.8 b/man/man8/lwiod_selinux.8 new file mode 100644 -index 0000000..39b80fc +index 0000000..ac1ec18 --- /dev/null +++ b/man/man8/lwiod_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "lwiod_selinux" "8" "lwiod" "dwalsh@redhat.com" "lwiod SELinux Policy documentation" +.SH "NAME" +lwiod_selinux \- Security Enhanced Linux Policy for the lwiod processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the lwiod processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -26179,7 +27343,7 @@ index 0000000..39b80fc + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26224,17 +27388,19 @@ index 0000000..39b80fc +selinux(8), lwiod(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lwregd_selinux.8 b/man/man8/lwregd_selinux.8 new file mode 100644 -index 0000000..e954cd1 +index 0000000..1498718 --- /dev/null +++ b/man/man8/lwregd_selinux.8 -@@ -0,0 +1,99 @@ +@@ -0,0 +1,101 @@ +.TH "lwregd_selinux" "8" "lwregd" "dwalsh@redhat.com" "lwregd SELinux Policy documentation" +.SH "NAME" +lwregd_selinux \- Security Enhanced Linux Policy for the lwregd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the lwregd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -26284,7 +27450,7 @@ index 0000000..e954cd1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26329,17 +27495,19 @@ index 0000000..e954cd1 +selinux(8), lwregd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lwsmd_selinux.8 b/man/man8/lwsmd_selinux.8 new file mode 100644 -index 0000000..96c1b69 +index 0000000..5fc974a --- /dev/null 
+++ b/man/man8/lwsmd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "lwsmd_selinux" "8" "lwsmd" "dwalsh@redhat.com" "lwsmd SELinux Policy documentation" +.SH "NAME" +lwsmd_selinux \- Security Enhanced Linux Policy for the lwsmd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the lwsmd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -26385,7 +27553,7 @@ index 0000000..96c1b69 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26430,27 +27598,27 @@ index 0000000..96c1b69 +selinux(8), lwsmd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mail_selinux.8 b/man/man8/mail_selinux.8 new file mode 100644 -index 0000000..bd12996 +index 0000000..da63ab9 --- /dev/null 
+++ b/man/man8/mail_selinux.8 -@@ -0,0 +1,277 @@ +@@ -0,0 +1,293 @@ +.TH "mail_selinux" "8" "mail" "dwalsh@redhat.com" "mail SELinux Policy documentation" +.SH "NAME" +mail_selinux \- Security Enhanced Linux Policy for the mail processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the mail processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mail with the tightest access possible. + + +.PP -+If you want to allow postfix_local domain full write access to mail_spool directorie, you must turn on the allow_postfix_local_write_mail_spool boolean. ++If you want to allow postfix_local domain full write access to mail_spool directorie, you must turn on the postfix_local_write_mail_spool boolean. + +.EX -+.B setsebool -P allow_postfix_local_write_mail_spool 1 ++.B setsebool -P postfix_local_write_mail_spool 1 +.EE + +.PP @@ -26474,6 +27642,22 @@ index 0000000..bd12996 +.B setsebool -P gitosis_can_sendmail 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_mail_t, mailman_cgi_t, mailman_queue_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mailman_mail_t, mailman_cgi_t, mailman_queue_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -26503,7 +27687,7 @@ index 0000000..bd12996 +.br +.TP 5 +Paths: -+/root/\.forward, /root/.mailrc, /root/dead.letter ++/root/\.mailrc, /root/dead\.letter, /root/\.esmtp_queue, /root/\.forward + +.EX +.PP 
@@ -26638,7 +27822,7 @@ index 0000000..bd12996 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26665,7 +27849,7 @@ index 0000000..bd12996 + + +Default Defined Ports: -+tcp 8021 ++tcp 2000,3905 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -26714,23 +27898,33 @@ index 0000000..bd12996 \ No newline at end of file diff --git a/man/man8/mailman_selinux.8 b/man/man8/mailman_selinux.8 new file mode 100644 -index 0000000..2cc348b +index 0000000..02ff223 --- /dev/null 
+++ b/man/man8/mailman_selinux.8 -@@ -0,0 +1,169 @@ +@@ -0,0 +1,179 @@ +.TH "mailman_selinux" "8" "mailman" "dwalsh@redhat.com" "mailman SELinux Policy documentation" +.SH "NAME" +mailman_selinux \- Security Enhanced Linux Policy for the mailman processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mailman -+(Mailman is for managing electronic mail discussion and e-newsletter lists) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mailman processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mailman_mail_t, mailman_cgi_t, mailman_queue_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mailman_mail_t, mailman_cgi_t, mailman_queue_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -26844,7 +28038,7 @@ index 0000000..2cc348b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26889,23 +28083,19 @@ index 0000000..2cc348b +selinux(8), mailman(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/matahari_selinux.8 b/man/man8/matahari_selinux.8 new file mode 100644 -index 0000000..6cbe09a +index 0000000..9c085f6 --- /dev/null 
+++ b/man/man8/matahari_selinux.8 -@@ -0,0 +1,243 @@ +@@ -0,0 +1,225 @@ +.TH "matahari_selinux" "8" "matahari" "dwalsh@redhat.com" "matahari SELinux Policy documentation" +.SH "NAME" +matahari_selinux \- Security Enhanced Linux Policy for the matahari processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B matahari -+(policy for matahari) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the matahari processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -26937,10 +28127,6 @@ index 0000000..6cbe09a + +- Set files with the matahari_hostd_unit_file_t type, if you want to treat the files as matahari hostd unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/matahari-host\.service, /lib/systemd/system/matahari-host\.service + +.EX +.PP @@ -26952,7 +28138,7 @@ index 0000000..6cbe09a +.br +.TP 5 +Paths: -+/etc/rc\.d/init\.d/matahari-sysconfig, /etc/rc\.d/init\.d/matahari-host, /etc/rc\.d/init\.d/matahari-service, /etc/init.d/matahari-sysconfig-console, /etc/rc\.d/init\.d/matahari-net ++/etc/rc\.d/init\.d/matahari-sysconfig, /etc/rc\.d/init\.d/matahari-host, /etc/rc\.d/init\.d/matahari-service, /etc/rc\.d/init.d/matahari-sysconfig-console, /etc/rc\.d/init\.d/matahari-net + +.EX +.PP @@ -26964,7 +28150,7 @@ index 0000000..6cbe09a +.br +.TP 5 +Paths: -+/usr/sbin/matahari-qmf-networkd, /usr/sbin/matahari-dbus-networkd, /usr/sbin/matahari-netd ++/usr/sbin/matahari-qmf-networkd, /usr/sbin/matahari-netd, /usr/sbin/matahari-dbus-networkd + +.EX +.PP @@ -26973,10 +28159,6 @@ index 0000000..6cbe09a + +- Set files with the matahari_netd_unit_file_t type, if you want to treat the files as matahari netd unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/matahari-network\.service, /lib/systemd/system/matahari-network\.service + +.EX +.PP 
@@ -26993,10 +28175,6 @@ index 0000000..6cbe09a + +- Set files with the matahari_rpcd_unit_file_t type, if you want to treat the files as matahari rpcd unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/matahari-rpc.service, /lib/systemd/system/matahari-rpc.service + +.EX +.PP @@ -27017,10 +28195,6 @@ index 0000000..6cbe09a + +- Set files with the matahari_serviced_unit_file_t type, if you want to treat the files as matahari serviced unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/matahari-service\.service, /lib/systemd/system/matahari-service\.service + +.EX +.PP @@ -27032,7 +28206,7 @@ index 0000000..6cbe09a +.br +.TP 5 +Paths: -+/usr/sbin/matahari-qmf-sysconfigd, /usr/sbin/matahari-qmf-sysconfig-consoled ++/usr/sbin/matahari-qmf-sysconfig-consoled, /usr/sbin/matahari-dbus-sysconfigd, /usr/sbin/matahari-qmf-sysconfigd + +.EX +.PP @@ -27044,7 +28218,7 @@ index 0000000..6cbe09a +.br +.TP 5 +Paths: -+/usr/lib/systemd/system/matahari-sysconfig-console\.service, /lib/systemd/system/matahari-sysconfig\.service, /usr/lib/systemd/system/matahari-sysconfig\.service, /lib/systemd/system/matahari-sysconfig-console\.service ++/usr/lib/systemd/system/matahari-sysconfig-console.*, /usr/lib/systemd/system/matahari-sysconfig.* + +.EX +.PP @@ -27067,7 +28241,7 @@ index 0000000..6cbe09a +/var/run/matahari(/.*)?, /var/run/matahari\.pid, /var/run/matahari-broker\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -27094,7 +28268,9 @@ index 0000000..6cbe09a + + +Default Defined Ports: -+tcp 8021 ++tcp 49000 ++.EE ++udp 49000 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -27138,23 +28314,19 @@ index 0000000..6cbe09a +selinux(8), matahari(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mcelog_selinux.8 b/man/man8/mcelog_selinux.8 new file mode 100644 -index 0000000..7292383 +index 0000000..263046c --- /dev/null +++ b/man/man8/mcelog_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,89 @@ +.TH "mcelog_selinux" "8" "mcelog" "dwalsh@redhat.com" "mcelog SELinux Policy documentation" +.SH "NAME" +mcelog_selinux \- Security Enhanced Linux Policy for the mcelog processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mcelog -+(policy for mcelog) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mcelog processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -27192,7 +28364,7 @@ index 0000000..7292383 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27237,17 +28409,33 @@ index 0000000..7292383 +selinux(8), mcelog(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mdadm_selinux.8 b/man/man8/mdadm_selinux.8 new file mode 100644 -index 0000000..ab79be5 +index 0000000..b718a98 --- /dev/null 
+++ b/man/man8/mdadm_selinux.8 -@@ -0,0 +1,87 @@ +@@ -0,0 +1,103 @@ +.TH "mdadm_selinux" "8" "mdadm" "dwalsh@redhat.com" "mdadm SELinux Policy documentation" +.SH "NAME" +mdadm_selinux \- Security Enhanced Linux Policy for the mdadm processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the mdadm processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mdadm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the mdadm_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -27285,7 +28473,7 @@ index 0000000..ab79be5 +/var/run/mdadm(/.*)?, /dev/md/.*, /dev/.mdadm\.map + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27330,24 +28518,18 @@ index 0000000..ab79be5 +selinux(8), mdadm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/memcached_selinux.8 b/man/man8/memcached_selinux.8 new file mode 100644 -index 0000000..62d286c +index 0000000..edd0b23 --- /dev/null 
+++ b/man/man8/memcached_selinux.8 -@@ -0,0 +1,138 @@ +@@ -0,0 +1,150 @@ +.TH "memcached_selinux" "8" "memcached" "dwalsh@redhat.com" "memcached SELinux Policy documentation" +.SH "NAME" +memcached_selinux \- Security Enhanced Linux Policy for the memcached processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B memcached -+(high-performance memory object caching system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the memcached processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. memcached policy is extremely flexible and has several booleans that allow you to manipulate the policy and run memcached with the tightest access possible. + @@ -27359,6 +28541,22 @@ index 0000000..62d286c +.B setsebool -P httpd_can_network_memcache 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the memcached_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the memcached_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -27399,7 +28597,7 @@ index 0000000..62d286c +/var/run/ipa_memcached(/.*)?, /var/run/memcached(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -27426,7 +28624,9 @@ index 0000000..62d286c + + +Default Defined Ports: -+tcp 8021 ++tcp 11211 ++.EE ++udp 11211 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -27475,17 +28675,19 @@ index 0000000..62d286c \ No newline at end of file diff --git a/man/man8/mencoder_selinux.8 b/man/man8/mencoder_selinux.8 new file mode 100644 -index 0000000..aa093ee +index 0000000..57779c6 --- /dev/null +++ b/man/man8/mencoder_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "mencoder_selinux" "8" "mencoder" "dwalsh@redhat.com" "mencoder SELinux Policy documentation" +.SH "NAME" +mencoder_selinux \- Security Enhanced Linux Policy for the mencoder processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the mencoder processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -27507,7 +28709,7 @@ index 0000000..aa093ee + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27552,24 +28754,18 @@ index 0000000..aa093ee +selinux(8), mencoder(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mock_selinux.8 b/man/man8/mock_selinux.8 new file mode 100644 -index 0000000..e7cc7e3 +index 0000000..a764af8 --- /dev/null 
+++ b/man/man8/mock_selinux.8 -@@ -0,0 +1,132 @@ +@@ -0,0 +1,142 @@ +.TH "mock_selinux" "8" "mock" "dwalsh@redhat.com" "mock SELinux Policy documentation" +.SH "NAME" +mock_selinux \- Security Enhanced Linux Policy for the mock processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mock -+(policy for mock) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mock processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. mock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mock with the tightest access possible. + @@ -27581,6 +28777,22 @@ index 0000000..e7cc7e3 +.B setsebool -P mock_enable_homedirs 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mock_t, mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mock_t, mock_build_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -27641,7 +28853,7 @@ index 0000000..e7cc7e3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27691,23 +28903,19 @@ index 0000000..e7cc7e3 \ No newline at end of file 
diff --git a/man/man8/modemmanager_selinux.8 b/man/man8/modemmanager_selinux.8 new file mode 100644 -index 0000000..3772dfe +index 0000000..144fd3c --- /dev/null +++ b/man/man8/modemmanager_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "modemmanager_selinux" "8" "modemmanager" "dwalsh@redhat.com" "modemmanager SELinux Policy documentation" +.SH "NAME" +modemmanager_selinux \- Security Enhanced Linux Policy for the modemmanager processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B modemmanager -+(Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the modemmanager processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -27729,7 +28937,7 @@ index 0000000..3772dfe + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27774,17 +28982,19 @@ index 0000000..3772dfe +selinux(8), modemmanager(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mongod_selinux.8 b/man/man8/mongod_selinux.8 new file mode 100644 -index 0000000..7282fb2 +index 0000000..b428089 --- /dev/null 
+++ b/man/man8/mongod_selinux.8 -@@ -0,0 +1,145 @@ +@@ -0,0 +1,151 @@ +.TH "mongod_selinux" "8" "mongod" "dwalsh@redhat.com" "mongod SELinux Policy documentation" +.SH "NAME" +mongod_selinux \- Security Enhanced Linux Policy for the mongod processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the mongod processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -27824,6 +29034,10 @@ index 0000000..7282fb2 + +- Set files with the mongod_log_t type, if you want to treat the data as mongod log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/aeolus-conductor/dbomatic\.log, /var/log/mongodb(/.*)? + +.EX +.PP @@ -27854,7 +29068,7 @@ index 0000000..7282fb2 +/var/run/mongodb(/.*)?, /var/run/aeolus/dbomatic\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27881,7 +29095,7 @@ index 0000000..7282fb2 + + +Default Defined Ports: -+tcp 8021 ++tcp 27017 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -27925,33 +29139,27 @@ index 0000000..7282fb2 +selinux(8), mongod(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mount_selinux.8 b/man/man8/mount_selinux.8 new file mode 100644 -index 0000000..9744fa7 +index 0000000..60bf2ec --- /dev/null 
+++ b/man/man8/mount_selinux.8 -@@ -0,0 +1,131 @@ +@@ -0,0 +1,161 @@ +.TH "mount_selinux" "8" "mount" "dwalsh@redhat.com" "mount SELinux Policy documentation" +.SH "NAME" +mount_selinux \- Security Enhanced Linux Policy for the mount processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mount -+(Policy for mount) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mount processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. mount policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mount with the tightest access possible. + + +.PP -+If you want to allow the mount command to mount any directory or file, you must turn on the allow_mount_anyfile boolean. ++If you want to allow the mount command to mount any directory or file, you must turn on the mount_anyfile boolean. + +.EX -+.B setsebool -P allow_mount_anyfile 1 ++.B setsebool -P mount_anyfile 1 +.EE + +.PP @@ -27961,6 +29169,22 @@ index 0000000..9744fa7 +.B setsebool -P xguest_mount_media 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mount_t, mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mount_t, mount_ecryptfs_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -27974,6 +29198,26 @@ index 0000000..9744fa7 + +.EX +.PP ++.B mount_ecryptfs_exec_t ++.EE ++ ++- Set files with the mount_ecryptfs_exec_t type, if you want to transition an executable to the mount_ecryptfs_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/mount\.ecryptfs_private, /usr/sbin/mount\.ecryptfs, /usr/sbin/umount\.ecryptfs, /usr/sbin/umount\.ecryptfs_private ++ ++.EX ++.PP ++.B mount_ecryptfs_tmpfs_t ++.EE ++ ++- Set files with the mount_ecryptfs_tmpfs_t type, if you want to store mount ecryptfs files on a tmpfs file system. ++ ++ ++.EX ++.PP +.B mount_exec_t +.EE + @@ -28013,7 +29257,7 @@ index 0000000..9744fa7 +/run/mount(/.*)?, /dev/\.mount(/.*)?, /var/run/mount(/.*)?, /var/run/davfs2(/.*)?, /var/cache/davfs2(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28030,7 +29274,7 @@ index 0000000..9744fa7 +The following process types are defined for mount: + +.EX -+.B mount_t ++.B mount_t, mount_ecryptfs_t +.EE +.PP +Note: @@ -28063,24 +29307,18 @@ index 0000000..9744fa7 \ No newline at end of file diff --git a/man/man8/mozilla_selinux.8 b/man/man8/mozilla_selinux.8 new file mode 100644 -index 0000000..2b94a8b +index 0000000..64301cd --- /dev/null 
+++ b/man/man8/mozilla_selinux.8 -@@ -0,0 +1,179 @@ +@@ -0,0 +1,196 @@ +.TH "mozilla_selinux" "8" "mozilla" "dwalsh@redhat.com" "mozilla SELinux Policy documentation" +.SH "NAME" +mozilla_selinux \- Security Enhanced Linux Policy for the mozilla processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mozilla -+(Policy for Mozilla and related web browsers) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mozilla processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. mozilla policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla with the tightest access possible. + @@ -28099,6 +29337,29 @@ index 0000000..2b94a8b +.B setsebool -P unconfined_mozilla_plugin_transition 1 +.EE + ++.PP ++If you want to allow mozilla_plugins to create random content in the users home director, you must turn on the mozilla_plugin_enable_homedirs boolean. ++ ++.EX ++.B setsebool -P mozilla_plugin_enable_homedirs 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -28199,7 +29460,7 @@ index 0000000..2b94a8b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28249,40 +29510,34 @@ index 0000000..2b94a8b \ No newline at end of file diff --git a/man/man8/mpd_selinux.8 b/man/man8/mpd_selinux.8 new file mode 100644 -index 0000000..76210f5 +index 0000000..e8c3b7f --- /dev/null 
+++ b/man/man8/mpd_selinux.8 -@@ -0,0 +1,206 @@ +@@ -0,0 +1,216 @@ +.TH "mpd_selinux" "8" "mpd" "dwalsh@redhat.com" "mpd SELinux Policy documentation" +.SH "NAME" +mpd_selinux \- Security Enhanced Linux Policy for the mpd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mpd -+(Music Player Daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mpd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. mpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mpd with the tightest access possible. + + +.PP -+If you want to allow mplayer executable stac, you must turn on the allow_mplayer_execstack boolean. ++If you want to allow mplayer executable stac, you must turn on the mplayer_execstack boolean. + +.EX -+.B setsebool -P allow_mplayer_execstack 1 ++.B setsebool -P mplayer_execstack 1 +.EE + +.PP -+If you want to allow all daemons to write corefiles to , you must turn on the allow_daemons_dump_core boolean. ++If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the gssd_read_tmp boolean. + +.EX -+.B setsebool -P allow_daemons_dump_core 1 ++.B setsebool -P gssd_read_tmp 1 +.EE + +.PP 
@@ -28300,10 +29555,26 @@ index 0000000..76210f5 +.EE + +.PP -+If you want to allow gssd to read temp directory. For access to kerberos tgt, you must turn on the allow_gssd_read_tmp boolean. ++If you want to allow all daemons to write corefiles to , you must turn on the daemons_dump_core boolean. + +.EX -+.B setsebool -P allow_gssd_read_tmp 1 ++.B setsebool -P daemons_dump_core 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mpd_t, mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mpd_t, mplayer_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 +.EE + +.SH FILE CONTEXTS @@ -28386,7 +29657,7 @@ index 0000000..76210f5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28413,7 +29684,7 @@ index 0000000..76210f5 + + +Default Defined Ports: -+tcp 8021 ++tcp 6600 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -28462,33 +29733,27 @@ index 0000000..76210f5 \ No newline at end of file diff --git a/man/man8/mplayer_selinux.8 b/man/man8/mplayer_selinux.8 new file mode 100644 -index 0000000..0098b19 +index 0000000..1413f1e --- /dev/null 
+++ b/man/man8/mplayer_selinux.8 -@@ -0,0 +1,127 @@ +@@ -0,0 +1,137 @@ +.TH "mplayer_selinux" "8" "mplayer" "dwalsh@redhat.com" "mplayer SELinux Policy documentation" +.SH "NAME" +mplayer_selinux \- Security Enhanced Linux Policy for the mplayer processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mplayer -+(Mplayer media player and encoder) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mplayer processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. mplayer policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mplayer with the tightest access possible. + + +.PP -+If you want to allow mplayer executable stac, you must turn on the allow_mplayer_execstack boolean. ++If you want to allow mplayer executable stac, you must turn on the mplayer_execstack boolean. + +.EX -+.B setsebool -P allow_mplayer_execstack 1 ++.B setsebool -P mplayer_execstack 1 +.EE + +.PP @@ -28498,6 +29763,22 @@ index 0000000..0098b19 +.B setsebool -P unconfined_mplayer 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mplayer_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -28546,7 +29827,7 @@ index 0000000..0098b19 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28596,23 +29877,33 @@ index 0000000..0098b19 \ No newline at end of file diff --git a/man/man8/mrtg_selinux.8 b/man/man8/mrtg_selinux.8 new file mode 100644 -index 0000000..0ca59e6 +index 0000000..cc7f765 --- /dev/null +++ b/man/man8/mrtg_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,131 @@ +.TH "mrtg_selinux" "8" "mrtg" "dwalsh@redhat.com" "mrtg SELinux Policy documentation" +.SH "NAME" +mrtg_selinux \- Security Enhanced Linux Policy for the mrtg processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mrtg -+(Network traffic graphing) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mrtg processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mrtg_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mrtg_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -28678,7 +29969,7 @@ index 0000000..0ca59e6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28723,17 +30014,17 @@ index 0000000..0ca59e6 +selinux(8), mrtg(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mscan_selinux.8 b/man/man8/mscan_selinux.8 new file mode 100644 -index 0000000..1b9091c +index 0000000..2ff3a45 --- /dev/null +++ b/man/man8/mscan_selinux.8 -@@ -0,0 +1,122 @@ +@@ -0,0 +1,145 @@ +.TH "mscan_selinux" "8" "mscan" "dwalsh@redhat.com" "mscan SELinux Policy documentation" +.SH "NAME" +mscan_selinux \- Security Enhanced Linux Policy for the mscan processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the mscan processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mscan with the tightest access possible. 
@@ -28746,6 +30037,29 @@ index 0000000..1b9091c +.B setsebool -P clamscan_read_user_content 1 +.EE + ++.PP ++If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. ++ ++.EX ++.B setsebool -P clamscan_can_scan_system 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mscan_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mscan_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -28802,7 +30116,7 @@ index 0000000..1b9091c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28852,23 +30166,33 @@ index 0000000..1b9091c \ No newline at end of file diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8 new file mode 100644 -index 0000000..17b161d +index 0000000..214e09d --- /dev/null 
+++ b/man/man8/munin_selinux.8 -@@ -0,0 +1,163 @@ +@@ -0,0 +1,175 @@ +.TH "munin_selinux" "8" "munin" "dwalsh@redhat.com" "munin SELinux Policy documentation" +.SH "NAME" +munin_selinux \- Security Enhanced Linux Policy for the munin processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B munin -+(Munin network-wide load graphing (formerly LRRD)) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the munin processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the munin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the munin_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -28950,7 +30274,7 @@ index 0000000..17b161d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28977,7 +30301,9 @@ index 0000000..17b161d + + +Default Defined Ports: -+tcp 8021 ++tcp 4949 ++.EE ++udp 4949 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -29021,34 +30347,50 @@ index 0000000..17b161d +selinux(8), munin(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mysqld_selinux.8 b/man/man8/mysqld_selinux.8 new file mode 100644 -index 0000000..9f5bb25 +index 0000000..0b738df --- /dev/null 
+++ b/man/man8/mysqld_selinux.8 -@@ -0,0 +1,214 @@ +@@ -0,0 +1,230 @@ +.TH "mysqld_selinux" "8" "mysqld" "dwalsh@redhat.com" "mysqld SELinux Policy documentation" +.SH "NAME" +mysqld_selinux \- Security Enhanced Linux Policy for the mysqld processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the mysqld processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mysqld policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mysqld with the tightest access possible. + + +.PP -+If you want to allow users to connect to the local mysql serve, you must turn on the allow_user_mysql_connect boolean. ++If you want to allow mysqld to connect to all port, you must turn on the mysql_connect_any boolean. + +.EX -+.B setsebool -P allow_user_mysql_connect 1 ++.B setsebool -P mysql_connect_any 1 +.EE + +.PP -+If you want to allow mysqld to connect to all port, you must turn on the mysql_connect_any boolean. ++If you want to allow users to connect to the local mysql serve, you must turn on the user_mysql_connect boolean. + +.EX -+.B setsebool -P mysql_connect_any 1 ++.B setsebool -P user_mysql_connect 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the mysqld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mysqld_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 +.EE + +.SH FILE CONTEXTS @@ -29092,7 +30434,7 @@ index 0000000..9f5bb25 +.br +.TP 5 +Paths: -+/usr/libexec/mysqld, /usr/sbin/mysqld(-max)? ++/usr/libexec/mysqld, /usr/bin/mysql_upgrade, /usr/sbin/mysqld(-max)?, /usr/sbin/ndbd + +.EX +.PP 
@@ -29155,7 +30497,7 @@ index 0000000..9f5bb25 +/var/run/mysqld(/.*)?, /var/lib/mysql/mysql\.sock + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29182,7 +30524,7 @@ index 0000000..9f5bb25 + + +Default Defined Ports: -+tcp 8021 ++tcp 1186,3306,63132-63164 +.EE + +.EX @@ -29193,7 +30535,7 @@ index 0000000..9f5bb25 + + +Default Defined Ports: -+tcp 8021 ++tcp 2273 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -29242,17 +30584,19 @@ index 0000000..9f5bb25 \ No newline at end of file diff --git a/man/man8/mysqlmanagerd_selinux.8 b/man/man8/mysqlmanagerd_selinux.8 new file mode 100644 -index 0000000..6bce1f8 +index 0000000..8b2a8e0 --- /dev/null +++ b/man/man8/mysqlmanagerd_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,115 @@ +.TH "mysqlmanagerd_selinux" "8" "mysqlmanagerd" "dwalsh@redhat.com" "mysqlmanagerd SELinux Policy documentation" +.SH "NAME" +mysqlmanagerd_selinux \- Security Enhanced Linux Policy for the mysqlmanagerd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the mysqlmanagerd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -29290,7 +30634,7 @@ index 0000000..6bce1f8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29317,7 +30661,7 @@ index 0000000..6bce1f8 + + +Default Defined Ports: -+tcp 8021 ++tcp 2273 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -29361,23 +30705,33 @@ index 0000000..6bce1f8 +selinux(8), mysqlmanagerd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nagios_selinux.8 b/man/man8/nagios_selinux.8 new file mode 100644 -index 0000000..c1343c2 +index 0000000..42e0804 --- /dev/null 
+++ b/man/man8/nagios_selinux.8 -@@ -0,0 +1,225 @@ +@@ -0,0 +1,235 @@ +.TH "nagios_selinux" "8" "nagios" "dwalsh@redhat.com" "nagios SELinux Policy documentation" +.SH "NAME" +nagios_selinux \- Security Enhanced Linux Policy for the nagios processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B nagios -+(Net Saint / NAGIOS - network monitoring server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the nagios processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nagios_services_plugin_t, nagios_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nagios_services_plugin_t, nagios_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -29484,7 +30838,7 @@ index 0000000..c1343c2 +.br +.TP 5 +Paths: -+/usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_ircd, /usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_icmp, /usr/lib/nagios/plugins/check_http, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_mysql_query, /usr/lib/nagios/plugins/check_dns ++/usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_ircd, 
/usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_mysql_query, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_icmp, /usr/lib/nagios/plugins/check_http, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_dns + +.EX +.PP @@ -29504,7 +30858,7 @@ index 0000000..c1343c2 +.br +.TP 5 +Paths: -+/usr/lib/nagios/plugins/check_log, /usr/lib/nagios/plugins/check_load, /usr/lib/nagios/plugins/check_flexlm, /usr/lib/nagios/plugins/check_swap, /usr/lib/nagios/plugins/check_users, /usr/lib/nagios/plugins/check_ifstatus, /usr/lib/nagios/plugins/check_ifoperstatus, /usr/lib/nagios/plugins/check_nagios, /usr/lib/nagios/plugins/check_sensors, /usr/lib/nagios/plugins/check_wave, /usr/lib/nagios/plugins/check_mrtgtraf, /usr/lib/nagios/plugins/check_nwstat, /usr/lib/nagios/plugins/check_procs, /usr/lib/nagios/plugins/check_mrtg, /usr/lib/nagios/plugins/check_overcr ++/usr/lib/nagios/plugins/check_log, /usr/lib/nagios/plugins/check_load, /usr/lib/nagios/plugins/check_nwstat, /usr/lib/nagios/plugins/check_flexlm, /usr/lib/nagios/plugins/check_swap, /usr/lib/nagios/plugins/check_users, /usr/lib/nagios/plugins/check_ifstatus, /usr/lib/nagios/plugins/check_ifoperstatus, /usr/lib/nagios/plugins/check_nagios, /usr/lib/nagios/plugins/check_wave, /usr/lib/nagios/plugins/check_mrtgtraf, /usr/lib/nagios/plugins/check_procs, /usr/lib/nagios/plugins/check_sensors, /usr/lib/nagios/plugins/check_mrtg, /usr/lib/nagios/plugins/check_overcr + +.EX +.PP 
@@ -29547,7 +30901,7 @@ index 0000000..c1343c2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29591,10 +30945,10 @@ index 0000000..c1343c2 +.SH "SEE ALSO" +selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8 -index fce0b48..653c29b 100644 +index fce0b48..9f6f9d8 100644 --- a/man/man8/named_selinux.8 +++ b/man/man8/named_selinux.8 -@@ -1,30 +1,211 @@ +@@ -1,30 +1,221 @@ -.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation" -.de EX -.nf @@ -29611,15 +30965,9 @@ index fce0b48..653c29b 100644 .SH "DESCRIPTION" -Security-Enhanced Linux secures the named server via flexible mandatory access -+ -+SELinux Linux secures -+.B named -+(Berkeley internet name domain DNS server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the named processes via flexible mandatory access control. + -+ -+ .SH BOOLEANS -SELinux policy is customizable based on least access required. So by -default SELinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean. 
@@ -29646,6 +30994,22 @@ index fce0b48..653c29b 100644 +.B setsebool -P named_bind_http_port 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the namespace_init_t, named_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the namespace_init_t, named_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -29707,12 +31071,12 @@ index fce0b48..653c29b 100644 +.EE + +- Set files with the named_initrc_exec_t type, if you want to transition an executable to the named_initrc_t domain. -+ + +.br +.TP 5 +Paths: +/etc/rc\.d/init\.d/named, /etc/rc\.d/init\.d/unbound -+ + +.EX +.PP +.B named_keytab_t @@ -29751,15 +31115,15 @@ index fce0b48..653c29b 100644 +.br +.TP 5 +Paths: -+/lib/systemd/system/named.service, /usr/lib/systemd/system/named.service, /lib/systemd/system/unbound.service, /lib/systemd/system/unbound-keygen.service ++/usr/lib/systemd/system/unbound.*, /usr/lib/systemd/system/named.* + +.EX +.PP +.B named_var_run_t +.EE - ++ +- Set files with the named_var_run_t type, if you want to store the named files under the /run directory. - ++ +.br +.TP 5 +Paths: @@ -29778,7 +31142,7 @@ index fce0b48..653c29b 100644 +/var/named/chroot/var/named(/.*)?, /var/named(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -29828,23 +31192,33 @@ index fce0b48..653c29b 100644 \ No newline at end of file diff --git a/man/man8/namespace_selinux.8 b/man/man8/namespace_selinux.8 new file mode 100644 -index 0000000..7572442 +index 0000000..75eb5b6 --- /dev/null +++ b/man/man8/namespace_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,87 @@ +.TH "namespace_selinux" "8" "namespace" "dwalsh@redhat.com" "namespace SELinux Policy documentation" +.SH "NAME" +namespace_selinux \- Security Enhanced Linux Policy for the namespace processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B namespace -+(policy for namespace) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the namespace processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the namespace_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the namespace_init_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -29866,7 +31240,7 @@ index 0000000..7572442 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29911,23 +31285,19 @@ index 0000000..7572442 +selinux(8), namespace(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/ncftool_selinux.8 b/man/man8/ncftool_selinux.8 new file mode 100644 -index 0000000..394997f +index 0000000..35fe63a --- /dev/null +++ b/man/man8/ncftool_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "ncftool_selinux" "8" "ncftool" "dwalsh@redhat.com" "ncftool SELinux Policy documentation" +.SH "NAME" +ncftool_selinux \- Security Enhanced Linux Policy for the ncftool processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ncftool -+(Netcf network configuration tool (ncftool)) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ncftool processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -29949,7 +31319,7 @@ index 0000000..394997f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29994,17 +31364,33 @@ index 0000000..394997f +selinux(8), ncftool(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ndc_selinux.8 b/man/man8/ndc_selinux.8 new file mode 100644 -index 0000000..fe49fef +index 0000000..5d9e693 --- /dev/null 
+++ b/man/man8/ndc_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,87 @@ +.TH "ndc_selinux" "8" "ndc" "dwalsh@redhat.com" "ndc SELinux Policy documentation" +.SH "NAME" +ndc_selinux \- Security Enhanced Linux Policy for the ndc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ndc processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ndc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ndc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -30026,7 +31412,7 @@ index 0000000..fe49fef + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30071,23 +31457,19 @@ index 0000000..fe49fef +selinux(8), ndc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/netlabel_selinux.8 b/man/man8/netlabel_selinux.8 new file mode 100644 -index 0000000..8d7e496 +index 0000000..ef88282 --- /dev/null 
+++ b/man/man8/netlabel_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,77 @@ +.TH "netlabel_selinux" "8" "netlabel" "dwalsh@redhat.com" "netlabel SELinux Policy documentation" +.SH "NAME" +netlabel_selinux \- Security Enhanced Linux Policy for the netlabel processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B netlabel -+(NetLabel/CIPSO labeled networking management) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the netlabel processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -30113,7 +31495,7 @@ index 0000000..8d7e496 +/sbin/netlabelctl, /usr/sbin/netlabelctl + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30158,17 +31540,19 @@ index 0000000..8d7e496 +selinux(8), netlabel(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/netlogond_selinux.8 b/man/man8/netlogond_selinux.8 new file mode 100644 -index 0000000..3e7dc32 +index 0000000..2567762 --- /dev/null +++ b/man/man8/netlogond_selinux.8 -@@ -0,0 +1,99 @@ +@@ -0,0 +1,101 @@ +.TH "netlogond_selinux" "8" "netlogond" "dwalsh@redhat.com" "netlogond SELinux Policy documentation" +.SH "NAME" +netlogond_selinux \- Security Enhanced Linux Policy for the netlogond processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the netlogond processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -30218,7 +31602,7 @@ index 0000000..3e7dc32 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30263,23 +31647,33 @@ index 0000000..3e7dc32 +selinux(8), netlogond(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/netutils_selinux.8 b/man/man8/netutils_selinux.8 new file mode 100644 -index 0000000..55eb6c1 +index 0000000..bd2a11b --- /dev/null +++ b/man/man8/netutils_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,99 @@ +.TH "netutils_selinux" "8" "netutils" "dwalsh@redhat.com" "netutils SELinux Policy documentation" +.SH "NAME" +netutils_selinux \- Security Enhanced Linux Policy for the netutils processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B netutils -+(Network analysis utilities) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the netutils processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the netutils_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the netutils_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -30313,7 +31707,7 @@ index 0000000..55eb6c1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30358,17 +31752,33 @@ index 0000000..55eb6c1 +selinux(8), netutils(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/newrole_selinux.8 b/man/man8/newrole_selinux.8 new file mode 100644 -index 0000000..bdc4376 +index 0000000..ab0d67b --- /dev/null +++ b/man/man8/newrole_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,87 @@ +.TH "newrole_selinux" "8" "newrole" "dwalsh@redhat.com" "newrole SELinux Policy documentation" +.SH "NAME" +newrole_selinux \- Security Enhanced Linux Policy for the newrole processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the newrole processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the newrole_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the newrole_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -30390,7 +31800,7 @@ index 0000000..bdc4376 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30435,17 +31845,17 @@ index 0000000..bdc4376 +selinux(8), newrole(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nfsd_selinux.8 b/man/man8/nfsd_selinux.8 new file mode 100644 -index 0000000..e664bc1 +index 0000000..a1df581 --- /dev/null +++ b/man/man8/nfsd_selinux.8 -@@ -0,0 +1,284 @@ +@@ -0,0 +1,304 @@ +.TH "nfsd_selinux" "8" "nfsd" "dwalsh@redhat.com" "nfsd SELinux Policy documentation" +.SH "NAME" +nfsd_selinux \- Security Enhanced Linux Policy for the nfsd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the nfsd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. nfsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nfsd with the tightest access possible. 
@@ -30466,24 +31876,24 @@ index 0000000..e664bc1 +.EE + +.PP -+If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the allow_ftpd_use_nfs boolean. ++If you want to determine whether Git system daemon can access nfs file systems, you must turn on the git_system_use_nfs boolean. + +.EX -+.B setsebool -P allow_ftpd_use_nfs 1 ++.B setsebool -P git_system_use_nfs 1 +.EE + +.PP -+If you want to allow Git daemon system to access nfs file systems, you must turn on the git_system_use_nfs boolean. ++If you want to allow qemu to use nfs file system, you must turn on the qemu_use_nfs boolean. + +.EX -+.B setsebool -P git_system_use_nfs 1 ++.B setsebool -P qemu_use_nfs 1 +.EE + +.PP -+If you want to allow qemu to use nfs file system, you must turn on the qemu_use_nfs boolean. ++If you want to determine whether Git CGI can access nfs file systems, you must turn on the git_cgi_use_nfs boolean. + +.EX -+.B setsebool -P qemu_use_nfs 1 ++.B setsebool -P git_cgi_use_nfs 1 +.EE + +.PP @@ -30494,6 +31904,13 @@ index 0000000..e664bc1 +.EE + +.PP ++If you want to support NFS home directorie, you must turn on the use_nfs_home_dirs boolean. ++ ++.EX ++.B setsebool -P use_nfs_home_dirs 1 ++.EE ++ ++.PP +If you want to allow Cobbler to access nfs file systems, you must turn on the cobbler_use_nfs boolean. + +.EX @@ -30536,6 +31953,13 @@ index 0000000..e664bc1 +.EE + +.PP ++If you want to allow ftp servers to use nfs used for public file transfer services, you must turn on the ftpd_use_nfs boolean. ++ ++.EX ++.B setsebool -P ftpd_use_nfs 1 ++.EE ++ ++.PP +If you want to determine whether Polipo can access nfs file systems, you must turn on the polipo_use_nfs boolean. + +.EX 
@@ -30543,10 +31967,10 @@ index 0000000..e664bc1 +.EE + +.PP -+If you want to support NFS home directorie, you must turn on the use_nfs_home_dirs boolean. ++If you want to allow the portage domains to use NFS mounts (regular nfs_t, you must turn on the portage_use_nfs boolean. + +.EX -+.B setsebool -P use_nfs_home_dirs 1 ++.B setsebool -P portage_use_nfs 1 +.EE + +.PP @@ -30556,6 +31980,22 @@ index 0000000..e664bc1 +.B setsebool -P nfs_export_all_ro 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nfsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nfsd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. +.TP @@ -30567,7 +32007,7 @@ index 0000000..e664bc1 +.B restorecon -F -R -v /var/nfsd +.pp +.TP -+Allow nfsd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_nfsd_anon_write boolean to be set. ++Allow nfsd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_nfsdd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/nfsd/incoming(/.*)?" 
@@ -30576,10 +32016,10 @@ index 0000000..e664bc1 + + +.PP -+If you want to allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the allow_nfsd_anon_write boolean. ++If you want to allow nfs servers to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the nfsd_anon_write boolean. + +.EX -+.B setsebool -P allow_nfsd_anon_write 1 ++.B setsebool -P nfsd_anon_write 1 +.EE + +.SH FILE CONTEXTS @@ -30595,14 +32035,6 @@ index 0000000..e664bc1 + +.EX +.PP -+.B nfs_t -+.EE -+ -+- Set files with the nfs_t type, if you want to treat the files as nfs data. -+ -+ -+.EX -+.PP +.B nfsd_exec_t +.EE + @@ -30644,13 +32076,9 @@ index 0000000..e664bc1 + +- Set files with the nfsd_unit_file_t type, if you want to treat the files as nfsd unit content. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/system/nfs.*, /usr/lib/systemd/system/nfs.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30677,7 +32105,9 @@ index 0000000..e664bc1 + + +Default Defined Ports: -+tcp 8021 ++tcp 2049,20048-20049 ++.EE ++udp 2049,20048-20049 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -30835,17 +32265,33 @@ index 0000000..87983d6 +selinux(8), nginx(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nmbd_selinux.8 b/man/man8/nmbd_selinux.8 new file mode 100644 -index 0000000..bfcd1db +index 0000000..0a4ae8d --- /dev/null 
+++ b/man/man8/nmbd_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,125 @@ +.TH "nmbd_selinux" "8" "nmbd" "dwalsh@redhat.com" "nmbd SELinux Policy documentation" +.SH "NAME" +nmbd_selinux \- Security Enhanced Linux Policy for the nmbd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the nmbd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nmbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nmbd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -30876,10 +32322,10 @@ index 0000000..bfcd1db +.br +.TP 5 +Paths: -+/var/run/samba/messages\.tdb, /var/run/samba/namelist\.debug, /var/run/nmbd(/.*)?, /var/run/samba/unexpected\.tdb, /var/run/samba/nmbd\.pid ++/var/run/samba/nmbd(/.*)?, /var/run/samba/messages\.tdb, /var/run/samba/namelist\.debug, /var/run/nmbd(/.*)?, /var/run/samba/unexpected\.tdb, /var/run/samba/nmbd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30906,7 +32352,7 @@ index 0000000..bfcd1db + + +Default Defined Ports: -+tcp 8021 ++udp 137,138 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -30950,23 +32396,33 @@ index 0000000..bfcd1db +selinux(8), nmbd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nova_selinux.8 b/man/man8/nova_selinux.8 new file mode 100644 -index 0000000..c55585f +index 0000000..33138c0 --- /dev/null +++ b/man/man8/nova_selinux.8 -@@ -0,0 +1,365 @@ +@@ -0,0 +1,383 @@ +.TH "nova_selinux" "8" "nova" "dwalsh@redhat.com" "nova SELinux Policy documentation" +.SH "NAME" +nova_selinux \- Security Enhanced Linux Policy for the nova processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B nova -+(openstack-nova) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the nova processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nova_console_t, nova_cert_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nova_console_t, nova_cert_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -31010,6 +32466,10 @@ index 0000000..c55585f + +- Set files with the nova_api_exec_t type, if you want to transition an executable to the nova_api_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/nova-api, /usr//bin/nova-api-metadata + +.EX +.PP @@ -31029,7 +32489,7 @@ index 0000000..c55585f +.br +.TP 5 +Paths: -+/usr/lib/systemd/system/openstack-nova-api\.service, /lib/systemd/system/openstack-nova-api\.service ++/usr/lib/systemd/system/openstack-nova-metadata-api.service.*, /usr/lib/systemd/system/openstack-nova-api.* + +.EX +.PP 
@@ -31054,10 +32514,6 @@ index 0000000..c55585f + +- Set files with the nova_cert_unit_file_t type, if you want to treat the files as nova cert unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/openstack-nova-cert\.service, /lib/systemd/system/openstack-nova-cert\.service + +.EX +.PP @@ -31085,6 +32541,30 @@ index 0000000..c55585f + +.EX +.PP ++.B nova_console_exec_t ++.EE ++ ++- Set files with the nova_console_exec_t type, if you want to transition an executable to the nova_console_t domain. ++ ++ ++.EX ++.PP ++.B nova_console_tmp_t ++.EE ++ ++- Set files with the nova_console_tmp_t type, if you want to store nova console temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B nova_console_unit_file_t ++.EE ++ ++- Set files with the nova_console_unit_file_t type, if you want to treat the files as nova console unit content. ++ ++ ++.EX ++.PP +.B nova_direct_exec_t +.EE + @@ -31106,10 +32586,6 @@ index 0000000..c55585f + +- Set files with the nova_direct_unit_file_t type, if you want to treat the files as nova direct unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/openstack-nova-ajax-console-proxy\.service, /lib/systemd/system/openstack-nova-direct-api\.service, /lib/systemd/system/openstack-nova-ajax-console-proxy\.service, /usr/lib/systemd/system/openstack-nova-direct-api\.service + +.EX +.PP @@ -31142,10 +32618,6 @@ index 0000000..c55585f + +- Set files with the nova_network_unit_file_t type, if you want to treat the files as nova network unit content. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/system/openstack-nova-network\.service, /usr/lib/systemd/system/openstack-nova-network\.service + +.EX +.PP @@ -31170,10 +32642,6 @@ index 0000000..c55585f + +- Set files with the nova_objectstore_unit_file_t type, if you want to treat the files as nova objectstore unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/openstack-nova-objectstore\.service, /lib/systemd/system/openstack-nova-objectstore\.service + +.EX +.PP 
@@ -31198,10 +32666,6 @@ index 0000000..c55585f + +- Set files with the nova_scheduler_unit_file_t type, if you want to treat the files as nova scheduler unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/openstack-nova-scheduler\.service, /lib/systemd/system/openstack-nova-scheduler\.service + +.EX +.PP @@ -31226,6 +32690,10 @@ index 0000000..c55585f + +- Set files with the nova_vncproxy_exec_t type, if you want to transition an executable to the nova_vncproxy_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/nova-vncproxy, /usr/bin/nova-xvpvncproxy + +.EX +.PP @@ -31245,7 +32713,7 @@ index 0000000..c55585f +.br +.TP 5 +Paths: -+/lib/systemd/system/openstack-nova-vncproxy\.service, /usr/lib/systemd/system/openstack-nova-vncproxy\.service ++/usr/lib/systemd/system/openstack-nova-xvpvncproxy.*, /usr/lib/systemd/system/openstack-nova-vncproxy.* + +.EX +.PP @@ -31270,13 +32738,9 @@ index 0000000..c55585f + +- Set files with the nova_volume_unit_file_t type, if you want to treat the files as nova volume unit content. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/system/openstack-nova-volume\.service, /usr/lib/systemd/system/openstack-nova-volume\.service + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -31293,7 +32757,116 @@ index 0000000..c55585f +The following process types are defined for nova: + +.EX -+.B nova_api_t, nova_compute_t, nova_network_t, nova_objectstore_t, nova_vncproxy_t, nova_volume_t, nova_scheduler_t, nova_ajax_t, nova_cert_t, nova_direct_t ++.B nova_api_t, nova_compute_t, nova_console_t, nova_network_t, nova_objectstore_t, nova_vncproxy_t, nova_volume_t, nova_scheduler_t, nova_ajax_t, nova_cert_t, nova_direct_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), nova(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/nrpe_selinux.8 b/man/man8/nrpe_selinux.8 +new file mode 100644 +index 0000000..6652860 +--- /dev/null ++++ b/man/man8/nrpe_selinux.8 +@@ -0,0 +1,103 @@ ++.TH "nrpe_selinux" "8" "nrpe" "dwalsh@redhat.com" "nrpe SELinux Policy documentation" ++.SH "NAME" ++nrpe_selinux \- Security Enhanced Linux Policy for the nrpe processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the nrpe processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nrpe_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nrpe_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux nrpe policy is very flexible allowing users to setup their nrpe processes in as secure a method as possible. ++.PP ++The following file types are defined for nrpe: ++ ++ ++.EX ++.PP ++.B nrpe_etc_t ++.EE ++ ++- Set files with the nrpe_etc_t type, if you want to store nrpe files in the /etc directories. ++ ++ ++.EX ++.PP ++.B nrpe_exec_t ++.EE ++ ++- Set files with the nrpe_exec_t type, if you want to transition an executable to the nrpe_t domain. ++ ++ ++.EX ++.PP ++.B nrpe_var_run_t ++.EE ++ ++- Set files with the nrpe_var_run_t type, if you want to store the nrpe files under the /run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux nrpe policy is very flexible allowing users to setup their nrpe processes in as secure a method as possible. ++.PP ++The following process types are defined for nrpe: ++ ++.EX ++.B nrpe_t +.EE +.PP +Note: 
@@ -31318,129 +32891,46 @@ index 0000000..c55585f +This manual page was autogenerated by genman.py. + +.SH "SEE ALSO" -+selinux(8), nova(8), semanage(8), restorecon(8), chcon(1) -diff --git a/man/man8/nrpe_selinux.8 b/man/man8/nrpe_selinux.8 ++selinux(8), nrpe(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/nscd_selinux.8 b/man/man8/nscd_selinux.8 new file mode 100644 -index 0000000..f6a3c05 +index 0000000..3500305 
--- /dev/null -+++ b/man/man8/nrpe_selinux.8 -@@ -0,0 +1,87 @@ -+.TH "nrpe_selinux" "8" "nrpe" "dwalsh@redhat.com" "nrpe SELinux Policy documentation" ++++ b/man/man8/nscd_selinux.8 +@@ -0,0 +1,138 @@ ++.TH "nscd_selinux" "8" "nscd" "dwalsh@redhat.com" "nscd SELinux Policy documentation" +.SH "NAME" -+nrpe_selinux \- Security Enhanced Linux Policy for the nrpe processes ++nscd_selinux \- Security Enhanced Linux Policy for the nscd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the nscd processes via flexible mandatory access ++control. + ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. nscd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nscd with the tightest access possible. + + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux nrpe policy is very flexible allowing users to setup their nrpe processes in as secure a method as possible. -+.PP -+The following file types are defined for nrpe: -+ ++If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. + +.EX -+.PP -+.B nrpe_etc_t ++.B setsebool -P nscd_use_shm 1 +.EE + -+- Set files with the nrpe_etc_t type, if you want to store nrpe files in the /etc directories. -+ ++.SH NSSWITCH DOMAIN + -+.EX +.PP -+.B nrpe_exec_t -+.EE -+ -+- Set files with the nrpe_exec_t type, if you want to transition an executable to the nrpe_t domain. -+ ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nscd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
+ +.EX -+.PP -+.B nrpe_var_run_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the nrpe_var_run_t type, if you want to store the nrpe files under the /run directory. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP +.PP -+Policy governs the access confined processes have to files. -+SELinux nrpe policy is very flexible allowing users to setup their nrpe processes in as secure a method as possible. -+.PP -+The following process types are defined for nrpe: ++If you want to allow confined applications to run with kerberos for the nscd_t, you must turn on the kerberos_enabled boolean. + +.EX -+.B nrpe_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was autogenerated by genman.py. 
-+ -+.SH "SEE ALSO" -+selinux(8), nrpe(8), semanage(8), restorecon(8), chcon(1) -diff --git a/man/man8/nscd_selinux.8 b/man/man8/nscd_selinux.8 -new file mode 100644 -index 0000000..01045df ---- /dev/null -+++ b/man/man8/nscd_selinux.8 -@@ -0,0 +1,128 @@ -+.TH "nscd_selinux" "8" "nscd" "dwalsh@redhat.com" "nscd SELinux Policy documentation" -+.SH "NAME" -+nscd_selinux \- Security Enhanced Linux Policy for the nscd processes -+.SH "DESCRIPTION" -+ -+ -+SELinux Linux secures -+.B nscd -+(Name service cache daemon) -+processes via flexible mandatory access -+control. -+ -+ -+ -+.SH BOOLEANS -+SELinux policy is customizable based on least access required. nscd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nscd with the tightest access possible. -+ -+ -+.PP -+If you want to allow confined applications to use nscd shared memory, you must turn on the nscd_use_shm boolean. -+ -+.EX -+.B setsebool -P nscd_use_shm 1 ++setsebool -P kerberos_enabled 1 +.EE + +.SH FILE CONTEXTS @@ -31499,7 +32989,7 @@ index 0000000..01045df +/var/run/nscd\.pid, /var/run/nscd(/.*)?, /var/db/nscd(/.*)?, /var/run/\.nscd_socket, /var/cache/nscd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31549,23 +33039,33 @@ index 0000000..01045df \ No newline at end of file diff --git a/man/man8/nslcd_selinux.8 b/man/man8/nslcd_selinux.8 new file mode 100644 -index 0000000..a9a427d +index 0000000..0e5ecff --- /dev/null 
+++ b/man/man8/nslcd_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,111 @@ +.TH "nslcd_selinux" "8" "nslcd" "dwalsh@redhat.com" "nslcd SELinux Policy documentation" +.SH "NAME" +nslcd_selinux \- Security Enhanced Linux Policy for the nslcd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B nslcd -+(nslcd - local LDAP name service daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the nslcd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nslcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nslcd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -31611,7 +33111,7 @@ index 0000000..a9a427d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31656,23 +33156,33 @@ index 0000000..a9a427d +selinux(8), nslcd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ntop_selinux.8 b/man/man8/ntop_selinux.8 new file mode 100644 -index 0000000..cb7f3a4 +index 0000000..584ceae --- /dev/null 
+++ b/man/man8/ntop_selinux.8 -@@ -0,0 +1,143 @@ +@@ -0,0 +1,155 @@ +.TH "ntop_selinux" "8" "ntop" "dwalsh@redhat.com" "ntop SELinux Policy documentation" +.SH "NAME" +ntop_selinux \- Security Enhanced Linux Policy for the ntop processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ntop -+(Network Top) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ntop processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ntop_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ntop_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -31734,7 +33244,7 @@ index 0000000..cb7f3a4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31761,7 +33271,9 @@ index 0000000..cb7f3a4 + + +Default Defined Ports: -+tcp 8021 ++tcp 3000-3001 ++.EE ++udp 3000-3001 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -31805,7 +33317,7 @@ index 0000000..cb7f3a4 +selinux(8), ntop(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ntpd_selinux.8 b/man/man8/ntpd_selinux.8 new file mode 100644 -index 0000000..515419d +index 0000000..593a222 --- /dev/null +++ b/man/man8/ntpd_selinux.8 @@ -0,0 +1,189 @@ 
@@ -31814,8 +33326,24 @@ index 0000000..515419d +ntpd_selinux \- Security Enhanced Linux Policy for the ntpd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ntpd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ntpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ntpd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -31830,18 +33358,6 @@ index 0000000..515419d + +.EX +.PP -+.B ntp_drift_t -+.EE -+ -+- Set files with the ntp_drift_t type, if you want to treat the files as ntp drift data. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/ntp(/.*)?, /etc/ntp/data(/.*)? -+ -+.EX -+.PP +.B ntpd_exec_t +.EE + @@ -31907,10 +33423,6 @@ index 0000000..515419d + +- Set files with the ntpd_unit_file_t type, if you want to treat the files as ntpd unit content. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/system/ntpd\.service, /usr/lib/systemd/system/ntpd\.service + +.EX +.PP @@ -31929,7 +33441,7 @@ index 0000000..515419d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31956,7 +33468,7 @@ index 0000000..515419d + + +Default Defined Ports: -+tcp 8021 ++udp 123 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -32000,23 +33512,19 @@ index 0000000..515419d +selinux(8), ntpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/numad_selinux.8 b/man/man8/numad_selinux.8 new file mode 100644 -index 0000000..7a63255 +index 0000000..e92cd9a --- /dev/null +++ b/man/man8/numad_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "numad_selinux" "8" "numad" "dwalsh@redhat.com" "numad SELinux Policy documentation" +.SH "NAME" +numad_selinux \- Security Enhanced Linux Policy for the numad processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B numad -+(policy for numad) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the numad processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32062,7 +33570,7 @@ index 0000000..7a63255 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32107,23 +33615,33 @@ index 0000000..7a63255 +selinux(8), numad(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nut_selinux.8 b/man/man8/nut_selinux.8 new file mode 100644 -index 0000000..fe354e5 +index 0000000..57e97d3 --- /dev/null 
+++ b/man/man8/nut_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,123 @@ +.TH "nut_selinux" "8" "nut" "dwalsh@redhat.com" "nut SELinux Policy documentation" +.SH "NAME" +nut_selinux \- Security Enhanced Linux Policy for the nut processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B nut -+(nut - Network UPS Tools ) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the nut processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32181,7 +33699,7 @@ index 0000000..fe354e5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32226,23 +33744,33 @@ index 0000000..fe354e5 +selinux(8), nut(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nx_selinux.8 b/man/man8/nx_selinux.8 new file mode 100644 -index 0000000..ef2c5aa +index 0000000..643c0cf --- /dev/null 
+++ b/man/man8/nx_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,131 @@ +.TH "nx_selinux" "8" "nx" "dwalsh@redhat.com" "nx SELinux Policy documentation" +.SH "NAME" +nx_selinux \- Security Enhanced Linux Policy for the nx processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B nx -+(NX remote desktop) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the nx processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the nx_server_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nx_server_ssh_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32297,7 +33825,7 @@ index 0000000..ef2c5aa +.br +.TP 5 +Paths: -+/usr/NX/home(/.*)?, /opt/NX/home(/.*)?, /var/lib/nxserver(/.*)? ++/opt/NX/home(/.*)?, /usr/NX/home(/.*)?, /var/lib/nxserver(/.*)? + +.EX +.PP @@ -32308,7 +33836,7 @@ index 0000000..ef2c5aa + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32415,23 +33943,19 @@ index 0000000..2746ea3 +selinux(8), semanage(8). diff --git a/man/man8/obex_selinux.8 b/man/man8/obex_selinux.8 new file mode 100644 -index 0000000..a6b6598 +index 0000000..0455948 --- /dev/null 
+++ b/man/man8/obex_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "obex_selinux" "8" "obex" "dwalsh@redhat.com" "obex SELinux Policy documentation" +.SH "NAME" +obex_selinux \- Security Enhanced Linux Policy for the obex processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B obex -+(SELinux policy for obex-data-server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the obex processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32453,7 +33977,7 @@ index 0000000..a6b6598 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32498,27 +34022,44 @@ index 0000000..a6b6598 +selinux(8), obex(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/oddjob_selinux.8 b/man/man8/oddjob_selinux.8 new file mode 100644 -index 0000000..88a1ce7 +index 0000000..4c91162 --- /dev/null 
+++ b/man/man8/oddjob_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,122 @@ +.TH "oddjob_selinux" "8" "oddjob" "dwalsh@redhat.com" "oddjob SELinux Policy documentation" +.SH "NAME" +oddjob_selinux \- Security Enhanced Linux Policy for the oddjob processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B oddjob -+( -+Oddjob provides a mechanism by which unprivileged applications can -+request that specified privileged operations be performed on their -+behalf. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the oddjob processes via flexible mandatory access +control. + ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. oddjob policy is extremely flexible and has several booleans that allow you to manipulate the policy and run oddjob with the tightest access possible. ++ ++ ++.PP ++If you want to allow httpd to communicate with oddjob to start up a servic, you must turn on the httpd_use_oddjob boolean. ++ ++.EX ++.B setsebool -P httpd_use_oddjob 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the oddjob_mkhomedir_t, oddjob_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, oddjob_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -32560,7 +34101,7 @@ index 0000000..88a1ce7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32594,6 +34135,9 @@ index 0000000..88a1ce7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -32603,25 +34147,23 @@ index 0000000..88a1ce7 + +.SH "SEE ALSO" +selinux(8), oddjob(8), semanage(8), restorecon(8), chcon(1) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/openct_selinux.8 b/man/man8/openct_selinux.8 new file mode 100644 -index 0000000..b21e586 +index 0000000..f3ec094 --- /dev/null +++ b/man/man8/openct_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,85 @@ +.TH "openct_selinux" "8" "openct" "dwalsh@redhat.com" "openct SELinux Policy documentation" +.SH "NAME" +openct_selinux \- Security Enhanced Linux Policy for the openct processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B openct -+(Service for handling smart card readers) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the openct processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -32655,7 +34197,7 @@ index 0000000..b21e586 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32700,24 +34242,18 @@ index 0000000..b21e586 +selinux(8), openct(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/openvpn_selinux.8 b/man/man8/openvpn_selinux.8 new file mode 100644 -index 0000000..9a9b8b8 +index 0000000..e2527d0 --- /dev/null +++ b/man/man8/openvpn_selinux.8 -@@ -0,0 +1,166 @@ +@@ -0,0 +1,182 @@ +.TH "openvpn_selinux" "8" "openvpn" "dwalsh@redhat.com" "openvpn SELinux Policy documentation" +.SH "NAME" +openvpn_selinux \- Security Enhanced Linux Policy for the openvpn processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B openvpn -+(full-featured SSL VPN solution) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the openvpn processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. openvpn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openvpn with the tightest access possible. + 
@@ -32729,6 +34265,22 @@ index 0000000..9a9b8b8 +.B setsebool -P openvpn_enable_homedirs 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the openvpn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the openvpn_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -32795,9 +34347,13 @@ index 0000000..9a9b8b8 + +- Set files with the openvpn_var_run_t type, if you want to store the openvpn files under the /run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/openvpn(/.*)?, /var/run/openvpn\.client.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32824,7 +34380,9 @@ index 0000000..9a9b8b8 + + +Default Defined Ports: -+tcp 8021 ++tcp 1194 ++.EE ++udp 1194 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -32873,23 +34431,33 @@ index 0000000..9a9b8b8 \ No newline at end of file diff --git a/man/man8/pacemaker_selinux.8 b/man/man8/pacemaker_selinux.8 new file mode 100644 -index 0000000..a43fb5b +index 0000000..a842d3d --- /dev/null 
+++ b/man/man8/pacemaker_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,123 @@ +.TH "pacemaker_selinux" "8" "pacemaker" "dwalsh@redhat.com" "pacemaker SELinux Policy documentation" +.SH "NAME" +pacemaker_selinux \- Security Enhanced Linux Policy for the pacemaker processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pacemaker -+(policy for pacemaker) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pacemaker processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pacemaker_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the pacemaker_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32947,7 +34515,7 @@ index 0000000..a43fb5b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32992,23 +34560,19 @@ index 0000000..a43fb5b +selinux(8), pacemaker(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pads_selinux.8 b/man/man8/pads_selinux.8 new file mode 100644 -index 0000000..f2bc8e8 +index 0000000..8ebf008 --- /dev/null 
+++ b/man/man8/pads_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,101 @@ +.TH "pads_selinux" "8" "pads" "dwalsh@redhat.com" "pads SELinux Policy documentation" +.SH "NAME" +pads_selinux \- Security Enhanced Linux Policy for the pads processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pads -+(Passive Asset Detection System) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pads processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33058,7 +34622,7 @@ index 0000000..f2bc8e8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33103,23 +34667,33 @@ index 0000000..f2bc8e8 +selinux(8), pads(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/passenger_selinux.8 b/man/man8/passenger_selinux.8 new file mode 100644 -index 0000000..872ce91 +index 0000000..2a36018 --- /dev/null 
+++ b/man/man8/passenger_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,127 @@ +.TH "passenger_selinux" "8" "passenger" "dwalsh@redhat.com" "passenger SELinux Policy documentation" +.SH "NAME" +passenger_selinux \- Security Enhanced Linux Policy for the passenger processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B passenger -+(Ruby on rails deployment for Apache and Nginx servers) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the passenger processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the passenger_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the passenger_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33181,7 +34755,7 @@ index 0000000..872ce91 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33226,17 +34800,33 @@ index 0000000..872ce91 +selinux(8), passenger(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/passwd_selinux.8 b/man/man8/passwd_selinux.8 new file mode 100644 -index 0000000..71d4cc4 +index 0000000..0efdcf6 --- /dev/null 
+++ b/man/man8/passwd_selinux.8 -@@ -0,0 +1,87 @@ +@@ -0,0 +1,103 @@ +.TH "passwd_selinux" "8" "passwd" "dwalsh@redhat.com" "passwd SELinux Policy documentation" +.SH "NAME" +passwd_selinux \- Security Enhanced Linux Policy for the passwd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the passwd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the passwd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33271,10 +34861,10 @@ index 0000000..71d4cc4 +.br +.TP 5 +Paths: -+/etc/passwd\.OLD, /etc/ptmptmp, /etc/passwd-?, /etc/group-? ++/etc/passwd\.OLD, /etc/ptmptmp, /etc/group[-\+]?, /etc/passwd[-\+]? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33319,23 +34909,19 @@ index 0000000..71d4cc4 +selinux(8), passwd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pcscd_selinux.8 b/man/man8/pcscd_selinux.8 new file mode 100644 -index 0000000..07f91c9 +index 0000000..f87af16 --- /dev/null 
+++ b/man/man8/pcscd_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,85 @@ +.TH "pcscd_selinux" "8" "pcscd" "dwalsh@redhat.com" "pcscd SELinux Policy documentation" +.SH "NAME" +pcscd_selinux \- Security Enhanced Linux Policy for the pcscd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pcscd -+(PCSC smart card service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pcscd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33369,7 +34955,7 @@ index 0000000..07f91c9 +/var/run/pcscd\.pid, /var/run/pcscd\.comm, /var/run/pcscd\.events(/.*)?, /var/run/pcscd\.pub, /var/run/pcscd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33414,23 +35000,33 @@ index 0000000..07f91c9 +selinux(8), pcscd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pegasus_selinux.8 b/man/man8/pegasus_selinux.8 new file mode 100644 -index 0000000..b015c87 +index 0000000..6a16517 --- /dev/null 
+++ b/man/man8/pegasus_selinux.8 -@@ -0,0 +1,162 @@ +@@ -0,0 +1,172 @@ +.TH "pegasus_selinux" "8" "pegasus" "dwalsh@redhat.com" "pegasus SELinux Policy documentation" +.SH "NAME" +pegasus_selinux \- Security Enhanced Linux Policy for the pegasus processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pegasus -+(The Open Group Pegasus CIM/WBEM Server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pegasus processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pegasus_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the pegasus_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33500,7 +35096,7 @@ index 0000000..b015c87 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33527,7 +35123,7 @@ index 0000000..b015c87 + + +Default Defined Ports: -+tcp 8021 ++tcp 5988 +.EE + +.EX @@ -33538,7 +35134,7 @@ index 0000000..b015c87 + + +Default Defined Ports: -+tcp 8021 ++tcp 5989 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -33582,17 +35178,17 @@ index 0000000..b015c87 +selinux(8), pegasus(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/ping_selinux.8 b/man/man8/ping_selinux.8 new file mode 100644 -index 0000000..bda0235 +index 0000000..b791a0d --- /dev/null +++ b/man/man8/ping_selinux.8 -@@ -0,0 +1,148 @@ +@@ -0,0 +1,164 @@ +.TH "ping_selinux" "8" "ping" "dwalsh@redhat.com" "ping SELinux Policy documentation" +.SH "NAME" +ping_selinux \- Security Enhanced Linux Policy for the ping processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the ping processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. ping policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ping with the tightest access possible. @@ -33605,6 +35201,22 @@ index 0000000..bda0235 +.B setsebool -P user_ping 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -33661,7 +35273,7 @@ index 0000000..bda0235 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -33688,7 +35300,7 @@ index 0000000..bda0235 + + +Default Defined Ports: -+tcp 8021 ++tcp 9125 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -33737,24 +35349,18 @@ index 0000000..bda0235 \ No newline at end of file diff --git a/man/man8/pingd_selinux.8 b/man/man8/pingd_selinux.8 new file mode 100644 -index 0000000..1259587 +index 0000000..3471a77 --- /dev/null +++ b/man/man8/pingd_selinux.8 -@@ -0,0 +1,154 @@ +@@ -0,0 +1,152 @@ +.TH "pingd_selinux" "8" "pingd" "dwalsh@redhat.com" "pingd SELinux Policy documentation" +.SH "NAME" +pingd_selinux \- Security Enhanced Linux Policy for the pingd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pingd -+(Pingd of the Whatsup cluster node up/down detection utility) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pingd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. pingd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pingd with the tightest access possible. + @@ -33766,6 +35372,22 @@ index 0000000..1259587 +.B setsebool -P user_ping 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -33779,18 +35401,6 @@ index 0000000..1259587 + +.EX +.PP -+.B ping_exec_t -+.EE -+ -+- Set files with the ping_exec_t type, if you want to transition an executable to the ping_t domain. -+ -+.br -+.TP 5 -+Paths: -+/usr/bin/ping.*, /usr/sbin/hping2, /usr/sbin/fping.*, /bin/ping.*, /usr/sbin/send_arp -+ -+.EX -+.PP +.B pingd_etc_t +.EE + @@ -33822,7 +35432,7 @@ index 0000000..1259587 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33849,7 +35459,7 @@ index 0000000..1259587 + + +Default Defined Ports: -+tcp 8021 ++tcp 9125 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -33898,24 +35508,18 @@ index 0000000..1259587 \ No newline at end of file diff --git a/man/man8/piranha_selinux.8 b/man/man8/piranha_selinux.8 new file mode 100644 -index 0000000..cbd1451 +index 0000000..12d4be7 --- /dev/null +++ b/man/man8/piranha_selinux.8 -@@ -0,0 +1,238 @@ +@@ -0,0 +1,244 @@ +.TH "piranha_selinux" "8" "piranha" "dwalsh@redhat.com" "piranha SELinux Policy documentation" +.SH "NAME" +piranha_selinux \- Security Enhanced Linux Policy for the piranha processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B piranha -+(policy for piranha) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the piranha processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. piranha policy is extremely flexible and has several booleans that allow you to manipulate the policy and run piranha with the tightest access possible. + 
@@ -33927,6 +35531,22 @@ index 0000000..cbd1451 +.B setsebool -P piranha_lvs_can_network_connect 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the piranha_pulse_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the piranha_pulse_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -34037,10 +35657,6 @@ index 0000000..cbd1451 + +- Set files with the piranha_web_exec_t type, if you want to transition an executable to the piranha_web_t domain. + -+.br -+.TP 5 -+Paths: -+/usr/sbin/piranha_gui, /usr/bin/paster + +.EX +.PP @@ -34067,7 +35683,7 @@ index 0000000..cbd1451 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -34094,7 +35710,7 @@ index 0000000..cbd1451 + + +Default Defined Ports: -+tcp 8021 ++tcp 3636 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -34653,17 +36269,19 @@ index 0000000..2272c46 +selinux(8), pki(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/plymouth_selinux.8 b/man/man8/plymouth_selinux.8 new file mode 100644 -index 0000000..581c9cb +index 0000000..c24fadd --- /dev/null 
+++ b/man/man8/plymouth_selinux.8 -@@ -0,0 +1,119 @@ +@@ -0,0 +1,121 @@ +.TH "plymouth_selinux" "8" "plymouth" "dwalsh@redhat.com" "plymouth SELinux Policy documentation" +.SH "NAME" +plymouth_selinux \- Security Enhanced Linux Policy for the plymouth processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the plymouth processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -34686,7 +36304,7 @@ index 0000000..581c9cb +.br +.TP 5 +Paths: -+/usr/bin/plymouth, /bin/plymouth ++/bin/plymouth, /usr/bin/plymouth + +.EX +.PP @@ -34698,7 +36316,7 @@ index 0000000..581c9cb +.br +.TP 5 +Paths: -+/usr/sbin/plymouthd, /sbin/plymouthd ++/sbin/plymouthd, /usr/sbin/plymouthd + +.EX +.PP @@ -34733,7 +36351,7 @@ index 0000000..581c9cb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -34778,23 +36396,19 @@ index 0000000..581c9cb +selinux(8), plymouth(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/plymouthd_selinux.8 b/man/man8/plymouthd_selinux.8 new file mode 100644 -index 0000000..a9addd8 +index 0000000..fc2c7dc --- /dev/null 
+++ b/man/man8/plymouthd_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,109 @@ +.TH "plymouthd_selinux" "8" "plymouthd" "dwalsh@redhat.com" "plymouthd SELinux Policy documentation" +.SH "NAME" +plymouthd_selinux \- Security Enhanced Linux Policy for the plymouthd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B plymouthd -+(Plymouth graphical boot) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the plymouthd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -34809,18 +36423,6 @@ index 0000000..a9addd8 + +.EX +.PP -+.B plymouth_exec_t -+.EE -+ -+- Set files with the plymouth_exec_t type, if you want to transition an executable to the plymouth_t domain. -+ -+.br -+.TP 5 -+Paths: -+/usr/bin/plymouth, /bin/plymouth -+ -+.EX -+.PP +.B plymouthd_exec_t +.EE + @@ -34829,7 +36431,7 @@ index 0000000..a9addd8 +.br +.TP 5 +Paths: -+/usr/sbin/plymouthd, /sbin/plymouthd ++/sbin/plymouthd, /usr/sbin/plymouthd + +.EX +.PP @@ -34864,7 +36466,7 @@ index 0000000..a9addd8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -34909,23 +36511,19 @@ index 0000000..a9addd8 +selinux(8), plymouthd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/podsleuth_selinux.8 b/man/man8/podsleuth_selinux.8 new file mode 100644 -index 0000000..413dd33 +index 0000000..0170aa2 --- /dev/null 
+++ b/man/man8/podsleuth_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,101 @@ +.TH "podsleuth_selinux" "8" "podsleuth" "dwalsh@redhat.com" "podsleuth SELinux Policy documentation" +.SH "NAME" +podsleuth_selinux \- Security Enhanced Linux Policy for the podsleuth processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B podsleuth -+(Podsleuth is a tool to get information about an Apple (TM) iPod (TM)) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the podsleuth processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -34975,7 +36573,7 @@ index 0000000..413dd33 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -35020,23 +36618,33 @@ index 0000000..413dd33 +selinux(8), podsleuth(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/policykit_selinux.8 b/man/man8/policykit_selinux.8 new file mode 100644 -index 0000000..b14cbf9 +index 0000000..780f4cb --- /dev/null 
+++ b/man/man8/policykit_selinux.8 -@@ -0,0 +1,153 @@ +@@ -0,0 +1,163 @@ +.TH "policykit_selinux" "8" "policykit" "dwalsh@redhat.com" "policykit SELinux Policy documentation" +.SH "NAME" +policykit_selinux \- Security Enhanced Linux Policy for the policykit processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B policykit -+(Policy framework for controlling privileges for system-wide services) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the policykit processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -35059,7 +36667,7 @@ index 0000000..b14cbf9 +.br +.TP 5 +Paths: -+/usr/libexec/polkit-read-auth-helper, /usr/lib/policykit/polkit-read-auth-helper, /usr/libexec/polkit-1/polkit-agent-helper-1 ++/usr/libexec/polkit-read-auth-helper, /usr/libexec/polkit-1/polkit-agent-helper-1, /usr/lib/polkit-1/polkit-agent-helper-1, /usr/lib/policykit/polkit-read-auth-helper + +.EX +.PP @@ -35071,7 +36679,7 @@ index 0000000..b14cbf9 +.br +.TP 5 +Paths: -+/usr/libexec/polkitd.*, /usr/libexec/polkit-1/polkitd.*, /usr/lib/policykit/polkitd ++/usr/lib/polkit-1/polkitd, /usr/libexec/polkitd.*, /usr/libexec/polkit-1/polkitd.*, /usr/lib/policykit/polkitd + +.EX +.PP 
@@ -35134,7 +36742,7 @@ index 0000000..b14cbf9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -35179,24 +36787,18 @@ index 0000000..b14cbf9 +selinux(8), policykit(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/polipo_selinux.8 b/man/man8/polipo_selinux.8 new file mode 100644 -index 0000000..ada080b +index 0000000..c189d0d --- /dev/null +++ b/man/man8/polipo_selinux.8 -@@ -0,0 +1,191 @@ +@@ -0,0 +1,201 @@ +.TH "polipo_selinux" "8" "polipo" "dwalsh@redhat.com" "polipo SELinux Policy documentation" +.SH "NAME" +polipo_selinux \- Security Enhanced Linux Policy for the polipo processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B polipo -+(Caching web proxy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the polipo processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. polipo policy is extremely flexible and has several booleans that allow you to manipulate the policy and run polipo with the tightest access possible. + 
@@ -35243,6 +36845,22 @@ index 0000000..ada080b +.B setsebool -P polipo_use_nfs 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the polipo_t, polipo_session_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the polipo_t, polipo_session_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -35327,7 +36945,7 @@ index 0000000..ada080b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -35377,24 +36995,18 @@ index 0000000..ada080b \ No newline at end of file diff --git a/man/man8/portmap_selinux.8 b/man/man8/portmap_selinux.8 new file mode 100644 -index 0000000..7513001 +index 0000000..a4e94f2 --- /dev/null 
+++ b/man/man8/portmap_selinux.8 -@@ -0,0 +1,150 @@ +@@ -0,0 +1,162 @@ +.TH "portmap_selinux" "8" "portmap" "dwalsh@redhat.com" "portmap SELinux Policy documentation" +.SH "NAME" +portmap_selinux \- Security Enhanced Linux Policy for the portmap processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B portmap -+(RPC port mapping service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the portmap processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. portmap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run portmap with the tightest access possible. + @@ -35406,6 +37018,22 @@ index 0000000..7513001 +.B setsebool -P samba_portmapper 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the portmap_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the portmap_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -35458,7 +37086,7 @@ index 0000000..7513001 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -35485,7 +37113,9 @@ index 0000000..7513001 + + +Default Defined Ports: -+tcp 8021 ++tcp 111 ++.EE ++udp 111 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -35534,23 +37164,19 @@ index 0000000..7513001 \ No newline at end of file diff --git a/man/man8/portreserve_selinux.8 b/man/man8/portreserve_selinux.8 new file mode 100644 -index 0000000..909a5da +index 0000000..f40af74 --- /dev/null +++ b/man/man8/portreserve_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,101 @@ +.TH "portreserve_selinux" "8" "portreserve" "dwalsh@redhat.com" "portreserve SELinux Policy documentation" +.SH "NAME" +portreserve_selinux \- Security Enhanced Linux Policy for the portreserve processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B portreserve -+(Reserve well-known ports in the RPC port range) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the portreserve processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -35600,7 +37226,7 @@ index 0000000..909a5da + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -35645,33 +37271,43 @@ index 0000000..909a5da +selinux(8), portreserve(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/postfix_selinux.8 b/man/man8/postfix_selinux.8 new file mode 100644 -index 0000000..bb778bf +index 0000000..afda15b --- /dev/null 
+++ b/man/man8/postfix_selinux.8 -@@ -0,0 +1,422 @@ +@@ -0,0 +1,432 @@ +.TH "postfix_selinux" "8" "postfix" "dwalsh@redhat.com" "postfix SELinux Policy documentation" +.SH "NAME" +postfix_selinux \- Security Enhanced Linux Policy for the postfix processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B postfix -+(Postfix email server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the postfix processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. postfix policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix with the tightest access possible. + + +.PP -+If you want to allow postfix_local domain full write access to mail_spool directorie, you must turn on the allow_postfix_local_write_mail_spool boolean. ++If you want to allow postfix_local domain full write access to mail_spool directorie, you must turn on the postfix_local_write_mail_spool boolean. ++ ++.EX ++.B setsebool -P postfix_local_write_mail_spool 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postfix_smtp_t, postfix_map_t, postfix_showq_t, postfix_virtual_t, postfix_smtpd_t, postfix_local_t, postfix_cleanup_t, postfix_master_t, postfix_postdrop_t, postfix_pickup_t, postfix_bounce_t, postfix_qmgr_t, postfix_pipe_t, postfix_postqueue_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_smtp_t, postfix_map_t, postfix_showq_t, postfix_virtual_t, postfix_smtpd_t, postfix_local_t, postfix_cleanup_t, postfix_master_t, postfix_postdrop_t, postfix_pickup_t, postfix_bounce_t, postfix_qmgr_t, postfix_pipe_t, postfix_postqueue_t, you must turn on the kerberos_enabled boolean. 
+ +.EX -+.B setsebool -P allow_postfix_local_write_mail_spool 1 ++setsebool -P kerberos_enabled 1 +.EE + +.SH FILE CONTEXTS @@ -35911,7 +37547,7 @@ index 0000000..bb778bf +.br +.TP 5 +Paths: -+/usr/libexec/postfix/smtp, /usr/libexec/postfix/scache, /usr/libexec/postfix/lmtp ++/usr/libexec/postfix/lmtp, /usr/libexec/postfix/smtp, /usr/libexec/postfix/scache + +.EX +.PP @@ -35998,7 +37634,7 @@ index 0000000..bb778bf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36025,7 +37661,7 @@ index 0000000..bb778bf + + +Default Defined Ports: -+tcp 8021 ++tcp 10031 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -36074,33 +37710,43 @@ index 0000000..bb778bf \ No newline at end of file diff --git a/man/man8/postgresql_selinux.8 b/man/man8/postgresql_selinux.8 new file mode 100644 -index 0000000..da21d07 +index 0000000..b21f9fe --- /dev/null 
+++ b/man/man8/postgresql_selinux.8 -@@ -0,0 +1,194 @@ +@@ -0,0 +1,200 @@ +.TH "postgresql_selinux" "8" "postgresql" "dwalsh@redhat.com" "postgresql SELinux Policy documentation" +.SH "NAME" +postgresql_selinux \- Security Enhanced Linux Policy for the postgresql processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B postgresql -+(PostgreSQL relational database) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the postgresql processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. postgresql policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postgresql with the tightest access possible. + + +.PP -+If you want to allow users to connect to PostgreSQ, you must turn on the allow_user_postgresql_connect boolean. ++If you want to allow users to connect to PostgreSQ, you must turn on the user_postgresql_connect boolean. + +.EX -+.B setsebool -P allow_user_postgresql_connect 1 ++.B setsebool -P user_postgresql_connect 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the postgresql_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postgresql_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 +.EE + +.SH FILE CONTEXTS @@ -36124,7 +37770,7 @@ index 0000000..da21d07 +.br +.TP 5 +Paths: -+/var/lib/pgsql/data(/.*)?, /usr/share/jonas/pgsql(/.*)?, /var/lib/postgres(ql)?(/.*)?, /var/lib/sepgsql(/.*)?, /usr/lib/pgsql/test/regress(/.*)? ++/usr/share/jonas/pgsql(/.*)?, /var/lib/postgres(ql)?(/.*)?, /var/lib/sepgsql(/.*)?, /usr/lib/pgsql/test/regress(/.*)?, /var/lib/pgsql(/.*)? + +.EX +.PP 
@@ -36176,7 +37822,7 @@ index 0000000..da21d07 +.br +.TP 5 +Paths: -+/var/lib/pgsql/logfile(/.*)?, /var/lib/pgsql/pgstartup\.log, /var/log/postgresql(/.*)?, /var/log/postgres\.log.*, /var/lib/sepgsql/pgstartup\.log, /var/log/rhdb/rhdb(/.*)?, /var/log/sepostgresql\.log.* ++/var/lib/pgsql/logfile(/.*)?, /var/log/postgresql(/.*)?, /var/log/postgres\.log.*, /var/lib/sepgsql/pgstartup\.log, /var/log/rhdb/rhdb(/.*)?, /var/lib/pgsql/.*\.log, /var/log/sepostgresql\.log.* + +.EX +.PP @@ -36193,13 +37839,9 @@ index 0000000..da21d07 + +- Set files with the postgresql_var_run_t type, if you want to store the postgresql files under the /run directory. + -+.br -+.TP 5 -+Paths: -+/var/run/postmaster.*, /var/run/postgresql(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36226,7 +37868,7 @@ index 0000000..da21d07 + + +Default Defined Ports: -+tcp 8021 ++tcp 5432 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -36275,23 +37917,19 @@ index 0000000..da21d07 \ No newline at end of file diff --git a/man/man8/postgrey_selinux.8 b/man/man8/postgrey_selinux.8 new file mode 100644 -index 0000000..0d3079a +index 0000000..daf4f9f --- /dev/null 
+++ b/man/man8/postgrey_selinux.8 -@@ -0,0 +1,147 @@ +@@ -0,0 +1,143 @@ +.TH "postgrey_selinux" "8" "postgrey" "dwalsh@redhat.com" "postgrey SELinux Policy documentation" +.SH "NAME" +postgrey_selinux \- Security Enhanced Linux Policy for the postgrey processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B postgrey -+(Postfix grey-listing server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the postgrey processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -36357,7 +37995,7 @@ index 0000000..0d3079a +/var/run/postgrey\.pid, /var/run/postgrey(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36384,7 +38022,7 @@ index 0000000..0d3079a + + +Default Defined Ports: -+tcp 8021 ++tcp 60000 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -36428,17 +38066,17 @@ index 0000000..0d3079a +selinux(8), postgrey(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pppd_selinux.8 b/man/man8/pppd_selinux.8 new file mode 100644 -index 0000000..7b27311 +index 0000000..552a6e4 --- /dev/null 
+++ b/man/man8/pppd_selinux.8 -@@ -0,0 +1,189 @@ +@@ -0,0 +1,205 @@ +.TH "pppd_selinux" "8" "pppd" "dwalsh@redhat.com" "pppd SELinux Policy documentation" +.SH "NAME" +pppd_selinux \- Security Enhanced Linux Policy for the pppd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the pppd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. pppd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pppd with the tightest access possible. @@ -36458,6 +38096,22 @@ index 0000000..7b27311 +.B setsebool -P pppd_can_insmod 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pppd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pppd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -36479,7 +38133,7 @@ index 0000000..7b27311 +.br +.TP 5 +Paths: -+/etc/ppp(/.*)?, /etc/ppp/peers(/.*)?, /etc/ppp/resolv\.conf ++/etc/ppp(/.*)?, /etc/ppp/resolv\.conf, /etc/ppp/peers(/.*)? + +.EX +.PP @@ -36574,7 +38228,7 @@ index 0000000..7b27311 +/var/run/pppd[0-9]*\.tdb, /var/run/ppp(/.*)?, /var/run/(i)?ppp.*pid[^/]* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -36624,17 +38278,33 @@ index 0000000..7b27311 \ No newline at end of file diff --git a/man/man8/pptp_selinux.8 b/man/man8/pptp_selinux.8 new file mode 100644 -index 0000000..4f2fc1c +index 0000000..9dd5174 --- /dev/null +++ b/man/man8/pptp_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,131 @@ +.TH "pptp_selinux" "8" "pptp" "dwalsh@redhat.com" "pptp SELinux Policy documentation" +.SH "NAME" +pptp_selinux \- Security Enhanced Linux Policy for the pptp processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the pptp processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pptp_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pptp_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -36672,7 +38342,7 @@ index 0000000..4f2fc1c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36699,7 +38369,9 @@ index 0000000..4f2fc1c + + +Default Defined Ports: -+tcp 8021 ++tcp 1723 ++.EE ++udp 1723 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -36743,23 +38415,33 @@ index 0000000..4f2fc1c +selinux(8), pptp(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/prelink_selinux.8 b/man/man8/prelink_selinux.8 new file mode 100644 -index 0000000..0be2626 +index 0000000..a921aca --- /dev/null +++ b/man/man8/prelink_selinux.8 -@@ -0,0 +1,133 @@ +@@ -0,0 +1,143 @@ +.TH "prelink_selinux" "8" "prelink" "dwalsh@redhat.com" "prelink SELinux Policy documentation" +.SH "NAME" +prelink_selinux \- Security Enhanced Linux Policy for the prelink processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B prelink -+(Prelink ELF shared library mappings) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the prelink processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -36837,7 +38519,7 @@ index 0000000..0be2626 +/var/lib/prelink(/.*)?, /var/lib/misc/prelink.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36882,23 +38564,33 @@ index 0000000..0be2626 +selinux(8), prelink(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/prelude_selinux.8 b/man/man8/prelude_selinux.8 new file mode 100644 -index 0000000..3955442 +index 0000000..9196e90 
--- /dev/null +++ b/man/man8/prelude_selinux.8 -@@ -0,0 +1,211 @@ +@@ -0,0 +1,223 @@ +.TH "prelude_selinux" "8" "prelude" "dwalsh@redhat.com" "prelude SELinux Policy documentation" +.SH "NAME" +prelude_selinux \- Security Enhanced Linux Policy for the prelude processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B prelude -+(Prelude hybrid intrusion detection system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the prelude processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the prelude_lml_t, prelude_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the prelude_lml_t, prelude_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -37028,7 +38720,7 @@ index 0000000..3955442 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37055,7 +38747,9 @@ index 0000000..3955442 + + +Default Defined Ports: -+tcp 8021 ++tcp 4690 ++.EE ++udp 4690 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -37099,24 +38793,18 @@ index 0000000..3955442 +selinux(8), prelude(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/privoxy_selinux.8 b/man/man8/privoxy_selinux.8 new file mode 100644 -index 0000000..4371077 +index 0000000..b05a252 --- /dev/null +++ b/man/man8/privoxy_selinux.8 -@@ -0,0 +1,124 @@ +@@ -0,0 +1,134 @@ +.TH "privoxy_selinux" "8" "privoxy" "dwalsh@redhat.com" "privoxy SELinux Policy documentation" +.SH "NAME" +privoxy_selinux \- Security Enhanced Linux Policy for the privoxy processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B privoxy -+(Privacy enhancing web proxy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the privoxy processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. privoxy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run privoxy with the tightest access possible. + @@ -37128,6 +38816,22 @@ index 0000000..4371077 +.B setsebool -P privoxy_connect_any 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the privoxy_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the privoxy_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -37180,7 +38884,7 @@ index 0000000..4371077 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37230,23 +38934,33 @@ index 0000000..4371077 \ No newline at end of file diff --git a/man/man8/procmail_selinux.8 b/man/man8/procmail_selinux.8 new file mode 100644 -index 0000000..7a080ee +index 0000000..34df592 --- /dev/null +++ b/man/man8/procmail_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,115 @@ +.TH "procmail_selinux" "8" "procmail" "dwalsh@redhat.com" "procmail SELinux Policy documentation" +.SH "NAME" +procmail_selinux \- Security Enhanced Linux Policy for the procmail processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B procmail -+(Procmail mail delivery agent) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the procmail processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the procmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the procmail_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -37296,7 +39010,7 @@ index 0000000..7a080ee + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37341,23 +39055,33 @@ index 0000000..7a080ee +selinux(8), procmail(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/psad_selinux.8 b/man/man8/psad_selinux.8 new file mode 100644 -index 0000000..f5331cf +index 0000000..bb17926 --- /dev/null +++ b/man/man8/psad_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,135 @@ +.TH "psad_selinux" "8" "psad" "dwalsh@redhat.com" "psad SELinux Policy documentation" +.SH "NAME" +psad_selinux \- Security Enhanced Linux Policy for the psad processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B psad -+(Intrusion Detection and Log Analysis with iptables) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the psad processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the psad_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the psad_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -37427,7 +39151,7 @@ index 0000000..f5331cf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37472,17 +39196,19 @@ index 0000000..f5331cf +selinux(8), psad(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ptal_selinux.8 b/man/man8/ptal_selinux.8 new file mode 100644 -index 0000000..679eb3c +index 0000000..9b67e7c --- /dev/null +++ b/man/man8/ptal_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,123 @@ +.TH "ptal_selinux" "8" "ptal" "dwalsh@redhat.com" "ptal SELinux Policy documentation" +.SH "NAME" +ptal_selinux \- Security Enhanced Linux Policy for the ptal processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ptal processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -37528,7 +39254,7 @@ index 0000000..679eb3c +/var/run/ptal-mlcd(/.*)?, /var/run/ptal-printd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37555,7 +39281,7 @@ index 0000000..679eb3c + + +Default Defined Ports: -+tcp 8021 ++tcp 5703 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -37599,23 +39325,19 @@ index 0000000..679eb3c +selinux(8), ptal(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ptchown_selinux.8 b/man/man8/ptchown_selinux.8 new file mode 100644 -index 0000000..3e1f7ab +index 0000000..2616592 --- /dev/null +++ b/man/man8/ptchown_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "ptchown_selinux" "8" "ptchown" "dwalsh@redhat.com" "ptchown SELinux Policy documentation" +.SH "NAME" +ptchown_selinux \- Security Enhanced Linux Policy for the ptchown processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ptchown -+(helper function for grantpt(3), changes ownship and permissions of pseudotty) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ptchown processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -37637,7 +39359,7 @@ index 0000000..3e1f7ab + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37682,23 +39404,19 @@ index 0000000..3e1f7ab +selinux(8), ptchown(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/publicfile_selinux.8 b/man/man8/publicfile_selinux.8 new file mode 100644 -index 0000000..0235c45 +index 0000000..ac2f1cb --- /dev/null 
+++ b/man/man8/publicfile_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,85 @@ +.TH "publicfile_selinux" "8" "publicfile" "dwalsh@redhat.com" "publicfile SELinux Policy documentation" +.SH "NAME" +publicfile_selinux \- Security Enhanced Linux Policy for the publicfile processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B publicfile -+(publicfile supplies files to the public through HTTP and FTP) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the publicfile processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -37732,7 +39450,7 @@ index 0000000..0235c45 +/usr/bin/httpd, /usr/bin/ftpd + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37777,23 +39495,33 @@ index 0000000..0235c45 +selinux(8), publicfile(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pulseaudio_selinux.8 b/man/man8/pulseaudio_selinux.8 new file mode 100644 -index 0000000..8ca72d3 +index 0000000..20f71d7 --- /dev/null 
+++ b/man/man8/pulseaudio_selinux.8 -@@ -0,0 +1,139 @@ +@@ -0,0 +1,151 @@ +.TH "pulseaudio_selinux" "8" "pulseaudio" "dwalsh@redhat.com" "pulseaudio SELinux Policy documentation" +.SH "NAME" +pulseaudio_selinux \- Security Enhanced Linux Policy for the pulseaudio processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pulseaudio -+(Pulseaudio network sound server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pulseaudio processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pulseaudio_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pulseaudio_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -37824,7 +39552,7 @@ index 0000000..8ca72d3 +.br +.TP 5 +Paths: -+/root/\.pulse-cookie, /root/\.pulse(/.*)? ++/root/\.pulse-cookie, /root/\.pulse(/.*)?, /root/\.esd_auth + +.EX +.PP @@ -37851,7 +39579,7 @@ index 0000000..8ca72d3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37878,7 +39606,9 @@ index 0000000..8ca72d3 + + +Default Defined Ports: -+tcp 8021 ++tcp 4713 ++.EE ++udp 4713 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -37922,24 +39652,18 @@ index 0000000..8ca72d3 +selinux(8), pulseaudio(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/puppet_selinux.8 b/man/man8/puppet_selinux.8 new file mode 100644 -index 0000000..c558047 +index 0000000..5541ffe --- /dev/null +++ b/man/man8/puppet_selinux.8 -@@ -0,0 +1,205 @@ +@@ -0,0 +1,215 @@ +.TH "puppet_selinux" "8" "puppet" "dwalsh@redhat.com" "puppet SELinux Policy documentation" +.SH "NAME" +puppet_selinux \- Security Enhanced Linux Policy for the puppet processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B puppet -+(Puppet client daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the puppet processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. puppet policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppet with the tightest access possible. + @@ -37958,6 +39682,22 @@ index 0000000..c558047 +.B setsebool -P puppetmaster_use_db 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the puppetmaster_t, puppet_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the puppetmaster_t, puppet_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -38058,7 +39798,7 @@ index 0000000..c558047 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38085,7 +39825,7 @@ index 0000000..c558047 + + +Default Defined Ports: -+tcp 8021 ++tcp 8140 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -38134,17 +39874,19 @@ index 0000000..c558047 \ No newline at end of file diff --git a/man/man8/puppetca_selinux.8 b/man/man8/puppetca_selinux.8 new file mode 100644 -index 0000000..eb647c7 +index 0000000..7e4543c --- /dev/null +++ b/man/man8/puppetca_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "puppetca_selinux" "8" "puppetca" "dwalsh@redhat.com" "puppetca SELinux Policy documentation" +.SH "NAME" +puppetca_selinux \- Security Enhanced Linux Policy for the puppetca processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the puppetca processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -38166,7 +39908,7 @@ index 0000000..eb647c7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38211,17 +39953,17 @@ index 0000000..eb647c7 +selinux(8), puppetca(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/puppetmaster_selinux.8 b/man/man8/puppetmaster_selinux.8 new file mode 100644 -index 0000000..5d07daa +index 0000000..e707626 --- /dev/null +++ b/man/man8/puppetmaster_selinux.8 -@@ -0,0 +1,102 @@ +@@ -0,0 +1,118 @@ +.TH "puppetmaster_selinux" "8" "puppetmaster" "dwalsh@redhat.com" "puppetmaster SELinux Policy documentation" +.SH "NAME" +puppetmaster_selinux \- Security Enhanced Linux Policy for the puppetmaster processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the puppetmaster processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. puppetmaster policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppetmaster with the tightest access possible. @@ -38234,6 +39976,22 @@ index 0000000..5d07daa +.B setsebool -P puppetmaster_use_db 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the puppetmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the puppetmaster_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -38270,7 +40028,7 @@ index 0000000..5d07daa + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -38320,23 +40078,33 @@ index 0000000..5d07daa \ No newline at end of file diff --git a/man/man8/pyicqt_selinux.8 b/man/man8/pyicqt_selinux.8 new file mode 100644 -index 0000000..7c291ab +index 0000000..2a1614e --- /dev/null +++ b/man/man8/pyicqt_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,111 @@ +.TH "pyicqt_selinux" "8" "pyicqt" "dwalsh@redhat.com" "pyicqt SELinux Policy documentation" +.SH "NAME" +pyicqt_selinux \- Security Enhanced Linux Policy for the pyicqt processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pyicqt -+(PyICQt is an ICQ transport for XMPP server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pyicqt processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the pyicqt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pyicqt_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -38382,7 +40150,7 @@ index 0000000..7c291ab + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38427,17 +40195,33 @@ index 0000000..7c291ab +selinux(8), pyicqt(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/qdiskd_selinux.8 b/man/man8/qdiskd_selinux.8 new file mode 100644 -index 0000000..fe306cf +index 0000000..77f1640 
--- /dev/null +++ b/man/man8/qdiskd_selinux.8 -@@ -0,0 +1,103 @@ +@@ -0,0 +1,119 @@ +.TH "qdiskd_selinux" "8" "qdiskd" "dwalsh@redhat.com" "qdiskd SELinux Policy documentation" +.SH "NAME" +qdiskd_selinux \- Security Enhanced Linux Policy for the qdiskd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the qdiskd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the qdiskd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the qdiskd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -38491,7 +40275,7 @@ index 0000000..fe306cf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38536,36 +40320,23 @@ index 0000000..fe306cf +selinux(8), qdiskd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/qemu_selinux.8 b/man/man8/qemu_selinux.8 new file mode 100644 -index 0000000..1ca4c43 +index 0000000..6dcd7cf --- /dev/null 
+++ b/man/man8/qemu_selinux.8 -@@ -0,0 +1,151 @@ +@@ -0,0 +1,147 @@ +.TH "qemu_selinux" "8" "qemu" "dwalsh@redhat.com" "qemu SELinux Policy documentation" +.SH "NAME" +qemu_selinux \- Security Enhanced Linux Policy for the qemu processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B qemu -+(QEMU machine emulator and virtualizer) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the qemu processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. qemu policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qemu with the tightest access possible. + + +.PP -+If you want to allow qemu to use cifs/Samba file system, you must turn on the qemu_use_cifs boolean. -+ -+.EX -+.B setsebool -P qemu_use_cifs 1 -+.EE -+ -+.PP +If you want to allow qemu to use serial/parallel communication port, you must turn on the qemu_use_comm boolean. + +.EX @@ -38600,6 +40371,15 @@ index 0000000..1ca4c43 +.B setsebool -P xend_run_qemu 1 +.EE + ++.PP ++If you want to allow qemu to use cifs/Samba file system, you must turn on the qemu_use_cifs boolean. ++ ++.EX ++.B setsebool -P qemu_use_cifs 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -38644,7 +40424,7 @@ index 0000000..1ca4c43 +/var/run/libvirt/qemu(/.*)?, /var/lib/libvirt/qemu(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38694,23 +40474,33 @@ index 0000000..1ca4c43 \ No newline at end of file 
diff --git a/man/man8/qmail_selinux.8 b/man/man8/qmail_selinux.8 new file mode 100644 -index 0000000..d0f7752 +index 0000000..aeed846 --- /dev/null +++ b/man/man8/qmail_selinux.8 -@@ -0,0 +1,213 @@ +@@ -0,0 +1,223 @@ +.TH "qmail_selinux" "8" "qmail" "dwalsh@redhat.com" "qmail SELinux Policy documentation" +.SH "NAME" +qmail_selinux \- Security Enhanced Linux Policy for the qmail processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B qmail -+(Qmail Mail Server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the qmail processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the qmail_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the qmail_local_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -38868,7 +40658,7 @@ index 0000000..d0f7752 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38913,17 +40703,19 @@ index 0000000..d0f7752 +selinux(8), qmail(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/qpidd_selinux.8 b/man/man8/qpidd_selinux.8 new file mode 100644 -index 0000000..712a06e +index 0000000..3f60e17 --- /dev/null 
+++ b/man/man8/qpidd_selinux.8 -@@ -0,0 +1,107 @@ +@@ -0,0 +1,109 @@ +.TH "qpidd_selinux" "8" "qpidd" "dwalsh@redhat.com" "qpidd SELinux Policy documentation" +.SH "NAME" +qpidd_selinux \- Security Enhanced Linux Policy for the qpidd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the qpidd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -38981,7 +40773,7 @@ index 0000000..712a06e +/var/run/qpidd(/.*)?, /var/run/qpidd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39026,17 +40818,33 @@ index 0000000..712a06e +selinux(8), qpidd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/quantum_selinux.8 b/man/man8/quantum_selinux.8 new file mode 100644 -index 0000000..779196e +index 0000000..6747eb0 --- /dev/null 
+++ b/man/man8/quantum_selinux.8 -@@ -0,0 +1,107 @@ +@@ -0,0 +1,149 @@ +.TH "quantum_selinux" "8" "quantum" "dwalsh@redhat.com" "quantum SELinux Policy documentation" +.SH "NAME" +quantum_selinux \- Security Enhanced Linux Policy for the quantum processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the quantum processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quantum_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the quantum_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -39059,7 +40867,7 @@ index 0000000..779196e +.br +.TP 5 +Paths: -+/usr/bin/quantum-server, /usr/bin/quantum-ryu-agent, /usr/bin/quantum-linuxbridge-agent, /usr/bin/quantum-openvswitch-agent ++/usr/bin/quantum-openvswitch-agent, /usr/bin/quantum-server, /usr/bin/quantum-ryu-agent, /usr/bin/quantum-linuxbridge-agent + +.EX +.PP 
@@ -39094,12 +40902,35 @@ index 0000000..779196e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon +to apply the labels. + ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible. ++.PP ++The following port types are defined for quantum: ++ ++.EX ++.TP 5 ++.B quantum_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 9696 ++.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP @@ -39128,6 +40959,9 @@ index 0000000..779196e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage port ++can also be used to manipulate the port definitions ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -39139,23 +40973,33 @@ index 0000000..779196e +selinux(8), quantum(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/quota_selinux.8 b/man/man8/quota_selinux.8 new file mode 100644 -index 0000000..b90411d +index 0000000..35c287b --- /dev/null 
+++ b/man/man8/quota_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,127 @@ +.TH "quota_selinux" "8" "quota" "dwalsh@redhat.com" "quota SELinux Policy documentation" +.SH "NAME" +quota_selinux \- Security Enhanced Linux Policy for the quota processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B quota -+(File system quota management) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the quota processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -39178,7 +41022,7 @@ index 0000000..b90411d +.br +.TP 5 +Paths: -+/boot/a?quota\.(user|group), /etc/a?quota\.(user|group), /var/lib/stickshift/a?quota\.(user|group), /a?quota\.(user|group), /var/a?quota\.(user|group), /var/spool/(.*/)?a?quota\.(user|group) ++/boot/a?quota\.(user|group), /etc/a?quota\.(user|group), /a?quota\.(user|group), /var/a?quota\.(user|group), /var/spool/(.*/)?a?quota\.(user|group) + +.EX +.PP @@ -39217,7 +41061,7 @@ index 0000000..b90411d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -39262,23 +41106,19 @@ index 0000000..b90411d +selinux(8), quota(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rabbitmq_selinux.8 b/man/man8/rabbitmq_selinux.8 new file mode 100644 -index 0000000..dc1fda5 +index 0000000..0a0b7e4 --- /dev/null +++ b/man/man8/rabbitmq_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "rabbitmq_selinux" "8" "rabbitmq" "dwalsh@redhat.com" "rabbitmq SELinux Policy documentation" +.SH "NAME" +rabbitmq_selinux \- Security Enhanced Linux Policy for the rabbitmq processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rabbitmq -+(policy for rabbitmq) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rabbitmq processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -39324,7 +41164,7 @@ index 0000000..dc1fda5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39369,17 +41209,17 @@ index 0000000..dc1fda5 +selinux(8), rabbitmq(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/racoon_selinux.8 b/man/man8/racoon_selinux.8 new file mode 100644 -index 0000000..d573221 +index 0000000..ab4b7e2 --- /dev/null 
+++ b/man/man8/racoon_selinux.8 -@@ -0,0 +1,94 @@ +@@ -0,0 +1,110 @@ +.TH "racoon_selinux" "8" "racoon" "dwalsh@redhat.com" "racoon SELinux Policy documentation" +.SH "NAME" +racoon_selinux \- Security Enhanced Linux Policy for the racoon processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the racoon processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. racoon policy is extremely flexible and has several booleans that allow you to manipulate the policy and run racoon with the tightest access possible. @@ -39392,6 +41232,22 @@ index 0000000..d573221 +.B setsebool -P racoon_read_shadow 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the racoon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the racoon_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -39420,7 +41276,7 @@ index 0000000..d573221 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39470,17 +41326,17 @@ index 0000000..d573221 \ No newline at end of file diff --git a/man/man8/radiusd_selinux.8 b/man/man8/radiusd_selinux.8 new file mode 100644 -index 0000000..6494aab +index 0000000..aa861ce --- /dev/null 
+++ b/man/man8/radiusd_selinux.8 -@@ -0,0 +1,172 @@ +@@ -0,0 +1,188 @@ +.TH "radiusd_selinux" "8" "radiusd" "dwalsh@redhat.com" "radiusd SELinux Policy documentation" +.SH "NAME" +radiusd_selinux \- Security Enhanced Linux Policy for the radiusd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the radiusd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. radiusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run radiusd with the tightest access possible. @@ -39493,6 +41349,22 @@ index 0000000..6494aab +.B setsebool -P authlogin_radius 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the radiusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the radiusd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -39573,7 +41445,7 @@ index 0000000..6494aab +/var/run/radiusd\.pid, /var/run/radiusd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39600,7 +41472,7 @@ index 0000000..6494aab + + +Default Defined Ports: -+tcp 8021 ++udp 1645,1812 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -39649,23 +41521,33 @@ index 0000000..6494aab \ No newline at end of file diff --git a/man/man8/radvd_selinux.8 b/man/man8/radvd_selinux.8 new file mode 100644 -index 0000000..e7f45e9 +index 0000000..257f975 --- /dev/null +++ b/man/man8/radvd_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,115 @@ +.TH "radvd_selinux" "8" "radvd" "dwalsh@redhat.com" "radvd SELinux Policy documentation" +.SH "NAME" +radvd_selinux \- Security Enhanced Linux Policy for the radvd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B radvd -+(IPv6 router advertisement daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the radvd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the radvd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the radvd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -39715,7 +41597,7 @@ index 0000000..e7f45e9 +/var/run/radvd(/.*)?, /var/run/radvd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39760,23 +41642,19 @@ index 0000000..e7f45e9 +selinux(8), radvd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/rdisc_selinux.8 b/man/man8/rdisc_selinux.8 new file mode 100644 -index 0000000..f04f9bd +index 0000000..a06b607 --- /dev/null +++ b/man/man8/rdisc_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,77 @@ +.TH "rdisc_selinux" "8" "rdisc" "dwalsh@redhat.com" "rdisc SELinux Policy documentation" +.SH "NAME" +rdisc_selinux \- Security Enhanced Linux Policy for the rdisc processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rdisc -+(Network router discovery daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rdisc processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -39802,7 +41680,7 @@ index 0000000..f04f9bd +/sbin/rdisc, /usr/sbin/rdisc + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39847,23 +41725,19 @@ index 0000000..f04f9bd +selinux(8), rdisc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/readahead_selinux.8 b/man/man8/readahead_selinux.8 new file mode 100644 -index 0000000..7966b58 +index 0000000..ef18581 --- /dev/null 
+++ b/man/man8/readahead_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "readahead_selinux" "8" "readahead" "dwalsh@redhat.com" "readahead SELinux Policy documentation" +.SH "NAME" +readahead_selinux \- Security Enhanced Linux Policy for the readahead processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B readahead -+(Readahead, read files into page cache for improved performance) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the readahead processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -39886,7 +41760,7 @@ index 0000000..7966b58 +.br +.TP 5 +Paths: -+/lib/systemd/systemd-readahead.*, /sbin/readahead.*, /usr/lib/systemd/systemd-readahead.*, /usr/sbin/readahead.* ++/sbin/readahead.*, /usr/lib/systemd/systemd-readahead.*, /usr/sbin/readahead.* + +.EX +.PP @@ -39909,7 +41783,7 @@ index 0000000..7966b58 +/var/run/systemd/readahead(/.*)?, /dev/\.systemd/readahead(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39954,17 +41828,33 @@ index 0000000..7966b58 +selinux(8), readahead(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/regex_selinux.8 b/man/man8/regex_selinux.8 new file mode 100644 -index 0000000..529dc44 +index 0000000..e36af1f --- /dev/null 
+++ b/man/man8/regex_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,95 @@ +.TH "regex_selinux" "8" "regex" "dwalsh@redhat.com" "regex SELinux Policy documentation" +.SH "NAME" +regex_selinux \- Security Enhanced Linux Policy for the regex processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the regex processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the regex_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the regex_milter_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -39994,7 +41884,7 @@ index 0000000..529dc44 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40039,17 +41929,33 @@ index 0000000..529dc44 +selinux(8), regex(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/restorecond_selinux.8 b/man/man8/restorecond_selinux.8 new file mode 100644 -index 0000000..5258999 +index 0000000..6d75fcb --- /dev/null 
+++ b/man/man8/restorecond_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,95 @@ +.TH "restorecond_selinux" "8" "restorecond" "dwalsh@redhat.com" "restorecond SELinux Policy documentation" +.SH "NAME" +restorecond_selinux \- Security Enhanced Linux Policy for the restorecond processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the restorecond processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the restorecond_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the restorecond_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -40079,7 +41985,7 @@ index 0000000..5258999 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40124,24 +42030,18 @@ index 0000000..5258999 +selinux(8), restorecond(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rgmanager_selinux.8 b/man/man8/rgmanager_selinux.8 new file mode 100644 -index 0000000..b003935 +index 0000000..2b3980d --- /dev/null 
+++ b/man/man8/rgmanager_selinux.8 -@@ -0,0 +1,136 @@ +@@ -0,0 +1,146 @@ +.TH "rgmanager_selinux" "8" "rgmanager" "dwalsh@redhat.com" "rgmanager SELinux Policy documentation" +.SH "NAME" +rgmanager_selinux \- Security Enhanced Linux Policy for the rgmanager processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rgmanager -+(rgmanager - Resource Group Manager) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rgmanager processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. rgmanager policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rgmanager with the tightest access possible. + @@ -40153,6 +42053,22 @@ index 0000000..b003935 +.B setsebool -P rgmanager_can_network_connect 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rgmanager_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rgmanager_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -40217,7 +42133,7 @@ index 0000000..b003935 +/var/run/rgmanager\.pid, /var/run/cluster/rgmanager\.sk + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -40267,23 +42183,33 @@ index 0000000..b003935 \ No newline at end of file diff --git a/man/man8/rhev_selinux.8 b/man/man8/rhev_selinux.8 new file mode 100644 -index 0000000..36bcd5b +index 0000000..b09665c --- /dev/null +++ b/man/man8/rhev_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,123 @@ +.TH "rhev_selinux" "8" "rhev" "dwalsh@redhat.com" "rhev SELinux Policy documentation" +.SH "NAME" +rhev_selinux \- Security Enhanced Linux Policy for the rhev processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rhev -+(rhev polic module contains policies for rhev apps) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rhev processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -40331,10 +42257,6 @@ index 0000000..36bcd5b + +- Set files with the rhev_agentd_unit_file_t type, if you want to treat the files as rhev agentd unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/ovirt-guest-agent\.serviceservice, /lib/systemd/system/ovirt-guest-agent\.service + +.EX +.PP 
@@ -40345,7 +42267,7 @@ index 0000000..36bcd5b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40390,23 +42312,19 @@ index 0000000..36bcd5b +selinux(8), rhev(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rhgb_selinux.8 b/man/man8/rhgb_selinux.8 new file mode 100644 -index 0000000..af7a010 +index 0000000..b9ec7f2 --- /dev/null +++ b/man/man8/rhgb_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,81 @@ +.TH "rhgb_selinux" "8" "rhgb" "dwalsh@redhat.com" "rhgb SELinux Policy documentation" +.SH "NAME" +rhgb_selinux \- Security Enhanced Linux Policy for the rhgb processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rhgb -+( Red Hat Graphical Boot ) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rhgb processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -40436,7 +42354,7 @@ index 0000000..af7a010 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40481,23 +42399,19 @@ index 0000000..af7a010 +selinux(8), rhgb(8), semanage(8), restorecon(8), chcon(1) 
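Review bot: In the `@@ -40390,23 +42312,19 @@` hunk the rhgb page now ends its DESCRIPTION with a bare `.SH NSSWITCH DOMAIN` heading followed directly by `.SH FILE CONTEXTS`, leaving an empty section in the rendered page; rhsmcertd, roundup, rpcbind and rwho further down get the same empty heading. The generator presumably emits the heading unconditionally and the paragraphs only when the domain has nsswitch access; it should skip the heading when there is nothing to put under it.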
diff --git a/man/man8/rhsmcertd_selinux.8 b/man/man8/rhsmcertd_selinux.8 new file mode 100644 -index 0000000..0ba79be +index 0000000..053f6cf --- /dev/null +++ b/man/man8/rhsmcertd_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,113 @@ +.TH "rhsmcertd_selinux" "8" "rhsmcertd" "dwalsh@redhat.com" "rhsmcertd SELinux Policy documentation" +.SH "NAME" +rhsmcertd_selinux \- Security Enhanced Linux Policy for the rhsmcertd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rhsmcertd -+(Subscription Management Certificate Daemon policy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rhsmcertd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -40559,7 +42473,7 @@ index 0000000..0ba79be + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40604,23 +42518,33 @@ index 0000000..0ba79be +selinux(8), rhsmcertd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ricci_selinux.8 b/man/man8/ricci_selinux.8 new file mode 100644 -index 0000000..3a36033 +index 0000000..096c0d9 --- /dev/null 
+++ b/man/man8/ricci_selinux.8 -@@ -0,0 +1,246 @@ +@@ -0,0 +1,260 @@ +.TH "ricci_selinux" "8" "ricci" "dwalsh@redhat.com" "ricci SELinux Policy documentation" +.SH "NAME" +ricci_selinux \- Security Enhanced Linux Policy for the ricci processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ricci -+(Ricci cluster management agent) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ricci processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -40774,7 +42698,7 @@ index 0000000..3a36033 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40801,7 +42725,9 @@ index 0000000..3a36033 + + +Default Defined Ports: -+tcp 8021 ++tcp 16851 ++.EE ++udp 16851 +.EE + +.EX @@ -40812,7 +42738,9 @@ index 0000000..3a36033 + + +Default Defined Ports: -+tcp 8021 ++tcp 11111 ++.EE ++udp 11111 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
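Review bot: In the `@@ -40801,7 +42725,9 @@` port listing for ricci, the new side emits `tcp 16851`, `.EE`, `udp 16851`, `.EE`: the first `.EE` closes the example block (presumably opened by an `.EX` before the hunk), so the udp line falls outside it and the second `.EE` has no matching `.EX`. The udp line should sit inside the same block, i.e. `tcp 16851`, `udp 16851`, `.EE`, with one `.EE` per `.EX`; the `@@ -40812,7 +42738,9 @@` hunk below and the rsync page further down (port 873) show the same pattern. The port corrections themselves (the placeholder 8021 replaced by the real ricci, rlogind, rshd, rwho and rsync ports) are an improvement.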
@@ -40856,17 +42784,33 @@ index 0000000..3a36033 +selinux(8), ricci(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rlogind_selinux.8 b/man/man8/rlogind_selinux.8 new file mode 100644 -index 0000000..b86f39b +index 0000000..77f13d4 --- /dev/null +++ b/man/man8/rlogind_selinux.8 -@@ -0,0 +1,137 @@ +@@ -0,0 +1,153 @@ +.TH "rlogind_selinux" "8" "rlogind" "dwalsh@redhat.com" "rlogind SELinux Policy documentation" +.SH "NAME" +rlogind_selinux \- Security Enhanced Linux Policy for the rlogind processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the rlogind processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rlogind_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rlogind_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -40928,7 +42872,7 @@ index 0000000..b86f39b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40955,7 +42899,7 @@ index 0000000..b86f39b + + +Default Defined Ports: -+tcp 8021 ++tcp 513 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -40999,23 +42943,19 @@ index 0000000..b86f39b +selinux(8), rlogind(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/roundup_selinux.8 b/man/man8/roundup_selinux.8 new file mode 100644 -index 0000000..5269077 +index 0000000..d5119ed --- /dev/null +++ b/man/man8/roundup_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "roundup_selinux" "8" "roundup" "dwalsh@redhat.com" "roundup SELinux Policy documentation" +.SH "NAME" +roundup_selinux \- Security Enhanced Linux Policy for the roundup processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B roundup -+(Roundup Issue Tracking System policy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the roundup processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -41061,7 +43001,7 @@ index 0000000..5269077 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -41103,140 +43043,152 @@ index 0000000..5269077 +This manual page was autogenerated by genman.py. + +.SH "SEE ALSO" -+selinux(8), roundup(8), semanage(8), restorecon(8), chcon(1) -diff --git a/man/man8/rpcbind_selinux.8 b/man/man8/rpcbind_selinux.8 ++selinux(8), roundup(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/rpcbind_selinux.8 b/man/man8/rpcbind_selinux.8 +new file mode 100644 +index 0000000..5089077 +--- /dev/null ++++ b/man/man8/rpcbind_selinux.8 +@@ -0,0 +1,109 @@ ++.TH "rpcbind_selinux" "8" "rpcbind" "dwalsh@redhat.com" "rpcbind SELinux Policy documentation" ++.SH "NAME" ++rpcbind_selinux \- Security Enhanced Linux Policy for the rpcbind processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the rpcbind processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible. ++.PP ++The following file types are defined for rpcbind: ++ ++ ++.EX ++.PP ++.B rpcbind_exec_t ++.EE ++ ++- Set files with the rpcbind_exec_t type, if you want to transition an executable to the rpcbind_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/rpcbind, /sbin/rpcbind ++ ++.EX ++.PP ++.B rpcbind_initrc_exec_t ++.EE ++ ++- Set files with the rpcbind_initrc_exec_t type, if you want to transition an executable to the rpcbind_initrc_t domain. ++ ++ ++.EX ++.PP ++.B rpcbind_var_lib_t ++.EE ++ ++- Set files with the rpcbind_var_lib_t type, if you want to store the rpcbind files under the /var/lib directory. ++ ++.br ++.TP 5 ++Paths: ++/var/lib/rpcbind(/.*)?, /var/cache/rpcbind(/.*)? 
++ ++.EX ++.PP ++.B rpcbind_var_run_t ++.EE ++ ++- Set files with the rpcbind_var_run_t type, if you want to store the rpcbind files under the /run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/rpcbind\.sock, /var/run/rpcbind\.lock, /var/run/rpc.statd\.pid ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible. ++.PP ++The following process types are defined for rpcbind: ++ ++.EX ++.B rpcbind_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), rpcbind(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/rpcd_selinux.8 b/man/man8/rpcd_selinux.8 new file mode 100644 -index 0000000..8fdfc21 +index 0000000..4a1bc16 
--- /dev/null -+++ b/man/man8/rpcbind_selinux.8 -@@ -0,0 +1,113 @@ -+.TH "rpcbind_selinux" "8" "rpcbind" "dwalsh@redhat.com" "rpcbind SELinux Policy documentation" ++++ b/man/man8/rpcd_selinux.8 +@@ -0,0 +1,123 @@ ++.TH "rpcd_selinux" "8" "rpcd" "dwalsh@redhat.com" "rpcd SELinux Policy documentation" +.SH "NAME" -+rpcbind_selinux \- Security Enhanced Linux Policy for the rpcbind processes ++rpcd_selinux \- Security Enhanced Linux Policy for the rpcd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rpcbind -+(Universal Addresses to RPC Program Number Mapper) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rpcd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible. -+.PP -+The following file types are defined for rpcbind: -+ -+ -+.EX -+.PP -+.B rpcbind_exec_t -+.EE -+ -+- Set files with the rpcbind_exec_t type, if you want to transition an executable to the rpcbind_t domain. -+ -+.br -+.TP 5 -+Paths: -+/usr/sbin/rpcbind, /sbin/rpcbind ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B rpcbind_initrc_exec_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the rpcbind_initrc_exec_t type, if you want to transition an executable to the rpcbind_initrc_t domain. -+ -+ -+.EX +.PP -+.B rpcbind_var_lib_t -+.EE -+ -+- Set files with the rpcbind_var_lib_t type, if you want to store the rpcbind files under the /var/lib directory. 
-+ -+.br -+.TP 5 -+Paths: -+/var/lib/rpcbind(/.*)?, /var/cache/rpcbind(/.*)? ++If you want to allow confined applications to run with kerberos for the rpcd_t, you must turn on the kerberos_enabled boolean. + +.EX -+.PP -+.B rpcbind_var_run_t ++setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the rpcbind_var_run_t type, if you want to store the rpcbind files under the /run directory. -+ -+.br -+.TP 5 -+Paths: -+/var/run/rpcbind\.sock, /var/run/rpcbind\.lock, /var/run/rpc.statd\.pid -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux rpcbind policy is very flexible allowing users to setup their rpcbind processes in as secure a method as possible. -+.PP -+The following process types are defined for rpcbind: -+ -+.EX -+.B rpcbind_t -+.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was autogenerated by genman.py. 
-+ -+.SH "SEE ALSO" -+selinux(8), rpcbind(8), semanage(8), restorecon(8), chcon(1) -diff --git a/man/man8/rpcd_selinux.8 b/man/man8/rpcd_selinux.8 -new file mode 100644 -index 0000000..f86ef74 ---- /dev/null -+++ b/man/man8/rpcd_selinux.8 -@@ -0,0 +1,119 @@ -+.TH "rpcd_selinux" "8" "rpcd" "dwalsh@redhat.com" "rpcd SELinux Policy documentation" -+.SH "NAME" -+rpcd_selinux \- Security Enhanced Linux Policy for the rpcd processes -+.SH "DESCRIPTION" -+ -+ -+ -+ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -41250,14 +43202,6 @@ index 0000000..f86ef74 + +.EX +.PP -+.B rpc_pipefs_t -+.EE -+ -+- Set files with the rpc_pipefs_t type, if you want to treat the files as rpc pipefs data. -+ -+ -+.EX -+.PP +.B rpcd_exec_t +.EE + @@ -41266,7 +43210,7 @@ index 0000000..f86ef74 +.br +.TP 5 +Paths: -+/sbin/sm-notify, /usr/sbin/rpc\..*, /usr/sbin/rpc\.idmapd, /usr/sbin/sm-notify, /usr/sbin/rpc\.rquotad, /sbin/rpc\..* ++/sbin/sm-notify, /usr/sbin/rpc\..*, /usr/sbin/rpc\.rquotad, /usr/sbin/rpc\.idmapd, /usr/sbin/sm-notify, /sbin/rpc\..* + +.EX +.PP @@ -41287,10 +43231,6 @@ index 0000000..f86ef74 + +- Set files with the rpcd_unit_file_t type, if you want to treat the files as rpcd unit content. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/system/rpc.*, /usr/lib/systemd/system/rpc.* + +.EX +.PP @@ -41305,7 +43245,7 @@ index 0000000..f86ef74 +/var/run/rpc\.statd(/.*)?, /var/run/rpc\.statd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41350,23 +43290,33 @@ index 0000000..f86ef74 +selinux(8), rpcd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/rpm_selinux.8 b/man/man8/rpm_selinux.8 new file mode 100644 -index 0000000..2c01fa3 +index 0000000..a569a6d --- /dev/null +++ b/man/man8/rpm_selinux.8 -@@ -0,0 +1,177 @@ +@@ -0,0 +1,183 @@ +.TH "rpm_selinux" "8" "rpm" "dwalsh@redhat.com" "rpm SELinux Policy documentation" +.SH "NAME" +rpm_selinux \- Security Enhanced Linux Policy for the rpm processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rpm -+(Policy for the RPM package manager) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rpm processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rpm_script_t, rpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rpm_script_t, rpm_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -41389,7 +43339,7 @@ index 0000000..2c01fa3 +.br +.TP 5 +Paths: -+/usr/bin/apt-get, /usr/libexec/yumDBUSBackend.py, /usr/sbin/rhn_check, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/synaptic, /usr/share/yumex/yumex-yum-backend, /usr/sbin/yum-updatesd, /usr/sbin/pup, /usr/libexec/packagekitd, /usr/bin/apt-shell, /usr/sbin/pirut, /usr/bin/package-cleanup, /usr/bin/fedora-rmdevelrpms, /bin/rpm, /usr/bin/yum, /usr/sbin/system-install-packages, /usr/bin/zif, /usr/bin/rpm, /usr/sbin/yum-complete-transaction, /usr/bin/smart, /usr/sbin/packagekitd, /usr/sbin/rhnreg_ks, /usr/share/yumex/yum_childtask\.py, /usr/sbin/up2date ++/usr/sbin/yum-updatesd, /usr/bin/apt-get, /usr/sbin/bcfg2, /usr/sbin/rhn_check, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/synaptic, /usr/share/yumex/yumex-yum-backend, /usr/bin/apt-shell, /usr/sbin/pup, /usr/libexec/packagekitd, /usr/libexec/yumDBUSBackend.py, /usr/sbin/pirut, /usr/bin/package-cleanup, /usr/bin/fedora-rmdevelrpms, /bin/rpm, /usr/bin/yum, /usr/sbin/system-install-packages, /usr/bin/zif, /usr/bin/rpm, /usr/sbin/yum-complete-transaction, /usr/bin/smart, /usr/sbin/packagekitd, /usr/sbin/rhnreg_ks, /usr/share/yumex/yum_childtask\.py, /usr/sbin/up2date + +.EX +.PP @@ -41406,10 +43356,6 @@ index 0000000..2c01fa3 + +- Set files with the rpm_log_t type, if you want to treat the data as rpm log data, usually stored under the /var/log directory. + -+.br -+.TP 5 -+Paths: -+/var/log/yum\.log.*, /var/log/rpmpkgs.* + +.EX +.PP @@ -41488,7 +43434,7 @@ index 0000000..2c01fa3 +/var/run/PackageKit(/.*)?, /var/run/yum.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -41533,23 +43479,33 @@ index 0000000..2c01fa3 +selinux(8), rpm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rshd_selinux.8 b/man/man8/rshd_selinux.8 new file mode 100644 -index 0000000..929f616 +index 0000000..63603e6 --- /dev/null +++ b/man/man8/rshd_selinux.8 -@@ -0,0 +1,115 @@ +@@ -0,0 +1,125 @@ +.TH "rshd_selinux" "8" "rshd" "dwalsh@redhat.com" "rshd SELinux Policy documentation" +.SH "NAME" +rshd_selinux \- Security Enhanced Linux Policy for the rshd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rshd -+(Remote shell service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rshd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rshd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rshd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -41583,7 +43539,7 @@ index 0000000..929f616 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41610,7 +43566,7 @@ index 0000000..929f616 + + +Default Defined Ports: -+tcp 8021 ++tcp 514 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -41654,23 +43610,33 @@ index 0000000..929f616 +selinux(8), rshd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rssh_selinux.8 b/man/man8/rssh_selinux.8 new file mode 100644 -index 0000000..fea92f8 +index 0000000..98ec63b --- /dev/null +++ b/man/man8/rssh_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,111 @@ +.TH "rssh_selinux" "8" "rssh" "dwalsh@redhat.com" "rssh SELinux Policy documentation" +.SH "NAME" +rssh_selinux \- Security Enhanced Linux Policy for the rssh processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rssh -+(Restricted (scp/sftp) only shell) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rssh processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -41716,7 +43682,7 @@ index 0000000..fea92f8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41760,10 +43726,10 @@ index 0000000..fea92f8 +.SH "SEE ALSO" +selinux(8), rssh(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8 -index ad9ccf5..65a1b3e 100644 +index ad9ccf5..0e20ab4 100644 --- a/man/man8/rsync_selinux.8 +++ b/man/man8/rsync_selinux.8 -@@ -1,52 +1,205 @@ +@@ -1,52 +1,217 @@ -.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation" -.de EX -.nf @@ -41780,11 +43746,7 @@ index ad9ccf5..65a1b3e 100644 .SH "DESCRIPTION" -Security-Enhanced Linux secures the rsync server via flexible mandatory access -+ -+SELinux Linux secures -+.B rsync -+(Fast incremental file transfer for synchronization) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rsync processes via flexible mandatory access control. -.SH FILE_CONTEXTS -SELinux requires files to have an extended attribute to define the file type. @@ -41797,8 +43759,6 @@ index ad9ccf5..65a1b3e 100644 -.TP -To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration: + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. rsync policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rsync with the tightest access possible. + 
@@ -41831,6 +43791,22 @@ index ad9ccf5..65a1b3e 100644 +.B setsebool -P rsync_use_cifs 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rsync_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rsync_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. .TP @@ -41849,7 +43825,7 @@ index ad9ccf5..65a1b3e 100644 -Run the restorecon command to apply the changes: -.TP -restorecon -R -v /var/rsync/ -+Allow rsync servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_rsync_anon_write boolean to be set. ++Allow rsync servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_rsyncd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/rsync/incoming(/.*)?" 
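Review bot: The hand-written SHARING FILES paragraph in this hunk now says the setup `requires the allow_rsyncd_anon_write boolean to be set`, while the generated boolean paragraph in the next hunk names the same boolean `rsync_anon_write` and shows `setsebool -P rsync_anon_write 1`; a reader following the first paragraph would try a boolean name the page itself does not use anywhere else. The two should agree, presumably on `rsync_anon_write` since that is what the generated section and the setsebool example use: `This also requires the rsync_anon_write boolean to be set.`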
@@ -41858,10 +43834,10 @@ index ad9ccf5..65a1b3e 100644 + + +.PP -+If you want to allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the allow_rsync_anon_write boolean. ++If you want to allow rsync to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the rsync_anon_write boolean. + +.EX -+.B setsebool -P allow_rsync_anon_write 1 ++.B setsebool -P rsync_anon_write 1 .EE -.SH SHARING FILES @@ -41930,7 +43906,7 @@ index ad9ccf5..65a1b3e 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41957,7 +43933,9 @@ index ad9ccf5..65a1b3e 100644 + + +Default Defined Ports: -+tcp 8021 ++tcp 873 ++.EE ++udp 873 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -42008,23 +43986,33 @@ index ad9ccf5..65a1b3e 100644 \ No newline at end of file diff --git a/man/man8/rtkit_selinux.8 b/man/man8/rtkit_selinux.8 new file mode 100644 -index 0000000..50cb948 +index 0000000..a6af45c --- /dev/null 
+++ b/man/man8/rtkit_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,87 @@ +.TH "rtkit_selinux" "8" "rtkit" "dwalsh@redhat.com" "rtkit SELinux Policy documentation" +.SH "NAME" +rtkit_selinux \- Security Enhanced Linux Policy for the rtkit processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rtkit -+(Realtime scheduling for user processes) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rtkit processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rtkit_daemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rtkit_daemon_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -42046,7 +44034,7 @@ index 0000000..50cb948 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42091,23 +44079,30 @@ index 0000000..50cb948 +selinux(8), rtkit(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/run_selinux.8 b/man/man8/run_selinux.8 new file mode 100644 -index 0000000..75796ad +index 0000000..3640723 --- /dev/null 
+++ b/man/man8/run_selinux.8 -@@ -0,0 +1,100 @@ +@@ -0,0 +1,123 @@ +.TH "run_selinux" "8" "run" "dwalsh@redhat.com" "run SELinux Policy documentation" +.SH "NAME" +run_selinux \- Security Enhanced Linux Policy for the run processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the run processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. run policy is extremely flexible and has several booleans that allow you to manipulate the policy and run run with the tightest access possible. + + +.PP ++If you want to allow Apache to run in stickshift mode, not transition to passenge, you must turn on the httpd_run_stickshift boolean. ++ ++.EX ++.B setsebool -P httpd_run_stickshift 1 ++.EE ++ ++.PP +If you want to allow xend to run qemu-dm. Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean. + +.EX @@ -42128,6 +44123,22 @@ index 0000000..75796ad +.B setsebool -P samba_run_unconfined 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the run_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the run_init_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -42148,7 +44159,7 @@ index 0000000..75796ad + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42198,23 +44209,19 @@ index 0000000..75796ad \ No newline at end of file diff --git a/man/man8/rwho_selinux.8 b/man/man8/rwho_selinux.8 new file mode 100644 -index 0000000..65c182c +index 0000000..0dade68 --- /dev/null +++ b/man/man8/rwho_selinux.8 -@@ -0,0 +1,127 @@ +@@ -0,0 +1,123 @@ +.TH "rwho_selinux" "8" "rwho" "dwalsh@redhat.com" "rwho SELinux Policy documentation" +.SH "NAME" +rwho_selinux \- Security Enhanced Linux Policy for the rwho processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rwho -+(Who is logged in on other machines?) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rwho processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -42260,7 +44267,7 @@ index 0000000..65c182c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42287,7 +44294,7 @@ index 0000000..65c182c + + +Default Defined Ports: -+tcp 8021 ++udp 513 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -42330,10 +44337,10 @@ index 0000000..65c182c +.SH "SEE ALSO" +selinux(8), rwho(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8 -index ca702c7..25316f0 100644 +index ca702c7..716f04c 100644 --- a/man/man8/samba_selinux.8 +++ b/man/man8/samba_selinux.8 -@@ -1,56 +1,269 @@ +@@ -1,56 +1,275 @@ -.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation" +.TH "samba_selinux" "8" "samba" "dwalsh@redhat.com" "samba SELinux Policy documentation" .SH "NAME" @@ -42342,15 +44349,7 @@ index ca702c7..25316f0 100644 .SH "DESCRIPTION" -Security-Enhanced Linux secures the Samba server via flexible mandatory access -+ -+SELinux Linux secures -+.B samba -+( -+SMB and CIFS client/server programs for UNIX and -+name Service Switch daemon for resolving names -+from Windows NT servers. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the samba processes via flexible mandatory access control. -.SH FILE_CONTEXTS -SELinux requires files to have an extended attribute to define the file type. @@ -42377,8 +44376,6 @@ index ca702c7..25316f0 100644 -If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute: - -setsebool -P allow_smbd_anon_write=1 -+ -+ .SH BOOLEANS -.br @@ -42398,13 +44395,6 @@ index ca702c7..25316f0 100644 +.EE + +.PP -+If you want to allow samba to act as a portmappe, you must turn on the samba_portmapper boolean. -+ -+.EX -+.B setsebool -P samba_portmapper 1 -+.EE -+ -+.PP +If you want to allow samba to share any file/directory read only, you must turn on the samba_export_all_ro boolean. + +.EX 
@@ -42433,6 +44423,13 @@ index ca702c7..25316f0 100644 +.EE + +.PP ++If you want to allow samba to act as a portmappe, you must turn on the samba_portmapper boolean. ++ ++.EX ++.B setsebool -P samba_portmapper 1 ++.EE ++ ++.PP +If you want to allow samba to export ntfs/fusefs volumes, you must turn on the samba_share_fusefs boolean. + +.EX @@ -42474,6 +44471,22 @@ index ca702c7..25316f0 100644 +.B setsebool -P virt_use_samba 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the samba_net_t, sambagui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the samba_net_t, sambagui_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -42500,7 +44513,7 @@ index ca702c7..25316f0 100644 + +- Set files with the samba_initrc_exec_t type, if you want to transition an executable to the samba_initrc_t domain. + -+.br + .br +.TP 5 +Paths: +/etc/rc\.d/init\.d/nmb, /etc/rc\.d/init\.d/smb, /etc/rc\.d/init\.d/winbind @@ -42567,7 +44580,7 @@ index ca702c7..25316f0 100644 +.br +.TP 5 +Paths: -+/lib/systemd/system/smb.service, /usr/lib/systemd/system/smb.service ++/usr/lib/systemd/system/smb.*, /usr/lib/systemd/system/nmb.* + +.EX +.PP @@ -42576,7 +44589,7 @@ index ca702c7..25316f0 100644 + +- Set files with the samba_var_t type, if you want to store the s files under the /var directory. + - .br ++.br +.TP 5 +Paths: +/var/spool/samba(/.*)?, /var/cache/samba(/.*)?, /var/lib/samba(/.*)? 
@@ -42590,7 +44603,7 @@ index ca702c7..25316f0 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42607,7 +44620,7 @@ index ca702c7..25316f0 100644 +The following process types are defined for samba: + +.EX -+.B samba_net_t, samba_unconfined_script_t, sambagui_t ++.B samba_net_t, samba_unconfined_net_t, samba_unconfined_script_t, sambagui_t +.EE +.PP +Note: @@ -42649,23 +44662,33 @@ index ca702c7..25316f0 100644 \ No newline at end of file diff --git a/man/man8/sambagui_selinux.8 b/man/man8/sambagui_selinux.8 new file mode 100644 -index 0000000..763d193 +index 0000000..8c06b88 --- /dev/null 
+++ b/man/man8/sambagui_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,87 @@ +.TH "sambagui_selinux" "8" "sambagui" "dwalsh@redhat.com" "sambagui SELinux Policy documentation" +.SH "NAME" +sambagui_selinux \- Security Enhanced Linux Policy for the sambagui processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sambagui -+(system-config-samba dbus service policy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sambagui processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sambagui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sambagui_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -42687,7 +44710,7 @@ index 0000000..763d193 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42732,24 +44755,18 @@ index 0000000..763d193 +selinux(8), sambagui(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/sandbox_selinux.8 b/man/man8/sandbox_selinux.8 new file mode 100644 -index 0000000..437feff +index 0000000..312758e --- /dev/null 
+++ b/man/man8/sandbox_selinux.8 -@@ -0,0 +1,148 @@ +@@ -0,0 +1,158 @@ +.TH "sandbox_selinux" "8" "sandbox" "dwalsh@redhat.com" "sandbox SELinux Policy documentation" +.SH "NAME" +sandbox_selinux \- Security Enhanced Linux Policy for the sandbox processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sandbox -+(policy for sandbox) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sandbox processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. sandbox policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox with the tightest access possible. + @@ -42761,6 +44778,22 @@ index 0000000..437feff +.B setsebool -P unconfined_chrome_sandbox_transition 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sandbox_min_t, sandbox_net_t, sandbox_web_client_t, sandbox_xserver_t, sandbox_web_t, sandbox_x_client_t, sandbox_x_t, sandbox_net_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sandbox_min_t, sandbox_net_t, sandbox_web_client_t, sandbox_xserver_t, sandbox_web_t, sandbox_x_client_t, sandbox_x_t, sandbox_net_client_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -42837,7 +44870,7 @@ index 0000000..437feff + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42887,24 +44920,18 @@ index 0000000..437feff \ No newline at end of file diff --git a/man/man8/sanlock_selinux.8 b/man/man8/sanlock_selinux.8 new file mode 100644 -index 0000000..b15e691 +index 0000000..f759126 --- /dev/null +++ b/man/man8/sanlock_selinux.8 -@@ -0,0 +1,130 @@ +@@ -0,0 +1,140 @@ +.TH "sanlock_selinux" "8" "sanlock" "dwalsh@redhat.com" "sanlock SELinux Policy documentation" +.SH "NAME" +sanlock_selinux \- Security Enhanced Linux Policy for the sanlock processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sanlock -+(policy for sanlock) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sanlock processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. sanlock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sanlock with the tightest access possible. + 
@@ -42930,6 +44957,22 @@ index 0000000..b15e691 +.B setsebool -P sanlock_use_samba 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sanlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sanlock_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -42974,7 +45017,7 @@ index 0000000..b15e691 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43024,27 +45067,43 @@ index 0000000..b15e691 \ No newline at end of file diff --git a/man/man8/saslauthd_selinux.8 b/man/man8/saslauthd_selinux.8 new file mode 100644 -index 0000000..8a922b3 +index 0000000..e19a072 --- /dev/null 
+++ b/man/man8/saslauthd_selinux.8 -@@ -0,0 +1,114 @@ +@@ -0,0 +1,130 @@ +.TH "saslauthd_selinux" "8" "saslauthd" "dwalsh@redhat.com" "saslauthd SELinux Policy documentation" +.SH "NAME" +saslauthd_selinux \- Security Enhanced Linux Policy for the saslauthd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the saslauthd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. saslauthd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run saslauthd with the tightest access possible. + + +.PP -+If you want to allow sasl to read shado, you must turn on the allow_saslauthd_read_shadow boolean. ++If you want to allow sasl to read shado, you must turn on the saslauthd_read_shadow boolean. + +.EX -+.B setsebool -P allow_saslauthd_read_shadow 1 ++.B setsebool -P saslauthd_read_shadow 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the saslauthd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the saslauthd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 +.EE + +.SH FILE CONTEXTS 
@@ -43092,10 +45151,10 @@ index 0000000..8a922b3 +.br +.TP 5 +Paths: -+/var/lib/sasl2(/.*)?, /var/run/saslauthd(/.*)? ++/var/run/saslauthd(/.*)?, /var/lib/sasl2(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43145,23 +45204,19 @@ index 0000000..8a922b3 \ No newline at end of file diff --git a/man/man8/sblim_selinux.8 b/man/man8/sblim_selinux.8 new file mode 100644 -index 0000000..5c6807e +index 0000000..bae951c --- /dev/null +++ b/man/man8/sblim_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,89 @@ +.TH "sblim_selinux" "8" "sblim" "dwalsh@redhat.com" "sblim SELinux Policy documentation" +.SH "NAME" +sblim_selinux \- Security Enhanced Linux Policy for the sblim processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sblim -+( policy for SBLIM Gatherer ) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sblim processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -43199,7 +45254,7 @@ index 0000000..5c6807e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43315,23 +45370,33 @@ index 0000000..6bf3e2b +selinux(8), semanage(8). 
diff --git a/man/man8/sectoolm_selinux.8 b/man/man8/sectoolm_selinux.8 new file mode 100644 -index 0000000..232ac2e +index 0000000..41be52c --- /dev/null +++ b/man/man8/sectoolm_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,87 @@ +.TH "sectoolm_selinux" "8" "sectoolm" "dwalsh@redhat.com" "sectoolm SELinux Policy documentation" +.SH "NAME" +sectoolm_selinux \- Security Enhanced Linux Policy for the sectoolm processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sectoolm -+(Sectool security audit tool) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sectoolm processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sectoolm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sectoolm_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -43353,7 +45418,7 @@ index 0000000..232ac2e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43398,25 +45463,44 @@ index 0000000..232ac2e +selinux(8), sectoolm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/selinux_selinux.8 b/man/man8/selinux_selinux.8 new file mode 100644 -index 0000000..42b09e3 +index 0000000..45c7217 --- /dev/null 
+++ b/man/man8/selinux_selinux.8 -@@ -0,0 +1,107 @@ +@@ -0,0 +1,130 @@ +.TH "selinux_selinux" "8" "selinux" "dwalsh@redhat.com" "selinux SELinux Policy documentation" +.SH "NAME" +selinux_selinux \- Security Enhanced Linux Policy for the selinux processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B selinux -+( -+Policy for kernel security interface, in particular, selinuxfs. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the selinux processes via flexible mandatory access +control. + ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. selinux policy is extremely flexible and has several booleans that allow you to manipulate the policy and run selinux with the tightest access possible. ++ ++ ++.PP ++If you want to allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzill, you must turn on the selinuxuser_execheap boolean. ++ ++.EX ++.B setsebool -P selinuxuser_execheap 1 ++.EE ++ ++.PP ++If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_, you must turn on the selinuxuser_execmod boolean. ++ ++.EX ++.B setsebool -P selinuxuser_execmod 1 ++.EE ++ ++.PP ++If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzill, you must turn on the selinuxuser_execstack boolean. ++ ++.EX ++.B setsebool -P selinuxuser_execstack 1 ++.EE + ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -43439,7 +45523,7 @@ index 0000000..42b09e3 +.br +.TP 5 +Paths: -+/etc/selinux/([^/]*/)?users(/.*)?, /etc/selinux(/.*)?, /etc/selinux/([^/]*/)?seusers, /etc/selinux/([^/]*/)?setrans\.conf ++/etc/selinux/([^/]*/)?users(/.*)?, /etc/selinux/([^/]*/)?setrans\.conf, /etc/selinux(/.*)?, /etc/selinux/([^/]*/)?seusers + +.EX +.PP @@ -43466,7 +45550,7 @@ index 0000000..42b09e3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43500,6 +45584,9 @@ index 0000000..42b09e3 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -43509,19 +45596,23 @@ index 0000000..42b09e3 + +.SH "SEE ALSO" +selinux(8), selinux(8), semanage(8), restorecon(8), chcon(1) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/semanage_selinux.8 b/man/man8/semanage_selinux.8 new file mode 100644 -index 0000000..ad680da +index 0000000..4ed4357 --- /dev/null +++ b/man/man8/semanage_selinux.8 -@@ -0,0 +1,111 @@ +@@ -0,0 +1,121 @@ +.TH "semanage_selinux" "8" "semanage" "dwalsh@redhat.com" "semanage SELinux Policy documentation" +.SH "NAME" +semanage_selinux \- Security Enhanced Linux Policy for the semanage processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the semanage processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -43544,7 +45635,7 @@ index 0000000..ad680da +.br +.TP 5 +Paths: -+/usr/share/system-config-selinux/system-config-selinux-dbus\.py, /usr/sbin/semanage, /usr/sbin/semodule ++/usr/sbin/semanage, /usr/sbin/semodule, /usr/share/system-config-selinux/system-config-selinux-dbus\.py + +.EX +.PP @@ -43582,8 +45673,16 @@ index 0000000..ad680da +- Set files with the semanage_trans_lock_t type, if you want to treat the files as semanage trans lock data, stored under the /var/lock directory + + ++.EX +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B semanage_var_lib_t ++.EE ++ ++- Set files with the semanage_var_lib_t type, if you want to store the semanage files under the /var/lib directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43628,24 +45727,18 @@ index 0000000..ad680da +selinux(8), semanage(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/sendmail_selinux.8 b/man/man8/sendmail_selinux.8 new file mode 100644 -index 0000000..f2e3fa2 +index 0000000..1709275 --- /dev/null 
+++ b/man/man8/sendmail_selinux.8 -@@ -0,0 +1,158 @@ +@@ -0,0 +1,168 @@ +.TH "sendmail_selinux" "8" "sendmail" "dwalsh@redhat.com" "sendmail SELinux Policy documentation" +.SH "NAME" +sendmail_selinux \- Security Enhanced Linux Policy for the sendmail processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sendmail -+(Policy for sendmail) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sendmail processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. sendmail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sendmail with the tightest access possible. + @@ -43671,6 +45764,22 @@ index 0000000..f2e3fa2 +.B setsebool -P gitosis_can_sendmail 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sendmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sendmail_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -43743,7 +45852,7 @@ index 0000000..f2e3fa2 +/var/run/sendmail\.pid, /var/run/sm-client\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43793,17 +45902,19 @@ index 0000000..f2e3fa2 \ No newline at end of file 
diff --git a/man/man8/services_selinux.8 b/man/man8/services_selinux.8 new file mode 100644 -index 0000000..08da721 +index 0000000..1004c86 --- /dev/null +++ b/man/man8/services_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,85 @@ +.TH "services_selinux" "8" "services" "dwalsh@redhat.com" "services SELinux Policy documentation" +.SH "NAME" +services_selinux \- Security Enhanced Linux Policy for the services processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the services processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -43826,7 +45937,7 @@ index 0000000..08da721 +.br +.TP 5 +Paths: -+/usr/share/munin/plugins/nut.*, /usr/share/munin/plugins/named, /usr/share/munin/plugins/varnish_.*, /usr/share/munin/plugins/tomcat_.*, /usr/share/munin/plugins/postgres_.*, /usr/share/munin/plugins/asterisk_.*, /usr/share/munin/plugins/lpstat, /usr/share/munin/plugins/mysql_.*, /usr/share/munin/plugins/slapd_.*, /usr/share/munin/plugins/apache_.*, /usr/share/munin/plugins/ping_, /usr/share/munin/plugins/squid_.*, /usr/share/munin/plugins/fail2ban, /usr/share/munin/plugins/openvpn, /usr/share/munin/plugins/snmp_.*, /usr/share/munin/plugins/samba, /usr/share/munin/plugins/ntp_.*, /usr/share/munin/plugins/http_loadtime ++/usr/share/munin/plugins/nut.*, /usr/share/munin/plugins/snmp_.*, /usr/share/munin/plugins/named, /usr/share/munin/plugins/varnish_.*, /usr/share/munin/plugins/tomcat_.*, /usr/share/munin/plugins/postgres_.*, /usr/share/munin/plugins/asterisk_.*, /usr/share/munin/plugins/lpstat, /usr/share/munin/plugins/mysql_.*, /usr/share/munin/plugins/slapd_.*, /usr/share/munin/plugins/apache_.*, /usr/share/munin/plugins/ping_, /usr/share/munin/plugins/squid_.*, /usr/share/munin/plugins/fail2ban, /usr/share/munin/plugins/openvpn, /usr/share/munin/plugins/samba, /usr/share/munin/plugins/ntp_.*, /usr/share/munin/plugins/http_loadtime + +.EX +.PP 
@@ -43837,7 +45948,7 @@ index 0000000..08da721 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43882,17 +45993,19 @@ index 0000000..08da721 +selinux(8), services(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setfiles_selinux.8 b/man/man8/setfiles_selinux.8 new file mode 100644 -index 0000000..33dfb2f +index 0000000..00771fb --- /dev/null +++ b/man/man8/setfiles_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "setfiles_selinux" "8" "setfiles" "dwalsh@redhat.com" "setfiles SELinux Policy documentation" +.SH "NAME" +setfiles_selinux \- Security Enhanced Linux Policy for the setfiles processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the setfiles processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -43918,7 +46031,7 @@ index 0000000..33dfb2f +/sbin/setfiles.*, /sbin/restorecon, /usr/sbin/setfiles.*, /usr/sbin/restorecon + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43963,17 +46076,19 @@ index 0000000..33dfb2f +selinux(8), setfiles(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/setkey_selinux.8 b/man/man8/setkey_selinux.8 new file mode 100644 -index 0000000..8a21ecc +index 0000000..3508525 --- /dev/null +++ b/man/man8/setkey_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "setkey_selinux" "8" "setkey" "dwalsh@redhat.com" "setkey SELinux Policy documentation" +.SH "NAME" +setkey_selinux \- Security Enhanced Linux Policy for the setkey processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the setkey processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -43999,7 +46114,7 @@ index 0000000..8a21ecc +/usr/sbin/setkey, /sbin/setkey + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44044,23 +46159,19 @@ index 0000000..8a21ecc +selinux(8), setkey(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setrans_selinux.8 b/man/man8/setrans_selinux.8 new file mode 100644 -index 0000000..99b5cda +index 0000000..1851634 --- /dev/null 
+++ b/man/man8/setrans_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "setrans_selinux" "8" "setrans" "dwalsh@redhat.com" "setrans SELinux Policy documentation" +.SH "NAME" +setrans_selinux \- Security Enhanced Linux Policy for the setrans processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B setrans -+(SELinux MLS/MCS label translation service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the setrans processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -44106,7 +46217,7 @@ index 0000000..99b5cda +/var/run/mcstransd\.pid, /var/run/setrans(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44151,23 +46262,33 @@ index 0000000..99b5cda +selinux(8), setrans(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setroubleshoot_selinux.8 b/man/man8/setroubleshoot_selinux.8 new file mode 100644 -index 0000000..cbed8e8 +index 0000000..3e3593f --- /dev/null 
+++ b/man/man8/setroubleshoot_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,119 @@ +.TH "setroubleshoot_selinux" "8" "setroubleshoot" "dwalsh@redhat.com" "setroubleshoot SELinux Policy documentation" +.SH "NAME" +setroubleshoot_selinux \- Security Enhanced Linux Policy for the setroubleshoot processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B setroubleshoot -+(SELinux troubleshooting service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the setroubleshoot processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -44221,7 +46342,7 @@ index 0000000..cbed8e8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44266,17 +46387,33 @@ index 0000000..cbed8e8 +selinux(8), setroubleshoot(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setroubleshootd_selinux.8 b/man/man8/setroubleshootd_selinux.8 new file mode 100644 -index 0000000..924d3bc +index 0000000..838a09a --- /dev/null 
+++ b/man/man8/setroubleshootd_selinux.8 -@@ -0,0 +1,103 @@ +@@ -0,0 +1,87 @@ +.TH "setroubleshootd_selinux" "8" "setroubleshootd" "dwalsh@redhat.com" "setroubleshootd SELinux Policy documentation" +.SH "NAME" +setroubleshootd_selinux \- Security Enhanced Linux Policy for the setroubleshootd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the setroubleshootd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -44291,46 +46428,107 @@ index 0000000..924d3bc + +.EX +.PP -+.B setroubleshoot_fixit_exec_t ++.B setroubleshootd_exec_t +.EE + -+- Set files with the setroubleshoot_fixit_exec_t type, if you want to transition an executable to the setroubleshoot_fixit_t domain. ++- Set files with the setroubleshootd_exec_t type, if you want to transition an executable to the setroubleshootd_t domain. + + -+.EX +.PP -+.B setroubleshoot_var_lib_t -+.EE -+ -+- Set files with the setroubleshoot_var_lib_t type, if you want to store the setroubleshoot files under the /var/lib directory. ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible. ++.PP ++The following process types are defined for setroubleshootd: + +.EX -+.PP -+.B setroubleshoot_var_log_t ++.B setroubleshoot_fixit_t, setroubleshootd_t +.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. + -+- Set files with the setroubleshoot_var_log_t type, if you want to treat the data as setroubleshoot var log data, usually stored under the /var/log directory. ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. 
++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. + ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), setroubleshootd(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/setsebool_selinux.8 b/man/man8/setsebool_selinux.8 +new file mode 100644 +index 0000000..a3d4b57 +--- /dev/null ++++ b/man/man8/setsebool_selinux.8 +@@ -0,0 +1,87 @@ ++.TH "setsebool_selinux" "8" "setsebool" "dwalsh@redhat.com" "setsebool SELinux Policy documentation" ++.SH "NAME" ++setsebool_selinux \- Security Enhanced Linux Policy for the setsebool processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the setsebool processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the setsebool_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ +.PP -+.B setroubleshoot_var_run_t ++If you want to allow confined applications to run with kerberos for the setsebool_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the setroubleshoot_var_run_t type, if you want to store the setroubleshoot files under the /run directory. ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible. 
++.PP ++The following file types are defined for setsebool: + + +.EX +.PP -+.B setroubleshootd_exec_t ++.B setsebool_exec_t +.EE + -+- Set files with the setroubleshootd_exec_t type, if you want to transition an executable to the setroubleshootd_t domain. ++- Set files with the setsebool_exec_t type, if you want to transition an executable to the setsebool_t domain. + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44342,12 +46540,12 @@ index 0000000..924d3bc +You can see the context of a process using the \fB\-Z\fP option to \fBps\bP +.PP +Policy governs the access confined processes have to files. -+SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible. ++SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible. +.PP -+The following process types are defined for setroubleshootd: ++The following process types are defined for setsebool: + +.EX -+.B setroubleshoot_fixit_t, setroubleshootd_t ++.B setsebool_t +.EE +.PP +Note: @@ -44372,113 +46570,53 @@ index 0000000..924d3bc +This manual page was autogenerated by genman.py. + +.SH "SEE ALSO" -+selinux(8), setroubleshootd(8), semanage(8), restorecon(8), chcon(1) -diff --git a/man/man8/setsebool_selinux.8 b/man/man8/setsebool_selinux.8 ++selinux(8), setsebool(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/sge_selinux.8 b/man/man8/sge_selinux.8 new file mode 100644 -index 0000000..0b850e8 +index 0000000..c74c0a7 
--- /dev/null -+++ b/man/man8/setsebool_selinux.8 -@@ -0,0 +1,71 @@ -+.TH "setsebool_selinux" "8" "setsebool" "dwalsh@redhat.com" "setsebool SELinux Policy documentation" ++++ b/man/man8/sge_selinux.8 +@@ -0,0 +1,141 @@ ++.TH "sge_selinux" "8" "sge" "dwalsh@redhat.com" "sge SELinux Policy documentation" +.SH "NAME" -+setsebool_selinux \- Security Enhanced Linux Policy for the setsebool processes ++sge_selinux \- Security Enhanced Linux Policy for the sge processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the sge processes via flexible mandatory access ++control. + ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. sge policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sge with the tightest access possible. + + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible. -+.PP -+The following file types are defined for setsebool: -+ ++If you want to allow sge to connect to the network using any TCP por, you must turn on the sge_domain_can_network_connect boolean. + +.EX -+.PP -+.B setsebool_exec_t ++.B setsebool -P sge_domain_can_network_connect 1 +.EE + -+- Set files with the setsebool_exec_t type, if you want to transition an executable to the setsebool_t domain. -+ -+ +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. 
-+ -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux setsebool policy is very flexible allowing users to setup their setsebool processes in as secure a method as possible. -+.PP -+The following process types are defined for setsebool: ++If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean. + +.EX -+.B setsebool_t ++.B setsebool -P sge_use_nfs 1 +.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. + -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. ++.SH NSSWITCH DOMAIN + +.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was autogenerated by genman.py. -+ -+.SH "SEE ALSO" -+selinux(8), setsebool(8), semanage(8), restorecon(8), chcon(1) -diff --git a/man/man8/sge_selinux.8 b/man/man8/sge_selinux.8 -new file mode 100644 -index 0000000..636d762 ---- /dev/null -+++ b/man/man8/sge_selinux.8 -@@ -0,0 +1,124 @@ -+.TH "sge_selinux" "8" "sge" "dwalsh@redhat.com" "sge SELinux Policy documentation" -+.SH "NAME" -+sge_selinux \- Security Enhanced Linux Policy for the sge processes -+.SH "DESCRIPTION" -+ -+ -+SELinux Linux secures -+.B sge -+(Policy for gridengine MPI jobs) -+processes via flexible mandatory access -+control. -+ -+ -+ -+.SH BOOLEANS -+SELinux policy is customizable based on least access required. 
sge policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sge with the tightest access possible. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sge_execd_t, sge_job_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + +.PP -+If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean. ++If you want to allow confined applications to run with kerberos for the sge_execd_t, sge_job_ssh_t, you must turn on the kerberos_enabled boolean. + +.EX -+.B setsebool -P sge_use_nfs 1 ++setsebool -P kerberos_enabled 1 +.EE + +.SH FILE CONTEXTS @@ -44533,7 +46671,7 @@ index 0000000..636d762 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44583,23 +46721,33 @@ index 0000000..636d762 \ No newline at end of file diff --git a/man/man8/shorewall_selinux.8 b/man/man8/shorewall_selinux.8 new file mode 100644 -index 0000000..b02195e +index 0000000..0741c14 --- /dev/null 
+++ b/man/man8/shorewall_selinux.8 -@@ -0,0 +1,141 @@ +@@ -0,0 +1,151 @@ +.TH "shorewall_selinux" "8" "shorewall" "dwalsh@redhat.com" "shorewall SELinux Policy documentation" +.SH "NAME" +shorewall_selinux \- Security Enhanced Linux Policy for the shorewall processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B shorewall -+(Shoreline Firewall high-level tool for configuring netfilter) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the shorewall processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the shorewall_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the shorewall_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -44634,7 +46782,7 @@ index 0000000..b02195e +.br +.TP 5 +Paths: -+/sbin/shorewall6?, /sbin/shorewall-lite, /usr/sbin/shorewall-lite, /usr/sbin/shorewall6? ++/sbin/shorewall6?, /usr/sbin/shorewall-lite, /sbin/shorewall-lite, /usr/sbin/shorewall6? + +.EX +.PP @@ -44685,7 +46833,7 @@ index 0000000..b02195e +/var/lib/shorewall-lite(/.*)?, /var/lib/shorewall(/.*)?, /var/lib/shorewall6(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -44730,17 +46878,19 @@ index 0000000..b02195e +selinux(8), shorewall(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/showmount_selinux.8 b/man/man8/showmount_selinux.8 new file mode 100644 -index 0000000..df89321 +index 0000000..4dabeda --- /dev/null +++ b/man/man8/showmount_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "showmount_selinux" "8" "showmount" "dwalsh@redhat.com" "showmount SELinux Policy documentation" +.SH "NAME" +showmount_selinux \- Security Enhanced Linux Policy for the showmount processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the showmount processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -44762,7 +46912,7 @@ index 0000000..df89321 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44807,23 +46957,44 @@ index 0000000..df89321 +selinux(8), showmount(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/shutdown_selinux.8 b/man/man8/shutdown_selinux.8 new file mode 100644 -index 0000000..733dd9c +index 0000000..496324f --- /dev/null 
+++ b/man/man8/shutdown_selinux.8 -@@ -0,0 +1,97 @@ +@@ -0,0 +1,122 @@ +.TH "shutdown_selinux" "8" "shutdown" "dwalsh@redhat.com" "shutdown SELinux Policy documentation" +.SH "NAME" +shutdown_selinux \- Security Enhanced Linux Policy for the shutdown processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B shutdown -+(System shutdown command) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the shutdown processes via flexible mandatory access +control. + ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. shutdown policy is extremely flexible and has several booleans that allow you to manipulate the policy and run shutdown with the tightest access possible. ++ ++ ++.PP ++If you want to allow HTTPD to connect to port 80 for graceful shutdow, you must turn on the httpd_graceful_shutdown boolean. ++ ++.EX ++.B setsebool -P httpd_graceful_shutdown 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the shutdown_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the shutdown_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -44865,7 +47036,7 @@ index 0000000..733dd9c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -44899,6 +47070,9 @@ index 0000000..733dd9c +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -44908,19 +47082,37 @@ index 0000000..733dd9c + +.SH "SEE ALSO" +selinux(8), shutdown(8), semanage(8), restorecon(8), chcon(1) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/slapd_selinux.8 b/man/man8/slapd_selinux.8 new file mode 100644 -index 0000000..4031380 +index 0000000..382766a --- /dev/null +++ b/man/man8/slapd_selinux.8 -@@ -0,0 +1,175 @@ +@@ -0,0 +1,191 @@ +.TH "slapd_selinux" "8" "slapd" "dwalsh@redhat.com" "slapd SELinux Policy documentation" +.SH "NAME" +slapd_selinux \- Security Enhanced Linux Policy for the slapd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the slapd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the slapd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the slapd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -44951,7 +47143,7 @@ index 0000000..4031380 +.br +.TP 5 +Paths: -+/etc/openldap/slapd\.d(/.*)?, /var/lib/ldap(/.*)? ++/var/lib/ldap(/.*)?, /etc/openldap/slapd\.d(/.*)? + +.EX +.PP 
@@ -45046,7 +47238,7 @@ index 0000000..4031380 +/var/run/slapd\.args, /var/run/openldap(/.*)?, /var/run/slapd\.pid, /var/run/ldapi, /var/run/slapd.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45091,17 +47283,19 @@ index 0000000..4031380 +selinux(8), slapd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smbcontrol_selinux.8 b/man/man8/smbcontrol_selinux.8 new file mode 100644 -index 0000000..1f4a491 +index 0000000..8f94f43 --- /dev/null +++ b/man/man8/smbcontrol_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "smbcontrol_selinux" "8" "smbcontrol" "dwalsh@redhat.com" "smbcontrol SELinux Policy documentation" +.SH "NAME" +smbcontrol_selinux \- Security Enhanced Linux Policy for the smbcontrol processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the smbcontrol processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45123,7 +47317,7 @@ index 0000000..1f4a491 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45168,17 +47362,33 @@ index 0000000..1f4a491 +selinux(8), smbcontrol(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/smbd_selinux.8 b/man/man8/smbd_selinux.8 new file mode 100644 -index 0000000..78125d2 +index 0000000..a03df1b --- /dev/null +++ b/man/man8/smbd_selinux.8 -@@ -0,0 +1,151 @@ +@@ -0,0 +1,167 @@ +.TH "smbd_selinux" "8" "smbd" "dwalsh@redhat.com" "smbd SELinux Policy documentation" +.SH "NAME" +smbd_selinux \- Security Enhanced Linux Policy for the smbd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the smbd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smbmount_t, smbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the smbmount_t, smbd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. @@ -45191,7 +47401,7 @@ index 0000000..78125d2 +.B restorecon -F -R -v /var/smbd +.pp +.TP -+Allow smbd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_smbd_anon_write boolean to be set. ++Allow smbd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_smbdd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/smbd/incoming(/.*)?" 
@@ -45200,10 +47410,10 @@ index 0000000..78125d2 + + +.PP -+If you want to allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the allow_smbd_anon_write boolean. ++If you want to allow samba to modify public files used for public file transfer services. Files/Directories must be labeled public_content_rw_t., you must turn on the smbd_anon_write boolean. + +.EX -+.B setsebool -P allow_smbd_anon_write 1 ++.B setsebool -P smbd_anon_write 1 +.EE + +.SH FILE CONTEXTS @@ -45254,7 +47464,7 @@ index 0000000..78125d2 +/var/run/samba/gencache\.tdb, /var/run/samba/share_info\.tdb, /var/run/samba(/.*)?, /var/run/samba/locking\.tdb, /var/run/samba/connections\.tdb, /var/run/samba/smbd\.pid, /var/run/samba/sessionid\.tdb, /var/run/samba/brlock\.tdb + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45281,7 +47491,7 @@ index 0000000..78125d2 + + +Default Defined Ports: -+tcp 8021 ++tcp 137-139,445 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -45325,17 +47535,33 @@ index 0000000..78125d2 +selinux(8), smbd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smbmount_selinux.8 b/man/man8/smbmount_selinux.8 new file mode 100644 -index 0000000..e5fd258 +index 0000000..8865bd0 --- /dev/null 
+++ b/man/man8/smbmount_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,91 @@ +.TH "smbmount_selinux" "8" "smbmount" "dwalsh@redhat.com" "smbmount SELinux Policy documentation" +.SH "NAME" +smbmount_selinux \- Security Enhanced Linux Policy for the smbmount processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the smbmount processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smbmount_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the smbmount_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45361,7 +47587,7 @@ index 0000000..e5fd258 +/usr/bin/smbmnt, /usr/bin/smbmount + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45406,23 +47632,33 @@ index 0000000..e5fd258 +selinux(8), smbmount(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smokeping_selinux.8 b/man/man8/smokeping_selinux.8 new file mode 100644 -index 0000000..6eb81ca +index 0000000..8269f01 --- /dev/null 
+++ b/man/man8/smokeping_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,111 @@ +.TH "smokeping_selinux" "8" "smokeping" "dwalsh@redhat.com" "smokeping SELinux Policy documentation" +.SH "NAME" +smokeping_selinux \- Security Enhanced Linux Policy for the smokeping processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B smokeping -+(Smokeping network latency measurement) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the smokeping processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smokeping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the smokeping_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45468,7 +47704,7 @@ index 0000000..6eb81ca + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45513,23 +47749,33 @@ index 0000000..6eb81ca +selinux(8), smokeping(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smoltclient_selinux.8 b/man/man8/smoltclient_selinux.8 new file mode 100644 -index 0000000..7290f4e +index 0000000..3a4bff5 --- /dev/null 
+++ b/man/man8/smoltclient_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,95 @@ +.TH "smoltclient_selinux" "8" "smoltclient" "dwalsh@redhat.com" "smoltclient SELinux Policy documentation" +.SH "NAME" +smoltclient_selinux \- Security Enhanced Linux Policy for the smoltclient processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B smoltclient -+(The Fedora hardware profiler client) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the smoltclient processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the smoltclient_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the smoltclient_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45559,7 +47805,7 @@ index 0000000..7290f4e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45604,17 +47850,33 @@ index 0000000..7290f4e +selinux(8), smoltclient(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/snmpd_selinux.8 b/man/man8/snmpd_selinux.8 new file mode 100644 -index 0000000..ce8506a +index 0000000..f51efbd --- /dev/null 
+++ b/man/man8/snmpd_selinux.8 -@@ -0,0 +1,141 @@ +@@ -0,0 +1,159 @@ +.TH "snmpd_selinux" "8" "snmpd" "dwalsh@redhat.com" "snmpd SELinux Policy documentation" +.SH "NAME" +snmpd_selinux \- Security Enhanced Linux Policy for the snmpd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the snmpd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the snmpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the snmpd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45680,7 +47942,7 @@ index 0000000..ce8506a +/var/run/net-snmpd(/.*)?, /var/run/snmpd\.pid, /var/run/snmpd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45707,7 +47969,9 @@ index 0000000..ce8506a + + +Default Defined Ports: -+tcp 8021 ++tcp 161-162,199,1161 ++.EE ++udp 161-162 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -45751,23 +48015,19 @@ index 0000000..ce8506a +selinux(8), snmpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/snort_selinux.8 b/man/man8/snort_selinux.8 new file mode 100644 -index 0000000..4a3cd80 +index 0000000..cccbbc7 --- /dev/null 
+++ b/man/man8/snort_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,117 @@ +.TH "snort_selinux" "8" "snort" "dwalsh@redhat.com" "snort SELinux Policy documentation" +.SH "NAME" +snort_selinux \- Security Enhanced Linux Policy for the snort processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B snort -+(Snort network intrusion detection system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the snort processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45833,7 +48093,7 @@ index 0000000..4a3cd80 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45878,23 +48138,33 @@ index 0000000..4a3cd80 +selinux(8), snort(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/sosreport_selinux.8 b/man/man8/sosreport_selinux.8 new file mode 100644 -index 0000000..d92aa21 +index 0000000..529935f --- /dev/null 
+++ b/man/man8/sosreport_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,103 @@ +.TH "sosreport_selinux" "8" "sosreport" "dwalsh@redhat.com" "sosreport SELinux Policy documentation" +.SH "NAME" +sosreport_selinux \- Security Enhanced Linux Policy for the sosreport processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sosreport -+(sosreport - Generate debugging information for system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sosreport processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sosreport_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sosreport_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45932,7 +48202,7 @@ index 0000000..d92aa21 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45977,17 +48247,19 @@ index 0000000..d92aa21 +selinux(8), sosreport(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/soundd_selinux.8 b/man/man8/soundd_selinux.8 new file mode 100644 -index 0000000..4c912c3 +index 0000000..cdb926f --- /dev/null 
+++ b/man/man8/soundd_selinux.8 -@@ -0,0 +1,157 @@ +@@ -0,0 +1,159 @@ +.TH "soundd_selinux" "8" "soundd" "dwalsh@redhat.com" "soundd SELinux Policy documentation" +.SH "NAME" +soundd_selinux \- Security Enhanced Linux Policy for the soundd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the soundd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -46069,7 +48341,7 @@ index 0000000..4c912c3 +/var/run/nasd(/.*)?, /var/run/yiff-[0-9]+\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46096,7 +48368,7 @@ index 0000000..4c912c3 + + +Default Defined Ports: -+tcp 8021 ++tcp 8000,9433,16001 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -46140,17 +48412,17 @@ index 0000000..4c912c3 +selinux(8), soundd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/spamass_selinux.8 b/man/man8/spamass_selinux.8 new file mode 100644 -index 0000000..3285cb1 +index 0000000..f2b9e39 --- /dev/null 
+++ b/man/man8/spamass_selinux.8 -@@ -0,0 +1,106 @@ +@@ -0,0 +1,108 @@ +.TH "spamass_selinux" "8" "spamass" "dwalsh@redhat.com" "spamass SELinux Policy documentation" +.SH "NAME" +spamass_selinux \- Security Enhanced Linux Policy for the spamass processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the spamass processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. spamass policy is extremely flexible and has several booleans that allow you to manipulate the policy and run spamass with the tightest access possible. @@ -46163,6 +48435,8 @@ index 0000000..3285cb1 +.B setsebool -P spamassassin_can_network 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -46184,7 +48458,7 @@ index 0000000..3285cb1 +.br +.TP 5 +Paths: -+/var/run/spamass-milter(/.*)?, /var/run/spamass-milter\.pid ++/var/spool/postfix/spamass(/.*)?, /var/run/spamass(/.*)?, /var/run/spamass-milter(/.*)?, /var/run/spamass-milter\.pid + +.EX +.PP @@ -46203,7 +48477,7 @@ index 0000000..3285cb1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46253,17 +48527,33 @@ index 0000000..3285cb1 \ No newline at end of file diff --git a/man/man8/spamc_selinux.8 b/man/man8/spamc_selinux.8 new file mode 100644 -index 0000000..3be61d7 +index 0000000..f03830d --- /dev/null 
+++ b/man/man8/spamc_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,111 @@ +.TH "spamc_selinux" "8" "spamc" "dwalsh@redhat.com" "spamc SELinux Policy documentation" +.SH "NAME" +spamc_selinux \- Security Enhanced Linux Policy for the spamc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the spamc processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the spamc_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -46286,7 +48576,7 @@ index 0000000..3be61d7 +.br +.TP 5 +Paths: -+/usr/bin/spamc, /usr/bin/razor.*, /usr/bin/sa-learn, /usr/bin/spamassassin ++/usr/bin/pyzor, /usr/bin/spamc, /usr/bin/razor.*, /usr/bin/sa-learn, /usr/bin/spamassassin + +.EX +.PP @@ -46298,7 +48588,7 @@ index 0000000..3be61d7 +.br +.TP 5 +Paths: -+/root/\.razor(/.*)?, /root/\.spamassassin(/.*)? ++/root/\.spamd(/.*)?, /root/\.pyzor(/.*)?, /root/\.razor(/.*)?, /root/\.spamassassin(/.*)? + +.EX +.PP @@ -46309,7 +48599,7 @@ index 0000000..3be61d7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46354,17 +48644,17 @@ index 0000000..3be61d7 +selinux(8), spamc(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/spamd_selinux.8 b/man/man8/spamd_selinux.8 new file mode 100644 -index 0000000..cb40498 +index 0000000..ede8ae7 --- /dev/null +++ b/man/man8/spamd_selinux.8 -@@ -0,0 +1,222 @@ +@@ -0,0 +1,242 @@ +.TH "spamd_selinux" "8" "spamd" "dwalsh@redhat.com" "spamd SELinux Policy documentation" +.SH "NAME" +spamd_selinux \- Security Enhanced Linux Policy for the spamd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the spamd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. spamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run spamd with the tightest access possible. @@ -46391,6 +48681,22 @@ index 0000000..cb40498 +.B setsebool -P httpd_can_check_spam 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the spamc_t, spamd_update_t, spamd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the spamc_t, spamd_update_t, spamd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -46417,6 +48723,10 @@ index 0000000..cb40498 + +- Set files with the spamd_etc_t type, if you want to store spamd files in the /etc directories. + ++.br ++.TP 5 ++Paths: ++/etc/pyzor(/.*)?, /etc/razor(/.*)? + +.EX +.PP @@ -46428,7 +48738,7 @@ index 0000000..cb40498 +.br +.TP 5 +Paths: -+/usr/sbin/spamd, /usr/bin/mimedefang-multiplexor, /usr/bin/spamd, /usr/bin/mimedefang ++/usr/sbin/spamd, /usr/bin/mimedefang-multiplexor, /usr/bin/pyzord, /usr/bin/spamd, /usr/bin/mimedefang + +.EX +.PP 
@@ -46440,7 +48750,7 @@ index 0000000..cb40498 +.br +.TP 5 +Paths: -+/etc/rc\.d/init\.d/spamd, /etc/rc\.d/init\.d/mimedefang.* ++/etc/rc\.d/init\.d/spamd, /etc/rc\.d/init\.d/mimedefang.*, /etc/rc\.d/init\.d/pyzord + +.EX +.PP @@ -46452,7 +48762,7 @@ index 0000000..cb40498 +.br +.TP 5 +Paths: -+/var/log/razor-agent\.log, /var/log/spamd\.log, /var/log/mimedefang ++/var/log/razor-agent\.log, /var/log/spamd\.log, /var/log/mimedefang, /var/log/pyzord\.log + +.EX +.PP @@ -46492,7 +48802,7 @@ index 0000000..cb40498 +.br +.TP 5 +Paths: -+/var/lib/spamassassin(/.*)?, /var/lib/razor(/.*)? ++/var/lib/spamassassin(/.*)?, /var/lib/razor(/.*)?, /var/lib/pyzord(/.*)? + +.EX +.PP @@ -46507,7 +48817,7 @@ index 0000000..cb40498 +/var/run/spamassassin(/.*)?, /var/spool/MIMEDefang(/.*)?, /var/spool/MD-Quarantine(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46534,7 +48844,7 @@ index 0000000..cb40498 + + +Default Defined Ports: -+tcp 8021 ++tcp 783 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -46583,24 +48893,18 @@ index 0000000..cb40498 \ No newline at end of file diff --git a/man/man8/squid_selinux.8 b/man/man8/squid_selinux.8 new file mode 100644 -index 0000000..5d1acc2 +index 0000000..51ec8b0 --- /dev/null 
+++ b/man/man8/squid_selinux.8 -@@ -0,0 +1,185 @@ +@@ -0,0 +1,205 @@ +.TH "squid_selinux" "8" "squid" "dwalsh@redhat.com" "squid SELinux Policy documentation" +.SH "NAME" +squid_selinux \- Security Enhanced Linux Policy for the squid processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B squid -+(Squid caching http proxy server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the squid processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. squid policy is extremely flexible and has several booleans that allow you to manipulate the policy and run squid with the tightest access possible. + @@ -46619,6 +48923,22 @@ index 0000000..5d1acc2 +.B setsebool -P squid_connect_any 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the squid_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the squid_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -46684,6 +49004,14 @@ index 0000000..5d1acc2 + +.EX +.PP ++.B squid_tmp_t ++.EE ++ ++- Set files with the squid_tmp_t type, if you want to store squid temporary files in the /tmp directories. ++ ++ ++.EX ++.PP +.B squid_tmpfs_t +.EE + 
@@ -46699,7 +49027,7 @@ index 0000000..5d1acc2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46726,7 +49054,9 @@ index 0000000..5d1acc2 + + +Default Defined Ports: -+tcp 8021 ++tcp 3128,3401,4827 ++.EE ++udp 3401,4827 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -46775,17 +49105,19 @@ index 0000000..5d1acc2 \ No newline at end of file diff --git a/man/man8/srvsvcd_selinux.8 b/man/man8/srvsvcd_selinux.8 new file mode 100644 -index 0000000..036f028 +index 0000000..c7b7658 --- /dev/null +++ b/man/man8/srvsvcd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "srvsvcd_selinux" "8" "srvsvcd" "dwalsh@redhat.com" "srvsvcd SELinux Policy documentation" +.SH "NAME" +srvsvcd_selinux \- Security Enhanced Linux Policy for the srvsvcd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the srvsvcd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -46831,7 +49163,7 @@ index 0000000..036f028 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46876,24 +49208,18 @@ index 0000000..036f028 +selinux(8), srvsvcd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/ssh_selinux.8 b/man/man8/ssh_selinux.8 new file mode 100644 -index 0000000..a3beeec +index 0000000..c83c4fe --- /dev/null +++ b/man/man8/ssh_selinux.8 -@@ -0,0 +1,254 @@ +@@ -0,0 +1,264 @@ +.TH "ssh_selinux" "8" "ssh" "dwalsh@redhat.com" "ssh SELinux Policy documentation" +.SH "NAME" +ssh_selinux \- Security Enhanced Linux Policy for the ssh processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ssh -+(Secure shell client and server policy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ssh processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. ssh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ssh with the tightest access possible. + @@ -46906,6 +49232,13 @@ index 0000000..a3beeec +.EE + +.PP ++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. ++ ++.EX ++.B setsebool -P sftpd_write_ssh_home 1 ++.EE ++ ++.PP +If you want to allow ssh logins as sysadm_r:sysadm_, you must turn on the ssh_sysadm_login boolean. + +.EX @@ -46913,10 +49246,10 @@ index 0000000..a3beeec +.EE + +.PP -+If you want to allow host key based authenticatio, you must turn on the allow_ssh_keysign boolean. ++If you want to allow host key based authenticatio, you must turn on the ssh_keysign boolean. + +.EX -+.B setsebool -P allow_ssh_keysign 1 ++.B setsebool -P ssh_keysign 1 +.EE + +.PP 
@@ -46926,11 +49259,20 @@ index 0000000..a3beeec +.B setsebool -P fenced_can_ssh 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.PP -+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.B setsebool -P sftpd_write_ssh_home 1 ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 +.EE + +.SH FILE CONTEXTS @@ -46978,7 +49320,7 @@ index 0000000..a3beeec +.br +.TP 5 +Paths: -+/var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /root/\.shosts, /var/lib/amanda/\.ssh(/.*)?, /root/\.ssh(/.*)?, /var/lib/stickshift/.*/\.ssh(/.*)? ++/var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /root/\.shosts, /var/lib/amanda/\.ssh(/.*)?, /var/lib/gitolite3/\.ssh(/.*)?, /root/\.ssh(/.*)? + +.EX +.PP @@ -47058,10 +49400,10 @@ index 0000000..a3beeec +.br +.TP 5 +Paths: -+/var/run/sshd\.init\.pid, /var/run/sshd\.pid ++/var/run/sshd\.pid, /var/run/sshd\.init\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47088,7 +49430,7 @@ index 0000000..a3beeec + + +Default Defined Ports: -+tcp 8021 ++tcp 22 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -47137,17 +49479,17 @@ index 0000000..a3beeec \ No newline at end of file diff --git a/man/man8/sshd_selinux.8 b/man/man8/sshd_selinux.8 new file mode 100644 -index 0000000..b78c331 +index 0000000..95b44d6 --- /dev/null +++ b/man/man8/sshd_selinux.8 -@@ -0,0 +1,248 @@ +@@ -0,0 +1,204 @@ +.TH "sshd_selinux" "8" "sshd" "dwalsh@redhat.com" "sshd SELinux Policy documentation" +.SH "NAME" +sshd_selinux \- Security Enhanced Linux Policy for the sshd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the sshd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. sshd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sshd with the tightest access possible. 
@@ -47161,102 +49503,58 @@ index 0000000..b78c331 +.EE + +.PP -+If you want to allow ssh logins as sysadm_r:sysadm_, you must turn on the ssh_sysadm_login boolean. ++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. + +.EX -+.B setsebool -P ssh_sysadm_login 1 ++.B setsebool -P sftpd_write_ssh_home 1 +.EE + +.PP -+If you want to allow host key based authenticatio, you must turn on the allow_ssh_keysign boolean. ++If you want to allow ssh logins as sysadm_r:sysadm_, you must turn on the ssh_sysadm_login boolean. + +.EX -+.B setsebool -P allow_ssh_keysign 1 ++.B setsebool -P ssh_sysadm_login 1 +.EE + +.PP -+If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean. ++If you want to allow host key based authenticatio, you must turn on the ssh_keysign boolean. + +.EX -+.B setsebool -P fenced_can_ssh 1 ++.B setsebool -P ssh_keysign 1 +.EE + +.PP -+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. -+ -+.EX -+.B setsebool -P sftpd_write_ssh_home 1 -+.EE -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible. -+.PP -+The following file types are defined for sshd: -+ ++If you want to allow fenced domain to execute ssh, you must turn on the fenced_can_ssh boolean. + +.EX -+.PP -+.B ssh_agent_exec_t ++.B setsebool -P fenced_can_ssh 1 +.EE + -+- Set files with the ssh_agent_exec_t type, if you want to transition an executable to the ssh_agent_t domain. 
-+ ++.SH NSSWITCH DOMAIN + -+.EX +.PP -+.B ssh_agent_tmp_t -+.EE -+ -+- Set files with the ssh_agent_tmp_t type, if you want to store ssh agent temporary files in the /tmp directories. -+ ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B ssh_exec_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the ssh_exec_t type, if you want to transition an executable to the ssh_t domain. -+ -+ -+.EX +.PP -+.B ssh_home_t -+.EE -+ -+- Set files with the ssh_home_t type, if you want to store ssh files in the users home directory. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /root/\.shosts, /var/lib/amanda/\.ssh(/.*)?, /root/\.ssh(/.*)?, /var/lib/stickshift/.*/\.ssh(/.*)? ++If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the kerberos_enabled boolean. + +.EX -+.PP -+.B ssh_keygen_exec_t ++setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the ssh_keygen_exec_t type, if you want to transition an executable to the ssh_keygen_t domain. -+ -+ -+.EX ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. +.PP -+.B ssh_keysign_exec_t -+.EE -+ -+- Set files with the ssh_keysign_exec_t type, if you want to transition an executable to the ssh_keysign_t domain. -+ -+ -+.EX ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP -+.B ssh_tmpfs_t -+.EE -+ -+- Set files with the ssh_tmpfs_t type, if you want to store ssh files on a tmpfs file system. ++Policy governs the access confined processes have to these files. ++SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible. ++.PP ++The following file types are defined for sshd: + + +.EX 
@@ -47313,10 +49611,10 @@ index 0000000..b78c331 +.br +.TP 5 +Paths: -+/var/run/sshd\.init\.pid, /var/run/sshd\.pid ++/var/run/sshd\.pid, /var/run/sshd\.init\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47343,7 +49641,7 @@ index 0000000..b78c331 + + +Default Defined Ports: -+tcp 8021 ++tcp 22 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -47392,23 +49690,33 @@ index 0000000..b78c331 \ No newline at end of file diff --git a/man/man8/sssd_selinux.8 b/man/man8/sssd_selinux.8 new file mode 100644 -index 0000000..d9a7d4a +index 0000000..2c75b4d --- /dev/null 
+++ b/man/man8/sssd_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,139 @@ +.TH "sssd_selinux" "8" "sssd" "dwalsh@redhat.com" "sssd SELinux Policy documentation" +.SH "NAME" +sssd_selinux \- Security Enhanced Linux Policy for the sssd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sssd -+(System Security Services Daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sssd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the sssd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -47423,6 +49731,14 @@ index 0000000..d9a7d4a + +.EX +.PP ++.B sssd_conf_t ++.EE ++ ++- Set files with the sssd_conf_t type, if you want to treat the files as sssd configuration data, usually stored under the /etc directory. ++ ++ ++.EX ++.PP +.B sssd_exec_t +.EE + @@ -47444,6 +49760,10 @@ index 0000000..d9a7d4a + +- Set files with the sssd_public_t type, if you want to treat the files as sssd public data. + ++.br ++.TP 5 ++Paths: ++/var/lib/sss/mc(/.*)?, /var/lib/sss/pubconf(/.*)? + +.EX +.PP @@ -47470,7 +49790,7 @@ index 0000000..d9a7d4a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -47765,23 +50085,33 @@ index 0000000..039dc00 +selinux(8), semanage(8). diff --git a/man/man8/stunnel_selinux.8 b/man/man8/stunnel_selinux.8 new file mode 100644 -index 0000000..0af68a0 +index 0000000..03f6069 --- /dev/null +++ b/man/man8/stunnel_selinux.8 -@@ -0,0 +1,131 @@ +@@ -0,0 +1,137 @@ +.TH "stunnel_selinux" "8" "stunnel" "dwalsh@redhat.com" "stunnel SELinux Policy documentation" +.SH "NAME" +stunnel_selinux \- Security Enhanced Linux Policy for the stunnel processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B stunnel -+(SSL Tunneling Proxy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the stunnel processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the stunnel_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the stunnel_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -47831,7 +50161,7 @@ index 0000000..0af68a0 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47856,10 +50186,6 @@ index 0000000..0af68a0 +.TP 10 +.EE + -+ -+Default Defined Ports: -+tcp 8021 -+.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -47902,17 +50228,33 @@ index 0000000..0af68a0 +selinux(8), stunnel(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/sulogin_selinux.8 b/man/man8/sulogin_selinux.8 new file mode 100644 -index 0000000..6cff947 +index 0000000..e529876 --- /dev/null +++ b/man/man8/sulogin_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,91 @@ +.TH "sulogin_selinux" "8" "sulogin" "dwalsh@redhat.com" "sulogin SELinux Policy documentation" +.SH "NAME" +sulogin_selinux \- Security Enhanced Linux Policy for the sulogin processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the sulogin processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sulogin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sulogin_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -47938,7 +50280,7 @@ index 0000000..6cff947 +/usr/sbin/sushell, /sbin/sulogin, /usr/sbin/sulogin, /sbin/sushell + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47983,17 +50325,19 @@ index 0000000..6cff947 +selinux(8), sulogin(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/svc_selinux.8 b/man/man8/svc_selinux.8 new file mode 100644 -index 0000000..1c06ece +index 0000000..965dccb --- /dev/null 
+++ b/man/man8/svc_selinux.8 -@@ -0,0 +1,127 @@ +@@ -0,0 +1,129 @@ +.TH "svc_selinux" "8" "svc" "dwalsh@redhat.com" "svc SELinux Policy documentation" +.SH "NAME" +svc_selinux \- Security Enhanced Linux Policy for the svc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the svc processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -48071,7 +50415,7 @@ index 0000000..1c06ece +/service, /var/tinydns(/.*)?, /service/.*, /var/service/.*, /var/qmail/supervise(/.*)?, /var/dnscache(/.*)?, /var/axfrdns(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48116,17 +50460,33 @@ index 0000000..1c06ece +selinux(8), svc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/swat_selinux.8 b/man/man8/swat_selinux.8 new file mode 100644 -index 0000000..bd9a083 +index 0000000..50630d4 --- /dev/null 
+++ b/man/man8/swat_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,129 @@ +.TH "swat_selinux" "8" "swat" "dwalsh@redhat.com" "swat SELinux Policy documentation" +.SH "NAME" +swat_selinux \- Security Enhanced Linux Policy for the swat processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the swat processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the swat_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the swat_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -48164,7 +50524,7 @@ index 0000000..bd9a083 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48191,7 +50551,7 @@ index 0000000..bd9a083 + + +Default Defined Ports: -+tcp 8021 ++tcp 901 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -48471,17 +50831,17 @@ index 0000000..679f836 +selinux(8), semanage(8). diff --git a/man/man8/syslogd_selinux.8 b/man/man8/syslogd_selinux.8 new file mode 100644 -index 0000000..875440a +index 0000000..789af30 --- /dev/null 
+++ b/man/man8/syslogd_selinux.8 -@@ -0,0 +1,182 @@ +@@ -0,0 +1,195 @@ +.TH "syslogd_selinux" "8" "syslogd" "dwalsh@redhat.com" "syslogd SELinux Policy documentation" +.SH "NAME" +syslogd_selinux \- Security Enhanced Linux Policy for the syslogd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the syslogd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. syslogd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run syslogd with the tightest access possible. @@ -48495,6 +50855,13 @@ index 0000000..875440a +.EE + +.PP ++If you want to allow syslogd the ability to read/write terminal, you must turn on the logging_syslogd_use_tty boolean. ++ ++.EX ++.B setsebool -P logging_syslogd_use_tty 1 ++.EE ++ ++.PP +If you want to allow syslogd daemon to send mai, you must turn on the logging_syslogd_can_sendmail boolean. + +.EX @@ -48502,10 +50869,26 @@ index 0000000..875440a +.EE + +.PP -+If you want to allow syslogd the ability to read/write terminal, you must turn on the logging_syslogd_use_tty boolean. ++If you want to determine whether Git session daemons can send syslog messages, you must turn on the git_session_send_syslog_msg boolean. + +.EX -+.B setsebool -P logging_syslogd_use_tty 1 ++.B setsebool -P git_session_send_syslog_msg 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the syslogd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the syslogd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 +.EE + +.SH FILE CONTEXTS 
@@ -48521,18 +50904,6 @@ index 0000000..875440a + +.EX +.PP -+.B syslog_conf_t -+.EE -+ -+- Set files with the syslog_conf_t type, if you want to treat the files as syslog configuration data, usually stored under the /etc directory. -+ -+.br -+.TP 5 -+Paths: -+/etc/rsyslog.conf, /etc/syslog.conf -+ -+.EX -+.PP +.B syslogd_exec_t +.EE + @@ -48541,7 +50912,7 @@ index 0000000..875440a +.br +.TP 5 +Paths: -+/lib/systemd/systemd-kmsg-syslogd, /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-kmsg-syslogd, /usr/sbin/metalog, /usr/lib/systemd/systemd-journald, /usr/sbin/syslogd, /usr/sbin/minilogd, /sbin/rsyslogd, /sbin/syslogd, /sbin/syslog-ng, /sbin/minilogd, /lib/systemd/systemd-journald ++/usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/sbin/metalog, /usr/sbin/syslogd, /usr/sbin/minilogd, /sbin/rsyslogd, /usr/lib/systemd/systemd-kmsg-syslogd, /sbin/syslogd, /sbin/syslog-ng, /usr/lib/systemd/systemd-journald, /sbin/minilogd + +.EX +.PP @@ -48581,10 +50952,10 @@ index 0000000..875440a +.br +.TP 5 +Paths: -+/var/log/syslog-ng(/.*)?, /var/run/syslog-ng(/.*)?, /var/run/metalog\.pid, /var/run/syslogd\.pid, /var/run/log(/.*)?, /var/run/syslog-ng.ctl ++/var/run/syslogd\.pid, /var/log/syslog-ng(/.*)?, /var/run/syslog-ng(/.*)?, /var/run/metalog\.pid, /var/run/log(/.*)?, /var/run/syslog-ng.ctl + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48611,7 +50982,9 @@ index 0000000..875440a + + +Default Defined Ports: -+tcp 8021 ++tcp 6514 ++.EE ++udp 514,6514 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
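Review bot: @@ -48521 removes the whole syslog_conf_t entry, including its Paths line `/etc/rsyslog.conf, /etc/syslog.conf`, from syslogd_selinux.8, and nothing on the new side says where that type went. Later hunks show the same pattern for types whose description survives but whose Paths block disappears: systemd_logger_exec_t and systemd_logind_exec_t in @@ -48945 and @@ -48957, and systemd_unit_file_t (`/usr/lib/systemd/system(/.*)?, /lib/systemd/system(/.*)?`) in @@ -49049. If the file-context entries were really dropped from the policy, the executables would no longer transition into the domains the page says they transition to and unit files would no longer receive systemd_unit_file_t, which is a labeling regression rather than a documentation one; if they merely moved to a file genman.py does not read, the pages now document types with no way to apply them. Please confirm which it is before the regenerated pages are shipped.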
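Review bot: The port block in @@ -48611 now emits `.EE` after the tcp line and again after the udp line, so `udp 514,6514` ends up outside the `.EX`/`.EE` example and the second `.EE` has no matching `.EX`. The generator should close the example once, after all protocol lines: `tcp 6514`, `udp 514,6514`, `.EE`. syslogd is the only page in this chunk with more than one protocol, which is presumably why the single-protocol pages (swat, tcsd, telnetd) do not show the problem.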
@@ -48660,23 +51033,33 @@ index 0000000..875440a \ No newline at end of file diff --git a/man/man8/sysstat_selinux.8 b/man/man8/sysstat_selinux.8 new file mode 100644 -index 0000000..79ea311 +index 0000000..da849d6 --- /dev/null +++ b/man/man8/sysstat_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,103 @@ +.TH "sysstat_selinux" "8" "sysstat" "dwalsh@redhat.com" "sysstat SELinux Policy documentation" +.SH "NAME" +sysstat_selinux \- Security Enhanced Linux Policy for the sysstat processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sysstat -+(Policy for sysstat. Reports on various system states) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sysstat processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the sysstat_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sysstat_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -48714,7 +51097,7 @@ index 0000000..79ea311 +/var/log/sysstat(/.*)?, /var/log/sa(/.*)?, /var/log/atsar(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48759,50 +51142,73 @@ index 0000000..79ea311 +selinux(8), sysstat(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/system_selinux.8 b/man/man8/system_selinux.8 new file mode 100644 -index 0000000..a08a3e0 +index 0000000..4f13780 --- /dev/null 
+++ b/man/man8/system_selinux.8 -@@ -0,0 +1,339 @@ +@@ -0,0 +1,350 @@ +.TH "system_selinux" "8" "system" "dwalsh@redhat.com" "system SELinux Policy documentation" +.SH "NAME" +system_selinux \- Security Enhanced Linux Policy for the system processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the system processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. system policy is extremely flexible and has several booleans that allow you to manipulate the policy and run system with the tightest access possible. + + +.PP -+If you want to allow Git daemon system to access cifs file systems, you must turn on the git_system_use_cifs boolean. ++If you want to determine whether Git system daemon can access cifs file systems, you must turn on the git_system_use_cifs boolean. + +.EX +.B setsebool -P git_system_use_cifs 1 +.EE + +.PP -+If you want to allow Git daemon system to search home directories, you must turn on the git_system_enable_homedirs boolean. ++If you want to determine whether Git system daemon can search home directories, you must turn on the git_system_enable_homedirs boolean. + +.EX +.B setsebool -P git_system_enable_homedirs 1 +.EE + +.PP -+If you want to allow Git daemon system to access nfs file systems, you must turn on the git_system_use_nfs boolean. ++If you want to determine whether Git system daemon can access nfs file systems, you must turn on the git_system_use_nfs boolean. + +.EX +.B setsebool -P git_system_use_nfs 1 +.EE + +.PP ++If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. ++ ++.EX ++.B setsebool -P clamscan_can_scan_system 1 ++.EE ++ ++.PP +If you want to enable support for systemd as the init program, you must turn on the init_systemd boolean. 
+ +.EX +.B setsebool -P init_systemd 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the system_cronjob_t, systemd_notify_t, systemd_logind_t, system_dbusd_t, systemd_passwd_agent_t, systemd_logger_t, systemd_tmpfiles_t, system_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the system_cronjob_t, systemd_notify_t, systemd_logind_t, system_dbusd_t, systemd_passwd_agent_t, systemd_logger_t, systemd_tmpfiles_t, system_mail_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -48928,7 +51334,7 @@ index 0000000..a08a3e0 +.br +.TP 5 +Paths: -+/usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/load, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/users, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/open_files ++/usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/load, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/users, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/open_files + +.EX +.PP @@ -48945,10 +51351,6 @@ index 0000000..a08a3e0 + +- Set files with the systemd_logger_exec_t type, if you want to transition an executable to the systemd_logger_t domain. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/systemd-logger, /usr/lib/systemd/systemd-logger + +.EX +.PP @@ -48957,10 +51359,6 @@ index 0000000..a08a3e0 + +- Set files with the systemd_logind_exec_t type, if you want to transition an executable to the systemd_logind_t domain. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/systemd-logind, /usr/lib/systemd/systemd-logind + +.EX +.PP 
@@ -48980,7 +51378,7 @@ index 0000000..a08a3e0 +.br +.TP 5 +Paths: -+/var/run/systemd/users(/.*)?, /var/run/systemd/seats(/.*)? ++/var/run/nologin, /var/run/systemd/users(/.*)?, /var/run/systemd/seats(/.*)? + +.EX +.PP @@ -49040,7 +51438,7 @@ index 0000000..a08a3e0 +.br +.TP 5 +Paths: -+/usr/bin/systemd-tmpfiles, /bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles, /lib/systemd/systemd-tmpfiles ++/usr/bin/systemd-tmpfiles, /bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles + +.EX +.PP @@ -49049,13 +51447,9 @@ index 0000000..a08a3e0 + +- Set files with the systemd_unit_file_t type, if you want to treat the files as systemd unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system(/.*)?, /lib/systemd/system(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -49105,309 +51499,307 @@ index 0000000..a08a3e0 \ No newline at end of file diff --git a/man/man8/systemd_selinux.8 b/man/man8/systemd_selinux.8 new file mode 100644 -index 0000000..93fe832 +index 0000000..0b8e918 --- /dev/null 
+++ b/man/man8/systemd_selinux.8 -@@ -0,0 +1,345 @@ +@@ -0,0 +1,226 @@ +.TH "systemd_selinux" "8" "systemd" "dwalsh@redhat.com" "systemd SELinux Policy documentation" +.SH "NAME" +systemd_selinux \- Security Enhanced Linux Policy for the systemd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B systemd -+(SELinux policy for systemd components) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the systemd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. systemd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run systemd with the tightest access possible. + + +.PP -+If you want to allow Git daemon system to access cifs file systems, you must turn on the git_system_use_cifs boolean. ++If you want to determine whether Git system daemon can access cifs file systems, you must turn on the git_system_use_cifs boolean. + +.EX +.B setsebool -P git_system_use_cifs 1 +.EE + +.PP -+If you want to allow Git daemon system to search home directories, you must turn on the git_system_enable_homedirs boolean. ++If you want to determine whether Git system daemon can search home directories, you must turn on the git_system_enable_homedirs boolean. + +.EX +.B setsebool -P git_system_enable_homedirs 1 +.EE + +.PP -+If you want to allow Git daemon system to access nfs file systems, you must turn on the git_system_use_nfs boolean. ++If you want to determine whether Git system daemon can access nfs file systems, you must turn on the git_system_use_nfs boolean. + +.EX +.B setsebool -P git_system_use_nfs 1 +.EE + +.PP -+If you want to enable support for systemd as the init program, you must turn on the init_systemd boolean. ++If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. 
+ +.EX -+.B setsebool -P init_systemd 1 ++.B setsebool -P clamscan_can_scan_system 1 +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP -+Policy governs the access confined processes have to these files. -+SELinux systemd policy is very flexible allowing users to setup their systemd processes in as secure a method as possible. -+.PP -+The following file types are defined for systemd: -+ ++If you want to enable support for systemd as the init program, you must turn on the init_systemd boolean. + +.EX -+.PP -+.B system_conf_t ++.B setsebool -P init_systemd 1 +.EE + -+- Set files with the system_conf_t type, if you want to treat the files as system configuration data, usually stored under the /etc directory. -+ -+.br -+.TP 5 -+Paths: -+/etc/sysctl\.conf(\.old)?, /etc/sysconfig/ipvsadm.*, /etc/sysconfig/ebtables.*, /etc/sysconfig/ip6?tables.*, /etc/sysconfig/system-config-firewall.* ++.SH NSSWITCH DOMAIN + -+.EX +.PP -+.B system_cron_spool_t -+.EE -+ -+- Set files with the system_cron_spool_t type, if you want to store the system cron files under the /var/spool directory. -+ -+.br -+.TP 5 -+Paths: -+/etc/crontab, /var/spool/anacron(/.*)?, /etc/cron\.d(/.*)?, /var/spool/fcron/systab\.orig, /var/spool/fcron/new\.systab, /var/spool/fcron/systab ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the system_cronjob_t, systemd_notify_t, systemd_logind_t, system_dbusd_t, systemd_passwd_agent_t, systemd_logger_t, systemd_tmpfiles_t, system_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
+ +.EX -+.PP -+.B system_cronjob_lock_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the system_cronjob_lock_t type, if you want to treat the files as system cronjob lock data, stored under the /var/lock directory -+ -+ -+.EX +.PP -+.B system_cronjob_tmp_t -+.EE -+ -+- Set files with the system_cronjob_tmp_t type, if you want to store system cronjob temporary files in the /tmp directories. -+ ++If you want to allow confined applications to run with kerberos for the system_cronjob_t, systemd_notify_t, systemd_logind_t, system_dbusd_t, systemd_passwd_agent_t, systemd_logger_t, systemd_tmpfiles_t, system_mail_t, you must turn on the kerberos_enabled boolean. + +.EX -+.PP -+.B system_cronjob_var_lib_t ++setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the system_cronjob_var_lib_t type, if you want to store the system cronjob files under the /var/lib directory. ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux systemd policy is very flexible allowing users to setup their systemd processes in as secure a method as possible. ++.PP ++The following file types are defined for systemd: + + +.EX +.PP -+.B system_cronjob_var_run_t ++.B systemd_logger_exec_t +.EE + -+- Set files with the system_cronjob_var_run_t type, if you want to store the system cronjob files under the /run directory. ++- Set files with the systemd_logger_exec_t type, if you want to transition an executable to the systemd_logger_t domain. + + +.EX +.PP -+.B system_dbusd_tmp_t ++.B systemd_logind_exec_t +.EE + -+- Set files with the system_dbusd_tmp_t type, if you want to store system dbusd temporary files in the /tmp directories. ++- Set files with the systemd_logind_exec_t type, if you want to transition an executable to the systemd_logind_t domain. 
+ + +.EX +.PP -+.B system_dbusd_var_lib_t ++.B systemd_logind_sessions_t +.EE + -+- Set files with the system_dbusd_var_lib_t type, if you want to store the system dbusd files under the /var/lib directory. ++- Set files with the systemd_logind_sessions_t type, if you want to treat the files as systemd logind sessions data. + + +.EX +.PP -+.B system_dbusd_var_run_t ++.B systemd_logind_var_run_t +.EE + -+- Set files with the system_dbusd_var_run_t type, if you want to store the system dbusd files under the /run directory. ++- Set files with the systemd_logind_var_run_t type, if you want to store the systemd logind files under the /run directory. + +.br +.TP 5 +Paths: -+/var/named/chroot/var/run/dbus(/.*)?, /var/run/dbus(/.*)? ++/var/run/nologin, /var/run/systemd/users(/.*)?, /var/run/systemd/seats(/.*)? + +.EX +.PP -+.B system_mail_tmp_t -+.EE -+ -+- Set files with the system_mail_tmp_t type, if you want to store system mail temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B system_map_t ++.B systemd_notify_exec_t +.EE + -+- Set files with the system_map_t type, if you want to treat the files as system map data. ++- Set files with the systemd_notify_exec_t type, if you want to transition an executable to the systemd_notify_t domain. + +.br +.TP 5 +Paths: -+/boot/System\.map(-.*)?, /boot/efi(/.*)?/System\.map(-.*)? ++/usr/bin/systemd-notify, /bin/systemd-notify + +.EX +.PP -+.B system_munin_plugin_exec_t ++.B systemd_passwd_agent_exec_t +.EE + -+- Set files with the system_munin_plugin_exec_t type, if you want to transition an executable to the system_munin_plugin_t domain. ++- Set files with the systemd_passwd_agent_exec_t type, if you want to transition an executable to the systemd_passwd_agent_t domain. 
+ +.br +.TP 5 +Paths: -+/usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/load, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/users, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/open_files ++/bin/systemd-tty-ask-password-agent, /usr/bin/systemd-gnome-ask-password-agent, /usr/bin/systemd-tty-ask-password-agent + +.EX +.PP -+.B system_munin_plugin_tmp_t ++.B systemd_passwd_var_run_t +.EE + -+- Set files with the system_munin_plugin_tmp_t type, if you want to store system munin plugin temporary files in the /tmp directories. ++- Set files with the systemd_passwd_var_run_t type, if you want to store the systemd passwd files under the /run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/systemd/ask-password(/.*)?, /var/run/systemd/ask-password-block(/.*)? + +.EX +.PP -+.B systemd_logger_exec_t ++.B systemd_systemctl_exec_t +.EE + -+- Set files with the systemd_logger_exec_t type, if you want to transition an executable to the systemd_logger_t domain. ++- Set files with the systemd_systemctl_exec_t type, if you want to transition an executable to the systemd_systemctl_t domain. + +.br +.TP 5 +Paths: -+/lib/systemd/systemd-logger, /usr/lib/systemd/systemd-logger ++/usr/bin/systemctl, /bin/systemctl + +.EX +.PP -+.B systemd_logind_exec_t ++.B systemd_tmpfiles_exec_t +.EE + -+- Set files with the systemd_logind_exec_t type, if you want to transition an executable to the systemd_logind_t domain. 
++- Set files with the systemd_tmpfiles_exec_t type, if you want to transition an executable to the systemd_tmpfiles_t domain. + +.br +.TP 5 +Paths: -+/lib/systemd/systemd-logind, /usr/lib/systemd/systemd-logind ++/usr/bin/systemd-tmpfiles, /bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles + +.EX +.PP -+.B systemd_logind_sessions_t ++.B systemd_unit_file_t +.EE + -+- Set files with the systemd_logind_sessions_t type, if you want to treat the files as systemd logind sessions data. ++- Set files with the systemd_unit_file_t type, if you want to treat the files as systemd unit content. + + -+.EX +.PP -+.B systemd_logind_var_run_t -+.EE -+ -+- Set files with the systemd_logind_var_run_t type, if you want to store the systemd logind files under the /run directory. ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. + -+.br -+.TP 5 -+Paths: -+/var/run/systemd/users(/.*)?, /var/run/systemd/seats(/.*)? ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux systemd policy is very flexible allowing users to setup their systemd processes in as secure a method as possible. ++.PP ++The following process types are defined for systemd: + +.EX -+.PP -+.B systemd_notify_exec_t ++.B system_munin_plugin_t, systemd_logger_t, systemd_logind_t, system_cronjob_t, systemd_notify_t, system_mail_t, systemd_passwd_agent_t, system_dbusd_t, systemd_tmpfiles_t +.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. 
AVC messages will still be generated. + -+- Set files with the systemd_notify_exec_t type, if you want to transition an executable to the systemd_notify_t domain. ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. + -+.br -+.TP 5 -+Paths: -+/usr/bin/systemd-notify, /bin/systemd-notify ++.B semanage boolean ++can also be used to manipulate the booleans + -+.EX +.PP -+.B systemd_passwd_agent_exec_t -+.EE ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. + -+- Set files with the systemd_passwd_agent_exec_t type, if you want to transition an executable to the systemd_passwd_agent_t domain. ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), systemd(8), semanage(8), restorecon(8), chcon(1) ++, setsebool(8) +\ No newline at end of file +diff --git a/man/man8/tcpd_selinux.8 b/man/man8/tcpd_selinux.8 +new file mode 100644 +index 0000000..1bc9697 +--- /dev/null ++++ b/man/man8/tcpd_selinux.8 +@@ -0,0 +1,110 @@ ++.TH "tcpd_selinux" "8" "tcpd" "dwalsh@redhat.com" "tcpd SELinux Policy documentation" ++.SH "NAME" ++tcpd_selinux \- Security Enhanced Linux Policy for the tcpd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the tcpd processes via flexible mandatory access ++control. ++ ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. tcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tcpd with the tightest access possible. 
+ -+.br -+.TP 5 -+Paths: -+/bin/systemd-tty-ask-password-agent, /usr/bin/systemd-gnome-ask-password-agent, /usr/bin/systemd-tty-ask-password-agent + -+.EX +.PP -+.B systemd_passwd_var_run_t -+.EE ++If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean. + -+- Set files with the systemd_passwd_var_run_t type, if you want to store the systemd passwd files under the /run directory. ++.EX ++.B setsebool -P telepathy_tcp_connect_generic_network_ports 1 ++.EE + -+.br -+.TP 5 -+Paths: -+/var/run/systemd/ask-password(/.*)?, /var/run/systemd/ask-password-block(/.*)? ++.PP ++If you want to allow all daemons to use tcp wrappers, you must turn on the daemons_use_tcp_wrapper boolean. + +.EX ++.B setsebool -P daemons_use_tcp_wrapper 1 ++.EE ++ +.PP -+.B systemd_systemctl_exec_t ++If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the user_tcp_server boolean. ++ ++.EX ++.B setsebool -P user_tcp_server 1 +.EE + -+- Set files with the systemd_systemctl_exec_t type, if you want to transition an executable to the systemd_systemctl_t domain. ++.SH NSSWITCH DOMAIN ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux tcpd policy is very flexible allowing users to setup their tcpd processes in as secure a method as possible. 
++.PP ++The following file types are defined for tcpd: + -+.br -+.TP 5 -+Paths: -+/usr/bin/systemctl, /bin/systemctl + +.EX +.PP -+.B systemd_tmpfiles_exec_t ++.B tcpd_exec_t +.EE + -+- Set files with the systemd_tmpfiles_exec_t type, if you want to transition an executable to the systemd_tmpfiles_t domain. ++- Set files with the tcpd_exec_t type, if you want to transition an executable to the tcpd_t domain. + -+.br -+.TP 5 -+Paths: -+/usr/bin/systemd-tmpfiles, /bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles, /lib/systemd/systemd-tmpfiles + +.EX +.PP -+.B systemd_unit_file_t ++.B tcpd_tmp_t +.EE + -+- Set files with the systemd_unit_file_t type, if you want to treat the files as systemd unit content. ++- Set files with the tcpd_tmp_t type, if you want to store tcpd temporary files in the /tmp directories. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system(/.*)?, /lib/systemd/system(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
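Review bot: The new tcpd_selinux.8 emits an empty section — `.SH NSSWITCH DOMAIN` is immediately followed by `.SH FILE CONTEXTS` — so the generator writes the heading before checking whether the domain has any nsswitch booleans to list; the heading should be skipped when the list is empty. In the new systemd_selinux.8, the PROCESS TYPES line still names system_munin_plugin_t, system_cronjob_t, system_mail_t and system_dbusd_t, and NSSWITCH DOMAIN lists system_cronjob_t, system_dbusd_t and system_mail_t, while every system_* file type (system_conf_t, system_cron_spool_t, system_dbusd_var_run_t, system_map_t, system_munin_plugin_exec_t, …) has been moved out of its FILE CONTEXTS section; this looks like the process-type and file-type collectors using different prefix matches for "system" versus "systemd", leaving the page inconsistent with itself. Both pages also carry `\fBls\bP` and `\fBps\bP` on the new side; `\b` is the troff bracket-building escape rather than a font change, so the bold is never reset and these should read `\fBls\fP` and `\fBps\fP`. tcpd_selinux.8 continues past the end of this hunk.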
@@ -49419,12 +51811,12 @@ index 0000000..93fe832 +You can see the context of a process using the \fB\-Z\fP option to \fBps\bP +.PP +Policy governs the access confined processes have to files. -+SELinux systemd policy is very flexible allowing users to setup their systemd processes in as secure a method as possible. ++SELinux tcpd policy is very flexible allowing users to setup their tcpd processes in as secure a method as possible. +.PP -+The following process types are defined for systemd: ++The following process types are defined for tcpd: + +.EX -+.B system_munin_plugin_t, systemd_logger_t, systemd_logind_t, system_cronjob_t, systemd_notify_t, system_mail_t, systemd_passwd_agent_t, system_dbusd_t, systemd_tmpfiles_t ++.B tcpd_t +.EE +.PP +Note: @@ -49452,149 +51844,38 @@ index 0000000..93fe832 +This manual page was autogenerated by genman.py. + +.SH "SEE ALSO" -+selinux(8), systemd(8), semanage(8), restorecon(8), chcon(1) ++selinux(8), tcpd(8), semanage(8), restorecon(8), chcon(1) +, setsebool(8) \ No newline at end of file -diff --git a/man/man8/tcpd_selinux.8 b/man/man8/tcpd_selinux.8 +diff --git a/man/man8/tcsd_selinux.8 b/man/man8/tcsd_selinux.8 new file mode 100644 -index 0000000..5543123 +index 0000000..0edc1da 
--- /dev/null -+++ b/man/man8/tcpd_selinux.8 -@@ -0,0 +1,114 @@ -+.TH "tcpd_selinux" "8" "tcpd" "dwalsh@redhat.com" "tcpd SELinux Policy documentation" ++++ b/man/man8/tcsd_selinux.8 +@@ -0,0 +1,129 @@ ++.TH "tcsd_selinux" "8" "tcsd" "dwalsh@redhat.com" "tcsd SELinux Policy documentation" +.SH "NAME" -+tcpd_selinux \- Security Enhanced Linux Policy for the tcpd processes ++tcsd_selinux \- Security Enhanced Linux Policy for the tcsd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B tcpd -+(Policy for TCP daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the tcsd processes via flexible mandatory access +control. + -+ -+ -+.SH BOOLEANS -+SELinux policy is customizable based on least access required. tcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tcpd with the tightest access possible. -+ ++.SH NSSWITCH DOMAIN + +.PP -+If you want to allow the Telepathy connection managers to connect to any generic TCP port, you must turn on the telepathy_tcp_connect_generic_network_ports boolean. ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tcsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.B setsebool -P telepathy_tcp_connect_generic_network_ports 1 ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + +.PP -+If you want to allow all daemons to use tcp wrappers, you must turn on the allow_daemons_use_tcp_wrapper boolean. -+ -+.EX -+.B setsebool -P allow_daemons_use_tcp_wrapper 1 -+.EE -+ -+.PP -+If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols, you must turn on the user_tcp_server boolean. -+ -+.EX -+.B setsebool -P user_tcp_server 1 -+.EE -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. 
-+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux tcpd policy is very flexible allowing users to setup their tcpd processes in as secure a method as possible. -+.PP -+The following file types are defined for tcpd: -+ -+ -+.EX -+.PP -+.B tcpd_exec_t -+.EE -+ -+- Set files with the tcpd_exec_t type, if you want to transition an executable to the tcpd_t domain. -+ -+ -+.EX -+.PP -+.B tcpd_tmp_t -+.EE -+ -+- Set files with the tcpd_tmp_t type, if you want to store tcpd temporary files in the /tmp directories. -+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. -+SELinux tcpd policy is very flexible allowing users to setup their tcpd processes in as secure a method as possible. -+.PP -+The following process types are defined for tcpd: ++If you want to allow confined applications to run with kerberos for the tcsd_t, you must turn on the kerberos_enabled boolean. + +.EX -+.B tcpd_t ++setsebool -P kerberos_enabled 1 +.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. 
-+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.B semanage boolean -+can also be used to manipulate the booleans -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was autogenerated by genman.py. -+ -+.SH "SEE ALSO" -+selinux(8), tcpd(8), semanage(8), restorecon(8), chcon(1) -+, setsebool(8) -\ No newline at end of file -diff --git a/man/man8/tcsd_selinux.8 b/man/man8/tcsd_selinux.8 -new file mode 100644 -index 0000000..514ced5 ---- /dev/null -+++ b/man/man8/tcsd_selinux.8 -@@ -0,0 +1,119 @@ -+.TH "tcsd_selinux" "8" "tcsd" "dwalsh@redhat.com" "tcsd SELinux Policy documentation" -+.SH "NAME" -+tcsd_selinux \- Security Enhanced Linux Policy for the tcsd processes -+.SH "DESCRIPTION" -+ -+ -+SELinux Linux secures -+.B tcsd -+(TSS Core Services (TCS) daemon (tcsd) policy) -+processes via flexible mandatory access -+control. -+ -+ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -49632,7 +51913,7 @@ index 0000000..514ced5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -49659,7 +51940,7 @@ index 0000000..514ced5 + + +Default Defined Ports: -+tcp 8021 ++tcp 30003 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -49703,24 +51984,18 @@ index 0000000..514ced5 +selinux(8), tcsd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/telepathy_selinux.8 b/man/man8/telepathy_selinux.8 new file mode 100644 -index 0000000..996878a +index 0000000..8ea175b 
--- /dev/null +++ b/man/man8/telepathy_selinux.8 -@@ -0,0 +1,311 @@ +@@ -0,0 +1,321 @@ +.TH "telepathy_selinux" "8" "telepathy" "dwalsh@redhat.com" "telepathy SELinux Policy documentation" +.SH "NAME" +telepathy_selinux \- Security Enhanced Linux Policy for the telepathy processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B telepathy -+(Telepathy communications framework) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the telepathy processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. telepathy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run telepathy with the tightest access possible. + @@ -49739,6 +52014,22 @@ index 0000000..996878a +.B setsebool -P telepathy_connect_all_ports 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telepathy_mission_control_t, telepathy_logger_t, telepathy_salut_t, telepathy_gabble_t, telepathy_idle_t, telepathy_sunshine_t, telepathy_stream_engine_t, telepathy_sofiasip_t, telepathy_msn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telepathy_mission_control_t, telepathy_logger_t, telepathy_salut_t, telepathy_gabble_t, telepathy_idle_t, telepathy_sunshine_t, telepathy_stream_engine_t, telepathy_sofiasip_t, telepathy_msn_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -49971,7 +52262,7 @@ index 0000000..996878a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50021,17 +52312,33 @@ index 0000000..996878a \ No newline at end of file diff --git a/man/man8/telnetd_selinux.8 b/man/man8/telnetd_selinux.8 new file mode 100644 -index 0000000..34d5d8c +index 0000000..a7dc2aa --- /dev/null +++ b/man/man8/telnetd_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,141 @@ +.TH "telnetd_selinux" "8" "telnetd" "dwalsh@redhat.com" "telnetd SELinux Policy documentation" +.SH "NAME" +telnetd_selinux \- Security Enhanced Linux Policy for the telnetd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the telnetd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the telnetd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telnetd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -50081,7 +52388,7 @@ index 0000000..34d5d8c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50108,7 +52415,7 @@ index 0000000..34d5d8c + + +Default Defined Ports: -+tcp 8021 ++tcp 23 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -50152,17 +52459,33 @@ index 0000000..34d5d8c +selinux(8), telnetd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tftpd_selinux.8 b/man/man8/tftpd_selinux.8 new file mode 100644 -index 0000000..b7bdb6b +index 0000000..7c880cc --- /dev/null 
+++ b/man/man8/tftpd_selinux.8 -@@ -0,0 +1,155 @@ +@@ -0,0 +1,179 @@ +.TH "tftpd_selinux" "8" "tftpd" "dwalsh@redhat.com" "tftpd SELinux Policy documentation" +.SH "NAME" +tftpd_selinux \- Security Enhanced Linux Policy for the tftpd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the tftpd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tftpd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. @@ -50175,7 +52498,7 @@ index 0000000..b7bdb6b +.B restorecon -F -R -v /var/tftpd +.pp +.TP -+Allow tftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_tftpd_anon_write boolean to be set. ++Allow tftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_tftpdd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/tftpd/incoming(/.*)?" 
@@ -50203,6 +52526,14 @@ index 0000000..b7bdb6b + +.EX +.PP ++.B tftpd_etc_t ++.EE ++ ++- Set files with the tftpd_etc_t type, if you want to store tftpd files in the /etc directories. ++ ++ ++.EX ++.PP +.B tftpd_exec_t +.EE + @@ -50242,7 +52573,7 @@ index 0000000..b7bdb6b +/tftpboot/.*, /tftpboot + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50269,7 +52600,7 @@ index 0000000..b7bdb6b + + +Default Defined Ports: -+tcp 8021 ++udp 69 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -50313,23 +52644,19 @@ index 0000000..b7bdb6b +selinux(8), tftpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tgtd_selinux.8 b/man/man8/tgtd_selinux.8 new file mode 100644 -index 0000000..ed0f28a +index 0000000..a134111 --- /dev/null +++ b/man/man8/tgtd_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,113 @@ +.TH "tgtd_selinux" "8" "tgtd" "dwalsh@redhat.com" "tgtd SELinux Policy documentation" +.SH "NAME" +tgtd_selinux \- Security Enhanced Linux Policy for the tgtd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B tgtd -+(Linux Target Framework Daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the tgtd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -50391,7 +52718,7 @@ index 0000000..ed0f28a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50521,23 +52848,33 @@ index 0000000..c7f6423 +selinux(8), thin(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/thumb_selinux.8 b/man/man8/thumb_selinux.8 new file mode 100644 -index 0000000..b03036c +index 0000000..0177855 --- /dev/null +++ b/man/man8/thumb_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,107 @@ +.TH "thumb_selinux" "8" "thumb" "dwalsh@redhat.com" "thumb SELinux Policy documentation" +.SH "NAME" +thumb_selinux \- Security Enhanced Linux Policy for the thumb processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B thumb -+(policy for thumb) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the thumb processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the thumb_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the thumb_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -50564,6 +52901,14 @@ index 0000000..b03036c + +.EX +.PP ++.B thumb_home_t ++.EE ++ ++- Set files with the thumb_home_t type, if you want to store thumb files in the users home directory. ++ ++ ++.EX ++.PP +.B thumb_tmp_t +.EE + 
@@ -50571,7 +52916,7 @@ index 0000000..b03036c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50616,23 +52961,33 @@ index 0000000..b03036c +selinux(8), thumb(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tmpreaper_selinux.8 b/man/man8/tmpreaper_selinux.8 new file mode 100644 -index 0000000..53468d0 +index 0000000..2f35c84 --- /dev/null +++ b/man/man8/tmpreaper_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,91 @@ +.TH "tmpreaper_selinux" "8" "tmpreaper" "dwalsh@redhat.com" "tmpreaper SELinux Policy documentation" +.SH "NAME" +tmpreaper_selinux \- Security Enhanced Linux Policy for the tmpreaper processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B tmpreaper -+(Manage temporary directory sizes and file ages) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the tmpreaper processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tmpreaper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tmpreaper_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -50658,7 +53013,7 @@ index 0000000..53468d0 +/usr/sbin/tmpwatch, /usr/sbin/tmpreaper + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50703,24 +53058,18 @@ index 0000000..53468d0 +selinux(8), tmpreaper(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tor_selinux.8 b/man/man8/tor_selinux.8 new file mode 100644 -index 0000000..8ec79ef +index 0000000..3a97e32 --- /dev/null +++ b/man/man8/tor_selinux.8 -@@ -0,0 +1,177 @@ +@@ -0,0 +1,195 @@ +.TH "tor_selinux" "8" "tor" "dwalsh@redhat.com" "tor SELinux Policy documentation" +.SH "NAME" +tor_selinux \- Security Enhanced Linux Policy for the tor processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B tor -+(TOR, the onion router) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the tor processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. tor policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tor with the tightest access possible. + 
@@ -50732,6 +53081,22 @@ index 0000000..8ec79ef +.B setsebool -P tor_bind_all_unreserved_ports 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tor_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tor_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -50773,6 +53138,14 @@ index 0000000..8ec79ef + +.EX +.PP ++.B tor_unit_file_t ++.EE ++ ++- Set files with the tor_unit_file_t type, if you want to treat the files as tor unit content. ++ ++ ++.EX ++.PP +.B tor_var_lib_t +.EE + @@ -50800,7 +53173,7 @@ index 0000000..8ec79ef + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50827,7 +53200,7 @@ index 0000000..8ec79ef + + +Default Defined Ports: -+tcp 8021 ++tcp 6969,9001,9030,9051 +.EE + +.EX @@ -50838,7 +53211,7 @@ index 0000000..8ec79ef + + +Default Defined Ports: -+tcp 8021 ++tcp 9050 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -50887,17 +53260,33 @@ index 0000000..8ec79ef \ No newline at end of file diff --git a/man/man8/traceroute_selinux.8 b/man/man8/traceroute_selinux.8 new file mode 100644 -index 0000000..c4ea5dd +index 0000000..af7a872 --- /dev/null 
+++ b/man/man8/traceroute_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,117 @@ +.TH "traceroute_selinux" "8" "traceroute" "dwalsh@redhat.com" "traceroute SELinux Policy documentation" +.SH "NAME" +traceroute_selinux \- Security Enhanced Linux Policy for the traceroute processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the traceroute processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the traceroute_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the traceroute_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -50920,10 +53309,10 @@ index 0000000..c4ea5dd +.br +.TP 5 +Paths: -+/bin/tracepath.*, /usr/bin/traceroute.*, /usr/bin/nmap, /usr/bin/lft, /bin/traceroute.*, /usr/bin/tracepath.*, /usr/sbin/traceroute.*, /usr/bin/mtr ++/bin/tracepath.*, /usr/sbin/mtr, /usr/bin/traceroute.*, /usr/bin/nmap, /usr/bin/lft, /bin/traceroute.*, /usr/bin/tracepath.*, /usr/sbin/traceroute.*, /usr/bin/mtr + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50950,7 +53339,7 @@ index 0000000..c4ea5dd + + +Default Defined Ports: -+tcp 8021 ++udp 64000-64010 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -50994,23 +53383,33 @@ index 0000000..c4ea5dd +selinux(8), traceroute(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tuned_selinux.8 b/man/man8/tuned_selinux.8 new file mode 100644 -index 0000000..824c519 +index 0000000..57d21c7 --- /dev/null +++ b/man/man8/tuned_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,135 @@ +.TH "tuned_selinux" "8" "tuned" "dwalsh@redhat.com" "tuned SELinux Policy documentation" +.SH "NAME" +tuned_selinux \- Security Enhanced Linux Policy for the tuned processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B tuned -+(Dynamic adaptive system tuning daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the tuned processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the tuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tuned_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -51025,6 +53424,14 @@ index 0000000..824c519 + +.EX +.PP ++.B tuned_etc_t ++.EE ++ ++- Set files with the tuned_etc_t type, if you want to store tuned files in the /etc directories. ++ ++ ++.EX ++.PP +.B tuned_exec_t +.EE + 
@@ -51053,14 +53460,26 @@ index 0000000..824c519 + +.EX +.PP ++.B tuned_rw_etc_t ++.EE ++ ++- Set files with the tuned_rw_etc_t type, if you want to store tuned rw files in the /etc directories. ++ ++ ++.EX ++.PP +.B tuned_var_run_t +.EE + +- Set files with the tuned_var_run_t type, if you want to store the tuned files under the /run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/tuned(/.*)?, /var/run/tuned\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51105,23 +53524,19 @@ index 0000000..824c519 +selinux(8), tuned(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tvtime_selinux.8 b/man/man8/tvtime_selinux.8 new file mode 100644 -index 0000000..0694cf9 +index 0000000..fd62159 --- /dev/null +++ b/man/man8/tvtime_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "tvtime_selinux" "8" "tvtime" "dwalsh@redhat.com" "tvtime SELinux Policy documentation" +.SH "NAME" +tvtime_selinux \- Security Enhanced Linux Policy for the tvtime processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B tvtime -+( tvtime - a high quality television application ) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the tvtime processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -51167,7 +53582,7 @@ index 0000000..0694cf9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51212,23 +53627,33 @@ index 0000000..0694cf9 +selinux(8), tvtime(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/udev_selinux.8 b/man/man8/udev_selinux.8 new file mode 100644 -index 0000000..e90dada +index 0000000..995f726 --- /dev/null +++ b/man/man8/udev_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,131 @@ +.TH "udev_selinux" "8" "udev" "dwalsh@redhat.com" "udev SELinux Policy documentation" +.SH "NAME" +udev_selinux \- Security Enhanced Linux Policy for the udev processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B udev -+(Policy for udev) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the udev processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the udev_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the udev_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -51259,7 +53684,7 @@ index 0000000..e90dada +.br +.TP 5 +Paths: -+/lib/udev/udevd, /sbin/udevd, /sbin/udev, /usr/sbin/wait_for_sysfs, /sbin/udevsend, /usr/sbin/udevadm, /usr/bin/udevadm, /usr/bin/udevinfo, /usr/sbin/start_udev, /usr/sbin/udev, /usr/sbin/udevsend, /sbin/start_udev, /sbin/udevstart, /bin/udevadm, /sbin/wait_for_sysfs, /lib/udev/udev-acl, /sbin/udevadm, /usr/sbin/udevd, /usr/sbin/udevstart, /usr/lib/udev/udev-acl, /usr/lib/udev/udevd ++/lib/udev/udevd, /usr/bin/udevinfo, /sbin/udevd, /sbin/udev, /usr/sbin/wait_for_sysfs, /sbin/udevsend, /usr/sbin/udevadm, /usr/bin/udevadm, /usr/sbin/start_udev, /usr/sbin/udev, /sbin/wait_for_sysfs, /usr/sbin/udevsend, /sbin/start_udev, /sbin/udevstart, /bin/udevadm, /lib/udev/udev-acl, /sbin/udevadm, /usr/sbin/udevd, /usr/lib/systemd/systemd-udevd, /usr/sbin/udevstart, /usr/lib/udev/udev-acl, /usr/lib/udev/udevd + +.EX +.PP @@ -51294,7 +53719,7 @@ index 0000000..e90dada +/var/run/udev(/.*)?, /dev/\.udevdb, /var/run/PackageKit/udev(/.*)?, /dev/\.udev(/.*)?, /dev/udev\.tbl, /var/run/libgpod(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51339,23 +53764,19 @@ index 0000000..e90dada +selinux(8), udev(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ulogd_selinux.8 b/man/man8/ulogd_selinux.8 new file mode 100644 -index 0000000..3ab14e4 +index 0000000..7e31875 --- /dev/null 
+++ b/man/man8/ulogd_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,105 @@ +.TH "ulogd_selinux" "8" "ulogd" "dwalsh@redhat.com" "ulogd SELinux Policy documentation" +.SH "NAME" +ulogd_selinux \- Security Enhanced Linux Policy for the ulogd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ulogd -+(Iptables/netfilter userspace logging daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ulogd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -51409,7 +53830,7 @@ index 0000000..3ab14e4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51454,23 +53875,19 @@ index 0000000..3ab14e4 +selinux(8), ulogd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/uml_selinux.8 b/man/man8/uml_selinux.8 new file mode 100644 -index 0000000..34355cf +index 0000000..e33f74d --- /dev/null +++ b/man/man8/uml_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,121 @@ +.TH "uml_selinux" "8" "uml" "dwalsh@redhat.com" "uml SELinux Policy documentation" +.SH "NAME" +uml_selinux \- Security Enhanced Linux Policy for the uml processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B uml -+(Policy for UML) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the uml processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -51540,7 +53957,7 @@ index 0000000..34355cf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51585,24 +54002,18 @@ index 0000000..34355cf +selinux(8), uml(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/unconfined_selinux.8 b/man/man8/unconfined_selinux.8 new file mode 100644 -index 0000000..49f0e32 +index 0000000..f2d638d --- /dev/null +++ b/man/man8/unconfined_selinux.8 -@@ -0,0 +1,131 @@ +@@ -0,0 +1,141 @@ +.TH "unconfined_selinux" "8" "unconfined" "dwalsh@redhat.com" "unconfined SELinux Policy documentation" +.SH "NAME" +unconfined_selinux \- Security Enhanced Linux Policy for the unconfined processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B unconfined -+(The unconfined domain) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the unconfined processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. unconfined policy is extremely flexible and has several booleans that allow you to manipulate the policy and run unconfined with the tightest access possible. + 
@@ -51649,6 +54060,22 @@ index 0000000..49f0e32 +.B setsebool -P unconfined_mplayer 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the unconfined_dbusd_t, unconfined_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the unconfined_dbusd_t, unconfined_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -51670,10 +54097,10 @@ index 0000000..49f0e32 +.br +.TP 5 +Paths: -+/usr/bin/vncserver, /usr/sbin/xrdp, /usr/sbin/xrdp-sesman ++/usr/sbin/xrdp, /usr/sbin/xrdp-sesman, /usr/bin/vncserver + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51723,17 +54150,19 @@ index 0000000..49f0e32 \ No newline at end of file diff --git a/man/man8/update_selinux.8 b/man/man8/update_selinux.8 new file mode 100644 -index 0000000..df3a1eb +index 0000000..252ec75 --- /dev/null 
+++ b/man/man8/update_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,85 @@ +.TH "update_selinux" "8" "update" "dwalsh@redhat.com" "update SELinux Policy documentation" +.SH "NAME" +update_selinux \- Security Enhanced Linux Policy for the update processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the update processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -51756,7 +54185,7 @@ index 0000000..df3a1eb +.br +.TP 5 +Paths: -+/usr/sbin/modules-update, /usr/sbin/update-modules, /sbin/modules-update, /sbin/generate-modprobe\.conf, /sbin/update-modules, /usr/sbin/generate-modprobe\.conf ++/usr/sbin/modules-update, /sbin/modules-update, /sbin/generate-modprobe\.conf, /sbin/update-modules, /usr/sbin/generate-modprobe\.conf, /usr/sbin/update-modules + +.EX +.PP @@ -51767,7 +54196,7 @@ index 0000000..df3a1eb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51812,23 +54241,33 @@ index 0000000..df3a1eb +selinux(8), update(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/updfstab_selinux.8 b/man/man8/updfstab_selinux.8 new file mode 100644 -index 0000000..17c099b +index 0000000..d7cb248 --- /dev/null 
+++ b/man/man8/updfstab_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,91 @@ +.TH "updfstab_selinux" "8" "updfstab" "dwalsh@redhat.com" "updfstab SELinux Policy documentation" +.SH "NAME" +updfstab_selinux \- Security Enhanced Linux Policy for the updfstab processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B updfstab -+(Red Hat utility to change /etc/fstab) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the updfstab processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the updfstab_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the updfstab_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -51854,7 +54293,7 @@ index 0000000..17c099b +/usr/sbin/updfstab, /usr/sbin/fstab-sync + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51899,17 +54338,33 @@ index 0000000..17c099b +selinux(8), updfstab(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/updpwd_selinux.8 b/man/man8/updpwd_selinux.8 new file mode 100644 -index 0000000..b48fb1b +index 0000000..c302ebe --- /dev/null 
+++ b/man/man8/updpwd_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,91 @@ +.TH "updpwd_selinux" "8" "updpwd" "dwalsh@redhat.com" "updpwd SELinux Policy documentation" +.SH "NAME" +updpwd_selinux \- Security Enhanced Linux Policy for the updpwd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the updpwd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the updpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the updpwd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -51935,7 +54390,7 @@ index 0000000..b48fb1b +/sbin/unix_update, /usr/sbin/unix_update + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51980,23 +54435,19 @@ index 0000000..b48fb1b +selinux(8), updpwd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/usbmodules_selinux.8 b/man/man8/usbmodules_selinux.8 new file mode 100644 -index 0000000..83e61e3 +index 0000000..532a0c5 --- /dev/null 
+++ b/man/man8/usbmodules_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,77 @@ +.TH "usbmodules_selinux" "8" "usbmodules" "dwalsh@redhat.com" "usbmodules SELinux Policy documentation" +.SH "NAME" +usbmodules_selinux \- Security Enhanced Linux Policy for the usbmodules processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B usbmodules -+(List kernel modules of USB devices) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the usbmodules processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52022,7 +54473,7 @@ index 0000000..83e61e3 +/usr/sbin/usbmodules, /sbin/usbmodules + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52067,23 +54518,33 @@ index 0000000..83e61e3 +selinux(8), usbmodules(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/usbmuxd_selinux.8 b/man/man8/usbmuxd_selinux.8 new file mode 100644 -index 0000000..a8d74de +index 0000000..f7902e5 --- /dev/null 
+++ b/man/man8/usbmuxd_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,95 @@ +.TH "usbmuxd_selinux" "8" "usbmuxd" "dwalsh@redhat.com" "usbmuxd SELinux Policy documentation" +.SH "NAME" +usbmuxd_selinux \- Security Enhanced Linux Policy for the usbmuxd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B usbmuxd -+(USB multiplexing daemon for communicating with Apple iPod Touch and iPhone) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the usbmuxd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the usbmuxd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the usbmuxd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52113,7 +54574,7 @@ index 0000000..a8d74de + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52358,17 +54819,33 @@ index 0000000..a2082e9 +selinux(8), semanage(8). diff --git a/man/man8/useradd_selinux.8 b/man/man8/useradd_selinux.8 new file mode 100644 -index 0000000..8ad5cf6 +index 0000000..a32bbec --- /dev/null 
+++ b/man/man8/useradd_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,91 @@ +.TH "useradd_selinux" "8" "useradd" "dwalsh@redhat.com" "useradd SELinux Policy documentation" +.SH "NAME" +useradd_selinux \- Security Enhanced Linux Policy for the useradd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the useradd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the useradd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the useradd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52391,10 +54868,10 @@ index 0000000..8ad5cf6 +.br +.TP 5 +Paths: -+/usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel ++/usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/newusers + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52439,23 +54916,33 @@ index 0000000..8ad5cf6 +selinux(8), useradd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/usernetctl_selinux.8 b/man/man8/usernetctl_selinux.8 new file mode 100644 -index 0000000..8789d75 +index 0000000..cf7a33b --- /dev/null 
+++ b/man/man8/usernetctl_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,87 @@ +.TH "usernetctl_selinux" "8" "usernetctl" "dwalsh@redhat.com" "usernetctl SELinux Policy documentation" +.SH "NAME" +usernetctl_selinux \- Security Enhanced Linux Policy for the usernetctl processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B usernetctl -+(User network interface configuration helper) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the usernetctl processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the usernetctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the usernetctl_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52477,7 +54964,7 @@ index 0000000..8789d75 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52522,17 +55009,33 @@ index 0000000..8789d75 +selinux(8), usernetctl(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/utempter_selinux.8 b/man/man8/utempter_selinux.8 new file mode 100644 -index 0000000..a311394 +index 0000000..34af4de --- /dev/null 
+++ b/man/man8/utempter_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,87 @@ +.TH "utempter_selinux" "8" "utempter" "dwalsh@redhat.com" "utempter SELinux Policy documentation" +.SH "NAME" +utempter_selinux \- Security Enhanced Linux Policy for the utempter processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the utempter processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the utempter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the utempter_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52554,7 +55057,7 @@ index 0000000..a311394 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52599,17 +55102,33 @@ index 0000000..a311394 +selinux(8), utempter(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/uucpd_selinux.8 b/man/man8/uucpd_selinux.8 new file mode 100644 -index 0000000..10de0a8 +index 0000000..43406f1 --- /dev/null 
+++ b/man/man8/uucpd_selinux.8 -@@ -0,0 +1,157 @@ +@@ -0,0 +1,173 @@ +.TH "uucpd_selinux" "8" "uucpd" "dwalsh@redhat.com" "uucpd SELinux Policy documentation" +.SH "NAME" +uucpd_selinux \- Security Enhanced Linux Policy for the uucpd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the uucpd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the uucpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the uucpd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52691,7 +55210,7 @@ index 0000000..10de0a8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52718,7 +55237,7 @@ index 0000000..10de0a8 + + +Default Defined Ports: -+tcp 8021 ++tcp 540 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -52762,23 +55281,19 @@ index 0000000..10de0a8 +selinux(8), uucpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/uuidd_selinux.8 b/man/man8/uuidd_selinux.8 new file mode 100644 -index 0000000..82a5e37 +index 0000000..3dfe015 --- /dev/null 
+++ b/man/man8/uuidd_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "uuidd_selinux" "8" "uuidd" "dwalsh@redhat.com" "uuidd SELinux Policy documentation" +.SH "NAME" +uuidd_selinux \- Security Enhanced Linux Policy for the uuidd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B uuidd -+(policy for uuidd) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the uuidd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52824,7 +55339,7 @@ index 0000000..82a5e37 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52869,17 +55384,33 @@ index 0000000..82a5e37 +selinux(8), uuidd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/uux_selinux.8 b/man/man8/uux_selinux.8 new file mode 100644 -index 0000000..c1913bf +index 0000000..6116416 --- /dev/null 
+++ b/man/man8/uux_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,87 @@ +.TH "uux_selinux" "8" "uux" "dwalsh@redhat.com" "uux SELinux Policy documentation" +.SH "NAME" +uux_selinux \- Security Enhanced Linux Policy for the uux processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the uux processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the uux_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the uux_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52901,7 +55432,7 @@ index 0000000..c1913bf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52946,24 +55477,18 @@ index 0000000..c1913bf +selinux(8), uux(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/varnishd_selinux.8 b/man/man8/varnishd_selinux.8 new file mode 100644 -index 0000000..97d1ed5 +index 0000000..e1852e6 --- /dev/null 
+++ b/man/man8/varnishd_selinux.8 -@@ -0,0 +1,158 @@ +@@ -0,0 +1,168 @@ +.TH "varnishd_selinux" "8" "varnishd" "dwalsh@redhat.com" "varnishd SELinux Policy documentation" +.SH "NAME" +varnishd_selinux \- Security Enhanced Linux Policy for the varnishd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B varnishd -+(Varnishd http accelerator daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the varnishd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. varnishd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run varnishd with the tightest access possible. + @@ -52975,6 +55500,22 @@ index 0000000..97d1ed5 +.B setsebool -P varnishd_connect_any 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the varnishd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the varnishd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -53035,7 +55576,7 @@ index 0000000..97d1ed5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -53062,7 +55603,7 @@ index 0000000..97d1ed5 + + +Default Defined Ports: -+tcp 8021 ++tcp 6081-6082 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -53111,17 +55652,19 @@ index 0000000..97d1ed5 \ No newline at end of file diff --git a/man/man8/varnishlog_selinux.8 b/man/man8/varnishlog_selinux.8 new file mode 100644 -index 0000000..a761366 +index 0000000..aec0070 --- /dev/null +++ b/man/man8/varnishlog_selinux.8 -@@ -0,0 +1,107 @@ +@@ -0,0 +1,109 @@ +.TH "varnishlog_selinux" "8" "varnishlog" "dwalsh@redhat.com" "varnishlog SELinux Policy documentation" +.SH "NAME" +varnishlog_selinux \- Security Enhanced Linux Policy for the varnishlog processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the varnishlog processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -53179,7 +55722,7 @@ index 0000000..a761366 +/var/run/varnishncsa\.pid, /var/run/varnishlog\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53224,24 +55767,18 @@ index 0000000..a761366 +selinux(8), varnishlog(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vbetool_selinux.8 b/man/man8/vbetool_selinux.8 new file mode 100644 -index 0000000..690e094 +index 0000000..a380712 --- /dev/null 
+++ b/man/man8/vbetool_selinux.8 -@@ -0,0 +1,92 @@ +@@ -0,0 +1,88 @@ +.TH "vbetool_selinux" "8" "vbetool" "dwalsh@redhat.com" "vbetool SELinux Policy documentation" +.SH "NAME" +vbetool_selinux \- Security Enhanced Linux Policy for the vbetool processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B vbetool -+(run real-mode video BIOS code to alter hardware state) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the vbetool processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. vbetool policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vbetool with the tightest access possible. + @@ -53253,6 +55790,8 @@ index 0000000..690e094 +.B setsebool -P vbetool_mmap_zero_ignore 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -53273,7 +55812,7 @@ index 0000000..690e094 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53323,23 +55862,19 @@ index 0000000..690e094 \ No newline at end of file diff --git a/man/man8/vdagent_selinux.8 b/man/man8/vdagent_selinux.8 new file mode 100644 -index 0000000..ef8444d +index 0000000..bdcb173 --- /dev/null 
+++ b/man/man8/vdagent_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "vdagent_selinux" "8" "vdagent" "dwalsh@redhat.com" "vdagent SELinux Policy documentation" +.SH "NAME" +vdagent_selinux \- Security Enhanced Linux Policy for the vdagent processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B vdagent -+(policy for vdagent) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the vdagent processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -53385,7 +55920,7 @@ index 0000000..ef8444d +/var/run/spice-vdagentd.\pid, /var/run/spice-vdagentd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53430,23 +55965,33 @@ index 0000000..ef8444d +selinux(8), vdagent(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vhostmd_selinux.8 b/man/man8/vhostmd_selinux.8 new file mode 100644 -index 0000000..1800dc6 +index 0000000..3f35c18 --- /dev/null 
+++ b/man/man8/vhostmd_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,111 @@ +.TH "vhostmd_selinux" "8" "vhostmd" "dwalsh@redhat.com" "vhostmd SELinux Policy documentation" +.SH "NAME" +vhostmd_selinux \- Security Enhanced Linux Policy for the vhostmd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B vhostmd -+(Virtual host metrics daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the vhostmd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vhostmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the vhostmd_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -53492,7 +56037,7 @@ index 0000000..1800dc6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53537,17 +56082,33 @@ index 0000000..1800dc6 +selinux(8), vhostmd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/virsh_selinux.8 b/man/man8/virsh_selinux.8 new file mode 100644 -index 0000000..97dc9a2 +index 0000000..7b63ffc --- /dev/null 
+++ b/man/man8/virsh_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,87 @@ +.TH "virsh_selinux" "8" "virsh" "dwalsh@redhat.com" "virsh SELinux Policy documentation" +.SH "NAME" +virsh_selinux \- Security Enhanced Linux Policy for the virsh processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the virsh processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virsh_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the virsh_ssh_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -53569,7 +56130,7 @@ index 0000000..97dc9a2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53614,36 +56175,23 @@ index 0000000..97dc9a2 +selinux(8), virsh(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/virt_selinux.8 b/man/man8/virt_selinux.8 new file mode 100644 -index 0000000..bc4a520 +index 0000000..f7d1708 --- /dev/null 
+++ b/man/man8/virt_selinux.8 -@@ -0,0 +1,349 @@ +@@ -0,0 +1,365 @@ +.TH "virt_selinux" "8" "virt" "dwalsh@redhat.com" "virt SELinux Policy documentation" +.SH "NAME" +virt_selinux \- Security Enhanced Linux Policy for the virt processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B virt -+(Libvirt virtualization API) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the virt processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. virt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virt with the tightest access possible. + + +.PP -+If you want to allow confined virtual guests to read fuse file, you must turn on the virt_use_fusefs boolean. -+ -+.EX -+.B setsebool -P virt_use_fusefs 1 -+.EE -+ -+.PP +If you want to allow confined virtual guests to manage nfs file, you must turn on the virt_use_nfs boolean. + +.EX @@ -53672,6 +56220,13 @@ index 0000000..bc4a520 +.EE + +.PP ++If you want to allow confined virtual guests to interact with the sanloc, you must turn on the virt_use_sanlock boolean. ++ ++.EX ++.B setsebool -P virt_use_sanlock 1 ++.EE ++ ++.PP +If you want to allow confined virtual guests to use executable memory and executable stac, you must turn on the virt_use_execmem boolean. + +.EX @@ -53679,10 +56234,10 @@ index 0000000..bc4a520 +.EE + +.PP -+If you want to allow confined virtual guests to interact with the sanloc, you must turn on the virt_use_sanlock boolean. ++If you want to allow confined virtual guests to read fuse file, you must turn on the virt_use_fusefs boolean. + +.EX -+.B setsebool -P virt_use_sanlock 1 ++.B setsebool -P virt_use_fusefs 1 +.EE + +.PP 
@@ -53699,6 +56254,22 @@ index 0000000..bc4a520 +.B setsebool -P virt_use_samba 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virtd_t, virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the virtd_t, virtd_lxc_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -53800,6 +56371,18 @@ index 0000000..bc4a520 + +.EX +.PP ++.B virt_lxc_var_run_t ++.EE ++ ++- Set files with the virt_lxc_var_run_t type, if you want to store the virt lxc files under the /run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/libvirt-sandbox(/.*)?, /var/run/libvirt/lxc(/.*)? ++ ++.EX ++.PP +.B virt_qmf_exec_t +.EE + @@ -53848,7 +56431,7 @@ index 0000000..bc4a520 +.br +.TP 5 +Paths: -+/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/imgfac\.py, /usr/bin/nova-compute, /usr/sbin/libvirtd ++/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/vios-proxy-host, /usr/bin/imgfac\.py, /usr/bin/vios-proxy-guest, /usr/bin/nova-compute, /usr/sbin/libvirtd + +.EX +.PP 
@@ -53874,16 +56457,8 @@ index 0000000..bc4a520 +- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain. + + -+.EX -+.PP -+.B virtd_lxc_var_run_t -+.EE -+ -+- Set files with the virtd_lxc_var_run_t type, if you want to store the virtd lxc files under the /run directory. -+ -+ +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53910,7 +56485,7 @@ index 0000000..bc4a520 + + +Default Defined Ports: -+tcp 8021 ++tcp 49152-49216 +.EE + +.EX @@ -53921,7 +56496,9 @@ index 0000000..bc4a520 + + +Default Defined Ports: -+tcp 8021 ++tcp 16509,16514 ++.EE ++udp 16509,16514 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -53970,30 +56547,23 @@ index 0000000..bc4a520 \ No newline at end of file diff --git a/man/man8/virtd_selinux.8 b/man/man8/virtd_selinux.8 new file mode 100644 -index 0000000..40dfb33 +index 0000000..b6b2fd4 --- /dev/null 
+++ b/man/man8/virtd_selinux.8 -@@ -0,0 +1,343 @@ +@@ -0,0 +1,225 @@ +.TH "virtd_selinux" "8" "virtd" "dwalsh@redhat.com" "virtd SELinux Policy documentation" +.SH "NAME" +virtd_selinux \- Security Enhanced Linux Policy for the virtd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the virtd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. virtd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virtd with the tightest access possible. + + +.PP -+If you want to allow confined virtual guests to read fuse file, you must turn on the virt_use_fusefs boolean. -+ -+.EX -+.B setsebool -P virt_use_fusefs 1 -+.EE -+ -+.PP +If you want to allow confined virtual guests to manage nfs file, you must turn on the virt_use_nfs boolean. + +.EX @@ -54022,13 +56592,6 @@ index 0000000..40dfb33 +.EE + +.PP -+If you want to allow confined virtual guests to use executable memory and executable stac, you must turn on the virt_use_execmem boolean. -+ -+.EX -+.B setsebool -P virt_use_execmem 1 -+.EE -+ -+.PP +If you want to allow confined virtual guests to interact with the sanloc, you must turn on the virt_use_sanlock boolean. + +.EX 
@@ -54036,157 +56599,59 @@ index 0000000..40dfb33 +.EE + +.PP -+If you want to allow confined virtual guests to use usb device, you must turn on the virt_use_usb boolean. ++If you want to allow confined virtual guests to use executable memory and executable stac, you must turn on the virt_use_execmem boolean. + +.EX -+.B setsebool -P virt_use_usb 1 ++.B setsebool -P virt_use_execmem 1 +.EE + +.PP -+If you want to allow confined virtual guests to manage cifs file, you must turn on the virt_use_samba boolean. -+ -+.EX -+.B setsebool -P virt_use_samba 1 -+.EE -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible. -+.PP -+The following file types are defined for virtd: -+ -+ -+.EX -+.PP -+.B virt_bridgehelper_exec_t -+.EE -+ -+- Set files with the virt_bridgehelper_exec_t type, if you want to transition an executable to the virt_bridgehelper_t domain. -+ ++If you want to allow confined virtual guests to read fuse file, you must turn on the virt_use_fusefs boolean. + +.EX -+.PP -+.B virt_cache_t ++.B setsebool -P virt_use_fusefs 1 +.EE + -+- Set files with the virt_cache_t type, if you want to store the files under the /var/cache directory. -+ -+.br -+.TP 5 -+Paths: -+/var/cache/oz(/.*)?, /var/cache/libvirt(/.*)? -+ -+.EX +.PP -+.B virt_content_t -+.EE -+ -+- Set files with the virt_content_t type, if you want to treat the files as virt content. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/vdsm(/.*)?, /var/lib/oz/isos(/.*)?, /var/lib/libvirt/boot(/.*)?, /var/lib/libvirt/isos(/.*)? ++If you want to allow confined virtual guests to use usb device, you must turn on the virt_use_usb boolean. 
+ +.EX -+.PP -+.B virt_etc_rw_t ++.B setsebool -P virt_use_usb 1 +.EE + -+- Set files with the virt_etc_rw_t type, if you want to treat the files as virt etc read/write content. -+ -+.br -+.TP 5 -+Paths: -+/etc/libvirt/.*/.*, /etc/xen/.*/.*, /etc/xen/[^/]*, /etc/libvirt/[^/]* -+ -+.EX +.PP -+.B virt_etc_t -+.EE -+ -+- Set files with the virt_etc_t type, if you want to store virt files in the /etc directories. -+ -+.br -+.TP 5 -+Paths: -+/etc/libvirt/[^/]*, /etc/libvirt, /etc/xen/[^/]*, /etc/xen ++If you want to allow confined virtual guests to manage cifs file, you must turn on the virt_use_samba boolean. + +.EX -+.PP -+.B virt_home_t ++.B setsebool -P virt_use_samba 1 +.EE + -+- Set files with the virt_home_t type, if you want to store virt files in the users home directory. -+ ++.SH NSSWITCH DOMAIN + -+.EX +.PP -+.B virt_image_t -+.EE -+ -+- Set files with the virt_image_t type, if you want to treat the files as virt image data. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/imagefactory/images(/.*)?, /var/lib/libvirt/images(/.*)? ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virtd_t, virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B virt_log_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the virt_log_t type, if you want to treat the data as virt log data, usually stored under the /var/log directory. -+ -+.br -+.TP 5 -+Paths: -+/var/log/log(/.*)?, /var/log/vdsm(/.*)?, /var/log/libvirt(/.*)? -+ -+.EX +.PP -+.B virt_qmf_exec_t -+.EE -+ -+- Set files with the virt_qmf_exec_t type, if you want to transition an executable to the virt_qmf_t domain. -+ ++If you want to allow confined applications to run with kerberos for the virtd_t, virtd_lxc_t, you must turn on the kerberos_enabled boolean. 
+ +.EX -+.PP -+.B virt_tmp_t ++setsebool -P kerberos_enabled 1 +.EE + -+- Set files with the virt_tmp_t type, if you want to store virt temporary files in the /tmp directories. -+ -+ -+.EX ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. +.PP -+.B virt_var_lib_t -+.EE -+ -+- Set files with the virt_var_lib_t type, if you want to store the virt files under the /var/lib directory. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/oz(/.*)?, /var/lib/libvirt(/.*)? -+ -+.EX ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP -+.B virt_var_run_t -+.EE -+ -+- Set files with the virt_var_run_t type, if you want to store the virt files under the /run directory. ++Policy governs the access confined processes have to these files. ++SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible. ++.PP ++The following file types are defined for virtd: + -+.br -+.TP 5 -+Paths: -+/var/run/vdsm(/.*)?, /var/vdsm(/.*)?, /var/run/libvirt(/.*)? + +.EX +.PP @@ -54198,7 +56663,7 @@ index 0000000..40dfb33 +.br +.TP 5 +Paths: -+/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/imgfac\.py, /usr/bin/nova-compute, /usr/sbin/libvirtd ++/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/vios-proxy-host, /usr/bin/imgfac\.py, /usr/bin/vios-proxy-guest, /usr/bin/nova-compute, /usr/sbin/libvirtd + +.EX +.PP 
@@ -54224,16 +56689,8 @@ index 0000000..40dfb33 +- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain. + + -+.EX -+.PP -+.B virtd_lxc_var_run_t -+.EE -+ -+- Set files with the virtd_lxc_var_run_t type, if you want to store the virtd lxc files under the /run directory. -+ -+ +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54260,7 +56717,7 @@ index 0000000..40dfb33 + + +Default Defined Ports: -+tcp 8021 ++tcp 49152-49216 +.EE + +.EX @@ -54271,7 +56728,9 @@ index 0000000..40dfb33 + + +Default Defined Ports: -+tcp 8021 ++tcp 16509,16514 ++.EE ++udp 16509,16514 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -54320,23 +56779,33 @@ index 0000000..40dfb33 \ No newline at end of file diff --git a/man/man8/vlock_selinux.8 b/man/man8/vlock_selinux.8 new file mode 100644 -index 0000000..c8e2a9e +index 0000000..a334b41 --- /dev/null 
+++ b/man/man8/vlock_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,87 @@ +.TH "vlock_selinux" "8" "vlock" "dwalsh@redhat.com" "vlock SELinux Policy documentation" +.SH "NAME" +vlock_selinux \- Security Enhanced Linux Policy for the vlock processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B vlock -+(Lock one or more sessions on the Linux console) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the vlock processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the vlock_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -54358,7 +56827,7 @@ index 0000000..c8e2a9e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54403,23 +56872,19 @@ index 0000000..c8e2a9e +selinux(8), vlock(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vmware_selinux.8 b/man/man8/vmware_selinux.8 new file mode 100644 -index 0000000..735cd42 +index 0000000..7ce75e5 --- /dev/null 
+++ b/man/man8/vmware_selinux.8 -@@ -0,0 +1,173 @@ +@@ -0,0 +1,169 @@ +.TH "vmware_selinux" "8" "vmware" "dwalsh@redhat.com" "vmware SELinux Policy documentation" +.SH "NAME" +vmware_selinux \- Security Enhanced Linux Policy for the vmware processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B vmware -+(VMWare Workstation virtual machines) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the vmware processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -54450,7 +56915,7 @@ index 0000000..735cd42 +.br +.TP 5 +Paths: -+/usr/sbin/vmware-serverd, /usr/lib/vmware/bin/vmware-mks, /usr/lib/vmware/bin/vmplayer, /usr/bin/vmware-ping, /usr/lib/vmware/bin/vmware-ui, /usr/bin/vmware, /usr/bin/vmware-wizard ++/usr/sbin/vmware-serverd, /usr/lib/vmware/bin/vmware-mks, /usr/lib/vmware/bin/vmplayer, /usr/bin/vmware-ping, /usr/lib/vmware/bin/vmware-ui, /usr/bin/vmware-wizard, /usr/bin/vmware + +.EX +.PP @@ -54537,7 +57002,7 @@ index 0000000..735cd42 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54582,17 +57047,19 @@ index 0000000..735cd42 +selinux(8), vmware(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vnstat_selinux.8 b/man/man8/vnstat_selinux.8 new file mode 100644 -index 0000000..254d3d4 +index 0000000..c497c1b --- /dev/null 
+++ b/man/man8/vnstat_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "vnstat_selinux" "8" "vnstat" "dwalsh@redhat.com" "vnstat SELinux Policy documentation" +.SH "NAME" +vnstat_selinux \- Security Enhanced Linux Policy for the vnstat processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the vnstat processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -54638,7 +57105,7 @@ index 0000000..254d3d4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54683,23 +57150,19 @@ index 0000000..254d3d4 +selinux(8), vnstat(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vnstatd_selinux.8 b/man/man8/vnstatd_selinux.8 new file mode 100644 -index 0000000..1589eb8 +index 0000000..ee13308 --- /dev/null +++ b/man/man8/vnstatd_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,89 @@ +.TH "vnstatd_selinux" "8" "vnstatd" "dwalsh@redhat.com" "vnstatd SELinux Policy documentation" +.SH "NAME" +vnstatd_selinux \- Security Enhanced Linux Policy for the vnstatd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B vnstatd -+(Console network traffic monitor) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the vnstatd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -54714,14 +57177,6 @@ index 0000000..1589eb8 + +.EX +.PP -+.B vnstat_exec_t -+.EE -+ -+- Set files with the vnstat_exec_t type, if you want to transition an executable to the vnstat_t domain. -+ -+ -+.EX -+.PP +.B vnstatd_exec_t +.EE + @@ -54745,7 +57200,7 @@ index 0000000..1589eb8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54790,17 +57245,33 @@ index 0000000..1589eb8 +selinux(8), vnstatd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vpnc_selinux.8 b/man/man8/vpnc_selinux.8 new file mode 100644 -index 0000000..41a5246 +index 0000000..cabfeb1 --- /dev/null +++ b/man/man8/vpnc_selinux.8 -@@ -0,0 +1,91 @@ +@@ -0,0 +1,107 @@ +.TH "vpnc_selinux" "8" "vpnc" "dwalsh@redhat.com" "vpnc SELinux Policy documentation" +.SH "NAME" +vpnc_selinux \- Security Enhanced Linux Policy for the vpnc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the vpnc processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the vpnc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the vpnc_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -54842,7 +57313,7 @@ index 0000000..41a5246 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54887,23 +57358,33 @@ index 0000000..41a5246 +selinux(8), vpnc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/wdmd_selinux.8 b/man/man8/wdmd_selinux.8 new file mode 100644 -index 0000000..a060bdb +index 0000000..1d1a204 --- /dev/null +++ b/man/man8/wdmd_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,103 @@ +.TH "wdmd_selinux" "8" "wdmd" "dwalsh@redhat.com" "wdmd SELinux Policy documentation" +.SH "NAME" +wdmd_selinux \- Security Enhanced Linux Policy for the wdmd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B wdmd -+(policy for wdmd) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the wdmd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the wdmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the wdmd_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -54941,7 +57422,7 @@ index 0000000..a060bdb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55057,23 +57538,33 @@ index 0000000..072a0c0 +selinux(8), semanage(8). diff --git a/man/man8/webalizer_selinux.8 b/man/man8/webalizer_selinux.8 new file mode 100644 -index 0000000..ba0eb02 +index 0000000..b4575fa --- /dev/null +++ b/man/man8/webalizer_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,131 @@ +.TH "webalizer_selinux" "8" "webalizer" "dwalsh@redhat.com" "webalizer SELinux Policy documentation" +.SH "NAME" +webalizer_selinux \- Security Enhanced Linux Policy for the webalizer processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B webalizer -+(Web server log analysis) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the webalizer processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the webalizer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the webalizer_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -55101,6 +57592,10 @@ index 0000000..ba0eb02 + +- Set files with the webalizer_exec_t type, if you want to transition an executable to the webalizer_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/webalizer, /usr/bin/awffull + +.EX +.PP @@ -55135,7 +57630,7 @@ index 0000000..ba0eb02 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55180,27 +57675,43 @@ index 0000000..ba0eb02 +selinux(8), webalizer(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/winbind_selinux.8 b/man/man8/winbind_selinux.8 new file mode 100644 -index 0000000..df63d07 +index 0000000..5be2428 --- /dev/null 
+++ b/man/man8/winbind_selinux.8 -@@ -0,0 +1,114 @@ +@@ -0,0 +1,130 @@ +.TH "winbind_selinux" "8" "winbind" "dwalsh@redhat.com" "winbind SELinux Policy documentation" +.SH "NAME" +winbind_selinux \- Security Enhanced Linux Policy for the winbind processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the winbind processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. winbind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run winbind with the tightest access possible. + + +.PP -+If you want to allow Apache to use mod_auth_ntlm_winbin, you must turn on the allow_httpd_mod_auth_ntlm_winbind boolean. ++If you want to allow Apache to use mod_auth_ntlm_winbin, you must turn on the httpd_mod_auth_ntlm_winbind boolean. ++ ++.EX ++.B setsebool -P httpd_mod_auth_ntlm_winbind 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the winbind_helper_t, winbind_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the winbind_helper_t, winbind_t, you must turn on the kerberos_enabled boolean. + +.EX -+.B setsebool -P allow_httpd_mod_auth_ntlm_winbind 1 ++setsebool -P kerberos_enabled 1 +.EE + +.SH FILE CONTEXTS 
@@ -55248,10 +57759,10 @@ index 0000000..df63d07 +.br +.TP 5 +Paths: -+/var/cache/samba/winbindd_privileged(/.*)?, /var/lib/samba/winbindd_privileged(/.*)?, /var/run/winbindd(/.*)? ++/var/cache/samba/winbindd_privileged(/.*)?, /var/lib/samba/winbindd_privileged(/.*)?, /var/run/winbindd(/.*)?, /var/run/samba/winbindd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55301,24 +57812,18 @@ index 0000000..df63d07 \ No newline at end of file diff --git a/man/man8/wine_selinux.8 b/man/man8/wine_selinux.8 new file mode 100644 -index 0000000..c2107f1 +index 0000000..8bce1e7 --- /dev/null +++ b/man/man8/wine_selinux.8 -@@ -0,0 +1,104 @@ +@@ -0,0 +1,100 @@ +.TH "wine_selinux" "8" "wine" "dwalsh@redhat.com" "wine SELinux Policy documentation" +.SH "NAME" +wine_selinux \- Security Enhanced Linux Policy for the wine processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B wine -+(Wine Is Not an Emulator. Run Windows programs in Linux) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the wine processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. wine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run wine with the tightest access possible. + @@ -55330,6 +57835,8 @@ index 0000000..c2107f1 +.B setsebool -P wine_mmap_zero_ignore 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -55362,7 +57869,7 @@ index 0000000..c2107f1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55412,23 +57919,33 @@ index 0000000..c2107f1 \ No newline at end of file diff --git a/man/man8/wireshark_selinux.8 b/man/man8/wireshark_selinux.8 new file mode 100644 -index 0000000..4536946 +index 0000000..f195e54 --- /dev/null +++ b/man/man8/wireshark_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,111 @@ +.TH "wireshark_selinux" "8" "wireshark" "dwalsh@redhat.com" "wireshark SELinux Policy documentation" +.SH "NAME" +wireshark_selinux \- Security Enhanced Linux Policy for the wireshark processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B wireshark -+(Wireshark packet capture tool) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the wireshark processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the wireshark_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the wireshark_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -55474,7 +57991,7 @@ index 0000000..4536946 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55519,17 +58036,19 @@ index 0000000..4536946 +selinux(8), wireshark(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/wpa_selinux.8 b/man/man8/wpa_selinux.8 new file mode 100644 -index 0000000..e8a5a9f +index 0000000..6c081d0 --- /dev/null +++ b/man/man8/wpa_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "wpa_selinux" "8" "wpa" "dwalsh@redhat.com" "wpa SELinux Policy documentation" +.SH "NAME" +wpa_selinux \- Security Enhanced Linux Policy for the wpa processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the wpa processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -55555,7 +58074,7 @@ index 0000000..e8a5a9f +/usr/sbin/wpa_cli, /sbin/wpa_cli + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55600,17 +58119,33 @@ index 0000000..e8a5a9f +selinux(8), wpa(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/xauth_selinux.8 b/man/man8/xauth_selinux.8 new file mode 100644 -index 0000000..85c91f3 +index 0000000..7d613d7 --- /dev/null 
+++ b/man/man8/xauth_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,111 @@ +.TH "xauth_selinux" "8" "xauth" "dwalsh@redhat.com" "xauth SELinux Policy documentation" +.SH "NAME" +xauth_selinux \- Security Enhanced Linux Policy for the xauth processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the xauth processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the xauth_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -55656,7 +58191,7 @@ index 0000000..85c91f3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55701,17 +58236,17 @@ index 0000000..85c91f3 +selinux(8), xauth(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/xdm_selinux.8 b/man/man8/xdm_selinux.8 new file mode 100644 -index 0000000..e377b25 +index 0000000..729ab4a --- /dev/null 
+++ b/man/man8/xdm_selinux.8 -@@ -0,0 +1,223 @@ +@@ -0,0 +1,257 @@ +.TH "xdm_selinux" "8" "xdm" "dwalsh@redhat.com" "xdm SELinux Policy documentation" +.SH "NAME" +xdm_selinux \- Security Enhanced Linux Policy for the xdm processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the xdm processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. xdm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xdm with the tightest access possible. @@ -55731,6 +58266,22 @@ index 0000000..e377b25 +.B setsebool -P xdm_exec_bootloader 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xdm_dbusd_t, xdm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the xdm_dbusd_t, xdm_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -55760,7 +58311,7 @@ index 0000000..e377b25 +.br +.TP 5 +Paths: -+/usr/bin/[xgkw]dm, /usr/bin/slim, /usr/sbin/[xgkw]dm, /usr/X11R6/bin/[xgkw]dm, /usr/sbin/lxdm, /usr/sbin/lxdm-binary, /usr/bin/lxdm-binary, /usr/bin/gpe-dm, /usr/bin/gdm-binary, /usr/bin/lxdm, /opt/kde3/bin/kdm, /usr/sbin/gdm-binary ++/usr/bin/slim, /usr/(s)?bin/lightdm*, /usr/(s)?bin/[mxgkw]dm, /usr/sbin/mdm-binary, /usr/(s)?bin/lxdm(-binary)?, /usr/X11R6/bin/[xgkw]dm, /usr/(s)?bin/gdm-binary, /usr/bin/gpe-dm, /opt/kde3/bin/kdm + +.EX +.PP 
@@ -55792,7 +58343,7 @@ index 0000000..e377b25 +.br +.TP 5 +Paths: -+/var/log/slim\.log.*, /var/log/(l)?xdm\.log.*, /var/log/gdm(/.*)? ++/var/log/slim\.log, /var/log/lxdm\.log.*, /var/log/[mg]dm(/.*)?, /var/log/[mkwx]dm\.log.* + +.EX +.PP @@ -55801,6 +58352,10 @@ index 0000000..e377b25 + +- Set files with the xdm_rw_etc_t type, if you want to store xdm rw files in the /etc directories. + ++.br ++.TP 5 ++Paths: ++/etc/opt/VirtualGL(/.*)?, /etc/X11/wdm(/.*)? + +.EX +.PP @@ -55832,6 +58387,18 @@ index 0000000..e377b25 + +.EX +.PP ++.B xdm_unconfined_exec_t ++.EE ++ ++- Set files with the xdm_unconfined_exec_t type, if you want to transition an executable to the xdm_unconfined_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/[mg]dm/Init(/.*)?, /etc/[mg]dm/PreSession(/.*)?, /etc/[mg]dm/PostLogin(/.*)?, /etc/[mg]dm/PostSession(/.*)? ++ ++.EX ++.PP +.B xdm_var_lib_t +.EE + @@ -55840,7 +58407,7 @@ index 0000000..e377b25 +.br +.TP 5 +Paths: -+/var/lib/[gxkw]dm(/.*)?, /var/cache/gdm(/.*)?, /var/lib/lxdm(/.*)? ++/var/lib/lightdm(/.*)?, /var/cache/lightdm(/.*)?, /var/lib/[mxkwg]dm(/.*)?, /var/lib/lxdm(/.*)?, /var/cache/[mg]dm(/.*)? + +.EX +.PP 
@@ -55852,10 +58419,10 @@ index 0000000..e377b25 +.br +.TP 5 +Paths: -+/var/run/kdm(/.*)?, /var/run/slim.*, /var/run/lxdm(/.*)?, /var/run/gdm(/.*)?, /usr/lib/qt-.*/etc/settings(/.*)?, /var/run/lxdm\.auth, /var/run/xauth(/.*)?, /var/run/xdmctl(/.*)?, /var/run/[gx]dm\.pid, /var/run/slim(/.*)?, /var/run/gdm_socket, /etc/kde3?/kdm/backgroundrc, /var/run/lxdm\.pid ++/etc/kde[34]?/kdm/backgroundrc, /var/run/slim.*, /var/run/lxdm(/.*)?, /usr/lib/qt-.*/etc/settings(/.*)?, /var/run/lxdm\.auth, /var/run/systemd/multi-session-x(/.*)?, /var/run/xauth(/.*)?, /var/run/xdmctl(/.*)?, /var/run/[gx]dm\.pid, /var/run/[kgm]dm(/.*)?, /var/run/slim(/.*)?, /var/run/gdm_socket, /var/run/lxdm\.pid, /var/run/lightdm(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55882,7 +58449,9 @@ index 0000000..e377b25 + + +Default Defined Ports: -+tcp 8021 ++tcp 177 ++.EE ++udp 177 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -55895,7 +58464,7 @@ index 0000000..e377b25 +The following process types are defined for xdm: + +.EX -+.B xdm_t, xdm_dbusd_t ++.B xdm_t, xdm_dbusd_t, xdm_unconfined_t +.EE +.PP +Note: @@ -55931,17 +58500,19 @@ index 0000000..e377b25 \ No newline at end of file diff --git a/man/man8/xenconsoled_selinux.8 b/man/man8/xenconsoled_selinux.8 new file mode 100644 -index 0000000..94ba970 +index 0000000..1693d56 --- /dev/null 
+++ b/man/man8/xenconsoled_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,81 @@ +.TH "xenconsoled_selinux" "8" "xenconsoled" "dwalsh@redhat.com" "xenconsoled SELinux Policy documentation" +.SH "NAME" +xenconsoled_selinux \- Security Enhanced Linux Policy for the xenconsoled processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the xenconsoled processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -55971,7 +58542,7 @@ index 0000000..94ba970 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56016,17 +58587,17 @@ index 0000000..94ba970 +selinux(8), xenconsoled(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/xend_selinux.8 b/man/man8/xend_selinux.8 new file mode 100644 -index 0000000..ef97b9c +index 0000000..bd5ca3c --- /dev/null +++ b/man/man8/xend_selinux.8 -@@ -0,0 +1,190 @@ +@@ -0,0 +1,172 @@ +.TH "xend_selinux" "8" "xend" "dwalsh@redhat.com" "xend SELinux Policy documentation" +.SH "NAME" +xend_selinux \- Security Enhanced Linux Policy for the xend processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the xend processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. xend policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xend with the tightest access possible. 
@@ -56053,6 +58624,8 @@ index 0000000..ef97b9c +.B setsebool -P xend_run_blktap 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -56066,26 +58639,6 @@ index 0000000..ef97b9c + +.EX +.PP -+.B xen_devpts_t -+.EE -+ -+- Set files with the xen_devpts_t type, if you want to treat the files as xen devpts data. -+ -+ -+.EX -+.PP -+.B xen_image_t -+.EE -+ -+- Set files with the xen_image_t type, if you want to treat the files as xen image data. -+ -+.br -+.TP 5 -+Paths: -+/xen(/.*)?, /var/lib/xen/images(/.*)? -+ -+.EX -+.PP +.B xend_exec_t +.EE + @@ -56137,7 +58690,7 @@ index 0000000..ef97b9c +/var/run/xenner(/.*)?, /var/run/xend(/.*)?, /var/run/xend\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56164,7 +58717,7 @@ index 0000000..ef97b9c + + +Default Defined Ports: -+tcp 8021 ++tcp 8002 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -56213,17 +58766,19 @@ index 0000000..ef97b9c \ No newline at end of file diff --git a/man/man8/xenstored_selinux.8 b/man/man8/xenstored_selinux.8 new file mode 100644 -index 0000000..0cf576a +index 0000000..b799204 --- /dev/null 
+++ b/man/man8/xenstored_selinux.8 -@@ -0,0 +1,107 @@ +@@ -0,0 +1,109 @@ +.TH "xenstored_selinux" "8" "xenstored" "dwalsh@redhat.com" "xenstored SELinux Policy documentation" +.SH "NAME" +xenstored_selinux \- Security Enhanced Linux Policy for the xenstored processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the xenstored processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -56281,7 +58836,7 @@ index 0000000..0cf576a +/var/run/xenstore\.pid, /var/run/xenstored(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56563,29 +59118,37 @@ index 0000000..2478817 +selinux(8), semanage(8). diff --git a/man/man8/xserver_selinux.8 b/man/man8/xserver_selinux.8 new file mode 100644 -index 0000000..868120f +index 0000000..e104d51 --- /dev/null 
+++ b/man/man8/xserver_selinux.8 -@@ -0,0 +1,176 @@ +@@ -0,0 +1,193 @@ +.TH "xserver_selinux" "8" "xserver" "dwalsh@redhat.com" "xserver SELinux Policy documentation" +.SH "NAME" +xserver_selinux \- Security Enhanced Linux Policy for the xserver processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B xserver -+(X Windows Server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the xserver processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. xserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xserver with the tightest access possible. + + +.PP ++If you want to support X userspace object manage, you must turn on the xserver_object_manager boolean. ++ ++.EX ++.B setsebool -P xserver_object_manager 1 ++.EE ++ ++.PP ++If you want to allows XServer to execute writable memor, you must turn on the xserver_execmem boolean. ++ ++.EX ++.B setsebool -P xserver_execmem 1 ++.EE ++ ++.PP +If you want to allow confined virtual guests to interact with the xserve, you must turn on the virt_use_xserver boolean. + +.EX 
@@ -56593,17 +59156,26 @@ index 0000000..868120f +.EE + +.PP -+If you want to support X userspace object manage, you must turn on the xserver_object_manager boolean. ++If you want to allows clients to write to the X server shared memory segments, you must turn on the xserver_clients_write_xshm boolean. + +.EX -+.B setsebool -P xserver_object_manager 1 ++.B setsebool -P xserver_clients_write_xshm 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the xserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + +.PP -+If you want to allows XServer to execute writable memor, you must turn on the allow_xserver_execmem boolean. ++If you want to allow confined applications to run with kerberos for the xserver_t, you must turn on the kerberos_enabled boolean. + +.EX -+.B setsebool -P allow_xserver_execmem 1 ++setsebool -P kerberos_enabled 1 +.EE + +.SH FILE CONTEXTS @@ -56627,7 +59199,7 @@ index 0000000..868120f +.br +.TP 5 +Paths: -+/usr/bin/Xair, /usr/bin/Xephyr, /usr/X11R6/bin/Xwrapper, /usr/X11R6/bin/XFree86, /etc/init\.d/xfree86-common, /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/bin/Xorg, /usr/X11R6/bin/X ++/usr/bin/Xair, /usr/X11R6/bin/Xwrapper, /usr/X11R6/bin/XFree86, /etc/init\.d/xfree86-common, /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/bin/Xephyr, /usr/bin/Xorg, /usr/X11R6/bin/X + +.EX +.PP @@ -56639,7 +59211,7 @@ index 0000000..868120f +.br +.TP 5 +Paths: -+/usr/var/[xgkw]dm(/.*)?, /var/[xgk]dm(/.*)?, /var/log/nvidia-installer\.log.*, /var/log/XFree86.*, /var/log/Xorg.*, /var/log/[kw]dm\.log.* ++/var/log/lightdm(/.*)?, /usr/var/[xgkw]dm(/.*)?, /var/log/nvidia-installer\.log.*, /var/[xgkw]dm(/.*)?, /var/log/XFree86.*, /var/log/Xorg.* + +.EX +.PP 
@@ -56670,7 +59242,7 @@ index 0000000..868120f +/var/run/xorg(/.*)?, /var/run/video.rom + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56697,7 +59269,7 @@ index 0000000..868120f + + +Default Defined Ports: -+tcp 8021 ++tcp 6000-6020 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -56745,10 +59317,10 @@ index 0000000..868120f +, setsebool(8) \ No newline at end of file diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8 -index 5061a5f..22c9968 100644 +index 5061a5f..474160f 100644 --- a/man/man8/ypbind_selinux.8 +++ b/man/man8/ypbind_selinux.8 -@@ -1,19 +1,118 @@ +@@ -1,19 +1,109 @@ -.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation" +.TH "ypbind_selinux" "8" "ypbind" "dwalsh@redhat.com" "ypbind SELinux Policy documentation" .SH "NAME" 
@@ -56758,25 +59330,17 @@ index 5061a5f..22c9968 100644 -Security-Enhanced Linux secures the system via flexible mandatory access -control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network. -+ -+ -+ - .SH BOOLEANS +-.SH BOOLEANS -.TP -You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment. -.TP -setsebool -P allow_ypbind 1 -.TP -system-config-selinux is a GUI tool available to customize SELinux policy settings. -+SELinux policy is customizable based on least access required. ypbind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ypbind with the tightest access possible. ++Security-Enhanced Linux secures the ypbind processes via flexible mandatory access ++control. + -+ -+.PP -+If you want to allow system to run with NI, you must turn on the allow_ypbind boolean. -+ -+.EX -+.B setsebool -P allow_ypbind 1 -+.EE ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -56811,15 +59375,19 @@ index 5061a5f..22c9968 100644 + +.EX +.PP ++.B ypbind_tmp_t ++.EE ++ ++- Set files with the ypbind_tmp_t type, if you want to store ypbind temporary files in the /tmp directories. ++ ++ ++.EX ++.PP +.B ypbind_unit_file_t +.EE + +- Set files with the ypbind_unit_file_t type, if you want to treat the files as ypbind unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/ypbind\.service, /lib/systemd/system/ypbind\.service + +.EX +.PP 
@@ -56830,7 +59398,7 @@ index 5061a5f..22c9968 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56864,9 +59432,6 @@ index 5061a5f..22c9968 100644 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + -+.B semanage boolean -+can also be used to manipulate the booleans -+ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -56878,21 +59443,21 @@ index 5061a5f..22c9968 100644 .SH "SEE ALSO" -selinux(8), ypbind(8), chcon(1), setsebool(8) +selinux(8), ypbind(8), semanage(8), restorecon(8), chcon(1) -+, setsebool(8) -\ No newline at end of file diff --git a/man/man8/yppasswdd_selinux.8 b/man/man8/yppasswdd_selinux.8 new file mode 100644 -index 0000000..4b570b3 +index 0000000..982aeba --- /dev/null +++ b/man/man8/yppasswdd_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,85 @@ +.TH "yppasswdd_selinux" "8" "yppasswdd" "dwalsh@redhat.com" "yppasswdd SELinux Policy documentation" +.SH "NAME" +yppasswdd_selinux \- Security Enhanced Linux Policy for the yppasswdd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the yppasswdd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -56912,6 +59477,10 @@ index 0000000..4b570b3 + +- Set files with the yppasswdd_exec_t type, if you want to transition an executable to the yppasswdd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/rpc\.yppasswdd\.env, /usr/sbin/rpc\.yppasswdd + +.EX +.PP 
@@ -56922,7 +59491,7 @@ index 0000000..4b570b3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56967,17 +59536,19 @@ index 0000000..4b570b3 +selinux(8), yppasswdd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ypserv_selinux.8 b/man/man8/ypserv_selinux.8 new file mode 100644 -index 0000000..b5da81b +index 0000000..3ba6a0a --- /dev/null +++ b/man/man8/ypserv_selinux.8 -@@ -0,0 +1,87 @@ +@@ -0,0 +1,97 @@ +.TH "ypserv_selinux" "8" "ypserv" "dwalsh@redhat.com" "ypserv SELinux Policy documentation" +.SH "NAME" +ypserv_selinux \- Security Enhanced Linux Policy for the ypserv processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ypserv processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -57008,6 +59579,14 @@ index 0000000..b5da81b + +.EX +.PP ++.B ypserv_tmp_t ++.EE ++ ++- Set files with the ypserv_tmp_t type, if you want to store ypserv temporary files in the /tmp directories. ++ ++ ++.EX ++.PP +.B ypserv_var_run_t +.EE + @@ -57015,7 +59594,7 @@ index 0000000..b5da81b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -57060,17 +59639,19 @@ index 0000000..b5da81b +selinux(8), ypserv(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ypxfr_selinux.8 b/man/man8/ypxfr_selinux.8 new file mode 100644 -index 0000000..3e761eb +index 0000000..a6a3716 --- /dev/null +++ b/man/man8/ypxfr_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,85 @@ +.TH "ypxfr_selinux" "8" "ypxfr" "dwalsh@redhat.com" "ypxfr SELinux Policy documentation" +.SH "NAME" +ypxfr_selinux \- Security Enhanced Linux Policy for the ypxfr processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ypxfr processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -57104,7 +59685,7 @@ index 0000000..3e761eb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57149,24 +59730,18 @@ index 0000000..3e761eb +selinux(8), ypxfr(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/zabbix_selinux.8 b/man/man8/zabbix_selinux.8 new file mode 100644 -index 0000000..6f79276 +index 0000000..91db3b2 --- /dev/null 
+++ b/man/man8/zabbix_selinux.8 -@@ -0,0 +1,200 @@ +@@ -0,0 +1,210 @@ +.TH "zabbix_selinux" "8" "zabbix" "dwalsh@redhat.com" "zabbix SELinux Policy documentation" +.SH "NAME" +zabbix_selinux \- Security Enhanced Linux Policy for the zabbix processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B zabbix -+(Distributed infrastructure monitoring) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the zabbix processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. zabbix policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zabbix with the tightest access possible. + @@ -57185,6 +59760,22 @@ index 0000000..6f79276 +.B setsebool -P httpd_can_connect_zabbix 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zabbix_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zabbix_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -57222,7 +59813,7 @@ index 0000000..6f79276 +.br +.TP 5 +Paths: -+/usr/sbin/zabbix_server_sqlite3, /usr/sbin/zabbix_server_mysql, /usr/sbin/zabbix_server_pgsql, /usr/sbin/zabbix_server ++/usr/sbin/zabbix_server_pgsql, /usr/sbin/zabbix_server_sqlite3, /usr/sbin/zabbix_server_mysql, /usr/(s)?bin/zabbix_server + +.EX +.PP 
@@ -57269,7 +59860,7 @@ index 0000000..6f79276 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57296,7 +59887,7 @@ index 0000000..6f79276 + + +Default Defined Ports: -+tcp 8021 ++tcp 10050 +.EE + +.EX @@ -57307,7 +59898,7 @@ index 0000000..6f79276 + + +Default Defined Ports: -+tcp 8021 ++tcp 10051 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -57356,23 +59947,33 @@ index 0000000..6f79276 \ No newline at end of file diff --git a/man/man8/zarafa_selinux.8 b/man/man8/zarafa_selinux.8 new file mode 100644 -index 0000000..928b3c1 +index 0000000..47f7399 --- /dev/null 
+++ b/man/man8/zarafa_selinux.8 -@@ -0,0 +1,319 @@ +@@ -0,0 +1,333 @@ +.TH "zarafa_selinux" "8" "zarafa" "dwalsh@redhat.com" "zarafa SELinux Policy documentation" +.SH "NAME" +zarafa_selinux \- Security Enhanced Linux Policy for the zarafa processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B zarafa -+(Zarafa collaboration platform) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the zarafa processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zarafa_deliver_t, zarafa_spooler_t, zarafa_gateway_t, zarafa_ical_t, zarafa_server_t, zarafa_monitor_t, zarafa_indexer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zarafa_deliver_t, zarafa_spooler_t, zarafa_gateway_t, zarafa_ical_t, zarafa_server_t, zarafa_monitor_t, zarafa_indexer_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -57504,6 +60105,10 @@ index 0000000..928b3c1 + +- Set files with the zarafa_indexer_var_run_t type, if you want to store the zarafa indexer files under the /run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/zarafa-indexer\.pid, /var/run/zarafa-indexer + +.EX +.PP 
@@ -57610,7 +60215,7 @@ index 0000000..928b3c1 +/var/lib/zarafa-webaccess(/.*)?, /var/lib/zarafa(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57637,7 +60242,7 @@ index 0000000..928b3c1 + + +Default Defined Ports: -+tcp 8021 ++tcp 236,237 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -57681,35 +60286,31 @@ index 0000000..928b3c1 +selinux(8), zarafa(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/zebra_selinux.8 b/man/man8/zebra_selinux.8 new file mode 100644 -index 0000000..705cdbc +index 0000000..56e8ffe --- /dev/null 
+++ b/man/man8/zebra_selinux.8 -@@ -0,0 +1,178 @@ +@@ -0,0 +1,176 @@ +.TH "zebra_selinux" "8" "zebra" "dwalsh@redhat.com" "zebra SELinux Policy documentation" +.SH "NAME" +zebra_selinux \- Security Enhanced Linux Policy for the zebra processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B zebra -+(Zebra border gateway protocol network routing service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the zebra processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. zebra policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zebra with the tightest access possible. + + +.PP -+If you want to allow zebra daemon to write it configuration file, you must turn on the allow_zebra_write_config boolean. ++If you want to allow zebra daemon to write it configuration file, you must turn on the zebra_write_config boolean. + +.EX -+.B setsebool -P allow_zebra_write_config 1 ++.B setsebool -P zebra_write_config 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -57755,7 +60356,7 @@ index 0000000..705cdbc +.br +.TP 5 +Paths: -+/etc/rc\.d/init\.d/ripngd, /etc/rc\.d/init\.d/zebra, /etc/rc\.d/init\.d/ripd, /etc/rc\.d/init\.d/bgpd, /etc/rc\.d/init\.d/ospf6d, /etc/rc\.d/init\.d/ospfd ++/etc/rc\.d/init\.d/ripd, /etc/rc\.d/init\.d/ripngd, /etc/rc\.d/init\.d/zebra, /etc/rc\.d/init\.d/bgpd, /etc/rc\.d/init\.d/ospf6d, /etc/rc\.d/init\.d/ospfd + +.EX +.PP 
@@ -57790,7 +60391,7 @@ index 0000000..705cdbc +/var/run/\.zserv, /var/run/\.zebra, /var/run/quagga(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57817,7 +60418,9 @@ index 0000000..705cdbc + + +Default Defined Ports: -+tcp 8021 ++tcp 2600-2604,2606 ++.EE ++udp 2600-2604,2606 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -57866,23 +60469,33 @@ index 0000000..705cdbc \ No newline at end of file diff --git a/man/man8/zoneminder_selinux.8 b/man/man8/zoneminder_selinux.8 new file mode 100644 -index 0000000..4f71f64 +index 0000000..2c64f7b --- /dev/null 
+++ b/man/man8/zoneminder_selinux.8 -@@ -0,0 +1,163 @@ +@@ -0,0 +1,173 @@ +.TH "zoneminder_selinux" "8" "zoneminder" "dwalsh@redhat.com" "zoneminder SELinux Policy documentation" +.SH "NAME" +zoneminder_selinux \- Security Enhanced Linux Policy for the zoneminder processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B zoneminder -+(policy for zoneminder) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the zoneminder processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zoneminder_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zoneminder_t, you must turn on the kerberos_enabled boolean. ++ ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. @@ -57895,7 +60508,7 @@ index 0000000..4f71f64 +.B restorecon -F -R -v /var/zoneminder +.pp +.TP -+Allow zoneminder servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_zoneminder_anon_write boolean to be set. ++Allow zoneminder servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_zoneminderd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/zoneminder/incoming(/.*)?" 
@@ -57955,7 +60568,7 @@ index 0000000..4f71f64 +.br +.TP 5 +Paths: -+/var/log/motion\.log, /var/log/zoneminder(/.*)? ++/var/log/zoneminder(/.*)?, /var/log/motion\.log + +.EX +.PP @@ -57990,7 +60603,7 @@ index 0000000..4f71f64 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -58035,23 +60648,33 @@ index 0000000..4f71f64 +selinux(8), zoneminder(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/zos_selinux.8 b/man/man8/zos_selinux.8 new file mode 100644 -index 0000000..b9eb5b9 +index 0000000..a244707 --- /dev/null +++ b/man/man8/zos_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,91 @@ +.TH "zos_selinux" "8" "zos" "dwalsh@redhat.com" "zos SELinux Policy documentation" +.SH "NAME" +zos_selinux \- Security Enhanced Linux Policy for the zos processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B zos -+(policy for z/OS Remote-services Audit dispatcher plugin) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the zos processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the zos_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zos_remote_t, you must turn on the kerberos_enabled boolean. + ++.EX ++setsebool -P kerberos_enabled 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -58077,7 +60700,7 @@ index 0000000..b9eb5b9 +/sbin/audispd-zos-remote, /usr/sbin/audispd-zos-remote + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -58341,7 +60964,7 @@ index 4705ab6..8ba19a0 100644 gen_tunable(user_tcp_server,false) + diff --git a/policy/mcs b/policy/mcs -index f477c7f..d80599b 100644 +index f477c7f..4acbe5d 100644 --- a/policy/mcs +++ b/policy/mcs @@ -1,4 +1,6 @@ @@ -58419,7 +61042,7 @@ index f477c7f..d80599b 100644 ( h1 dom h2 ); +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind -+ (( h1 dom h2 ) or ( t1 == mcsnetwrite )); ++ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); + +# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation +# because the subject in this particular case is the remote domain which is @@ -66611,7 +69234,7 @@ index cda5588..91d1e25 100644 +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/usr/lib/udev/devices/shm/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 7c6b791..242bce2 100644 +index 7c6b791..1be0007 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` 
@@ -67108,11 +69731,21 @@ index 7c6b791..242bce2 100644 ######################################## ## ## Mount a FUSE filesystem. -@@ -2006,21 +2368,83 @@ interface(`fs_dontaudit_manage_fusefs_files',` - - ######################################## - ## --## Read symbolic links on a FUSEFS filesystem. +@@ -1996,17 +2358,99 @@ interface(`fs_manage_fusefs_files',` + ## + ## + # +-interface(`fs_dontaudit_manage_fusefs_files',` ++interface(`fs_dontaudit_manage_fusefs_files',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ dontaudit $1 fusefs_t:file manage_file_perms; ++') ++ ++######################################## ++## +## Read symbolic links on a FUSEFS filesystem. +## +## @@ -67152,7 +69785,7 @@ index 7c6b791..242bce2 100644 +## +## Execute a file on a FUSE filesystem +## in the specified domain. - ## ++## +## +##

+## Execute a file on a FUSE filesystem @@ -67172,56 +69805,116 @@ index 7c6b791..242bce2 100644 +## in particular used by the ssh-agent policy. +##

+##
- ## - ## --## Domain allowed access. ++## ++## +## Domain allowed to transition. +## +## +## +## +## The type of the new process. ++## ++## ++# ++interface(`fs_fusefs_domtrans',` + gen_require(` + type fusefs_t; + ') + +- dontaudit $1 fusefs_t:file manage_file_perms; ++ allow $1 fusefs_t:dir search_dir_perms; ++ domain_auto_transition_pattern($1, fusefs_t, $2) + ') + + ######################################## + ## +-## Read symbolic links on a FUSEFS filesystem. ++## Get the attributes of an hugetlbfs ++## filesystem. + ## + ## + ## +@@ -2014,19 +2458,17 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # -interface(`fs_read_fusefs_symlinks',` -+interface(`fs_fusefs_domtrans',` ++interface(`fs_getattr_hugetlbfs',` gen_require(` - type fusefs_t; +- type fusefs_t; ++ type hugetlbfs_t; ') - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 fusefs_t:dir search_dir_perms; -+ domain_auto_transition_pattern($1, fusefs_t, $2) ++ allow $1 hugetlbfs_t:filesystem getattr; + ') + + ######################################## + ## +-## Get the attributes of an hugetlbfs +-## filesystem. ++## List hugetlbfs. + ## + ## + ## +@@ -2034,17 +2476,17 @@ interface(`fs_read_fusefs_symlinks',` + ## + ## + # +-interface(`fs_getattr_hugetlbfs',` ++interface(`fs_list_hugetlbfs',` + gen_require(` + type hugetlbfs_t; + ') + +- allow $1 hugetlbfs_t:filesystem getattr; ++ allow $1 hugetlbfs_t:dir list_dir_perms; ') ######################################## -@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',` + ## +-## List hugetlbfs. ++## Manage hugetlbfs dirs. 
+ ## + ## + ## +@@ -2052,17 +2494,17 @@ interface(`fs_getattr_hugetlbfs',` + ## + ## + # +-interface(`fs_list_hugetlbfs',` ++interface(`fs_manage_hugetlbfs_dirs',` + gen_require(` + type hugetlbfs_t; + ') + +- allow $1 hugetlbfs_t:dir list_dir_perms; ++ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) + ') ######################################## ## +-## Manage hugetlbfs dirs. +## Read hugetlbfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_read_hugetlbfs_files',` -+ gen_require(` -+ type hugetlbfs_t; -+ ') -+ -+ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -+') -+ -+######################################## -+## - ## Read and write hugetlbfs files. ## ## + ## +@@ -2070,12 +2512,12 @@ interface(`fs_list_hugetlbfs',` + ## + ## + # +-interface(`fs_manage_hugetlbfs_dirs',` ++interface(`fs_read_hugetlbfs_files',` + gen_require(` + type hugetlbfs_t; + ') + +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t) + ') + + ######################################## @@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',` ') @@ -67621,10 +70314,29 @@ index 7c6b791..242bce2 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4242,6 +4889,24 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4242,6 +4889,43 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## ++## Relabel sock nodes on tmpfs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_relabel_tmpfs_sock_file',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ allow $1 tmpfs_t:dir list_dir_perms; ++ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t) ++') ++ ++######################################## ++## +## Delete generic files in tmpfs directory. +## +## 
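Review bot: `fs_fusefs_domtrans` makes every file on a FUSE mount a potential entrypoint for domain `$2`: `domain_auto_transition_pattern($1, fusefs_t, $2)` as defined in refpolicy grants `$2` the entrypoint permission on `fusefs_t`, and FUSE content is supplied by whatever userspace process backs the mount rather than by the labeled system image. The interface description should make that trust boundary explicit so callers do not use it for privileged target domains, e.g. `## Note that fusefs_t content is not trusted labeled content; any file on any FUSE mount can start a $2 process.` Naming the motivating caller in the description (the summary mentions ssh-agent) would also help reviewers judge later reuse. The rest of this hunk re-aligns the existing hugetlbfs interfaces after the insertion and shows no other semantic change from here.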
@@ -67646,7 +70358,7 @@ index 7c6b791..242bce2 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4261,6 +4926,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4261,6 +4945,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -67672,7 +70384,7 @@ index 7c6b791..242bce2 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4467,6 +5151,8 @@ interface(`fs_mount_all_fs',` +@@ -4467,6 +5170,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -67681,7 +70393,7 @@ index 7c6b791..242bce2 100644 ') ######################################## -@@ -4513,7 +5199,7 @@ interface(`fs_unmount_all_fs',` +@@ -4513,7 +5218,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -67690,7 +70402,7 @@ index 7c6b791..242bce2 100644 ## Example attributes: ##

##
    -@@ -4876,3 +5562,24 @@ interface(`fs_unconfined',` +@@ -4876,3 +5581,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -67799,9 +70511,18 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 4bf45cb..90627a9 100644 +index 4bf45cb..712189d 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if +@@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',` + type kernel_t; + ') + +- allow $1 kernel_t:unix_dgram_socket { read write ioctl }; ++ allow $1 kernel_t:unix_dgram_socket { getattr read write ioctl }; + ') + + ######################################## @@ -785,6 +785,24 @@ interface(`kernel_unmount_proc',` ######################################## @@ -68014,7 +70735,7 @@ index 4bf45cb..90627a9 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2956,5 +3092,43 @@ interface(`kernel_unconfined',` +@@ -2956,5 +3092,60 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -68057,8 +70778,25 @@ index 4bf45cb..90627a9 100644 + ') + + typeattribute $1 proc_type; - ') ++') + ++######################################## ++## ++## Do not audit attempts by caller to get attributes on all sysctls. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_getattr_all_sysctls',` ++ gen_require(` ++ attribute sysctl_type; ++ ') ++ ++ dontaudit $1 sysctl_type:file getattr; + ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index b285b90..3e933a1 100644 --- a/policy/modules/kernel/kernel.te @@ -72907,7 +75645,7 @@ index fe0c682..93ec53f 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index b17e27a..89d7bf8 100644 +index b17e27a..47602cb 100644 --- a/policy/modules/services/ssh.te 
+++ b/policy/modules/services/ssh.te @@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0) @@ -73150,7 +75888,7 @@ index b17e27a..89d7bf8 100644 ################################# # # sshd local policy -@@ -227,33 +247,46 @@ optional_policy(` +@@ -227,33 +247,48 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -73174,6 +75912,8 @@ index b17e27a..89d7bf8 100644 corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) ++auth_exec_login_program(sshd_t) ++ +userdom_read_user_home_content_files(sshd_t) +userdom_read_user_home_content_symlinks(sshd_t) +userdom_manage_tmp_role(system_r, sshd_t) @@ -73206,7 +75946,7 @@ index b17e27a..89d7bf8 100644 ') optional_policy(` -@@ -261,11 +294,24 @@ optional_policy(` +@@ -261,11 +296,24 @@ optional_policy(` ') optional_policy(` @@ -73232,7 +75972,7 @@ index b17e27a..89d7bf8 100644 ') optional_policy(` -@@ -283,6 +329,15 @@ optional_policy(` +@@ -283,6 +331,15 @@ optional_policy(` ') optional_policy(` @@ -73248,7 +75988,7 @@ index b17e27a..89d7bf8 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -290,6 +345,29 @@ optional_policy(` +@@ -290,6 +347,29 @@ optional_policy(` xserver_domtrans_xauth(sshd_t) ') @@ -73278,7 +76018,7 @@ index b17e27a..89d7bf8 100644 ######################################## # # ssh_keygen local policy -@@ -298,19 +376,26 @@ optional_policy(` +@@ -298,19 +378,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -73306,7 +76046,7 @@ index b17e27a..89d7bf8 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -327,9 +412,11 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -327,9 +414,11 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) 
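Review bot: `auth_exec_login_program(sshd_t)` lets sshd run the login program inside `sshd_t` instead of through the usual domain transition; as this same patch defines the interface as `corecmd_search_bin($1)` plus `can_exec($1, login_exec_t)`, login's PAM and session setup then executes with sshd's own permissions and any resulting AVC denials are attributed to sshd_t rather than a login domain. A why-comment on the new line would spare future readers the lookup, e.g. `# sshd execs /bin/login in its own domain (no transition); see auth_exec_login_program`, extended with the scenario that needs it. The rule is added inside the sshd local policy section, whose start lies outside this hunk.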
@@ -73320,7 +76060,7 @@ index b17e27a..89d7bf8 100644 ') optional_policy(` -@@ -339,3 +426,83 @@ optional_policy(` +@@ -339,3 +428,83 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -73550,7 +76290,7 @@ index fc86b7c..3347d48 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..173eaf5 100644 +index 130ced9..1b31c76 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -74328,7 +77068,7 @@ index 130ced9..173eaf5 100644 ') ######################################## -@@ -1243,10 +1558,533 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1558,534 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -74832,6 +77572,7 @@ index 130ced9..173eaf5 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d") + userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") ++ gnome_cache_filetrans($1, xdm_home_t, dir, "xdm") +') + +######################################## @@ -76228,7 +78969,7 @@ index 28ad538..47fdb65 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 6ce867a..ee79c5a 100644 +index 6ce867a..25def3e 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` 
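Review bot: `gnome_cache_filetrans($1, xdm_home_t, dir, "xdm")` is a direct call from an xserver interface into the gnome module, so if gnome can be left out of the build the xserver module will fail to expand this interface. If that is possible in this policy, wrap the call as `optional_policy(` gnome_cache_filetrans($1, xdm_home_t, dir, "xdm") `)`, matching how other cross-module calls are guarded. The header of the enclosing xserver interface is outside the hunk, so which interface gains this filetrans cannot be seen here.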
@@ -76449,7 +79190,33 @@ index 6ce867a..ee79c5a 100644 ## Use the login program as an entry point program. ## ## -@@ -395,13 +518,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -231,6 +354,25 @@ interface(`auth_domtrans_login_program',` + + ######################################## + ## ++## Execute a login_program in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`auth_exec_login_program',` ++ gen_require(` ++ type login_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, login_exec_t) ++') ++ ++######################################## ++## + ## Execute a login_program in the target domain, + ## with a range transition. + ## +@@ -395,13 +537,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -76466,7 +79233,7 @@ index 6ce867a..ee79c5a 100644 ') ######################################## -@@ -448,6 +573,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +592,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -76492,7 +79259,7 @@ index 6ce867a..ee79c5a 100644 ') ######################################## -@@ -467,7 +611,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +630,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -76500,7 +79267,7 @@ index 6ce867a..ee79c5a 100644 ') ######################################## -@@ -664,6 +807,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +826,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -76511,7 +79278,7 @@ index 6ce867a..ee79c5a 100644 ') ####################################### -@@ -763,7 +910,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +929,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) 
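Review bot: The parameter summary of the new `auth_exec_login_program` interface reads "Domain allowed to transition.", but the body is `can_exec($1, login_exec_t)`, which executes the login program in the caller's own domain with no transition; the text looks copied from the neighbouring `auth_domtrans_login_program`. Change it to `## Domain allowed access.` and make the summary explicit, e.g. "Execute a login_program in the caller domain, with no domain transition.", so callers do not mistake it for the domtrans variant.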
@@ -76563,7 +79330,7 @@ index 6ce867a..ee79c5a 100644 ') ####################################### -@@ -959,9 +1149,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1168,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -76597,7 +79364,7 @@ index 6ce867a..ee79c5a 100644 ') ######################################## -@@ -1040,6 +1251,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1270,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -76608,7 +79375,7 @@ index 6ce867a..ee79c5a 100644 ') ######################################## -@@ -1157,6 +1372,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1157,6 +1391,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -76616,7 +79383,7 @@ index 6ce867a..ee79c5a 100644 ') ####################################### -@@ -1526,6 +1742,25 @@ interface(`auth_setattr_login_records',` +@@ -1526,6 +1761,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -76642,7 +79409,7 @@ index 6ce867a..ee79c5a 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1676,37 +1911,49 @@ interface(`auth_manage_login_records',` +@@ -1676,37 +1930,49 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -76702,7 +79469,7 @@ index 6ce867a..ee79c5a 100644 ##

    ## ## -@@ -1714,87 +1961,206 @@ interface(`auth_relabel_login_records',` +@@ -1714,87 +1980,206 @@ interface(`auth_relabel_login_records',` ## Domain allowed access. ## ## @@ -78715,7 +81482,7 @@ index d26fe81..3f3a57f 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 5fb9683..a2c2556 100644 +index 5fb9683..d2c89ca 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -78804,7 +81571,7 @@ index 5fb9683..a2c2556 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -104,12 +144,25 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -104,12 +144,26 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) @@ -78828,6 +81595,7 @@ index 5fb9683..a2c2556 100644 +manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t) +files_pid_filetrans(init_t, init_var_run_t, { dir file }) +allow init_t init_var_run_t:dir mounton; ++allow init_t init_var_run_t:sock_file relabelto; + +allow init_t machineid_t:file manage_file_perms; +files_pid_filetrans(init_t, machineid_t, file, "machine-id") @@ -78836,7 +81604,7 @@ index 5fb9683..a2c2556 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -119,28 +172,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -119,28 +173,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -78876,7 +81644,7 @@ index 5fb9683..a2c2556 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -149,6 +212,8 @@ fs_list_inotifyfs(init_t) +@@ -149,6 +213,8 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) 
@@ -78885,7 +81653,7 @@ index 5fb9683..a2c2556 100644 mcs_process_set_categories(init_t) mcs_killall(init_t) -@@ -156,22 +221,40 @@ mls_file_read_all_levels(init_t) +@@ -156,22 +222,41 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -78913,6 +81681,7 @@ index 5fb9683..a2c2556 100644 logging_send_syslog_msg(init_t) +logging_send_audit_msgs(init_t) logging_rw_generic_logs(init_t) ++logging_relabel_devlog_dev(init_t) seutil_read_config(init_t) +seutil_read_module_store(init_t) @@ -78927,7 +81696,7 @@ index 5fb9683..a2c2556 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -180,12 +263,14 @@ ifdef(`distro_gentoo',` +@@ -180,12 +265,14 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -78943,7 +81712,7 @@ index 5fb9683..a2c2556 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -193,16 +278,146 @@ tunable_policy(`init_upstart',` +@@ -193,16 +280,148 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -79026,6 +81795,8 @@ index 5fb9683..a2c2556 100644 + fs_unmount_all_fs(init_t) + fs_remount_all_fs(init_t) + fs_list_auto_mountpoints(init_t) ++ fs_relabel_tmpfs_sock_file(init_t) ++ fs_rw_tmpfs_files(init_t) + fs_relabel_cgroup_dirs(init_t) + fs_search_cgroup_dirs(daemon) + @@ -79092,13 +81863,14 @@ index 5fb9683..a2c2556 100644 ') optional_policy(` -@@ -210,6 +425,17 @@ optional_policy(` +@@ -210,6 +429,18 @@ optional_policy(` ') optional_policy(` + udev_read_db(init_t) + udev_relabelto_db(init_t) + udev_create_kobject_uevent_socket(init_t) ++ udev_relabel_pid_sockfile(init_t) +') + +optional_policy(` @@ -79110,7 +81882,7 @@ index 5fb9683..a2c2556 100644 unconfined_domain(init_t) ') -@@ -219,8 +445,8 @@ optional_policy(` +@@ -219,8 +450,8 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
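Review bot: `fs_relabel_tmpfs_sock_file(init_t)` is called here, and `udev_relabel_pid_sockfile(init_t)` in the hunk at @@ -79092, but no hunk in view adds either interface to filesystem.if or udev.if, unlike `logging_relabel_devlog_dev`, which this patch does define; if they are not introduced elsewhere in the patch the init module will not build. `fs_rw_tmpfs_files(init_t)` is also considerably broader than the sock_file relabel it sits beside, so a short comment naming the access that prompted it would keep the grant from being read as permanent. The enclosing block these lines belong to starts outside the hunk.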
@@ -79121,7 +81893,7 @@ index 5fb9683..a2c2556 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -248,12 +474,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -248,12 +479,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -79137,7 +81909,7 @@ index 5fb9683..a2c2556 100644 init_write_initctl(initrc_t) -@@ -265,20 +494,35 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -265,20 +499,35 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -79177,7 +81949,7 @@ index 5fb9683..a2c2556 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -286,6 +530,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -286,6 +535,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -79185,7 +81957,7 @@ index 5fb9683..a2c2556 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -296,8 +541,10 @@ dev_write_framebuffer(initrc_t) +@@ -296,8 +546,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -79196,7 +81968,7 @@ index 5fb9683..a2c2556 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -305,17 +552,16 @@ dev_manage_generic_files(initrc_t) +@@ -305,17 +557,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -79216,7 +81988,7 @@ index 5fb9683..a2c2556 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -323,6 +569,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -323,6 +574,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -79224,7 +81996,7 @@ index 5fb9683..a2c2556 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -330,8 +577,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -330,8 +582,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -79236,7 +82008,7 @@ index 5fb9683..a2c2556 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -347,8 +596,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -347,8 +601,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -79250,7 +82022,7 @@ index 5fb9683..a2c2556 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -358,9 +611,12 @@ fs_mount_all_fs(initrc_t) +@@ -358,9 +616,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -79264,7 +82036,7 @@ index 5fb9683..a2c2556 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -370,6 +626,7 @@ mls_process_read_up(initrc_t) +@@ -370,6 +631,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -79272,7 +82044,7 @@ index 5fb9683..a2c2556 100644 selinux_get_enforce_mode(initrc_t) -@@ -381,6 +638,7 @@ term_use_all_terms(initrc_t) +@@ -381,6 +643,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -79280,7 +82052,7 @@ index 5fb9683..a2c2556 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -401,18 +659,17 @@ logging_read_audit_config(initrc_t) +@@ -401,18 +664,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -79302,7 +82074,7 @@ index 5fb9683..a2c2556 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -465,6 +722,10 @@ ifdef(`distro_gentoo',` +@@ -465,6 +727,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -79313,7 +82085,7 @@ index 5fb9683..a2c2556 100644 alsa_read_lib(initrc_t) ') -@@ -485,7 +746,7 @@ ifdef(`distro_redhat',` +@@ -485,7 +751,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -79322,7 +82094,7 @@ index 5fb9683..a2c2556 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -500,6 +761,7 @@ ifdef(`distro_redhat',` +@@ -500,6 +766,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -79330,7 +82102,7 @@ index 5fb9683..a2c2556 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -520,6 +782,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +787,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) 
@@ -79338,7 +82110,7 @@ index 5fb9683..a2c2556 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -529,8 +792,35 @@ ifdef(`distro_redhat',` +@@ -529,8 +797,35 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -79374,7 +82146,7 @@ index 5fb9683..a2c2556 100644 ') optional_policy(` -@@ -538,14 +828,27 @@ ifdef(`distro_redhat',` +@@ -538,14 +833,27 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -79402,7 +82174,7 @@ index 5fb9683..a2c2556 100644 ') ') -@@ -556,6 +859,39 @@ ifdef(`distro_suse',` +@@ -556,6 +864,39 @@ ifdef(`distro_suse',` ') ') @@ -79442,7 +82214,7 @@ index 5fb9683..a2c2556 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -568,6 +904,8 @@ optional_policy(` +@@ -568,6 +909,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -79451,7 +82223,7 @@ index 5fb9683..a2c2556 100644 ') optional_policy(` -@@ -589,6 +927,7 @@ optional_policy(` +@@ -589,6 +932,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -79459,7 +82231,7 @@ index 5fb9683..a2c2556 100644 ') optional_policy(` -@@ -601,6 +940,17 @@ optional_policy(` +@@ -601,6 +945,17 @@ optional_policy(` ') optional_policy(` @@ -79477,7 +82249,7 @@ index 5fb9683..a2c2556 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -617,9 +967,13 @@ optional_policy(` +@@ -617,9 +972,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -79491,7 +82263,7 @@ index 5fb9683..a2c2556 100644 ') optional_policy(` -@@ -644,6 +998,10 @@ optional_policy(` +@@ -644,6 +1003,10 @@ optional_policy(` ') optional_policy(` @@ -79502,7 +82274,7 @@ index 5fb9683..a2c2556 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -661,6 +1019,15 @@ optional_policy(` +@@ -661,6 +1024,15 @@ optional_policy(` ') optional_policy(` 
@@ -79518,7 +82290,7 @@ index 5fb9683..a2c2556 100644 inn_exec_config(initrc_t) ') -@@ -701,6 +1068,7 @@ optional_policy(` +@@ -701,6 +1073,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -79526,7 +82298,7 @@ index 5fb9683..a2c2556 100644 ') optional_policy(` -@@ -718,7 +1086,13 @@ optional_policy(` +@@ -718,7 +1091,13 @@ optional_policy(` ') optional_policy(` @@ -79540,7 +82312,7 @@ index 5fb9683..a2c2556 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -741,6 +1115,10 @@ optional_policy(` +@@ -741,6 +1120,10 @@ optional_policy(` ') optional_policy(` @@ -79551,7 +82323,7 @@ index 5fb9683..a2c2556 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -750,10 +1128,20 @@ optional_policy(` +@@ -750,10 +1133,20 @@ optional_policy(` ') optional_policy(` @@ -79572,7 +82344,7 @@ index 5fb9683..a2c2556 100644 quota_manage_flags(initrc_t) ') -@@ -762,6 +1150,10 @@ optional_policy(` +@@ -762,6 +1155,10 @@ optional_policy(` ') optional_policy(` @@ -79583,7 +82355,7 @@ index 5fb9683..a2c2556 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -783,8 +1175,6 @@ optional_policy(` +@@ -783,8 +1180,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -79592,7 +82364,7 @@ index 5fb9683..a2c2556 100644 ') optional_policy(` -@@ -793,6 +1183,10 @@ optional_policy(` +@@ -793,6 +1188,10 @@ optional_policy(` ') optional_policy(` @@ -79603,7 +82375,7 @@ index 5fb9683..a2c2556 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -802,10 +1196,12 @@ optional_policy(` +@@ -802,10 +1201,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -79616,7 +82388,7 @@ index 5fb9683..a2c2556 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -817,7 +1213,6 @@ optional_policy(` +@@ -817,7 +1218,6 @@ optional_policy(` ') optional_policy(` 
@@ -79624,7 +82396,7 @@ index 5fb9683..a2c2556 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -827,12 +1222,30 @@ optional_policy(` +@@ -827,12 +1227,30 @@ optional_policy(` ') optional_policy(` @@ -79657,7 +82429,7 @@ index 5fb9683..a2c2556 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -842,6 +1255,18 @@ optional_policy(` +@@ -842,6 +1260,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -79676,7 +82448,7 @@ index 5fb9683..a2c2556 100644 ') optional_policy(` -@@ -857,6 +1282,10 @@ optional_policy(` +@@ -857,6 +1287,10 @@ optional_policy(` ') optional_policy(` @@ -79687,7 +82459,7 @@ index 5fb9683..a2c2556 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -867,3 +1296,165 @@ optional_policy(` +@@ -867,3 +1301,165 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -81134,7 +83906,7 @@ index 02f4c97..54c74fe 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 321bb13..e9c2da9 100644 +index 321bb13..9de21c2 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -81219,7 +83991,7 @@ index 321bb13..e9c2da9 100644 ######################################## ## ## Send system log messages. -@@ -546,6 +603,48 @@ interface(`logging_send_syslog_msg',` +@@ -546,6 +603,66 @@ interface(`logging_send_syslog_msg',` # will write to the console. term_write_console($1) term_dontaudit_read_console($1) 
@@ -81250,6 +84022,24 @@ index 321bb13..e9c2da9 100644 + +######################################## +## ++## Relabel the devlog sock_file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_relabel_devlog_dev',` ++ gen_require(` ++ type devlog_t; ++ ') ++ ++ allow $1 devlog_t:sock_file relabel_sock_file_perms; ++') ++ ++######################################## ++## +## Connect to the syslog control unix stream socket. +## +## @@ -81268,7 +84058,7 @@ index 321bb13..e9c2da9 100644 ') ######################################## -@@ -739,7 +838,25 @@ interface(`logging_append_all_logs',` +@@ -739,7 +856,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -81295,7 +84085,7 @@ index 321bb13..e9c2da9 100644 ') ######################################## -@@ -822,7 +939,7 @@ interface(`logging_manage_all_logs',` +@@ -822,7 +957,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -81304,7 +84094,7 @@ index 321bb13..e9c2da9 100644 ') ######################################## -@@ -848,6 +965,44 @@ interface(`logging_read_generic_logs',` +@@ -848,6 +983,44 @@ interface(`logging_read_generic_logs',` ######################################## ## @@ -81349,7 +84139,7 @@ index 321bb13..e9c2da9 100644 ## Write generic log files. ## ## -@@ -947,11 +1102,16 @@ interface(`logging_admin_audit',` +@@ -947,11 +1120,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -81367,7 +84157,7 @@ index 321bb13..e9c2da9 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -967,6 +1127,33 @@ interface(`logging_admin_audit',` +@@ -967,6 +1145,33 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; 
@@ -81401,7 +84191,7 @@ index 321bb13..e9c2da9 100644 ') ######################################## -@@ -995,10 +1182,15 @@ interface(`logging_admin_syslog',` +@@ -995,10 +1200,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -81419,7 +84209,7 @@ index 321bb13..e9c2da9 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1020,6 +1212,8 @@ interface(`logging_admin_syslog',` +@@ -1020,6 +1230,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -81428,7 +84218,7 @@ index 321bb13..e9c2da9 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1048,3 +1242,25 @@ interface(`logging_admin',` +@@ -1048,3 +1260,25 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -81455,7 +84245,7 @@ index 321bb13..e9c2da9 100644 + files_spool_filetrans($1, audit_spool_t, dir, "audit") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 92555db..b9e5467 100644 +index 92555db..0b2acb1 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -5,6 +5,20 @@ policy_module(logging, 1.18.2) 
@@ -81642,7 +84432,18 @@ index 92555db..b9e5467 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -427,10 +479,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -401,6 +453,10 @@ kernel_read_messages(syslogd_t) + kernel_clear_ring_buffer(syslogd_t) + kernel_change_ring_buffer_level(syslogd_t) + ++ifdef(`hide_broken_symptoms',` ++ kernel_rw_unix_dgram_sockets(syslogd_t) ++') ++ + corenet_all_recvfrom_unlabeled(syslogd_t) + corenet_all_recvfrom_netlabel(syslogd_t) + corenet_udp_sendrecv_generic_if(syslogd_t) +@@ -427,10 +483,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -81670,7 +84471,7 @@ index 92555db..b9e5467 100644 files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) -@@ -448,7 +517,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and +@@ -448,7 +521,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) @@ -81680,7 +84481,7 @@ index 92555db..b9e5467 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -460,6 +531,7 @@ init_use_fds(syslogd_t) +@@ -460,6 +535,7 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -81688,7 +84489,7 @@ index 92555db..b9e5467 100644 miscfiles_read_localization(syslogd_t) -@@ -493,15 +565,29 @@ optional_policy(` +@@ -493,15 +569,29 @@ optional_policy(` ') optional_policy(` @@ -83426,7 +86227,7 @@ index d43f3b1..5858c5f 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) 
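Review bot: `kernel_rw_unix_dgram_sockets(syslogd_t)` under `hide_broken_symptoms` grants syslogd read, write, ioctl and (after the kernel.if hunk in this patch) getattr on kernel_t datagram sockets to cover a descriptor leaked to it by the system journal, per the commit message, but nothing in the hunk records that, so the rule will outlive the leak. Add a why-comment above the call, e.g. `# covers a kernel_t unix_dgram_socket leaked to syslogd by the journal; drop once the leak is fixed`, and consider a dontaudit rule instead of an allow if syslogd never actually needs to use that descriptor. Note also that widening `kernel_rw_unix_dgram_sockets` with `getattr` extends the permission to every existing caller of that interface, not only syslogd_t.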
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..a783cb1 100644 +index 3822072..cac0b1e 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',` @@ -83717,7 +86518,7 @@ index 3822072..a783cb1 100644 ') ######################################## -@@ -1137,3 +1332,107 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1332,58 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') 
@@ -83736,68 +86537,19 @@ index 3822072..a783cb1 100644 + gen_require(` + type semanage_tmp_t; + type policy_config_t; ++ attribute policy_manager_domain; + ') -+ allow $1 self:capability { dac_override sys_resource }; -+ dontaudit $1 self:capability sys_tty_config; -+ allow $1 self:process signal; -+ allow $1 self:unix_stream_socket create_stream_socket_perms; -+ allow $1 self:unix_dgram_socket create_socket_perms; -+ logging_send_audit_msgs($1) ++ typeattribute $1 policy_manager_domain; + + # Running genhomedircon requires this for finding all users + auth_use_nsswitch($1) + -+ allow $1 policy_config_t:file { read write }; -+ -+ allow $1 semanage_tmp_t:dir manage_dir_perms; -+ allow $1 semanage_tmp_t:file manage_file_perms; -+ files_tmp_filetrans($1, semanage_tmp_t, { file dir }) -+ -+ kernel_read_system_state($1) -+ kernel_read_kernel_sysctls($1) -+ -+ corecmd_exec_bin($1) -+ corecmd_exec_shell($1) -+ -+ dev_read_urand($1) -+ -+ domain_use_interactive_fds($1) -+ -+ files_read_etc_files($1) -+ files_read_etc_runtime_files($1) -+ files_read_usr_files($1) -+ files_list_pids($1) -+ fs_list_inotifyfs($1) -+ fs_getattr_all_fs($1) -+ + mls_file_write_all_levels($1) + mls_file_read_all_levels($1) + -+ selinux_getattr_fs($1) -+ selinux_validate_context($1) -+ selinux_get_enforce_mode($1) -+ -+ term_use_all_inherited_terms($1) -+ -+ locallogin_use_fds($1) -+ -+ logging_send_syslog_msg($1) -+ -+ miscfiles_read_localization($1) -+ -+ seutil_search_default_contexts($1) -+ seutil_domtrans_loadpolicy($1) -+ seutil_read_config($1) + seutil_manage_bin_policy($1) -+ seutil_use_newrole_fds($1) -+ seutil_manage_module_store($1) -+ seutil_get_semanage_trans_lock($1) -+ seutil_get_semanage_read_lock($1) -+ -+ userdom_dontaudit_write_user_home_content_files($1) +') + -+ +####################################### +## +## All rules necessary to run setfiles command @@ -83826,15 +86578,16 @@ index 3822072..a783cb1 100644 + auth_relabelto_shadow($1) +') 
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc0c03b..03121df 100644 +index dc0c03b..0472c89 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te -@@ -11,14 +11,16 @@ gen_require(` +@@ -11,14 +11,17 @@ gen_require(` attribute can_write_binary_policy; attribute can_relabelto_binary_policy; +attribute setfiles_domain; +attribute seutil_semanage_domain; ++attribute policy_manager_domain; -attribute_role newrole_roles; +#attribute_role newrole_roles; @@ -83851,7 +86604,7 @@ index dc0c03b..03121df 100644 # # selinux_config_t is the type applied to -@@ -30,6 +32,9 @@ roleattribute system_r semanage_roles; +@@ -30,6 +33,9 @@ roleattribute system_r semanage_roles; type selinux_config_t; files_type(selinux_config_t) @@ -83861,7 +86614,7 @@ index dc0c03b..03121df 100644 type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; application_domain(checkpolicy_t, checkpolicy_exec_t) -@@ -60,14 +65,20 @@ application_domain(newrole_t, newrole_exec_t) +@@ -60,14 +66,20 @@ application_domain(newrole_t, newrole_exec_t) domain_role_change_exemption(newrole_t) domain_obj_id_change_exemption(newrole_t) domain_interactive_fd(newrole_t) @@ -83885,7 +86638,7 @@ index dc0c03b..03121df 100644 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append }; -@@ -83,7 +94,6 @@ type restorecond_t; +@@ -83,7 +95,6 @@ type restorecond_t; type restorecond_exec_t; init_daemon_domain(restorecond_t, restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) @@ -83893,7 +86646,7 @@ index dc0c03b..03121df 100644 type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) -@@ -92,25 +102,33 @@ type run_init_t; +@@ -92,25 +103,33 @@ type run_init_t; type run_init_exec_t; application_domain(run_init_t, run_init_exec_t) domain_system_change_exemption(run_init_t) 
@@ -83932,7 +86685,7 @@ index dc0c03b..03121df 100644 type semanage_var_lib_t; files_type(semanage_var_lib_t) -@@ -120,6 +138,11 @@ type setfiles_exec_t alias restorecon_exec_t; +@@ -120,6 +139,11 @@ type setfiles_exec_t alias restorecon_exec_t; init_system_domain(setfiles_t, setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) @@ -83944,7 +86697,7 @@ index dc0c03b..03121df 100644 ######################################## # # Checkpolicy local policy -@@ -151,7 +174,7 @@ term_use_console(checkpolicy_t) +@@ -151,7 +175,7 @@ term_use_console(checkpolicy_t) init_use_fds(checkpolicy_t) init_use_script_ptys(checkpolicy_t) @@ -83953,7 +86706,7 @@ index dc0c03b..03121df 100644 userdom_use_all_users_fds(checkpolicy_t) ifdef(`distro_ubuntu',` -@@ -188,13 +211,15 @@ term_list_ptys(load_policy_t) +@@ -188,13 +212,15 @@ term_list_ptys(load_policy_t) init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) @@ -83970,7 +86723,7 @@ index dc0c03b..03121df 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -220,7 +245,7 @@ optional_policy(` +@@ -220,7 +246,7 @@ optional_policy(` # Newrole local policy # @@ -83979,7 +86732,7 @@ index dc0c03b..03121df 100644 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; -@@ -232,7 +257,7 @@ allow newrole_t self:msgq create_msgq_perms; +@@ -232,7 +258,7 @@ allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; 
@@ -83988,7 +86741,7 @@ index dc0c03b..03121df 100644 read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -249,6 +274,7 @@ domain_use_interactive_fds(newrole_t) +@@ -249,6 +275,7 @@ domain_use_interactive_fds(newrole_t) # for when the user types "exec newrole" at the command line: domain_sigchld_interactive_fds(newrole_t) @@ -83996,7 +86749,7 @@ index dc0c03b..03121df 100644 files_read_etc_files(newrole_t) files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) -@@ -276,25 +302,39 @@ term_relabel_all_ptys(newrole_t) +@@ -276,25 +303,39 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -84042,7 +86795,7 @@ index dc0c03b..03121df 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -309,7 +349,7 @@ if(secure_mode) { +@@ -309,7 +350,7 @@ if(secure_mode) { userdom_spec_domtrans_all_users(newrole_t) } @@ -84051,7 +86804,7 @@ index dc0c03b..03121df 100644 files_polyinstantiate_all(newrole_t) ') -@@ -328,9 +368,13 @@ kernel_use_fds(restorecond_t) +@@ -328,9 +369,13 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) @@ -84066,7 +86819,7 @@ index dc0c03b..03121df 100644 fs_list_inotifyfs(restorecond_t) selinux_validate_context(restorecond_t) -@@ -341,6 +385,7 @@ selinux_compute_user_contexts(restorecond_t) +@@ -341,6 +386,7 @@ selinux_compute_user_contexts(restorecond_t) files_relabel_non_auth_files(restorecond_t ) files_read_non_auth_files(restorecond_t) @@ -84074,7 +86827,7 @@ index dc0c03b..03121df 100644 auth_use_nsswitch(restorecond_t) locallogin_dontaudit_use_fds(restorecond_t) -@@ -351,6 +396,8 @@ miscfiles_read_localization(restorecond_t) +@@ -351,6 +397,8 @@ miscfiles_read_localization(restorecond_t) seutil_libselinux_linked(restorecond_t) 
@@ -84083,7 +86836,7 @@ index dc0c03b..03121df 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -366,21 +413,24 @@ optional_policy(` +@@ -366,21 +414,24 @@ optional_policy(` # Run_init local policy # @@ -84110,7 +86863,7 @@ index dc0c03b..03121df 100644 dev_dontaudit_list_all_dev_nodes(run_init_t) domain_use_interactive_fds(run_init_t) -@@ -398,14 +448,23 @@ selinux_compute_create_context(run_init_t) +@@ -398,14 +449,23 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) @@ -84136,7 +86889,7 @@ index dc0c03b..03121df 100644 logging_send_syslog_msg(run_init_t) -@@ -414,7 +473,7 @@ miscfiles_read_localization(run_init_t) +@@ -414,7 +474,7 @@ miscfiles_read_localization(run_init_t) seutil_libselinux_linked(run_init_t) seutil_read_default_contexts(run_init_t) @@ -84145,7 +86898,7 @@ index dc0c03b..03121df 100644 ifndef(`direct_sysadm_daemon',` ifdef(`distro_gentoo',` -@@ -425,6 +484,19 @@ ifndef(`direct_sysadm_daemon',` +@@ -425,6 +485,19 @@ ifndef(`direct_sysadm_daemon',` ') ') 
@@ -84165,10 +86918,28 @@ index dc0c03b..03121df 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -458,172 +530,204 @@ manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) - kernel_read_system_state(semanage_t) - kernel_read_kernel_sysctls(semanage_t) +@@ -440,81 +513,83 @@ optional_policy(` + # semodule local policy + # +-allow semanage_t self:capability { dac_override audit_write }; +-allow semanage_t self:unix_stream_socket create_stream_socket_perms; +-allow semanage_t self:unix_dgram_socket create_socket_perms; + allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +-allow semanage_t self:fifo_file rw_fifo_file_perms; +- +-allow semanage_t policy_config_t:file rw_file_perms; +- +-allow semanage_t semanage_tmp_t:dir manage_dir_perms; +-allow semanage_t semanage_tmp_t:file manage_file_perms; +-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) + + manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) + manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) + +-kernel_read_system_state(semanage_t) +-kernel_read_kernel_sysctls(semanage_t) +- -corecmd_exec_bin(semanage_t) - -dev_read_urand(semanage_t) @@ -84194,16 +86965,17 @@ index dc0c03b..03121df 100644 - -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) -- --locallogin_use_fds(semanage_t) +# Admins are creating pp files in random locations +files_read_non_security_files(semanage_t) +-locallogin_use_fds(semanage_t) +- -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) ++seutil_semanage_policy(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) -seutil_run_setfiles(semanage_t, semanage_roles) 
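Review bot: Removing `audit_write` via the new `+-allow semanage_t self:capability { dac_override audit_write };` line (hunk @@ -84165) while the upstream context line `allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` stays in place leaves semanage_t relaying audit messages without the capability the kernel checks for them, unless semanage_t also receives it through `logging_send_audit_msgs(policy_manager_domain)` in hunk @@ -84493. The `typeattribute` that would make semanage_t a policy_manager_domain is not in this chunk, so that dependency is inferred and should be confirmed before merging. A comment next to the surviving netlink rule, `# audit_write comes from policy_manager_domain (logging_send_audit_msgs)`, would make the split explicit to the next reader; if the attribute is not applied to semanage_t, semodule will start producing AVC denials on its audit socket.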
@@ -84246,8 +87018,7 @@ index dc0c03b..03121df 100644 + +optional_policy(` + unconfined_domain(semanage_t) - ') - ++') + +####################################n#### +# @@ -84264,14 +87035,29 @@ index dc0c03b..03121df 100644 +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) + - ######################################## - # --# Setfiles local policy ++######################################## ++# +# Setfiles mac local policy - # ++# +seutil_setfiles(setfiles_mac_t) +allow setfiles_mac_t self:capability2 mac_admin; +kernel_relabelto_unlabeled(setfiles_mac_t) ++ ++optional_policy(` ++ files_dontaudit_write_isid_chr_files(setfiles_mac_t) ++ livecd_dontaudit_leaks(setfiles_mac_t) ++ livecd_rw_tmp_files(setfiles_mac_t) ++ dev_dontaudit_write_all_chr_files(setfiles_mac_t) ++') ++ ++optional_policy(` ++ unconfined_domain(setfiles_mac_t) + ') + + ######################################## +@@ -522,108 +597,184 @@ ifdef(`distro_ubuntu',` + # Setfiles local policy + # -allow setfiles_t self:capability { dac_override dac_read_search fowner }; -dontaudit setfiles_t self:capability sys_tty_config; 
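Review bot: The relocated setfiles_mac_t block (hunk @@ -84264) grants `unconfined_domain(setfiles_mac_t)` inside a bare `optional_policy`, whereas the setfiles_t block in hunk @@ -84331 keeps its equivalent behind `ifdef(`distro_ubuntu'`. Because setfiles_mac_t also carries `allow setfiles_mac_t self:capability2 mac_admin;` and `kernel_relabelto_unlabeled(setfiles_mac_t)`, the domain is effectively unrestricted whenever the unconfined module is loaded, and nothing in the hunk records why `seutil_setfiles(setfiles_mac_t)` plus the livecd rules above it are not sufficient. A one-line comment above that optional_policy, `# <reason setfiles_mac_t must run unconfined; remove once the needed access is enumerated>`, would let a later reviewer decide whether the grant can be narrowed.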
@@ -84331,76 +87117,41 @@ index dc0c03b..03121df 100644 -init_use_script_fds(setfiles_t) -init_use_script_ptys(setfiles_t) -init_exec_script_files(setfiles_t) -+optional_policy(` -+ files_dontaudit_write_isid_chr_files(setfiles_mac_t) -+ livecd_dontaudit_leaks(setfiles_mac_t) -+ livecd_rw_tmp_files(setfiles_mac_t) -+ dev_dontaudit_write_all_chr_files(setfiles_mac_t) -+') - --logging_send_audit_msgs(setfiles_t) --logging_send_syslog_msg(setfiles_t) -+optional_policy(` -+ unconfined_domain(setfiles_mac_t) -+') - --miscfiles_read_localization(setfiles_t) -+######################################## -+# -+# Setfiles local policy -+# - --seutil_libselinux_linked(setfiles_t) +seutil_setfiles(setfiles_t) +# During boot in Rawhide +term_use_generic_ptys(setfiles_t) - --userdom_use_all_users_fds(setfiles_t) --# for config files in a home directory --userdom_read_user_home_content_files(setfiles_t) ++ +# needs to be able to read symlinks to make restorecon on symlink working +files_read_all_symlinks(setfiles_t) --ifdef(`distro_debian',` -- # udev tmpfs is populated with static device nodes -- # and then relabeled afterwards; thus -- # /dev/console has the tmpfs type -- fs_rw_tmpfs_chr_files(setfiles_t) -+logging_send_audit_msgs(setfiles_t) -+logging_send_syslog_msg(setfiles_t) -+ + logging_send_audit_msgs(setfiles_t) + logging_send_syslog_msg(setfiles_t) + +-miscfiles_read_localization(setfiles_t) +optional_policy(` + devicekit_dontaudit_read_pid_files(setfiles_t) + devicekit_dontaudit_rw_log(setfiles_t) - ') ++') --ifdef(`distro_redhat', ` -- fs_rw_tmpfs_chr_files(setfiles_t) -- fs_rw_tmpfs_blk_files(setfiles_t) -- fs_relabel_tmpfs_blk_file(setfiles_t) -- fs_relabel_tmpfs_chr_file(setfiles_t) +-seutil_libselinux_linked(setfiles_t) +optional_policy(` + xserver_append_xdm_tmp_files(setfiles_t) - ') - --ifdef(`distro_ubuntu',` ++') ++ +ifdef(`hide_broken_symptoms',` + - optional_policy(` ++ optional_policy(` + setroubleshoot_fixit_dontaudit_leaks(setfiles_t) + 
setroubleshoot_fixit_dontaudit_leaks(setsebool_t) + ') +') +ifdef(`distro_ubuntu',` + optional_policy(` - unconfined_domain(setfiles_t) - ') - ') ++ unconfined_domain(setfiles_t) ++ ') ++') --ifdef(`hide_broken_symptoms',` -- optional_policy(` -- udev_dontaudit_rw_dgram_sockets(setfiles_t) -- ') +-userdom_use_all_users_fds(setfiles_t) +######################################## +# +# Setfiles common policy @@ -84471,21 +87222,23 @@ index dc0c03b..03121df 100644 +seutil_libselinux_linked(setfiles_domain) + +userdom_use_all_users_fds(setfiles_domain) -+# for config files in a home directory + # for config files in a home directory +-userdom_read_user_home_content_files(setfiles_t) +userdom_read_user_home_content_files(setfiles_domain) -- # cjp: cover up stray file descriptors. -- optional_policy(` -- unconfined_dontaudit_read_pipes(setfiles_t) -- unconfined_dontaudit_rw_tcp_sockets(setfiles_t) -- ') -+ifdef(`distro_debian',` -+ # udev tmpfs is populated with static device nodes -+ # and then relabeled afterwards; thus -+ # /dev/console has the tmpfs type + ifdef(`distro_debian',` + # udev tmpfs is populated with static device nodes + # and then relabeled afterwards; thus + # /dev/console has the tmpfs type +- fs_rw_tmpfs_chr_files(setfiles_t) + fs_rw_tmpfs_chr_files(setfiles_domain) -+') -+ + ') + +-ifdef(`distro_redhat', ` +- fs_rw_tmpfs_chr_files(setfiles_t) +- fs_rw_tmpfs_blk_files(setfiles_t) +- fs_relabel_tmpfs_blk_file(setfiles_t) +- fs_relabel_tmpfs_chr_file(setfiles_t) +ifdef(`distro_redhat',` + fs_rw_tmpfs_chr_files(setfiles_domain) + fs_rw_tmpfs_blk_files(setfiles_domain) 
@@ -84493,10 +87246,85 @@ index dc0c03b..03121df 100644 + fs_relabel_tmpfs_chr_file(setfiles_domain) ') - optional_policy(` -- hotplug_use_fds(setfiles_t) +-ifdef(`distro_ubuntu',` +- optional_policy(` +- unconfined_domain(setfiles_t) +- ') ++optional_policy(` + hotplug_use_fds(setfiles_domain) ') + +-ifdef(`hide_broken_symptoms',` +- optional_policy(` +- udev_dontaudit_rw_dgram_sockets(setfiles_t) +- ') ++allow policy_manager_domain self:capability { dac_override sys_resource }; ++dontaudit policy_manager_domain self:capability sys_tty_config; ++allow policy_manager_domain self:process signal; ++allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms; ++allow policy_manager_domain self:unix_dgram_socket create_socket_perms; ++allow policy_manager_domain self:fifo_file rw_fifo_file_perms; + +- # cjp: cover up stray file descriptors. +- optional_policy(` +- unconfined_dontaudit_read_pipes(setfiles_t) +- unconfined_dontaudit_rw_tcp_sockets(setfiles_t) +- ') +-') ++dev_read_rand(policy_manager_domain) ++dev_read_urand(policy_manager_domain) + +-optional_policy(` +- hotplug_use_fds(setfiles_t) +-') ++logging_send_syslog_msg(policy_manager_domain) ++logging_send_audit_msgs(policy_manager_domain) ++ ++# Domains that will manage policy ++allow policy_manager_domain policy_config_t:file rw_file_perms; ++ ++allow policy_manager_domain semanage_tmp_t:dir manage_dir_perms; ++allow policy_manager_domain semanage_tmp_t:file manage_file_perms; ++files_tmp_filetrans(policy_manager_domain, semanage_tmp_t, { file dir }) ++ ++kernel_read_system_state(policy_manager_domain) ++kernel_read_kernel_sysctls(policy_manager_domain) ++ ++corecmd_exec_bin(policy_manager_domain) ++corecmd_exec_shell(policy_manager_domain) ++ ++dev_read_urand(policy_manager_domain) ++ ++domain_use_interactive_fds(policy_manager_domain) ++ ++files_read_etc_files(policy_manager_domain) ++files_read_etc_runtime_files(policy_manager_domain) ++files_read_usr_files(policy_manager_domain) 
++files_list_pids(policy_manager_domain) ++fs_list_inotifyfs(policy_manager_domain) ++fs_getattr_all_fs(policy_manager_domain) ++ ++selinux_getattr_fs(policy_manager_domain) ++selinux_validate_context(policy_manager_domain) ++selinux_get_enforce_mode(policy_manager_domain) ++ ++term_use_all_inherited_terms(policy_manager_domain) ++ ++locallogin_use_fds(policy_manager_domain) ++ ++logging_send_syslog_msg(policy_manager_domain) ++ ++miscfiles_read_localization(policy_manager_domain) ++ ++seutil_search_default_contexts(policy_manager_domain) ++seutil_domtrans_loadpolicy(policy_manager_domain) ++seutil_read_config(policy_manager_domain) ++seutil_use_newrole_fds(policy_manager_domain) ++seutil_manage_module_store(policy_manager_domain) ++seutil_get_semanage_trans_lock(policy_manager_domain) ++seutil_get_semanage_read_lock(policy_manager_domain) ++ ++userdom_dontaudit_write_user_home_content_files(policy_manager_domain) diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc index bea4629..06e2834 100644 --- a/policy/modules/system/setrans.fc @@ -85953,10 +88781,10 @@ index 0000000..6a29fb0 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..a558441 +index 0000000..bd7cbee --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,421 @@ +@@ -0,0 +1,427 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -86063,6 +88891,8 @@ index 0000000..a558441 +fs_manage_cgroup_dirs(systemd_logind_t) +# write getattr open setattr +fs_manage_cgroup_files(systemd_logind_t) ++fs_getattr_tmpfs(systemd_logind_t) ++fs_read_tmpfs_symlinks(systemd_logind_t) + +mcs_killall(systemd_logind_t) + @@ -86125,6 +88955,10 @@ index 0000000..a558441 +') + +optional_policy(` ++ rpm_dbus_chat(systemd_logind_t) ++') ++ ++optional_policy(` + # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file + xserver_search_xdm_tmp_dirs(systemd_logind_t) +') 
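Review bot: `dev_read_urand(policy_manager_domain)` and `logging_send_syslog_msg(policy_manager_domain)` are each added twice in the new policy_manager_domain block (hunk @@ -84493): once next to `dev_read_rand` / `logging_send_audit_msgs`, and again after `corecmd_exec_shell` / before `miscfiles_read_localization`. The duplicates are harmless to the compiler but make it harder to read off what the attribute grants, so drop the second `dev_read_urand(policy_manager_domain)` and the second `logging_send_syslog_msg(policy_manager_domain)`. The attribute bundles `dac_override`, `sys_resource`, `seutil_manage_module_store`, `seutil_domtrans_loadpolicy` and `corecmd_exec_shell`, which together amount to the ability to change the loaded policy, yet neither its declaration nor the `typeattribute` statements naming its members are in this chunk. A header comment above the first `allow policy_manager_domain ...` line, such as `# policy_manager_domain: <list member types> -- domains that may modify the module store and reload policy`, would let a reader audit the grant without searching the rest of the patch.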
@@ -86430,7 +89264,7 @@ index 2575393..49fd32e 100644 ifdef(`distro_debian',` /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if -index 025348a..c15e57c 100644 +index 025348a..d7b15a4 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -34,6 +34,7 @@ interface(`udev_domtrans',` @@ -86502,7 +89336,7 @@ index 025348a..c15e57c 100644 ## ## ## -@@ -203,13 +216,36 @@ interface(`udev_read_db',` +@@ -203,13 +216,54 @@ interface(`udev_read_db',` ## ## # @@ -86518,6 +89352,25 @@ index 025348a..c15e57c 100644 + +######################################## +## ++## Relabel the udev sock_file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`udev_relabel_pid_sockfile',` + gen_require(` +- type udev_tbl_t; ++ type udev_var_run_t; ++ ') ++ ++ allow $1 udev_var_run_t:sock_file relabel_sock_file_perms; ++') ++ ++######################################## ++## +## Create, read, write, and delete +## udev pid files. +## @@ -86528,8 +89381,7 @@ index 025348a..c15e57c 100644 +## +# +interface(`udev_read_pid_files',` - gen_require(` -- type udev_tbl_t; ++ gen_require(` + type udev_var_run_t; ') @@ -86542,7 +89394,7 @@ index 025348a..c15e57c 100644 ') ######################################## -@@ -228,6 +264,84 @@ interface(`udev_manage_pid_files',` +@@ -228,6 +282,84 @@ interface(`udev_manage_pid_files',` type udev_var_run_t; ') diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index e906a1b..b25522a 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch 
@@ -1054,6 +1054,16 @@ index 6d685ba..b6f9ba3 100644 logging_send_syslog_msg(aiccu_t) miscfiles_read_localization(aiccu_t) +diff --git a/aide.fc b/aide.fc +index 7798464..62ccdc6 100644 +--- a/aide.fc ++++ b/aide.fc +@@ -3,4 +3,4 @@ + /var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh) + + /var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh) +-/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) ++/var/log/aide\.log.* -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) diff --git a/aide.if b/aide.if index 838d25b..33981e0 100644 --- a/aide.if @@ -1097,6 +1107,18 @@ index 2509dd2..7ada82f 100644 -userdom_use_user_terminals(aide_t) +userdom_use_inherited_user_terminals(aide_t) +diff --git a/aisexec.fc b/aisexec.fc +index 7b4f4b9..9c2daa5 100644 +--- a/aisexec.fc ++++ b/aisexec.fc +@@ -4,6 +4,6 @@ + + /var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0) + +-/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0) ++/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:aisexec_var_log_t,s0) + + /var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) diff --git a/aisexec.if b/aisexec.if index 0370dba..c2d68a4 100644 --- a/aisexec.if @@ -1490,7 +1512,7 @@ index bec220e..1d26add 100644 + fstools_signal(amanda_t) +') diff --git a/amavis.fc b/amavis.fc -index 446ee16..25423bf 100644 +index 446ee16..33c0147 100644 --- a/amavis.fc +++ b/amavis.fc @@ -2,6 +2,7 @@ 
@@ -1501,6 +1523,18 @@ index 446ee16..25423bf 100644 /usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0) /usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0) +@@ -10,9 +11,10 @@ ifdef(`distro_debian',` + /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) + ') + ++/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) + /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) + /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) +-/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0) ++/var/log/amavisd\.log.* -- gen_context(system_u:object_r:amavis_var_log_t,s0) + /var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0) + /var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0) + /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0) diff --git a/amavis.if b/amavis.if index e31d92a..1aa0718 100644 --- a/amavis.if @@ -1529,7 +1563,7 @@ index e31d92a..1aa0718 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index 5a9b451..189c0a8 100644 +index 5a9b451..e36eab0 100644 --- a/amavis.te +++ b/amavis.te @@ -38,7 +38,7 @@ type amavis_quarantine_t; 
@@ -1559,11 +1593,11 @@ index 5a9b451..189c0a8 100644 +manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) allow amavis_t amavis_tmp_t:dir setattr_dir_perms; -files_tmp_filetrans(amavis_t, amavis_tmp_t, file) -+files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir } ) ++files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } ) # var/lib files for amavis manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -@@ -125,20 +127,23 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t) +@@ -125,20 +127,24 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t) corenet_udp_bind_generic_port(amavis_t) corenet_dontaudit_udp_bind_all_ports(amavis_t) corenet_tcp_connect_razor_port(amavis_t) @@ -1574,6 +1608,7 @@ index 5a9b451..189c0a8 100644 +dev_read_sysfs(amavis_t) domain_use_interactive_fds(amavis_t) ++domain_dontaudit_read_all_domains_state(amavis_t) -files_read_etc_files(amavis_t) files_read_etc_runtime_files(amavis_t) @@ -1588,7 +1623,7 @@ index 5a9b451..189c0a8 100644 # uses uptime which reads utmp - redhat bug 561383 init_read_utmp(amavis_t) init_stream_connect_script(amavis_t) -@@ -148,34 +153,38 @@ logging_send_syslog_msg(amavis_t) +@@ -148,21 +154,21 @@ logging_send_syslog_msg(amavis_t) miscfiles_read_generic_certs(amavis_t) miscfiles_read_localization(amavis_t) @@ -1607,18 +1642,18 @@ index 5a9b451..189c0a8 100644 optional_policy(` clamav_stream_connect(amavis_t) clamav_domtrans_clamscan(amavis_t) - ') - - optional_policy(` ++ clamav_read_state_clamd(amavis_t) ++') ++ ++optional_policy(` + #Cron handling + cron_use_fds(amavis_t) + cron_use_system_job_fds(amavis_t) + cron_rw_pipes(amavis_t) -+') -+ -+optional_policy(` - dcc_domtrans_client(amavis_t) - dcc_stream_connect_dccifd(amavis_t) + ') + + optional_policy(` +@@ -171,11 +177,16 @@ optional_policy(` ') optional_policy(` @@ -1635,7 +1670,7 @@ index 5a9b451..189c0a8 100644 ') optional_policy(` -@@ -188,6 +197,10 @@ optional_policy(` +@@ -188,6 +199,10 @@ optional_policy(` ') optional_policy(` 
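Review bot: `domain_dontaudit_read_all_domains_state(amavis_t)` (hunk @@ -1574) and the new `clamav_read_state_clamd(amavis_t)` (hunk @@ -1607) overlap: the second already allows the /proc read of clamd_t that the commit message describes, so the blanket dontaudit across every domain's state mainly serves to hide any future denial of the same kind against other domains. If the only observed denial was against clamd_t, the dontaudit can be dropped; if amavis really walks the state of arbitrary processes, a comment naming the case, e.g. `# amavis reads /proc state of <which domains>; only clamd_t access is needed for <reason>`, would justify keeping it. Both rules sit in amavis_t's local policy, whose start and end are outside these hunks.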
@@ -1681,7 +1716,7 @@ index e81bdbd..63ab279 100644 optional_policy(` diff --git a/apache.fc b/apache.fc -index fd9fa07..b289cef 100644 +index fd9fa07..9416b51 100644 --- a/apache.fc +++ b/apache.fc @@ -1,39 +1,54 @@ @@ -1800,7 +1835,7 @@ index fd9fa07..b289cef 100644 +/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -+/var/log/suphp\.log -- gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -5738,7 +5773,7 @@ index d3019b3..59440d1 100644 logging_send_syslog_msg(bluetooth_helper_t) diff --git a/boinc.fc b/boinc.fc new file mode 100644 -index 0000000..e59e51b +index 0000000..bda740a --- /dev/null +++ b/boinc.fc @@ -0,0 +1,12 @@ @@ -5753,7 +5788,7 @@ index 0000000..e59e51b +/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) +/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) + -+/var/log/boinc\.log -- gen_context(system_u:object_r:boinc_log_t,s0) ++/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) diff --git a/boinc.if b/boinc.if new file mode 100644 index 0000000..9d891b7 @@ -6332,7 +6367,7 @@ index 0000000..3b41945 +') diff --git a/cachefilesd.te b/cachefilesd.te new file mode 100644 -index 0000000..e7d2a5b +index 0000000..40fd0ad --- /dev/null +++ b/cachefilesd.te @@ -0,0 +1,145 @@ 
@@ -6430,8 +6465,8 @@ index 0000000..e7d2a5b +allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms; + +# Allow access to cache superstructure -+allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms }; -+allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms }; ++manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t) ++manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t) + +# Permit statfs on the backing filesystem +fs_getattr_xattr_fs(cachefilesd_t) @@ -7596,18 +7631,19 @@ index 0000000..0de6133 + +auth_use_nsswitch(cfengine_monitord_t) diff --git a/cgroup.fc b/cgroup.fc -index b6bb46c..645d203 100644 +index b6bb46c..9a2bf65 100644 --- a/cgroup.fc +++ b/cgroup.fc @@ -11,5 +11,9 @@ /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) /sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) +-/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0) +/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0) +/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) +/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) + - /var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0) ++/var/log/cgrulesengd\.log.* -- gen_context(system_u:object_r:cgred_log_t,s0) /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --git a/cgroup.if b/cgroup.if index 33facaf..c624aaa 100644 @@ -7645,7 +7681,7 @@ index 33facaf..c624aaa 100644 admin_pattern($1, cgrules_etc_t) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index 806191a..bc34bfe 100644 +index 806191a..8c30667 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) 
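Review bot: Replacing `{ rw_dir_perms delete_dir_perms }` / `{ rename delete_file_perms }` with `manage_dirs_pattern` and `manage_files_pattern` (hunk @@ -6430) widens cachefilesd_t from listing, renaming and unlinking cache objects to creating and writing them, and the kept comment `# Allow access to cache superstructure` no longer describes the grant. Update the comment to state the need the wider set answers, e.g. `# cachefilesd needs create/write on cache objects for <observed operation>`, so the change stays traceable to a denial rather than reading as a blanket grant.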
@@ -7659,16 +7695,17 @@ index 806191a..bc34bfe 100644 init_daemon_domain(cgconfig_t, cgconfig_exec_t) type cgconfig_initrc_exec_t; -@@ -42,6 +42,8 @@ files_config_file(cgconfig_etc_t) +@@ -42,6 +42,9 @@ files_config_file(cgconfig_etc_t) allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; +read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t) + ++ kernel_read_system_state(cgclear_t) domain_setpriority_all_domains(cgclear_t) -@@ -64,7 +66,6 @@ kernel_list_unlabeled(cgconfig_t) +@@ -64,7 +67,6 @@ kernel_list_unlabeled(cgconfig_t) kernel_read_system_state(cgconfig_t) # /etc/nsswitch.conf, /etc/passwd @@ -7676,7 +7713,7 @@ index 806191a..bc34bfe 100644 fs_manage_cgroup_dirs(cgconfig_t) fs_manage_cgroup_files(cgconfig_t) -@@ -72,12 +73,15 @@ fs_mount_cgroup(cgconfig_t) +@@ -72,12 +74,15 @@ fs_mount_cgroup(cgconfig_t) fs_mounton_cgroup(cgconfig_t) fs_unmount_cgroup(cgconfig_t) @@ -7693,7 +7730,7 @@ index 806191a..bc34bfe 100644 allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; -@@ -86,6 +90,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file) +@@ -86,6 +91,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file) allow cgred_t cgrules_etc_t:file read_file_perms; @@ -7703,7 +7740,7 @@ index 806191a..bc34bfe 100644 # rc script creates pid file manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -@@ -100,10 +107,11 @@ files_getattr_all_files(cgred_t) +@@ -100,10 +108,11 @@ files_getattr_all_files(cgred_t) files_getattr_all_sockets(cgred_t) files_read_all_symlinks(cgred_t) # /etc/group @@ -8361,7 +8398,7 @@ index e8e9a21..22986ef 100644 /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) diff --git a/clamav.if b/clamav.if -index bbac14a..87840b4 100644 +index bbac14a..99c5cca 100644 
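Review bot: The cgclear hunk (@@ -7659) now leaves two consecutive blank lines between `read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)` and `kernel_read_system_state(cgclear_t)`: the existing `+` blank is kept and a second `++` blank is added. Drop the added blank so the section keeps the single-blank separation used elsewhere in cgroup.te.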
--- a/clamav.if +++ b/clamav.if @@ -33,6 +33,7 @@ interface(`clamav_stream_connect',` @@ -8372,7 +8409,7 @@ index bbac14a..87840b4 100644 stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t) ') -@@ -133,6 +134,49 @@ interface(`clamav_exec_clamscan',` +@@ -133,6 +134,68 @@ interface(`clamav_exec_clamscan',` ######################################## ## @@ -8395,6 +8432,25 @@ index bbac14a..87840b4 100644 + +####################################### +## ++## Read clamd state files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`clamav_read_state_clamd',` ++ gen_require(` ++ type clamd_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, clamd_t) ++') ++ ++####################################### ++## +## Execute clamd server in the clamd domain. +## +## @@ -8422,7 +8478,7 @@ index bbac14a..87840b4 100644 ## All of the rules required to administrate ## an clamav environment ## -@@ -151,19 +195,25 @@ interface(`clamav_exec_clamscan',` +@@ -151,19 +214,25 @@ interface(`clamav_exec_clamscan',` interface(`clamav_admin',` gen_require(` type clamd_t, clamd_etc_t, clamd_tmp_t; @@ -8454,7 +8510,7 @@ index bbac14a..87840b4 100644 ps_process_pattern($1, freshclam_t) init_labeled_script_domtrans($1, clamd_initrc_exec_t) -@@ -171,6 +221,10 @@ interface(`clamav_admin',` +@@ -171,6 +240,10 @@ interface(`clamav_admin',` role_transition $2 clamd_initrc_exec_t system_r; allow $2 system_r; @@ -8465,7 +8521,7 @@ index bbac14a..87840b4 100644 files_list_etc($1) admin_pattern($1, clamd_etc_t) -@@ -189,4 +243,10 @@ interface(`clamav_admin',` +@@ -189,4 +262,10 @@ interface(`clamav_admin',` admin_pattern($1, clamscan_tmp_t) admin_pattern($1, freshclam_var_log_t) @@ -8477,7 +8533,7 @@ index bbac14a..87840b4 100644 + ') diff --git a/clamav.te b/clamav.te -index 5b7a1d7..0bcee92 100644 +index 5b7a1d7..e5d835c 100644 --- a/clamav.te +++ b/clamav.te @@ -1,9 +1,23 @@ 
@@ -8609,7 +8665,7 @@ index 5b7a1d7..0bcee92 100644 ') ######################################## -@@ -178,10 +210,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +@@ -178,10 +210,17 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) @@ -8620,6 +8676,7 @@ index 5b7a1d7..0bcee92 100644 logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) +kernel_read_kernel_sysctls(freshclam_t) ++kernel_read_network_state(freshclam_t) +kernel_read_system_state(freshclam_t) + +corecmd_exec_shell(freshclam_t) @@ -8628,7 +8685,7 @@ index 5b7a1d7..0bcee92 100644 corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +227,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) +@@ -189,6 +228,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -8637,7 +8694,7 @@ index 5b7a1d7..0bcee92 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -196,7 +236,6 @@ dev_read_urand(freshclam_t) +@@ -196,7 +237,6 @@ dev_read_urand(freshclam_t) domain_use_interactive_fds(freshclam_t) @@ -8645,7 +8702,7 @@ index 5b7a1d7..0bcee92 100644 files_read_etc_runtime_files(freshclam_t) auth_use_nsswitch(freshclam_t) -@@ -207,16 +246,22 @@ miscfiles_read_localization(freshclam_t) +@@ -207,16 +247,22 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) 
@@ -8672,7 +8729,7 @@ index 5b7a1d7..0bcee92 100644 ######################################## # # clamscam local policy -@@ -242,17 +287,36 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) +@@ -242,17 +288,36 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; @@ -8710,7 +8767,7 @@ index 5b7a1d7..0bcee92 100644 files_read_etc_runtime_files(clamscan_t) files_search_var_lib(clamscan_t) -@@ -264,10 +328,15 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +329,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -8743,7 +8800,7 @@ index b40f3f7..3676ecc 100644 # diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 -index 0000000..e59cc85 +index 0000000..61ab864 --- /dev/null +++ b/cloudform.fc @@ -0,0 +1,20 @@ @@ -8760,9 +8817,9 @@ index 0000000..e59cc85 +/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0) + +/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0) -+/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0) ++/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0) +/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0) -+/var/log/aeolus-conductor/dbomatic\.log -- gen_context(system_u:object_r:mongod_log_t,s0) ++/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0) + +/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) @@ -10942,7 +10999,7 @@ index 6f2896d..5a5a3bb 100644 unconfined_stream_connect(consolekit_t) ') diff --git a/corosync.fc b/corosync.fc -index 3a6d7eb..bb32bf0 100644 +index 3a6d7eb..45bf29b 100644 --- a/corosync.fc +++ b/corosync.fc @@ -1,12 +1,22 @@ 
@@ -10962,7 +11019,8 @@ index 3a6d7eb..bb32bf0 100644 /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) +/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) - /var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0) +-/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0) ++/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:corosync_var_log_t,s0) /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) @@ -11750,7 +11808,7 @@ index f77d58a..3d78ee8 100644 + xserver_dbus_chat_xdm(cpufreqselector_t) +') diff --git a/cron.fc b/cron.fc -index 3559a05..50c8036 100644 +index 3559a05..224142a 100644 --- a/cron.fc +++ b/cron.fc @@ -3,6 +3,9 @@ @@ -11800,15 +11858,18 @@ index 3559a05..50c8036 100644 /var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) /var/spool/cron/crontabs/.* -- <> #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) -@@ -36,6 +53,8 @@ +@@ -36,8 +53,10 @@ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + ifdef(`distro_debian',` - /var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0) +-/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0) ++/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0) + /var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) + /var/spool/cron/atjobs/[^/]* -- <> diff --git a/cron.if b/cron.if index 6e12dc7..bd94df7 100644 --- a/cron.if @@ -13187,7 +13248,7 @@ index 0000000..284fbae + sysnet_domtrans_ifconfig(ctdbd_t) +') 
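Review bot: The rewritten cron.fc entry `+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)` (hunk @@ -11800) keeps an unescaped `.` before `log`, so that character is a wildcard rather than a literal dot, unlike the sibling entries in this commit such as `/var/log/cluster/corosync\.log.*` in hunk @@ -10962. Since the line is being touched anyway, make it `/var/log/prelink\.log.* -- gen_context(system_u:object_r:cron_log_t,s0)`. The same unescaped dot survives in dirsrv.fc's `/var/log/dirsrv/ldap-agent.log.*` (hunk @@ -16063), and that entry also has no object-class field, so its label applies to any object class matching the path; `/var/log/dirsrv/ldap-agent\.log.* -- gen_context(...)` would match the other log entries.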
diff --git a/cups.fc b/cups.fc -index 848bb92..7d949a9 100644 +index 848bb92..306cd8e 100644 --- a/cups.fc +++ b/cups.fc @@ -19,7 +19,10 @@ @@ -13222,7 +13283,7 @@ index 848bb92..7d949a9 100644 /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + -+/usr/local/Brother/fax/.*\.log gen_context(system_u:object_r:cupsd_log_t,s0) ++/usr/local/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) +/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + @@ -14907,7 +14968,7 @@ index 8ba9425..e03f80a 100644 + gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/devicekit.fc b/devicekit.fc -index 9af85c8..e5de842 100644 +index 9af85c8..5483806 100644 --- a/devicekit.fc +++ b/devicekit.fc @@ -1,3 +1,8 @@ @@ -14932,8 +14993,8 @@ index 9af85c8..e5de842 100644 -/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) +/var/lib/udisks.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) + -+/var/log/pm-powersave\.log -- gen_context(system_u:object_r:devicekit_var_log_t,s0) -+/var/log/pm-suspend\.log -- gen_context(system_u:object_r:devicekit_var_log_t,s0) ++/var/log/pm-powersave\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0) ++/var/log/pm-suspend\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0) /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) @@ -16037,7 +16098,7 @@ index 0000000..c2ac646 + diff --git a/dirsrv.fc b/dirsrv.fc new file mode 100644 -index 0000000..6fc4865 +index 0000000..0ea1ebb --- /dev/null +++ b/dirsrv.fc @@ -0,0 +1,23 @@ 
@@ -16063,7 +16124,7 @@ index 0000000..6fc4865 + +/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0) + -+/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) ++/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) diff --git a/dirsrv.if b/dirsrv.if new file mode 100644 index 0000000..b214253 @@ -17111,7 +17172,7 @@ index e1d7dc5..df96c0d 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/dovecot.te b/dovecot.te -index 2df7766..479b994 100644 +index 2df7766..b1b3824 100644 --- a/dovecot.te +++ b/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -17187,7 +17248,7 @@ index 2df7766..479b994 100644 corenet_tcp_bind_sieve_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) -@@ -128,13 +136,13 @@ corecmd_exec_bin(dovecot_t) +@@ -128,13 +136,14 @@ corecmd_exec_bin(dovecot_t) domain_use_interactive_fds(dovecot_t) @@ -17195,6 +17256,7 @@ index 2df7766..479b994 100644 files_search_spool(dovecot_t) files_search_tmp(dovecot_t) files_dontaudit_list_default(dovecot_t) ++files_dontaudit_search_all_dirs(dovecot_t) # Dovecot now has quota support and it uses getmntent() to find the mountpoints. files_read_etc_runtime_files(dovecot_t) files_search_all_mountpoints(dovecot_t) @@ -17202,7 +17264,7 @@ index 2df7766..479b994 100644 init_getattr_utmp(dovecot_t) -@@ -145,6 +153,7 @@ logging_send_syslog_msg(dovecot_t) +@@ -145,6 +154,7 @@ logging_send_syslog_msg(dovecot_t) miscfiles_read_generic_certs(dovecot_t) miscfiles_read_localization(dovecot_t) 
@@ -17210,7 +17272,7 @@ index 2df7766..479b994 100644 userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_manage_user_home_content_dirs(dovecot_t) userdom_manage_user_home_content_files(dovecot_t) -@@ -153,6 +162,7 @@ userdom_manage_user_home_content_pipes(dovecot_t) +@@ -153,6 +163,7 @@ userdom_manage_user_home_content_pipes(dovecot_t) userdom_manage_user_home_content_sockets(dovecot_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) @@ -17218,7 +17280,7 @@ index 2df7766..479b994 100644 mta_manage_spool(dovecot_t) optional_policy(` -@@ -160,10 +170,24 @@ optional_policy(` +@@ -160,10 +171,24 @@ optional_policy(` ') optional_policy(` @@ -17243,7 +17305,7 @@ index 2df7766..479b994 100644 seutil_sigchld_newrole(dovecot_t) ') -@@ -180,8 +204,8 @@ optional_policy(` +@@ -180,8 +205,8 @@ optional_policy(` # dovecot auth local policy # @@ -17254,7 +17316,7 @@ index 2df7766..479b994 100644 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -@@ -190,6 +214,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p +@@ -190,6 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) @@ -17264,7 +17326,7 @@ index 2df7766..479b994 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -201,22 +228,25 @@ dovecot_stream_connect_auth(dovecot_auth_t) +@@ -201,22 +229,25 @@ dovecot_stream_connect_auth(dovecot_auth_t) kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) 
@@ -17292,7 +17354,7 @@ index 2df7766..479b994 100644 init_rw_utmp(dovecot_auth_t) -@@ -236,6 +266,8 @@ optional_policy(` +@@ -236,6 +267,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) @@ -17301,7 +17363,7 @@ index 2df7766..479b994 100644 ') optional_policy(` -@@ -243,6 +275,8 @@ optional_policy(` +@@ -243,6 +276,8 @@ optional_policy(` ') optional_policy(` @@ -17310,7 +17372,7 @@ index 2df7766..479b994 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -250,23 +284,42 @@ optional_policy(` +@@ -250,23 +285,42 @@ optional_policy(` # # dovecot deliver local policy # @@ -17356,7 +17418,7 @@ index 2df7766..479b994 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -283,24 +336,21 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) +@@ -283,24 +337,21 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) userdom_manage_user_home_content_sockets(dovecot_deliver_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) @@ -18457,6 +18519,17 @@ index f28f64b..6a30d96 100644 ') optional_policy(` +diff --git a/fail2ban.fc b/fail2ban.fc +index 0de2b83..6de0fca 100644 +--- a/fail2ban.fc ++++ b/fail2ban.fc +@@ -4,5 +4,5 @@ + /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) + + /var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) +-/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) ++/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0) + /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff --git a/fail2ban.if b/fail2ban.if index f590a1f..b1b13b0 100644 --- a/fail2ban.if @@ -23075,7 +23148,7 @@ index 6d50300..46cc164 100644 ## ## Send generic signals to user gpg processes. diff --git a/gpg.te b/gpg.te -index 156820c..970165a 100644 +index 156820c..401b90c 100644 --- a/gpg.te +++ b/gpg.te @@ -1,9 +1,10 @@ 
@@ -23289,7 +23362,15 @@ index 156820c..970165a 100644 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -@@ -232,34 +264,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) +@@ -223,6 +255,7 @@ corecmd_read_bin_symlinks(gpg_agent_t) + corecmd_search_bin(gpg_agent_t) + corecmd_exec_shell(gpg_agent_t) + ++dev_read_rand(gpg_agent_t) + dev_read_urand(gpg_agent_t) + + domain_use_interactive_fds(gpg_agent_t) +@@ -232,34 +265,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) miscfiles_read_localization(gpg_agent_t) # Write to the user domain tty. @@ -23328,7 +23409,7 @@ index 156820c..970165a 100644 optional_policy(` mozilla_dontaudit_rw_user_home_files(gpg_agent_t) -@@ -294,6 +317,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) +@@ -294,6 +318,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) # read /proc/meminfo kernel_read_system_state(gpg_pinentry_t) @@ -23336,7 +23417,7 @@ index 156820c..970165a 100644 corecmd_exec_bin(gpg_pinentry_t) corenet_all_recvfrom_netlabel(gpg_pinentry_t) -@@ -310,7 +334,6 @@ dev_read_rand(gpg_pinentry_t) +@@ -310,7 +335,6 @@ dev_read_rand(gpg_pinentry_t) files_read_usr_files(gpg_pinentry_t) # read /etc/X11/qtrc @@ -23344,7 +23425,7 @@ index 156820c..970165a 100644 fs_dontaudit_list_inotifyfs(gpg_pinentry_t) fs_getattr_tmpfs(gpg_pinentry_t) -@@ -325,13 +348,15 @@ miscfiles_read_localization(gpg_pinentry_t) +@@ -325,13 +349,15 @@ miscfiles_read_localization(gpg_pinentry_t) # for .Xauthority userdom_read_user_home_content_files(gpg_pinentry_t) userdom_read_user_tmpfs_files(gpg_pinentry_t) @@ -23365,7 +23446,7 @@ index 156820c..970165a 100644 ') optional_policy(` -@@ -340,6 +365,12 @@ optional_policy(` +@@ -340,6 +366,12 @@ optional_policy(` ') optional_policy(` 
@@ -23378,7 +23459,7 @@ index 156820c..970165a 100644 pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -349,4 +380,28 @@ optional_policy(` +@@ -349,4 +381,28 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) @@ -23945,6 +24026,28 @@ index 978c32f..0e03f2a 100644 auth_use_nsswitch(ifplugd_t) +diff --git a/imaze.fc b/imaze.fc +index 8d455ba..58729cb 100644 +--- a/imaze.fc ++++ b/imaze.fc +@@ -1,4 +1,4 @@ + /usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0) + /usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0) + +-/var/log/imaze\.log -- gen_context(system_u:object_r:imazesrv_log_t,s0) ++/var/log/imaze\.log.* -- gen_context(system_u:object_r:imazesrv_log_t,s0) +diff --git a/inetd.fc b/inetd.fc +index 39d5baa..4288778 100644 +--- a/inetd.fc ++++ b/inetd.fc +@@ -7,6 +7,6 @@ + /usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) + /usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) + +-/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0) ++/var/log/(x)?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0) + + /var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) diff --git a/inetd.if b/inetd.if index df48e5e..161814e 100644 --- a/inetd.if @@ -24338,7 +24441,7 @@ index 9aeeaf9..3cf4e02 100644 allow irqbalance_t self:udp_socket create_socket_perms; diff --git a/iscsi.fc b/iscsi.fc -index 14d9670..358255e 100644 +index 14d9670..6825edc 100644 --- a/iscsi.fc +++ b/iscsi.fc @@ -1,7 +1,16 @@ 
@@ -24349,8 +24452,9 @@ index 14d9670..358255e 100644 /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) + /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) +-/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) + - /var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) ++/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) +/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) + /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) @@ -24658,7 +24762,7 @@ index 0000000..a0f2f83 +sysnet_dns_name_resolve(isnsd_t) + diff --git a/jabber.fc b/jabber.fc -index da6f4b4..9a9ca2a 100644 +index da6f4b4..bd02cc8 100644 --- a/jabber.fc +++ b/jabber.fc @@ -1,10 +1,18 @@ @@ -24682,7 +24786,7 @@ index da6f4b4..9a9ca2a 100644 + +/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0) + -+/var/log/pyicq-t\.log gen_context(system_u:object_r:pyicqt_log_t,s0) ++/var/log/pyicq-t\.log.* gen_context(system_u:object_r:pyicqt_log_t,s0) + +/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) + @@ -25414,7 +25518,7 @@ index 0000000..af510ea +# No local policy. This module just contains type definitions diff --git a/jockey.fc b/jockey.fc new file mode 100644 -index 0000000..274cdec +index 0000000..a59ad8d --- /dev/null +++ b/jockey.fc @@ -0,0 +1,6 @@ @@ -25423,7 +25527,7 @@ index 0000000..274cdec +/var/cache/jockey(/.*)? gen_context(system_u:object_r:jockey_cache_t,s0) + +/var/log/jockey(/.*)? gen_context(system_u:object_r:jockey_var_log_t,s0) -+/var/log/jockey\.log -- gen_context(system_u:object_r:jockey_var_log_t,s0) ++/var/log/jockey\.log.* -- gen_context(system_u:object_r:jockey_var_log_t,s0) diff --git a/jockey.if b/jockey.if new file mode 100644 index 0000000..868c7d0 @@ -25558,10 +25662,10 @@ index 0000000..868c7d0 +') 
diff --git a/jockey.te b/jockey.te new file mode 100644 -index 0000000..56b4856 +index 0000000..0316d53 --- /dev/null +++ b/jockey.te -@@ -0,0 +1,43 @@ +@@ -0,0 +1,52 @@ +policy_module(jockey, 1.0.0) + +######################################## @@ -25596,6 +25700,10 @@ index 0000000..56b4856 +logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir }) + +corecmd_exec_bin(jockey_t) ++corecmd_exec_shell(jockey_t) ++ ++dev_read_rand(jockey_t) ++dev_read_urand(jockey_t) + +dev_read_sysfs(jockey_t) + @@ -25605,6 +25713,11 @@ index 0000000..56b4856 +files_read_usr_files(jockey_t) + +miscfiles_read_localization(jockey_t) ++ ++optional_policy(` ++ modutils_domtrans_insmod(jockey_t) ++ modutils_read_module_config(jockey_t) ++') diff --git a/kde.fc b/kde.fc new file mode 100644 index 0000000..25e4b68 @@ -25999,15 +26112,20 @@ index 0c52f60..a085fbd 100644 optional_policy(` diff --git a/kerberos.fc b/kerberos.fc -index 3525d24..ee0a3d5 100644 +index 3525d24..ad19527 100644 --- a/kerberos.fc 
+++ b/kerberos.fc -@@ -30,4 +30,12 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) - /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) - /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) +@@ -27,7 +27,15 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + /var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) -+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) +-/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) +-/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) ++/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) ++/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0) + ++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) + /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) @@ -30597,7 +30715,7 @@ index 0000000..00d38c5 + userdom_read_user_home_content_files(mock_build_t) +') diff --git a/modemmanager.te b/modemmanager.te -index b3ace16..83392b6 100644 +index b3ace16..46f4b11 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -8,6 +8,7 @@ policy_module(modemmanager, 1.1.0) @@ -30618,7 +30736,7 @@ index b3ace16..83392b6 100644 allow modemmanager_t self:fifo_file rw_file_perms; allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -28,13 +30,25 @@ dev_rw_modem(modemmanager_t) +@@ -28,13 +30,27 @@ dev_rw_modem(modemmanager_t) files_read_etc_files(modemmanager_t) 
@@ -30626,6 +30744,8 @@ index b3ace16..83392b6 100644 +term_use_generic_ptys(modemmanager_t) +term_use_unallocated_ttys(modemmanager_t) # this should be reproduced, might have been mislabelled usbtty_device_t +term_use_usb_ttys(modemmanager_t) ++ ++xserver_read_state_xdm(modemmanager_t) miscfiles_read_localization(modemmanager_t) @@ -31048,7 +31168,7 @@ index b397fde..25a03ce 100644 +') + diff --git a/mozilla.te b/mozilla.te -index 0724816..6002fc6 100644 +index 0724816..3488035 100644 --- a/mozilla.te +++ b/mozilla.te @@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3) @@ -31240,7 +31360,8 @@ index 0724816..6002fc6 100644 + can_exec(mozilla_plugin_t, mozilla_exec_t) - kernel_read_kernel_sysctls(mozilla_plugin_t) +-kernel_read_kernel_sysctls(mozilla_plugin_t) ++kernel_read_all_sysctls(mozilla_plugin_t) kernel_read_system_state(mozilla_plugin_t) kernel_read_network_state(mozilla_plugin_t) kernel_request_load_module(mozilla_plugin_t) @@ -34654,7 +34775,7 @@ index 2324d9e..da61d01 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") +') diff --git a/networkmanager.te b/networkmanager.te -index 0619395..d7078ce 100644 +index 0619395..a5b43fc 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -34673,7 +34794,7 @@ index 0619395..d7078ce 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -35,16 +44,26 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -35,26 +44,49 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) 
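Review bot: `xserver_read_state_xdm(modemmanager_t)` is added as a bare call between the `term_*` rules and `miscfiles_read_localization(modemmanager_t)`, outside any `optional_policy(`` block, whereas the other xserver call visible in this patch (`xserver_dbus_chat_xdm(cpufreqselector_t)` in the cpufreqselector hunk) is wrapped in one. Wrapping it the same way keeps the module loadable when the xserver module is absent: `optional_policy(`` / `	xserver_read_state_xdm(modemmanager_t)` / `')`. A short why-comment would also help, since it is not obvious from the hunk why a modem daemon needs to read xdm process state; I would hedge it as something to confirm against the denial that prompted it.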
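Review bot: Replacing `kernel_read_kernel_sysctls(mozilla_plugin_t)` with `kernel_read_all_sysctls(mozilla_plugin_t)` widens the plugin domain from the kernel sysctl tree to every sysctl class, which is a broad read grant for a domain meant to confine browser plugins. If the aim is only to silence getattr denials on sysctl entries, a dontaudit of getattr would be the narrower fix, which is what the earlier hunks of this patch that touch sysctl handling appear to add interfaces for. If a real read is needed, a one-line comment naming the sysctl the plugin actually reads would justify the wider interface, e.g. `# plugins read <sysctl-path> — TODO confirm which entry triggers this`.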
@@ -34704,10 +34825,12 @@ index 0619395..d7078ce 100644 allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; -@@ -52,9 +71,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; + allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; can_exec(NetworkManager_t, NetworkManager_exec_t) - ++#wicd ++can_exec(NetworkManager_t, wpa_cli_exec_t) ++ +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) @@ -34717,7 +34840,7 @@ index 0619395..d7078ce 100644 +filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) + +logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) -+ + manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -34725,7 +34848,7 @@ index 0619395..d7078ce 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -95,11 +125,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t) +@@ -95,11 +127,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t) corenet_rw_tun_tap_dev(NetworkManager_t) corenet_getattr_ppp_dev(NetworkManager_t) @@ -34739,7 +34862,7 @@ index 0619395..d7078ce 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) -@@ -113,10 +144,10 @@ corecmd_exec_shell(NetworkManager_t) +@@ -113,10 +146,10 @@ corecmd_exec_shell(NetworkManager_t) corecmd_exec_bin(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t) 
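Review bot: `can_exec(NetworkManager_t, wpa_cli_exec_t)` lets wpa_cli run inside NetworkManager_t rather than transitioning to wpa_cli_t, the domain this file pairs with wpa_cli_exec_t (`init_system_domain(wpa_cli_t, wpa_cli_exec_t)` in the preceding hunk's context), and the `#wicd` comment does not say why the transition is not wanted. Expand it so the next reader does not "fix" it back into a domtrans, e.g. `# wicd runs as NetworkManager_t and execs wpa_cli in-domain; no transition to wpa_cli_t — confirm`. The rules around it belong to the NetworkManager_t local policy block, which starts before this hunk.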
@@ -34752,7 +34875,7 @@ index 0619395..d7078ce 100644 files_read_usr_files(NetworkManager_t) files_read_usr_src_files(NetworkManager_t) -@@ -128,35 +159,44 @@ init_domtrans_script(NetworkManager_t) +@@ -128,35 +161,44 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -34799,7 +34922,7 @@ index 0619395..d7078ce 100644 ') optional_policy(` -@@ -176,10 +216,17 @@ optional_policy(` +@@ -176,10 +218,17 @@ optional_policy(` ') optional_policy(` @@ -34817,7 +34940,7 @@ index 0619395..d7078ce 100644 ') ') -@@ -191,6 +238,7 @@ optional_policy(` +@@ -191,6 +240,7 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -34825,7 +34948,7 @@ index 0619395..d7078ce 100644 ') optional_policy(` -@@ -202,23 +250,45 @@ optional_policy(` +@@ -202,23 +252,45 @@ optional_policy(` ') optional_policy(` @@ -34871,7 +34994,7 @@ index 0619395..d7078ce 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -234,6 +304,10 @@ optional_policy(` +@@ -234,6 +306,10 @@ optional_policy(` ') optional_policy(` @@ -34882,7 +35005,7 @@ index 0619395..d7078ce 100644 ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) ppp_manage_pid_files(NetworkManager_t) -@@ -241,6 +315,7 @@ optional_policy(` +@@ -241,6 +317,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -34890,7 +35013,7 @@ index 0619395..d7078ce 100644 ') optional_policy(` -@@ -254,6 +329,10 @@ optional_policy(` +@@ -254,6 +331,10 @@ optional_policy(` ') optional_policy(` @@ -34901,7 +35024,7 @@ index 0619395..d7078ce 100644 udev_exec(NetworkManager_t) udev_read_db(NetworkManager_t) ') -@@ -263,6 +342,7 @@ optional_policy(` +@@ -263,6 +344,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) 
@@ -36994,7 +37117,7 @@ index c61adc8..b3dd6cc 100644 files_list_var_lib(ntpd_t) diff --git a/numad.fc b/numad.fc new file mode 100644 -index 0000000..be6fcb0 +index 0000000..1f97624 --- /dev/null +++ b/numad.fc @@ -0,0 +1,7 @@ @@ -37002,7 +37125,7 @@ index 0000000..be6fcb0 + +/usr/lib/systemd/system/numad.* -- gen_context(system_u:object_r:numad_unit_file_t,s0) + -+/var/log/numad\.log -- gen_context(system_u:object_r:numad_var_log_t,s0) ++/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_var_log_t,s0) + +/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) diff --git a/numad.if b/numad.if @@ -37247,6 +37370,16 @@ index 58e2972..5aff5a5 100644 kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) +diff --git a/oav.fc b/oav.fc +index 0a66474..cf90b6e 100644 +--- a/oav.fc ++++ b/oav.fc +@@ -6,4 +6,4 @@ + + /var/lib/oav-virussignatures -- gen_context(system_u:object_r:oav_update_var_lib_t,s0) + /var/lib/oav-update(/.*)? gen_context(system_u:object_r:oav_update_var_lib_t,s0) +-/var/log/scannerdaemon\.log -- gen_context(system_u:object_r:scannerdaemon_log_t,s0) ++/var/log/scannerdaemon\.log.* -- gen_context(system_u:object_r:scannerdaemon_log_t,s0) diff --git a/oav.te b/oav.te index b4c5f86..0f1549d 100644 --- a/oav.te 
@@ -40638,6 +40771,19 @@ index 0000000..781625a +') + +userdom_home_manager(polipo_session_t) +diff --git a/portage.fc b/portage.fc +index 1d5b4e5..a79acdd 100644 +--- a/portage.fc ++++ b/portage.fc +@@ -23,7 +23,7 @@ + /var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0) + /var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) + /var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0) +-/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0) ++/var/log/emerge-fetch.log.* -- gen_context(system_u:object_r:portage_log_t,s0) + /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0) + /var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) + /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) diff --git a/portage.if b/portage.if index b4bb48a..7098ded 100644 --- a/portage.if @@ -40966,7 +41112,7 @@ index 1ddfa16..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/postfix.if b/postfix.if -index 46bee12..99499ef 100644 +index 46bee12..eccdc20 100644 --- a/postfix.if +++ b/postfix.if @@ -28,75 +28,19 @@ interface(`postfix_stub',` @@ -41265,7 +41411,7 @@ index 46bee12..99499ef 100644 ') ######################################## -@@ -621,3 +643,154 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +643,155 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -41381,6 +41527,7 @@ index 46bee12..99499ef 100644 + + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; ++ allow postfix_postdrop_t $1:unix_stream_socket { read write getattr }; +') + +######################################## 
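Review bot: The added `allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };` hands postdrop access to a socket owned by every caller of this `_run_`-style interface, and nothing in the hunk says which socket that is. A why-comment above it would help, e.g. `# postdrop inherits the caller's stream socket as stdin/stdout — confirm`, so a later reader can tell whether a narrower inherited-fd rule would do. The interface this line sits in begins outside the hunk; only `postfix_domtrans_postdrop($1)` and `role $2 types postfix_postdrop_t;` are visible.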
@@ -42417,6 +42564,19 @@ index bcbf9ac..fd793b3 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) +diff --git a/prelink.fc b/prelink.fc +index ec0e76a..62af9a4 100644 +--- a/prelink.fc ++++ b/prelink.fc +@@ -4,7 +4,7 @@ + + /usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) + +-/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) ++/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0) + /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) + + /var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) diff --git a/prelink.te b/prelink.te index af55369..e97defd 100644 --- a/prelink.te @@ -42773,7 +42933,7 @@ index b64b02f..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) +') diff --git a/procmail.te b/procmail.te -index 29b9295..59d1db3 100644 +index 29b9295..4bd0290 100644 --- a/procmail.te +++ b/procmail.te @@ -10,6 +10,9 @@ type procmail_exec_t; @@ -42877,6 +43037,14 @@ index 29b9295..59d1db3 100644 ') optional_policy(` +@@ -134,6 +148,7 @@ optional_policy(` + + optional_policy(` + mta_read_config(procmail_t) ++ mta_manage_home_rw(procmail_t) + sendmail_domtrans(procmail_t) + sendmail_signal(procmail_t) + sendmail_dontaudit_rw_tcp_sockets(procmail_t) diff --git a/psad.if b/psad.if index bc329d1..20bb463 100644 --- a/psad.if @@ -43988,6 +44156,18 @@ index 0000000..8d2c891 +logging_send_audit_msgs(pwauth_t) + +miscfiles_read_localization(pwauth_t) +diff --git a/pxe.fc b/pxe.fc +index 44b3a0c..5d247cb 100644 +--- a/pxe.fc ++++ b/pxe.fc +@@ -1,6 +1,6 @@ + + /usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0) + +-/var/log/pxe\.log -- gen_context(system_u:object_r:pxe_log_t,s0) ++/var/log/pxe\.log.* -- gen_context(system_u:object_r:pxe_log_t,s0) + + /var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0) diff --git a/pyicqt.te b/pyicqt.te index a841221..b62a01f 100644 --- a/pyicqt.te 
@@ -44002,10 +44182,10 @@ index a841221..b62a01f 100644 type pyicqt_var_run_t; files_pid_file(pyicqt_var_run_t) diff --git a/pyzor.fc b/pyzor.fc -index d4a7750..705196e 100644 +index d4a7750..a927c5a 100644 --- a/pyzor.fc +++ b/pyzor.fc -@@ -1,6 +1,10 @@ +@@ -1,9 +1,13 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -44016,6 +44196,10 @@ index d4a7750..705196e 100644 /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) + + /var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) +-/var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0) ++/var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0) diff --git a/pyzor.if b/pyzor.if index 494f7e2..2c411af 100644 --- a/pyzor.if @@ -46010,7 +46194,7 @@ index 641f677..1e3cf4c 100644 ') diff --git a/razor.fc b/razor.fc -index 1efba0c..bfda924 100644 +index 1efba0c..6e26673 100644 --- a/razor.fc +++ b/razor.fc @@ -1,8 +1,9 @@ @@ -46027,7 +46211,7 @@ index 1efba0c..bfda924 100644 -/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) -/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0) +#/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) -+#/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0) ++#/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0) diff --git a/razor.if b/razor.if index f04a595..d6a6e1a 100644 --- a/razor.if @@ -46710,15 +46894,19 @@ index d457736..eabdd78 100644 + stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t) ') diff --git a/rgmanager.fc b/rgmanager.fc -index 3c97ef0..c025d59 100644 +index 3c97ef0..d3de440 100644 --- a/rgmanager.fc 
+++ b/rgmanager.fc -@@ -1,3 +1,5 @@ +@@ -1,6 +1,8 @@ +/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) + /usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) - /var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) +-/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) ++/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) + + /var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) + diff --git a/rgmanager.if b/rgmanager.if index 7dc38d1..808f9c6 100644 --- a/rgmanager.if @@ -47856,7 +48044,7 @@ index 783f678..f82fdec 100644 + +rpm_read_db(rhsmcertd_t) diff --git a/ricci.fc b/ricci.fc -index 5b08327..ed5dc05 100644 +index 5b08327..4d5819e 100644 --- a/ricci.fc +++ b/ricci.fc @@ -1,3 +1,6 @@ @@ -47866,6 +48054,15 @@ index 5b08327..ed5dc05 100644 /usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0) /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) +@@ -9,7 +12,7 @@ + + /var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0) + +-/var/log/clumond\.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0) ++/var/log/clumond\.log.* -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0) + + /var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) + /var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) diff --git a/ricci.if b/ricci.if index f7826f9..23d579c 100644 --- a/ricci.if 
@@ -49709,6 +49906,18 @@ index ffb9605..11dbdb2 100644 auth_use_nsswitch(rssh_chroot_helper_t) +diff --git a/rsync.fc b/rsync.fc +index 479615b..2d77839 100644 +--- a/rsync.fc ++++ b/rsync.fc +@@ -2,6 +2,6 @@ + + /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) + +-/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) ++/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0) + + /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --git a/rsync.if b/rsync.if index 3386f29..8d8f6c5 100644 --- a/rsync.if @@ -51879,14 +52088,19 @@ index 0000000..3203ede + mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') diff --git a/sanlock.fc b/sanlock.fc -index 5d1826c..630960e 100644 +index 5d1826c..9656f79 100644 --- a/sanlock.fc +++ b/sanlock.fc -@@ -1,3 +1,4 @@ +@@ -1,7 +1,8 @@ + /etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0) /var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) + +-/var/log/sanlock\.log gen_context(system_u:object_r:sanlock_log_t,s0) ++/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0) + + /usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) diff --git a/sanlock.if b/sanlock.if index cfe3172..3eb745d 100644 --- a/sanlock.if @@ -52483,6 +52697,16 @@ index 2583626..13d933c 100644 +userdom_setattr_user_ptys(screen_domain) +userdom_setattr_user_ttys(screen_domain) + +diff --git a/sectoolm.fc b/sectoolm.fc +index 1ed6870..3f1dac5 100644 +--- a/sectoolm.fc ++++ b/sectoolm.fc +@@ -1,4 +1,4 @@ + /usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) + + /var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) +-/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0) ++/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0) diff --git a/sectoolm.te b/sectoolm.te index c8ef84b..c761721 100644 
--- a/sectoolm.te @@ -53738,12 +53962,15 @@ index bc00875..7c8590e 100644 ') diff --git a/snmp.fc b/snmp.fc -index 623c8fa..0a802f7 100644 +index 623c8fa..1ef62d0 100644 --- a/snmp.fc +++ b/snmp.fc -@@ -18,7 +18,8 @@ +@@ -16,9 +16,10 @@ + /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) + /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - /var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0) +-/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0) ++/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0) -/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) +/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) @@ -53875,7 +54102,7 @@ index 275f9fb..f1343b7 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 595942d..5273d6c 100644 +index 595942d..ec73300 100644 --- a/snmp.te +++ b/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.12.1) @@ -53892,7 +54119,7 @@ index 595942d..5273d6c 100644 # -allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; + -+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config }; ++allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; + dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; @@ -54149,7 +54376,7 @@ index 93fe7bf..1b07ed4 100644 init_labeled_script_domtrans($1, soundd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/spamassassin.fc b/spamassassin.fc -index 6b3abf9..663ebeb 100644 +index 6b3abf9..c1f28eb 100644 --- a/spamassassin.fc +++ b/spamassassin.fc @@ -1,15 +1,50 @@ 
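Review bot: The rewritten `allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };` restores sys_ptrace, which the previous version of this patch had dropped relative to the upstream line, and no comment records what now requires it. sys_ptrace lets the daemon inspect other processes, so it is worth confirming the denial is not just snmpd probing `/proc/<pid>` entries it works without; in that case `dontaudit snmpd_t self:capability sys_ptrace;` next to the existing `dontaudit snmpd_t self:capability { sys_module sys_tty_config };` would be the narrower choice. If it is genuinely needed, a one-line comment naming the operation, e.g. `# sys_ptrace: <operation> — TODO confirm`, belongs above the allow.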
@@ -54178,7 +54405,7 @@ index 6b3abf9..663ebeb 100644 /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) +/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0) + -+/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0) ++/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0) +/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0) /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) @@ -54200,8 +54427,8 @@ index 6b3abf9..663ebeb 100644 +/var/lib/pyzord(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) +/var/lib/razor(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) + -+/var/log/pyzord\.log -- gen_context(system_u:object_r:spamd_log_t,s0) -+/var/log/razor-agent\.log -- gen_context(system_u:object_r:spamd_log_t,s0) ++/var/log/pyzord\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0) ++/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0) + +/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0) +/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0) @@ -56839,7 +57066,7 @@ index 80fe75c..cdeafc5 100644 +') diff --git a/thin.fc b/thin.fc new file mode 100644 -index 0000000..8954083 +index 0000000..7f4bce8 --- /dev/null +++ b/thin.fc @@ -0,0 +1,11 @@ @@ -56850,7 +57077,7 @@ index 0000000..8954083 +/var/lib/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0) + +/var/log/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_log_t,s0) -+/var/log/thin\.log -- gen_context(system_u:object_r:thin_log_t,s0) ++/var/log/thin\.log.* -- gen_context(system_u:object_r:thin_log_t,s0) + +/var/run/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_var_run_t,s0) +/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0) 
@@ -57016,12 +57243,12 @@ index 0000000..1ed278e +files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file }) diff --git a/thumb.fc b/thumb.fc new file mode 100644 -index 0000000..3a7c395 +index 0000000..34d6c89 --- /dev/null +++ b/thumb.fc @@ -0,0 +1,15 @@ +HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) -+HOME_DIR/missfont\.log gen_context(system_u:object_r:thumb_home_t,s0) ++HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0) + +/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) +/usr/bin/gsf-office-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) @@ -58051,7 +58278,7 @@ index 2ae8b62..a8e786b 100644 -userdom_use_user_terminals(siggen_t) +userdom_use_inherited_user_terminals(siggen_t) diff --git a/tuned.fc b/tuned.fc -index 639c962..8488152 100644 +index 639c962..e789b2e 100644 --- a/tuned.fc +++ b/tuned.fc @@ -1,8 +1,12 @@ @@ -58063,7 +58290,8 @@ index 639c962..8488152 100644 /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) /var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0) - /var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) +-/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) ++/var/log/tuned\.log.* -- gen_context(system_u:object_r:tuned_log_t,s0) +/var/run/tuned(/.*)? gen_context(system_u:object_r:tuned_var_run_t,s0) /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) @@ -58787,7 +59015,7 @@ index ebc5414..8f8ac45 100644 logging_list_logs($1) admin_pattern($1, uucpd_log_t) diff --git a/uucp.te b/uucp.te -index d4349e9..f015de0 100644 +index d4349e9..2634d44 100644 --- a/uucp.te +++ b/uucp.te @@ -24,7 +24,7 @@ type uucpd_ro_t; 
@@ -58799,7 +59027,15 @@ index d4349e9..f015de0 100644 type uucpd_log_t; logging_log_file(uucpd_log_t) -@@ -91,7 +91,6 @@ fs_getattr_xattr_fs(uucpd_t) +@@ -83,6 +83,7 @@ corenet_udp_sendrecv_generic_node(uucpd_t) + corenet_tcp_sendrecv_all_ports(uucpd_t) + corenet_udp_sendrecv_all_ports(uucpd_t) + corenet_tcp_connect_ssh_port(uucpd_t) ++corenet_tcp_connect_uucpd_port(uucpd_t) + + dev_read_urand(uucpd_t) + +@@ -91,7 +92,6 @@ fs_getattr_xattr_fs(uucpd_t) corecmd_exec_bin(uucpd_t) corecmd_exec_shell(uucpd_t) @@ -58807,7 +59043,7 @@ index d4349e9..f015de0 100644 files_search_home(uucpd_t) files_search_spool(uucpd_t) -@@ -125,15 +124,18 @@ optional_policy(` +@@ -125,15 +125,18 @@ optional_policy(` allow uux_t self:capability { setuid setgid }; allow uux_t self:fifo_file write_fifo_file_perms; @@ -58827,7 +59063,7 @@ index d4349e9..f015de0 100644 logging_send_syslog_msg(uux_t) miscfiles_read_localization(uux_t) -@@ -145,5 +147,5 @@ optional_policy(` +@@ -145,5 +148,5 @@ optional_policy(` ') optional_policy(` @@ -58925,6 +59161,19 @@ index f9310f3..e830a59 100644 fs_getattr_all_fs(varnishd_t) auth_use_nsswitch(varnishd_t) +diff --git a/vdagent.fc b/vdagent.fc +index 21c5f41..5a2b836 100644 +--- a/vdagent.fc ++++ b/vdagent.fc +@@ -1,7 +1,7 @@ + /usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0) + + /var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0) +-/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0) ++/var/log/spice-vdagentd\.log.* -- gen_context(system_u:object_r:vdagent_log_t,s0) + + /var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0) + /var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0) diff --git a/vdagent.if b/vdagent.if index e59a074..b708678 100644 --- a/vdagent.if @@ -59938,7 +60187,7 @@ index 7c5d8d8..9883b66 100644 + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ') 
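Review bot: The last line of the new vdagent.fc section in the `@@ -58925` hunk, `/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)`, has the escape on the wrong character: `.\p` leaves the `.` as a match-anything and turns `\p` into an invalid or undefined regex escape, so depending on the regex engine the entry is either rejected when the file contexts are compiled or matches the pid file only by accident. Since this commit introduces the file into the patch, changing it to `/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)` here is cheap; the `\.log.*` line just above it shows the intended form.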
diff --git a/virt.te b/virt.te -index ad3068a..452693b 100644 +index ad3068a..39a5a70 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.4.2) @@ -60037,7 +60286,7 @@ index ad3068a..452693b 100644 type virt_etc_t; files_config_file(virt_etc_t) -@@ -62,26 +93,34 @@ files_config_file(virt_etc_t) +@@ -62,26 +93,37 @@ files_config_file(virt_etc_t) type virt_etc_rw_t; files_type(virt_etc_rw_t) @@ -60057,16 +60306,18 @@ index ad3068a..452693b 100644 virt_image(virt_content_t) userdom_user_home_content(virt_content_t) --type virt_log_t; --logging_log_file(virt_log_t) -- - type virt_tmp_t; - files_tmp_file(virt_tmp_t) - -+type virt_log_t; -+logging_log_file(virt_log_t) -+mls_trusted_object(virt_log_t) ++type virt_tmp_t; ++files_tmp_file(virt_tmp_t) + + type virt_log_t; + logging_log_file(virt_log_t) ++mls_trusted_object(virt_log_t) + +-type virt_tmp_t; +-files_tmp_file(virt_tmp_t) ++type virt_lock_t; ++files_lock_file(virt_lock_t) + type virt_var_run_t; files_pid_file(virt_var_run_t) @@ -60076,7 +60327,7 @@ index ad3068a..452693b 100644 type virtd_t; type virtd_exec_t; -@@ -92,6 +131,11 @@ domain_subj_id_change_exemption(virtd_t) +@@ -92,6 +134,11 @@ domain_subj_id_change_exemption(virtd_t) type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -60088,7 +60339,7 @@ index ad3068a..452693b 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -100,6 +144,35 @@ ifdef(`enable_mls',` +@@ -100,6 +147,35 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -60124,7 +60375,7 @@ index ad3068a..452693b 100644 ######################################## # # svirt local policy -@@ -107,15 +180,12 @@ ifdef(`enable_mls',` +@@ -107,15 +183,12 @@ ifdef(`enable_mls',` allow svirt_t self:udp_socket create_socket_perms; 
@@ -60141,7 +60392,7 @@ index ad3068a..452693b 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -133,9 +203,17 @@ corenet_tcp_connect_all_ports(svirt_t) +@@ -133,9 +206,17 @@ corenet_tcp_connect_all_ports(svirt_t) dev_list_sysfs(svirt_t) @@ -60159,7 +60410,7 @@ index ad3068a..452693b 100644 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -150,11 +228,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -150,11 +231,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -60175,7 +60426,7 @@ index ad3068a..452693b 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -163,11 +245,28 @@ tunable_policy(`virt_use_sysfs',` +@@ -163,11 +248,28 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -60204,7 +60455,7 @@ index ad3068a..452693b 100644 xen_rw_image_files(svirt_t) ') -@@ -176,22 +275,41 @@ optional_policy(` +@@ -176,22 +278,41 @@ optional_policy(` # virtd local policy # @@ -60253,7 +60504,7 @@ index ad3068a..452693b 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -202,19 +320,23 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -202,19 +323,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) 
@@ -60276,6 +60527,11 @@ index ad3068a..452693b 100644 files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) can_exec(virtd_t, virt_tmp_t) ++manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) ++manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t) ++manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t) ++files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file }) ++ +manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) +manage_files_pattern(virtd_t, virt_log_t, virt_log_t) +logging_log_filetrans(virtd_t, virt_log_t, { file dir }) @@ -60283,7 +60539,7 @@ index ad3068a..452693b 100644 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -225,9 +347,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -225,9 +355,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -60299,7 +60555,7 @@ index ad3068a..452693b 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -247,22 +375,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -247,22 +383,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -60333,7 +60589,7 @@ index ad3068a..452693b 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +407,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -270,6 +415,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -60352,7 +60608,7 @@ index ad3068a..452693b 100644 mcs_process_set_categories(virtd_t) -@@ -284,6 +433,8 @@ term_use_ptmx(virtd_t) +@@ -284,6 +441,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
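Review bot: The new `files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file })` in the `@@ -60276` hunk has no name argument, so every object virtd creates directly in the lock directory is created as virt_lock_t; that is reasonable for the daemon, but the matching file-context entry for that path (expected in virt.fc) is not in this chunk, and without one a `restorecon` would relabel those files to the default for the lock directory. Worth confirming the fc entry exists before merging. The virtd local-policy block this hunk belongs to starts and ends outside the hunk.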
@@ -60361,7 +60617,7 @@ index ad3068a..452693b 100644 miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +444,32 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +452,32 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -60394,7 +60650,7 @@ index ad3068a..452693b 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +488,10 @@ optional_policy(` +@@ -322,6 +496,10 @@ optional_policy(` ') optional_policy(` @@ -60405,7 +60661,7 @@ index ad3068a..452693b 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +505,30 @@ optional_policy(` +@@ -335,19 +513,30 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -60437,7 +60693,7 @@ index ad3068a..452693b 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +543,12 @@ optional_policy(` +@@ -362,6 +551,12 @@ optional_policy(` ') optional_policy(` @@ -60450,7 +60706,7 @@ index ad3068a..452693b 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +556,11 @@ optional_policy(` +@@ -369,11 +564,11 @@ optional_policy(` ') optional_policy(` @@ -60467,7 +60723,7 @@ index ad3068a..452693b 100644 ') optional_policy(` -@@ -384,6 +571,7 @@ optional_policy(` +@@ -384,6 +579,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -60475,7 +60731,7 @@ index ad3068a..452693b 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -403,20 +591,36 @@ optional_policy(` +@@ -403,20 +599,36 @@ optional_policy(` # virtual domains common policy # 
@@ -60515,7 +60771,7 @@ index ad3068a..452693b 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -427,10 +631,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -427,10 +639,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -60529,7 +60785,7 @@ index ad3068a..452693b 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,10 +644,11 @@ dev_write_sound(virt_domain) +@@ -438,10 +652,11 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -60542,7 +60798,7 @@ index ad3068a..452693b 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -449,25 +656,426 @@ files_search_all(virt_domain) +@@ -449,25 +664,440 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -60550,12 +60806,12 @@ index ad3068a..452693b 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) -+ + +-term_use_all_terms(virt_domain) +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) - --term_use_all_terms(virt_domain) ++ +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) 
@@ -60843,9 +61099,16 @@ index ad3068a..452693b 100644 +corecmd_exec_all_executables(svirt_lxc_domain) + +files_read_kernel_modules(svirt_lxc_net_t) ++files_dontaudit_getattr_all_dirs(svirt_lxc_domain) ++files_dontaudit_getattr_all_files(svirt_lxc_domain) ++files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) ++files_dontaudit_getattr_all_pipes(svirt_lxc_domain) ++files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +files_entrypoint_all_files(svirt_lxc_domain) ++files_list_var(svirt_lxc_domain) ++files_list_var_lib(svirt_lxc_domain) +files_search_all(svirt_lxc_domain) +files_read_config_files(svirt_lxc_domain) +files_read_usr_files(svirt_lxc_domain) @@ -60854,6 +61117,7 @@ index ad3068a..452693b 100644 + +fs_getattr_all_fs(svirt_lxc_domain) +fs_list_inotifyfs(svirt_lxc_domain) ++fs_rw_inherited_tmpfs_files(svirt_lxc_domain) + +auth_dontaudit_read_passwd(svirt_lxc_domain) +auth_dontaudit_read_login_records(svirt_lxc_domain) @@ -60873,6 +61137,8 @@ index ad3068a..452693b 100644 + +mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) + ++systemd_read_unit_files(svirt_lxc_domain) ++ +optional_policy(` + udev_read_pid_files(svirt_lxc_domain) +') @@ -60883,7 +61149,9 @@ index ad3068a..452693b 100644 + +virt_lxc_domain_template(svirt_lxc_net) + -+allow svirt_lxc_net_t self:capability { net_raw net_admin net_bind_service sys_nice chown dac_read_search dac_override fowner }; ++allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++allow svirt_lxc_net_t self:process setrlimit; ++ +allow svirt_lxc_net_t self:udp_socket create_socket_perms; +allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms; +allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms; 
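Review bot: Nothing in the `@@ -60883` hunk records why svirt_lxc_net_t now needs `sys_admin`, `sys_ptrace`, `sys_resource`, `setpcap` and `fsetid` on top of the earlier network-oriented capability set, and `sys_admin` alone covers mounts and many other privileged operations, so this line is the largest single widening of the confined container domain in the commit. A comment above the allow rule mapping each new capability to the operation that needed it (for example that `sys_resource` pairs with the `allow svirt_lxc_net_t self:process setrlimit;` added right below) would make the set reviewable later, and any capability that only appeared as audit noise belongs in a `dontaudit`, as the `files_dontaudit_getattr_all_*` rules in the `@@ -60843` hunk do for file metadata. The `rpm_read_db(svirt_lxc_net_t)` added in the `@@ -60910` hunk on the next line widens read access further and would benefit from the same one-line justification.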
@@ -60910,6 +61178,8 @@ index ad3068a..452693b 100644 + +auth_use_nsswitch(svirt_lxc_net_t) + ++rpm_read_db(svirt_lxc_net_t) ++ +####################################### +# +# svirt_prot_exec local policy @@ -61681,7 +61951,7 @@ index b3efef7..50c1a74 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/xen.fc b/xen.fc -index 1a1b374..f22f770 100644 +index 1a1b374..574794d 100644 --- a/xen.fc +++ b/xen.fc @@ -1,12 +1,10 @@ @@ -61706,6 +61976,22 @@ index 1a1b374..f22f770 100644 /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) ') +@@ -25,11 +24,11 @@ ifdef(`distro_debian',` + /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) + /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) + +-/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) ++/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) + /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) +-/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) +-/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) +-/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) ++/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) ++/var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) ++/var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) + + /var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) + /var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) diff --git a/xen.if b/xen.if index 77d41b6..cc73c96 100644 --- a/xen.if @@ -62527,10 +62813,10 @@ index 8c0bd70..3d6a4f7 100644 fs_getattr_all_fs(zabbix_agent_t) diff --git a/zarafa.fc b/zarafa.fc -index 3defaa1..7436a1c 100644 +index 3defaa1..560e6e3 100644 --- a/zarafa.fc 
+++ b/zarafa.fc -@@ -8,8 +8,10 @@ +@@ -8,19 +8,23 @@ /usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) /usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) 
@@ -62538,12 +62824,19 @@ index 3defaa1..7436a1c 100644 +/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) +/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) -+/var/log/zarafa/dagent\.log -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0) - /var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) - /var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) - /var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) -@@ -18,9 +20,11 @@ - /var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) +-/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) +-/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) +-/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) +-/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) +-/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0) +-/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) ++/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0) ++/var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) ++/var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) ++/var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) ++/var/log/zarafa/monitor\.log.* -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) ++/var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0) ++/var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) /var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) +/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0) 
@@ -62779,7 +63072,7 @@ index ade6c2c..232b7bd 100644 diff --git a/zoneminder.fc b/zoneminder.fc new file mode 100644 -index 0000000..47e388a +index 0000000..20555d7 --- /dev/null +++ b/zoneminder.fc @@ -0,0 +1,22 @@ @@ -62797,7 +63090,7 @@ index 0000000..47e388a + +/var/log/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_log_t,s0) + -+/var/log/motion\.log -- gen_context(system_u:object_r:zoneminder_log_t,s0) ++/var/log/motion\.log.* -- gen_context(system_u:object_r:zoneminder_log_t,s0) + +/var/run/motion\.pid -- gen_context(system_u:object_r:zoneminder_var_run_t,s0) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 6fd2d70..3fea886 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.0 -Release: 11%{?dist} +Release: 12%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -491,6 +491,29 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jul 23 2012 Miroslav Grepl 3.11.0-12 +- Add interface to dontaudit getattr access on sysctls +- Allow sshd to execute /bin/login +- Looks like xdm is recreating the xdm directory in ~/.cache/ on login +- Allow syslog to use the leaked kernel_t unix_dgram_socket from system-jounald +- Fix semanage to work with unconfined domain disabled on F18 +- Dontaudit attempts by mozilla plugins to getattr on all kernel sysctls +- Virt seems to be using lock files +- Dovecot seems to be searching directories of every mountpoint +- Allow jockey to read random/urandom, execute shell and install third-party drivers +- Add aditional params to allow cachedfiles to manage its content +- gpg agent needs to read /dev/random +- The kernel hands an svirt domains /SYSxxxxx which is a tmpfs that httpd wants to read and write +- Add a bunch of dontaudit rules to quiet svirt_lxc domains +- Additional perms needed to run svirt_lxc domains +- Allow cgclear to read cgconfig +- Allow sys_ptrace capability for snmp +- Allow freshclam to read /proc +- Allow procmail to manage /home/user/Maildir content +- Allow NM to execute wpa_cli +- Allow amavis to read clamd system state +- Regenerate man pages + * Sat Jul 21 2012 Fedora Release Engineering - 3.11.0-11 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild