A couple of weeks ago, I began to look at the man pages for SELinux policy that we had written for SELinux several years ago. I wanted to update them and maybe add a few new ones. When I looked at the httpd_selinux man page, I noticed it was missing lots of descriptions of booleans and file types associated with the httpd domain. When I started adding the boolean definitions, I quickly became board and realized this would not scale.
I decided to write a tool genman.py, that would query the SELinux Policy and write a man page for every executable service domain.
I made a few assumptions that a service domain had an entrypoint ending in "_exec_t". Which we have pretty much standardized on. Then I truncated the first part of the name off and searched for types and booleans containing this name.
httpd_exec_t -> httpd for example.
I actually took is a step further and truncated a "d" off if the domain name ended in "d", since this is common.
httpd -> http.
Booleans have a description in policy so this was fairly easy to add to the man pages.
# semanage boolean -l | grep http
Would give you all the booleans that mention http, for example.
Since we don't have a description for each file type associated with a domain, I had to hard code a big it/then table with common definitions, for example.
def explain(f, k):
return "store the %s files under the /run directory." % prettyprint(f, "_var_run_t")
Then I added a special section for any domains that use public_content_t.
Bottom line the tool was generated over 400 man pages that have been added to the selinux-policy-doc rpm.
For example abrt man page.
Are these man pages perfect? NO.
But they are a lot better then nothing. Now if you want to know the types/and or booleans associated with a service, all you need to execute is man SERVICE_selinux.
If anyone wishes to enhance this, by perhaps adding file context definitions, patches welcomed...
Dan Walsh's Blog
- Fedora 17 New Security Feature part IV - man pages for SELinux service domains