Dan Walsh's Blog

Got SELinux?


New Security Feature in Fedora 18 Part 8: Introducing sepolicy manpage
danwalsh
In my previous blog, I introduced the sepolicy command; today I am going to talk about sepolicy manpage. This is probably the most important command in the sepolicy command suite.

man sepolicy-manpage
sepolicy-manpage(8)                                                                                                            sepolicy-manpage(8)

NAME
       sepolicy-manpage - Generate a man page based on the installed SELinux Policy

SYNOPSIS
       sepolicy manpage [-w] [-h] [-p PATH ] [-a | -d ]

DESCRIPTION
       Use sepolicy manpage to generate manpages based on SELinux Policy.

OPTIONS
       -a, --all
              Generate Man Pages for All Domains

       -d, --domain
              Generate a Man Page for the specified domain. (Supports multiple commands)

       -h, --help
              Display help message

       -w, --web
              Generate an additonal HTML man pages for the specified domain(s).

       -p, --path
              Specify the directory to store the created man pages. (Default to /tmp)


We are now using this tool to generate hundreds of man pages documenting the SELinux policy for every process domain.
Each confined domain gets a man page named with an _selinux suffix, for example:

man httpd_selinux
httpd_selinux(8)                                      SELinux Policy documentation for httpd                                      httpd_selinux(8)

NAME
       httpd_selinux - Security Enhanced Linux Policy for the httpd processes

DESCRIPTION
       Security-Enhanced Linux secures the httpd processes via flexible mandatory access control.

       The  httpd  processes  execute with the httpd_t SELinux type. You can check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep httpd_t
...
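
The man page above points you at ps -eZ to see which processes run as httpd_t. The following added example (mine, not code from the blog or from the sepolicy tool) turns that check around: it parses ps -eZ output, counts processes per SELinux domain, and names the matching _selinux man page for each one, so an administrator can see which of the generated policy man pages apply to the running system. The sample ps output is constructed, and the naming rule (replace the type's _t suffix with _selinux, as httpd_t maps to httpd_selinux above) is an assumption generalized from that single example.

```python
from collections import Counter

# Constructed sample of `ps -eZ` output; not captured from a real host.
SAMPLE_PS_EZ = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 systemd
system_u:system_r:kernel_t:s0       2 ?        00:00:00 kthreadd
system_u:system_r:httpd_t:s0     1184 ?        00:00:03 httpd
system_u:system_r:httpd_t:s0     1185 ?        00:00:00 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1201 ?   00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2310 pts/0 00:00:00 bash
"""


def domain_of(label: str) -> str:
    """Return the type (third field) of a user:role:type[:range] SELinux context.
    MLS/MCS ranges such as s0-s0:c0.c1023 add more colon-separated fields after
    the type, so only the first three fields are looked at."""
    parts = label.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {label!r}")
    return parts[2]


def running_domains(ps_output: str) -> Counter:
    """Count processes per SELinux type from `ps -eZ` output, skipping the header."""
    counts: Counter = Counter()
    for line in ps_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "LABEL":
            continue
        counts[domain_of(fields[0])] += 1
    return counts


def manpage_name(domain: str) -> str:
    """Map a process type to its policy man page, e.g. httpd_t -> httpd_selinux.
    Assumption: the `_t` suffix is replaced by `_selinux`, generalized from the
    httpd example in the post."""
    if not domain.endswith("_t"):
        raise ValueError(f"unexpected domain name: {domain!r}")
    return domain[:-2] + "_selinux"


def manpages_for(ps_output: str) -> dict:
    """Return {man page name: process count} for every running domain."""
    return {manpage_name(d): n for d, n in running_domains(ps_output).items()}


if __name__ == "__main__":
    for page, n in sorted(manpages_for(SAMPLE_PS_EZ).items()):
        print(f"{n:3d} process(es)  ->  man {page}")
```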


These are pretty extensive man pages, including the following sections:
  • Process types associated with the domain. The tool associates all process types that begin with the same prefix as the target domain.
  • File types associated with the domain. This lists all file types in the policy that share the prefix, describes what each type is used for, and gives the default path labelling on the system.
  • Booleans associated with the domain. The man page lists all booleans matching the prefix and describes what each boolean controls.
  • Port types associated with the domain. The man page lists the port types matching the prefix and the default port numbers assigned to them.
  • Sharing types. If the domain uses "sharing types" like public_content_t, the man page has a section explaining how to use them.
  • Managed files. This section describes the types the domain is allowed to write and the default paths associated with those types.
This is pretty extensive documentation, and the beauty of it is that it is automatically generated, so it will not get out of date.
In Fedora 18, the man page for Apache is over 1600 lines long.

> man httpd_selinux  | wc -l
1603


Currently in Fedora 18 we have over 700 man pages.

> man -k selinux | grep _selinux | wc -l
734


Miroslav Grepl is building a web site that will list all SELinux Policy Man pages for RHEL6, Fedora 17 and Fedora 18.
