sepolicy-manpage - Generate a man page based on the installed SELinux Policy
sepolicy manpage [-w] [-h] [-p PATH ] [-a | -d ]
Use sepolicy manpage to generate manpages based on SELinux Policy.
-a  Generate Man Pages for All Domains
-d  Generate a Man Page for the specified domain. (Supports multiple commands)
-h  Display help message
-w  Generate additional HTML man pages for the specified domain(s).
-p PATH  Specify the directory to store the created man pages. (Default to /tmp)
We are now using this tool to generate hundreds of man pages to document SELinux policy on every process domain.
Each confined domain's man page will have an _selinux extension added, for example:
httpd_selinux - Security Enhanced Linux Policy for the httpd processes
Security-Enhanced Linux secures the httpd processes via flexible mandatory access control.
The httpd processes execute with the httpd_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.
ps -eZ | grep httpd_t
These are pretty extensive man pages including sections:
- Process types associated with the domain. The tool attempts to associate all process types that begin with the same prefix as the target domain.
- File Types associated with the domain. This will list all file types that are included in this policy. (Using the prefix to gather the information) The man page describes what the type is used for, along with the default path labelling on the system.
- Booleans associated with the domain. The manpage lists all booleans matching the prefix and then describes what the boolean is used for.
- Port Types associated with the domain. The manpage lists the port types matching the prefix and describes the default port numbers assigned to these port types.
- Sharing Types associated with the domain. If the domain uses "Sharing Types" like public_content_t, the man page will have a section explaining how to use them.
- Managed Files section describes the types that the domain is allowed to write and the default paths associated with these types.
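A sketch of the prefix matching described in the list above, added here as an illustration and not taken from sepolicy itself. The function names, the matching rule (type name minus the trailing _t, matched on an underscore boundary) and all policy data are assumptions constructed for the example.

```python
# Added illustration, not sepolicy's own code. All policy data below is constructed.
SAMPLE_POLICY = {
    "process_types": ["httpd_t", "httpd_helper_t", "httpd_suexec_t", "sshd_t"],
    "file_types": {  # type -> default path labelling (constructed sample)
        "httpd_sys_content_t": ["/var/www(/.*)?"],
        "httpd_log_t": ["/var/log/httpd(/.*)?"],
        "sshd_key_t": ["/etc/ssh/ssh_host.*_key"],
    },
    "booleans": ["httpd_can_network_connect", "httpd_enable_cgi", "ssh_sysadm_login"],
    "port_types": {"http_port_t": [80, 443], "ssh_port_t": [22]},  # type -> ports
}


def domain_prefix(domain_type):
    """Return 'httpd' for 'httpd_t' (assumed rule: drop the trailing '_t')."""
    if not domain_type.endswith("_t") or len(domain_type) <= 2:
        raise ValueError(f"not a type name: {domain_type!r}")
    return domain_type[:-2]


def has_prefix(name, prefix):
    """Match on an underscore boundary so 'httpd' does not also claim 'httpdx_t'."""
    return name.startswith(prefix + "_")


def sections_for(domain_type, policy=SAMPLE_POLICY):
    """Group policy objects into man page sections by shared name prefix."""
    prefix = domain_prefix(domain_type)
    return {
        "process_types": sorted(
            t for t in policy["process_types"] if has_prefix(t, prefix)),
        "file_types": {
            t: p for t, p in sorted(policy["file_types"].items())
            if has_prefix(t, prefix)},
        "booleans": sorted(
            b for b in policy["booleans"] if has_prefix(b, prefix)),
        "port_types": {
            t: n for t, n in sorted(policy["port_types"].items())
            if has_prefix(t, prefix)},
    }


if __name__ == "__main__":
    for section, items in sections_for("httpd_t").items():
        print(section, "->", items)
```

Under this sketch's rule, the constructed http_port_t is not listed for httpd_t because it does not begin with httpd_.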
In Fedora 18, the man page for Apache is over 1600 lines long.
> man httpd_selinux | wc -l
Currently in Fedora 18 we have over 700 man pages.
> man -k selinux | grep _selinux | wc -l
Miroslav Grepl is building a web site that will list all SELinux Policy Man pages for RHEL6, Fedora 17 and Fedora 18.