Fedora 17 New Security Feature part IV - man pages for SELinux service domains
A couple of weeks ago, I began to look at the SELinux policy man pages we had written several years ago. I wanted to update them and maybe add a few new ones. When I looked at the httpd_selinux man page, I noticed it was missing descriptions of many of the booleans and file types associated with the httpd domain. When I started adding the boolean definitions, I quickly became bored and realized this would not scale.

I decided to write a tool, genman.py, that would query the SELinux policy and write a man page for every executable service domain.

I made the assumption that a service domain has an entrypoint type ending in "_exec_t", which we have pretty much standardized on. I then truncated that suffix off the type name and searched for types and booleans containing the remaining name.

httpd_exec_t -> httpd, for example.

I actually took it a step further and truncated a trailing "d" off the name if the domain name ended in "d", since this is common.

httpd -> http.

Booleans have a description in policy so this was fairly easy to add to the man pages.

# semanage boolean -l | grep http

This would give you all the booleans that mention http, for example.

Since we don't have a description for each file type associated with a domain, I had to hard code a big if/then table with common definitions, for example:

def explain(f, k):
    # prettyprint() is a helper in the tool (not shown here) that strips the suffix from the type name
    if f.endswith("_var_run_t"):
        return "store the %s files under the /run directory." % prettyprint(f, "_var_run_t")
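The name derivation and type/boolean lookup described above, as an added example that is not the genman.py from this post: the suffix table, the sample type list and the boolean descriptions are constructed here, and prettyprint is assumed to strip the suffix and replace underscores with spaces.

```python
# Added example, not the genman.py from the post: derive the search name
# from an entrypoint type as the post describes, collect the types and
# booleans that contain it, and explain file types from a suffix table.
# The sample type list and boolean descriptions below are constructed.

# Assumed subset of the post's if/then table, keyed by type suffix.
SUFFIX_EXPLANATIONS = {
    "_exec_t": "is the entrypoint executable for the %s domain.",
    "_var_run_t": "store the %s files under the /run directory.",
    "_log_t": "store the %s log files under /var/log.",
    "_config_t": "store the %s configuration files.",
}

SAMPLE_TYPES = ["httpd_exec_t", "httpd_var_run_t", "httpd_config_t",
                "httpd_log_t", "sshd_exec_t", "sshd_key_t"]
SAMPLE_BOOLEANS = {  # constructed descriptions for sample boolean names
    "httpd_can_network_connect": "Allow httpd to connect to the network.",
    "ssh_sysadm_login": "Allow sshd to log in as sysadm_r:sysadm_t.",
}

def service_prefix(exec_type):
    """httpd_exec_t -> ('httpd', 'http'): drop _exec_t, then a trailing d."""
    if not exec_type.endswith("_exec_t"):
        raise ValueError("not a service entrypoint type: %s" % exec_type)
    domain = exec_type[:-len("_exec_t")]
    search = domain[:-1] if domain.endswith("d") else domain
    return domain, search

def prettyprint(f, suffix):
    # Assumed helper: strip the suffix and turn underscores into spaces.
    return f[:-len(suffix)].replace("_", " ")

def explain(f):
    for suffix, text in SUFFIX_EXPLANATIONS.items():
        if f.endswith(suffix):
            return text % prettyprint(f, suffix)
    return "no description available for this type."

def related(exec_type, types, booleans):
    """Everything a SERVICE_selinux man page would list for exec_type."""
    domain, search = service_prefix(exec_type)
    return {
        "page": "%s_selinux" % domain,
        "types": {t: explain(t) for t in sorted(types) if search in t},
        "booleans": {b: d for b, d in sorted(booleans.items()) if search in b},
    }
```

The substring match is deliberately as loose as the post describes, which is why a prefix that is also part of an unrelated type name pulls in extra entries.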

Then I added a special section for any domains that use public_content_t. 

Bottom line: the tool generated over 400 man pages, which have been added to the selinux-policy-doc rpm.

For example, the abrt man page.

Are these man pages perfect? NO. 

But they are a lot better than nothing. Now if you want to know the types and/or booleans associated with a service, all you need to do is run man SERVICE_selinux.

If anyone wishes to enhance this, perhaps by adding file context definitions, patches are welcome...