This patch looks good to me. acked.
From 297a7ed5b6c9771c214642ea0bf6ad5dbbba84cf Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx> Date: Wed, 9 Oct 2013 14:37:31 -0400 Subject: [PATCH 05/74] Laurent Bigonville patch to fix various minor manpage issues and correct section numbering. --- checkpolicy/checkmodule.8 | 6 +- checkpolicy/checkpolicy.8 | 4 +- libselinux/man/man3/security_compute_av.3 | 4 +- libselinux/man/man3/security_disable.3 | 4 +- libselinux/man/man3/security_load_policy.3 | 4 +- libselinux/man/man3/selinux_policy_root.3 | 17 ++++- libselinux/man/man8/getenforce.8 | 2 +- libselinux/man/man8/selinux.8 | 24 ++++--- libselinux/man/man8/selinuxenabled.8 | 2 +- libselinux/man/man8/selinuxexeccon.8 | 2 +- libselinux/man/man8/setenforce.8 | 2 +- libselinux/man/man8/togglesebool.8 | 2 +- libsemanage/man/man3/semanage_bool_set_active.3 | 2 +- libsemanage/man/man3/semanage_count.3 | 2 +- libsemanage/man/man3/semanage_del.3 | 2 +- libsemanage/man/man3/semanage_exists.3 | 2 +- libsemanage/man/man3/semanage_iterate.3 | 4 +- libsemanage/man/man3/semanage_list.3 | 2 +- libsemanage/man/man3/semanage_modify.3 | 2 +- libsemanage/man/man3/semanage_query.3 | 2 +- libsemanage/man/man3/semanage_set_root.3 | 2 +- libsepol/man/man3/sepol_check_context.3 | 2 +- libsepol/man/man3/sepol_genbools.3 | 2 +- libsepol/man/man3/sepol_genusers.3 | 2 +- policycoreutils/audit2allow/audit2allow.1 | 53 ++++++++++------ policycoreutils/mcstrans/man/man8/mcs.8 | 2 +- policycoreutils/newrole/newrole.1 | 24 +++---- policycoreutils/sandbox/sandbox.8 | 73 ++++++++++++---------- policycoreutils/scripts/chcat.8 | 4 +- policycoreutils/scripts/fixfiles.8 | 36 ++++++----- policycoreutils/semodule/semodule.8 | 16 ++--- policycoreutils/semodule_deps/semodule_deps.8 | 6 +- .../semodule_package/semodule_package.8 | 8 +-- .../semodule_package/semodule_unpackage.8 | 2 +- policycoreutils/sestatus/sestatus.conf.5 | 2 +- policycoreutils/setfiles/restorecon.8 | 16 +++-- policycoreutils/setfiles/setfiles.8 | 6 +- policycoreutils/setsebool/setsebool.8 | 12 ++-- 38 files changed, 206 insertions(+), 153 
deletions(-) diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8 index 40f73c5..2a7ab5c 100644 --- a/checkpolicy/checkmodule.8 +++ b/checkpolicy/checkmodule.8 @@ -3,7 +3,7 @@ checkmodule \- SELinux policy module compiler .SH SYNOPSIS .B checkmodule -.I "[-h] [-b] [-m] [-M] [-U handle_unknown ] [-V] [-o output_file] [input_file]" +.I "[\-h] [\-b] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]" .SH "DESCRIPTION" This manual page describes the .BR checkmodule @@ -12,7 +12,7 @@ command. .B checkmodule is a program that checks and compiles a SELinux security policy module into a binary representation. It can generate either a base policy -module (default) or a non-base policy module (-m option); typically, +module (default) or a non-base policy module (\-m option); typically, you would build a non-base policy module to add to an existing module store that already has a base module provided by the base policy. Use semodule_package to combine this module with its optional file @@ -48,7 +48,7 @@ Specify how the kernel should handle unknown classes or permissions (deny, allow .SH EXAMPLE .nf # Build a MLS/MCS-enabled non-base policy module. -$ checkmodule -M -m httpd.te -o httpd.mod +$ checkmodule \-M \-m httpd.te \-o httpd.mod .fi .SH "SEE ALSO" diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8 index 6826938..0086bdc 100644 --- a/checkpolicy/checkpolicy.8 +++ b/checkpolicy/checkpolicy.8 @@ -3,7 +3,7 @@ checkpolicy \- SELinux policy compiler .SH SYNOPSIS .B checkpolicy -.I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]" +.I "[\-b] [\-d] [\-M] [\-c policyvers] [\-o output_file] [input_file]" .br .SH "DESCRIPTION" This manual page describes the 
@@ -14,7 +14,7 @@ command. is a program that checks and compiles a SELinux security policy configuration into a binary representation that can be loaded into the kernel. If no input file name is specified, checkpolicy will attempt to read from -policy.conf or policy, depending on whether the -b flag is specified. +policy.conf or policy, depending on whether the \-b flag is specified. .SH OPTIONS .TP diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3 index c6837fc..de62d26 100644 --- a/libselinux/man/man3/security_compute_av.3 +++ b/libselinux/man/man3/security_compute_av.3 @@ -37,9 +37,9 @@ the SELinux policy database in the kernel .sp .BI "int security_compute_user_raw(security_context_t "scon ", const char *" username ", security_context_t **" con ); .sp -.BI "int security_get_initial_context(const char *" name ", security_context_t " con ); +.BI "int security_get_initial_context(const char *" name ", security_context_t *" con ); .sp -.BI "int security_get_initial_context_raw(const char *" name ", security_context_t " con ); +.BI "int security_get_initial_context_raw(const char *" name ", security_context_t *" con ); .sp .BI "int selinux_check_access(const security_context_t " scon ", const security_context_t " tcon ", const char *" class ", const char *" perm ", void *" auditdata); .sp diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3 index aeb78da..c75ce0d 100644 --- a/libselinux/man/man3/security_disable.3 +++ b/libselinux/man/man3/security_disable.3 @@ -17,7 +17,7 @@ and then unmounts This function can only be called at runtime and prior to the initial policy load. After the initial policy load, the SELinux kernel code cannot be disabled, but only placed in "permissive" mode by using -.BR setenforce (1). +.BR security_setenforce(3). . .SH "RETURN VALUE" .BR security_disable () 
@@ -27,4 +27,4 @@ returns zero on success or \-1 on error. This manual page has been written by Guido Trentalancia <guido@xxxxxxxxxxxxxxxx> . .SH "SEE ALSO" -.BR selinux (8), " setenforce "(3) +.BR selinux (8), " setenforce "(8) diff --git a/libselinux/man/man3/security_load_policy.3 b/libselinux/man/man3/security_load_policy.3 index c4439bf..af56163 100644 --- a/libselinux/man/man3/security_load_policy.3 +++ b/libselinux/man/man3/security_load_policy.3 @@ -43,7 +43,7 @@ unmounted using a call to .BR security_disable (3). Therefore, after the initial policy load, the only operational changes are those permitted by -.BR setenforce (3) +.BR security_setenforce (3) (i.e. eventually setting the framework in permissive mode rather than in enforcing one). . @@ -54,4 +54,4 @@ Returns zero on success or \-1 on error. This manual page has been written by Guido Trentalancia <guido@xxxxxxxxxxxxxxxx> . .SH "SEE ALSO" -.BR selinux "(8), " security_disable "(3), " setenforce "(1) +.BR selinux "(8), " security_disable "(3), " setenforce "(8) diff --git a/libselinux/man/man3/selinux_policy_root.3 b/libselinux/man/man3/selinux_policy_root.3 index a6ccf86..63dc901 100644 --- a/libselinux/man/man3/selinux_policy_root.3 +++ b/libselinux/man/man3/selinux_policy_root.3 
@@ -1,21 +1,34 @@ .TH "selinux_policy_root" "3" "25 May 2004" "dwalsh@xxxxxxxxxx" "SELinux API documentation" .SH "NAME" selinux_policy_root \- return the path of the SELinux policy files for this machine +selinux_set_policy_root \- Set an alternate SELinux root path for the SELinux policy files for this machine. . .SH "SYNOPSIS" .B #include <selinux/selinux.h> .sp .B const char *selinux_policy_root(void); . +.sp +.B int selinux_set_policy_root(const char *policypath); +. .SH "DESCRIPTION" .BR selinux_policy_root () reads the contents of the .I /etc/selinux/config file to determine which policy files should be used for this machine. . +.BR selinux_set_policy_root () +sets up all all policy paths based on the alternate root + +.I /etc/selinux/config +file to determine which policy files should be used for this machine. +. .SH "RETURN VALUE" -On success, returns a directory path containing the SELinux policy files. -On failure, NULL is returned. +On success, selinux_policy_root returns a directory path containing the SELinux policy files. +On failure, selinux_policy_root returns NULL. + +On success, selinux_set_policy_root returns 0 on success -1 on failure. + . .SH "SEE ALSO" .BR selinux "(8)" diff --git a/libselinux/man/man8/getenforce.8 b/libselinux/man/man8/getenforce.8 index 906279f..e0924d8 100644 --- a/libselinux/man/man8/getenforce.8 +++ b/libselinux/man/man8/getenforce.8 @@ -1,4 +1,4 @@ -.TH "getenforce" "1" "7 April 2004" "dwalsh@xxxxxxxxxx" "SELinux Command Line documentation" +.TH "getenforce" "8" "7 April 2004" "dwalsh@xxxxxxxxxx" "SELinux Command Line documentation" .SH "NAME" getenforce \- get the current mode of SELinux . diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 index a328866..50868e4 100644 --- a/libselinux/man/man8/selinux.8 +++ b/libselinux/man/man8/selinux.8 
@@ -37,20 +37,22 @@ The configuration file also controls what policy is active on the system. SELinux allows for multiple policies to be installed on the system, but only one policy may be active at any -given time. At present, two kinds of SELinux policy exist: targeted -and strict. The targeted policy is designed as a policy where most -processes operate without restrictions, and only specific services are +given time. At present, multiple kinds of SELinux policy exist: targeted, +mls for example. The targeted policy is designed as a policy where most +user processes operate without restrictions, and only specific services are placed into distinct security domains that are confined by the policy. For example, the user would run in a completely unconfined domain while the named daemon or apache daemon would run in a specific domain -tailored to its operation. The strict policy is designed as a policy -where all processes are partitioned into fine-grained security domains -and confined by policy. It is anticipated in the future that other -policies will be created (Multi-Level Security for example). You can +tailored to its operation. The MLS (Multi-Level Security) policy is designed +as a policy where all processes are partitioned into fine-grained security +domains and confined by policy. MLS also supports the Bell And LaPadula model, where processes are not only confined by the type but also the level of the data. + +You can define which policy you will run by setting the .B SELINUXTYPE environment variable within .IR /etc/selinux/config . +You must reboot and possibly relabel if you change the policy type to have it take effect on the system. The corresponding policy configuration for each such policy must be installed in the .I /etc/selinux/{SELINUXTYPE}/ 
@@ -58,7 +60,7 @@ directories. A given SELinux policy can be customized further based on a set of compile-time tunable options and a set of runtime policy booleans. -.B \%system\-config\-securitylevel +.B \%system\-config\-selinux allows customization of these booleans and tunables. Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy. @@ -86,11 +88,13 @@ This manual page was written by Dan Walsh <dwalsh@xxxxxxxxxx>. .nh .BR booleans (8), .BR setsebool (8), -.BR selinuxenabled (8), +.BR sepolicy (8), +.BR system-config-selinux (8), .BR togglesebool (8), .BR restorecon (8), +.BR fixfiles (8), .BR setfiles (8), -.BR semange (8), +.BR semanage (8), .BR sepolicy(8) Every confined service on the system has a man page in the following format: diff --git a/libselinux/man/man8/selinuxenabled.8 b/libselinux/man/man8/selinuxenabled.8 index e0b5201..ac20587 100644 --- a/libselinux/man/man8/selinuxenabled.8 +++ b/libselinux/man/man8/selinuxenabled.8 @@ -1,4 +1,4 @@ -.TH "selinuxenabled" "1" "7 April 2004" "dwalsh@xxxxxxxxxx" "SELinux Command Line documentation" +.TH "selinuxenabled" "8" "7 April 2004" "dwalsh@xxxxxxxxxx" "SELinux Command Line documentation" .SH "NAME" selinuxenabled \- tool to be used within shell scripts to determine if selinux is enabled . diff --git a/libselinux/man/man8/selinuxexeccon.8 b/libselinux/man/man8/selinuxexeccon.8 index 765cf8c..30c20ed 100644 --- a/libselinux/man/man8/selinuxexeccon.8 +++ b/libselinux/man/man8/selinuxexeccon.8 @@ -1,4 +1,4 @@ -.TH "selinuxexeccon" "1" "14 May 2011" "dwalsh@xxxxxxxxxx" "SELinux Command Line documentation" +.TH "selinuxexeccon" "8" "14 May 2011" "dwalsh@xxxxxxxxxx" "SELinux Command Line documentation" .SH "NAME" selinuxexeccon \- report SELinux context used for this executable . diff --git a/libselinux/man/man8/setenforce.8 b/libselinux/man/man8/setenforce.8 index b038da0..8a24f1c 100644 --- a/libselinux/man/man8/setenforce.8 
+++ b/libselinux/man/man8/setenforce.8 @@ -1,4 +1,4 @@ -.TH "setenforce" "1" "7 April 2004" "dwalsh@xxxxxxxxxx" "SELinux Command Line documentation" +.TH "setenforce" "8" "7 April 2004" "dwalsh@xxxxxxxxxx" "SELinux Command Line documentation" .SH "NAME" setenforce \- modify the mode SELinux is running in . diff --git a/libselinux/man/man8/togglesebool.8 b/libselinux/man/man8/togglesebool.8 index 948aff1..598dc94 100644 --- a/libselinux/man/man8/togglesebool.8 +++ b/libselinux/man/man8/togglesebool.8 @@ -1,4 +1,4 @@ -.TH "togglesebool" "1" "26 Oct 2004" "sgrubb@xxxxxxxxxx" "SELinux Command Line documentation" +.TH "togglesebool" "8" "26 Oct 2004" "sgrubb@xxxxxxxxxx" "SELinux Command Line documentation" .SH "NAME" togglesebool \- flip the current value of a SELinux boolean . diff --git a/libsemanage/man/man3/semanage_bool_set_active.3 b/libsemanage/man/man3/semanage_bool_set_active.3 index 026e29d..d868fe8 100644 --- a/libsemanage/man/man3/semanage_bool_set_active.3 +++ b/libsemanage/man/man3/semanage_bool_set_active.3 @@ -40,7 +40,7 @@ This function requires an semanage connection to be established (see ). .SH "RETURN VALUE" -In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error. +In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error. Otherwise 0 is returned. .SH "SEE ALSO" diff --git a/libsemanage/man/man3/semanage_count.3 b/libsemanage/man/man3/semanage_count.3 index b131cbe..b865a21 100644 --- a/libsemanage/man/man3/semanage_count.3 +++ b/libsemanage/man/man3/semanage_count.3 
@@ -33,7 +33,7 @@ This function requires an semanage connection to be established (see ) .SH "RETURN VALUE" -In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error. +In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error. Otherwise a non-negative integer is returned (a commit number). The same number will be returned by all other semanage object read calls until the next commit. .SH "SEE ALSO" diff --git a/libsemanage/man/man3/semanage_del.3 b/libsemanage/man/man3/semanage_del.3 index 5b11ce3..4dd0a77 100644 --- a/libsemanage/man/man3/semanage_del.3 +++ b/libsemanage/man/man3/semanage_del.3 @@ -40,7 +40,7 @@ This function requires an semanage connection to be established (see ). .SH "RETURN VALUE" -In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error. +In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error. Otherwise 0 is returned. .SH "SEE ALSO" diff --git a/libsemanage/man/man3/semanage_exists.3 b/libsemanage/man/man3/semanage_exists.3 index da401c2..6d68c76 100644 --- a/libsemanage/man/man3/semanage_exists.3 +++ b/libsemanage/man/man3/semanage_exists.3 @@ -38,7 +38,7 @@ This function requires an semanage connection to be established (see ) .SH "RETURN VALUE" -In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error. +In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error. Otherwise a non-negative integer is returned (a commit number). The same number will be returned by all other read calls to the semanage database until the next commit. .SH "SEE ALSO" diff --git a/libsemanage/man/man3/semanage_iterate.3 b/libsemanage/man/man3/semanage_iterate.3 index 8773800..1528164 100644 --- a/libsemanage/man/man3/semanage_iterate.3 +++ b/libsemanage/man/man3/semanage_iterate.3 
@@ -31,7 +31,7 @@ if that is necessary. The handler code may not invoke any semanage write requests for the same object type (i.e. modifying the underlying store is not allowed). The iterate function is reentrant only while inside a transaction (see .B semanage_begin_transaction -). It is not safe to execute other semanage read or write requests within iterate if not inside a transaction. The handler may return -1 to signal error exit, 0 to signal continue, and 1 to signal successful exit early (the iterate function will stop accordingly). +). It is not safe to execute other semanage read or write requests within iterate if not inside a transaction. The handler may return \-1 to signal error exit, 0 to signal continue, and 1 to signal successful exit early (the iterate function will stop accordingly). .TP .B Parameters: @@ -50,7 +50,7 @@ This function requires an semanage connection to be established (see ) .SH "RETURN VALUE" -In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error. +In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error. Otherwise a non-negative integer is returned (a commit number). The same number will be returned by all other semanage object read calls until the next commit. .SH "SEE ALSO" diff --git a/libsemanage/man/man3/semanage_list.3 b/libsemanage/man/man3/semanage_list.3 index 9376702..acc161f 100644 --- a/libsemanage/man/man3/semanage_list.3 +++ b/libsemanage/man/man3/semanage_list.3 
@@ -39,7 +39,7 @@ This function requires an semanage connection to be established (see ) .SH "RETURN VALUE" -In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error. +In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error. Otherwise a non-negative integer is returned (a commit number). The same number will be returned by all other semanage object read calls until the next commit. .SH "SEE ALSO" diff --git a/libsemanage/man/man3/semanage_modify.3 b/libsemanage/man/man3/semanage_modify.3 index 04bd801..ee23900 100644 --- a/libsemanage/man/man3/semanage_modify.3 +++ b/libsemanage/man/man3/semanage_modify.3 @@ -42,7 +42,7 @@ This function requires an semanage connection to be established (see ). .SH "RETURN VALUE" -In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error. +In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error. Otherwise 0 is returned. .SH "SEE ALSO" diff --git a/libsemanage/man/man3/semanage_query.3 b/libsemanage/man/man3/semanage_query.3 index 1a6cdb2..e61c8b8 100644 --- a/libsemanage/man/man3/semanage_query.3 +++ b/libsemanage/man/man3/semanage_query.3 @@ -39,7 +39,7 @@ This function requires an semanage connection to be established (see ) .SH "RETURN VALUE" -In case of failure, -1 is returned, and the semanage error callback is invoked, describing the error. +In case of failure, \-1 is returned, and the semanage error callback is invoked, describing the error. Otherwise a non-negative integer is returned (a commit number). The same number will be returned by all other semanage object read calls until the next commit. .SH "SEE ALSO" diff --git a/libsemanage/man/man3/semanage_set_root.3 b/libsemanage/man/man3/semanage_set_root.3 index 2ae0f17..664822e 100644 --- a/libsemanage/man/man3/semanage_set_root.3 +++ b/libsemanage/man/man3/semanage_set_root.3 
@@ -15,7 +15,7 @@ Set the alternate root directory for SELinux configuration directory. This function sets an alternate root directory to for SELinux configuration paths to be used by the semanage library. .SH "RETURN VALUE" -In case of failure, -1 is returned. +In case of failure, \-1 is returned. Otherwise 0 is returned. .SH "SEE ALSO" diff --git a/libsepol/man/man3/sepol_check_context.3 b/libsepol/man/man3/sepol_check_context.3 index a63cd56..4a3c57d 100644 --- a/libsepol/man/man3/sepol_check_context.3 +++ b/libsepol/man/man3/sepol_check_context.3 @@ -22,4 +22,4 @@ policy on a SELinux system, use from libselinux instead. .SH "RETURN VALUE" -Returns 0 on success or -1 with errno set otherwise. +Returns 0 on success or \-1 with errno set otherwise. diff --git a/libsepol/man/man3/sepol_genbools.3 b/libsepol/man/man3/sepol_genbools.3 index 0a30137..ca5b5a6 100644 --- a/libsepol/man/man3/sepol_genbools.3 +++ b/libsepol/man/man3/sepol_genbools.3 @@ -21,7 +21,7 @@ does likewise, but obtains the boolean settings from the parallel arrays (names, values) with nel elements each. .SH "RETURN VALUE" -Returns 0 on success or -1 otherwise, with errno set appropriately. +Returns 0 on success or \-1 otherwise, with errno set appropriately. An errno of ENOENT indicates that the boolean file did not exist. An errno of EINVAL indicates that one or more booleans listed in the boolean file was undefined in the policy or had an invalid value specified; diff --git a/libsepol/man/man3/sepol_genusers.3 b/libsepol/man/man3/sepol_genusers.3 index 05dff00..1f820ff 100644 --- a/libsepol/man/man3/sepol_genusers.3 +++ b/libsepol/man/man3/sepol_genusers.3 
@@ -44,7 +44,7 @@ set to 1 prior to calling in order to enable deletion of such users. .SH "RETURN VALUE" -Returns 0 on success or -1 otherwise, with errno set appropriately. +Returns 0 on success or \-1 otherwise, with errno set appropriately. An errno of ENOENT indicates that one or both of the user configuration files did not exist. An errno of EINVAL indicates that either the original binary policy image or the generated one were diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1 index a854a45..2929b68 100644 --- a/policycoreutils/audit2allow/audit2allow.1 +++ b/policycoreutils/audit2allow/audit2allow.1 @@ -29,7 +29,7 @@ \- generate SELinux policy allow/dontaudit rules from logs of denied operations .BR audit2why -\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w) +\- translates SELinux audit messages into a description of why the access was denied (audit2allow \-w) .SH SYNOPSIS .B audit2allow @@ -37,16 +37,16 @@ .SH OPTIONS .TP .B "\-a" | "\-\-all" -Read input from audit and message log, conflicts with -i +Read input from audit and message log, conflicts with \-i .TP .B "\-b" | "\-\-boot" -Read input from audit messages since last boot conflicts with -i +Read input from audit messages since last boot conflicts with \-i .TP .B "\-d" | "\-\-dmesg" Read input from output of .I /bin/dmesg. Note that all audit messages are not available via dmesg when -auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead. +auditd is running; use "ausearch \-m avc | audit2allow" or "\-a" instead. .TP .B "\-D" | "\-\-dontaudit" Generate dontaudit rules (Default: allow) 
@@ -65,7 +65,7 @@ read input only after last policy reload Generate module/require output <modulename> .TP .B "\-M <modulename>" -Generate loadable module package, conflicts with -o +Generate loadable module package, conflicts with \-o .TP .B "\-p <policyfile>" | "\-\-policy <policyfile>" Policy file to use for analysis @@ -123,7 +123,7 @@ an 'allow' rule. .PP .B Using audit2allow to generate module policy -$ cat /var/log/audit/audit.log | audit2allow -m local > local.te +$ cat /var/log/audit/audit.log | audit2allow \-m local > local.te $ cat local.te module local 1.0; @@ -141,7 +141,7 @@ allow myapp_t etc_t:file { getattr open read }; .B Using audit2allow to generate module policy using reference policy -$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te +$ cat /var/log/audit/audit.log | audit2allow \-R \-m local > local.te $ cat local.te policy_module(local, 1.0) 
@@ -155,34 +155,49 @@ files_read_etc_files(myapp_t) .B Building module policy using Makefile -# SELinux provides a policy devel environment under /usr/share/selinux/devel +# SELinux provides a policy devel environment under +# /usr/share/selinux/devel including all of the shipped +# interface files. # You can create a te file and compile it by executing -$ make -f /usr/share/selinux/devel/Makefile -$ semodule -i local.pp + +$ make -f /usr/share/selinux/devel/Makefile local.pp + + +# This make command will compile a local.te file in the current +# directory. If you did not specify a "pp" file, the make file +# will compile all "te" files in the current directory. After +# you compile your te file into a "pp" file, you need to install +# it using the semodule command. + +$ semodule \-i local.pp .B Building module policy manually # Compile the module -$ checkmodule -M -m -o local.mod local.te +$ checkmodule \-M \-m \-o local.mod local.te + # Create the package -$ semodule_package -o local.pp -m local.mod +$ semodule_package \-o local.pp \-m local.mod + # Load the module into the kernel -$ semodule -i local.pp +$ semodule \-i local.pp .B Using audit2allow to generate and build module policy -$ cat /var/log/audit/audit.log | audit2allow -M local -Generating type enforcment file: local.te -Compiling policy: checkmodule -M -m -o local.mod local.te -Building package: semodule_package -o local.pp -m local.mod + +$ cat /var/log/audit/audit.log | audit2allow \-M local +Generating type enforcement file: local.te +Compiling policy: checkmodule \-M \-m \-o local.mod local.te +Building package: semodule_package \-o local.pp \-m local.mod ******************** IMPORTANT *********************** In order to load this newly created policy package into the kernel, you are required to execute -semodule -i local.pp +semodule \-i local.pp + +.B Using audit2allow to generate monolithic (non\-module) policy -.B Using audit2allow to generate monolithic (non-module) policy $ cd 
/etc/selinux/$SELINUXTYPE/src/policy $ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te $ cat domains/misc/local.te diff --git a/policycoreutils/mcstrans/man/man8/mcs.8 b/policycoreutils/mcstrans/man/man8/mcs.8 index 44126bf..aeaf22e 100644 --- a/policycoreutils/mcstrans/man/man8/mcs.8 +++ b/policycoreutils/mcstrans/man/man8/mcs.8 @@ -20,7 +20,7 @@ readable form. Administrators can define any labels they want in this file. Certain applications like printing and auditing will use these labels to identify the files. By setting a category on a file you will prevent other applications/services from having access to the files. -.p +.P Examples of file labels would be PatientRecord, CompanyConfidential etc. .SH "SEE ALSO" diff --git a/policycoreutils/newrole/newrole.1 b/policycoreutils/newrole/newrole.1 index 376c458..c47bc52 100644 --- a/policycoreutils/newrole/newrole.1 +++ b/policycoreutils/newrole/newrole.1 @@ -44,7 +44,7 @@ Additional arguments .I ARGS may be provided after a -- option, in which case they are supplied to the new shell. -In particular, an argument of -- -c will cause the next argument to be +In particular, an argument of \-\- \-c will cause the next argument to be treated as a command by most command interpreters. .PP If a command argument is specified to newrole and the command name is found 
@@ -66,31 +66,31 @@ shows the current version of newrole .SH EXAMPLE .br Changing role: - # id -Z + # id \-Z staff_u:staff_r:staff_t:SystemLow-SystemHigh - # newrole -r sysadm_r - # id -Z + # newrole \-r sysadm_r + # id \-Z staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh Changing sensitivity only: - # id -Z + # id \-Z staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh - # newrole -l Secret - # id -Z + # newrole \-l Secret + # id \-Z staff_u:sysadm_r:sysadm_t:Secret-SystemHigh .PP Changing sensitivity and clearance: - # id -Z + # id \-Z staff_u:sysadm_r:sysadm_t:Unclassified-SystemHigh - # newrole -l Secret-Secret - # id -Z + # newrole \-l Secret-Secret + # id \-Z staff_u:sysadm_r:sysadm_t:Secret .PP Running a program in a given role or level: - # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..." - # newrole -l Secret -- -c "/path/to/app arg1 arg2..." + # newrole \-r sysadm_r \-\- \-c "/path/to/app arg1 arg2..." + # newrole \-l Secret \-\- \-c "/path/to/app arg1 arg2..." .SH FILES /etc/passwd - user account information diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8 index 521afcd..0c8cd1e 100644 --- a/policycoreutils/sandbox/sandbox.8 +++ b/policycoreutils/sandbox/sandbox.8 
@@ -3,87 +3,94 @@ sandbox \- Run cmd under an SELinux sandbox .SH SYNOPSIS .B sandbox -[-C] [-c] [-s] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd +[\-C] [\-c] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd .br .B sandbox -[-C] [-c] [-s] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S +[\-C] [\-c] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S .br .SH DESCRIPTION .PP Run the .I cmd -application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. The -M option will mount an alternate homedir and tmpdir to be used by the sandbox. +application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. The \-M option will mount an alternate homedir and tmpdir to be used by the sandbox. If you have the .I policycoreutils-sandbox -package installed, you can use the -X option and the -M option. -.B sandbox -X +package installed, you can use the \-X option and the \-M option. +.B sandbox \-X allows you to run X applications within a sandbox. These applications will start up their own X Server and create a temporary home directory and /tmp. The default SELinux policy does not allow any capabilities or network access. It also prevents all access to the users other processes and files. 
Files specified on the command that are in the home directory or /tmp will be copied into the sandbox directories. -If directories are specified with -H or -T the directory will have its context modified with chcon(1) unless a level is specified with -l. If the MLS/MCS security level is specified, the user is responsible to set the correct labels. +If directories are specified with \-H or \-T the directory will have its context modified with chcon(1) unless a level is specified with \-l. If the MLS/MCS security level is specified, the user is responsible to set the correct labels. .PP .TP -\fB\-H\ homedir -Use alternate homedir to mount over your home directory. Defaults to temporary. Requires -X or -M. +\fB\-h\ \fB\\-\-help\fR +display usage message .TP -\fB\-i file\fR +\fB\-H\ \fB\\-\-homedir\fR +Use alternate homedir to mount over your home directory. Defaults to temporary. Requires \-X or \-M. +.TP +\fB\-i\fR \fB\-\-include\fR Copy this file into the appropriate temporary sandbox directory. Command can be repeated. .TP -\fB\-I inputfile\fR Copy all files listed in inputfile into the +\fB\-I\fR \fB\-\-includefile\fR +Copy all files listed in inputfile into the appropriate temporary sandbox directories. .TP -\fB\-l\fR +\fB\-l\fR \fB\-\-level\fR Specify the MLS/MCS Security Level to run the sandbox with. Defaults to random. .TP -\fB\-M\fR +\fB\-M\fR \fB\-\-mount\fR Create a Sandbox with temporary files for $HOME and /tmp. .TP -\fB\-s\fR \fB\--shred\fR +\fB\-s\fR \fB\-\-shred\fR Shred temporary files created in $HOME and /tmp, before deleting. .TP -\fB\-t type\fR -Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X. +\fB\-t\fR \fB\-\-type\fR +Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for \-X. \fBExamples:\fR .br -sandbox_t - No X, No Network Access, No Open, read/write on passed in file descriptors. +sandbox_t \- No X, No Network Access, No Open, read/write on passed in file descriptors. 
.br -sandbox_min_t - No Network Access +sandbox_min_t \- No Network Access .br -sandbox_x_t - Printer Ports +sandbox_x_t \- Printer Ports .br -sandbox_web_t - Ports required for web browsing +sandbox_web_t \- Ports required for web browsing .br -sandbox_net_t - All network ports +sandbox_net_t \- All network ports .TP -\fB\-T\ tmpdir -Use alternate tempory directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M. +\fB\-T\fR \fB\-\-tmpdir\fR +Use alternate temporary directory to mount on /tmp. Defaults to tmpfs. Requires \-X or \-M. .TP -\fB\-S +\fB\-S\fR \fB\-\-session\fR Run a full desktop session, Requires level, and home and tmpdir. .TP -\fB\-w windowsize\fR +\fB\-w\fR \fB\-\-windowsize\fR + Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700. .TP -\fB\-W windowmanager\fR +\fB\-W\fR \fB\-\-windowmanager\fR Select alternative window manager to run within -.B sandbox -X. -Default to /usr/bin/matchbox-window-manager. +.B sandbox \-X. +Default to /usr/bin/openbox. .TP \fB\-X\fR Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t .TP -\fB\-d\fR -Set the DPI value for the sanbox X Server. Defaults to the current X Sever DPI. +\fB\-d\fR \fB\-\-dpi\fR +Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI. .TP -\fB\-c\fR -Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. +\fB\-c\fR \fB\-\-cgroups\fR +Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. .TP -\fB\-C\fR -Use capabilities within the sandbox. 
By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the -C flag, you can use programs requiring capabilities. +\fB\-C\fR \fB\-\-capabilities\fR Use capabilities within the +sandbox. By default applications executed within the sandbox will not +be allowed to use capabilities (setuid apps), with the \-C flag, you +can use programs requiring capabilities. .PP .SH "SEE ALSO" .TP diff --git a/policycoreutils/scripts/chcat.8 b/policycoreutils/scripts/chcat.8 index 7c6d75a..d095a25 100644 --- a/policycoreutils/scripts/chcat.8 +++ b/policycoreutils/scripts/chcat.8 @@ -21,7 +21,7 @@ chcat \- change file SELinux security category [\fI-d\fR] \fIuser\fR... .br .B chcat -\fI-L\fR [ -l ] [ user ... ] +\fI-L\fR [ \-l ] [ user ... ] .br .SH DESCRIPTION .PP @@ -31,7 +31,7 @@ Use +/- to add/remove categories from a \fIfile\fR or \fIuser\fR. .PP .B Note: -When removing a category you must specify '--' on the command line before using the -Category syntax. This tells the command that you have finished entering options and are now specifying a category name instead. +When removing a category you must specify '\-\-' on the command line before using the \-Category syntax. This tells the command that you have finished entering options and are now specifying a category name instead. .TP \fB\-d\fR diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8 index 9ab7334..b622c51 100644 --- a/policycoreutils/scripts/fixfiles.8 +++ b/policycoreutils/scripts/fixfiles.8 
@@ -5,15 +5,15 @@ fixfiles \- fix file SELinux security contexts. .SH "SYNOPSIS" .B fixfiles -.I [-v] [-F] [-l logfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ] +.I [\-v] [\-F] [-B] [ -N time ] [\-l logfile ] { check | restore|[\-f] relabel | verify } [[dir/file] ... ] .B fixfiles -.I [-v] [-F] [ -R rpmpackagename[,rpmpackagename...] ] [-l logfile ] { check | restore | verify } +.I [\-v] [\-F] [ \-R rpmpackagename[,rpmpackagename...] ] [\-l logfile ] { check | restore | verify } .B fixfiles -.I [-v] [ -C PREVIOUS_FILECONTEXT ] [-l logfile ] { check | restore | verify } +.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT [\-l logfile ] { check | restore | verify } -.B fixfiles +.B fixfiles [-F] [-B] .I onboot .SH "DESCRIPTION" 
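Review bot: in the fixfiles.8 SYNOPSIS hunk the newly added `[-B]`, `[ -N time ]` and `.B fixfiles [-F] [-B]` keep plain hyphens while every other option on the same lines is converted to `\-`; escape them as `[\-B] [ \-N time ]` and `[\-F] [\-B]` so groff renders a real minus sign throughout. The third form also changes `[ -C PREVIOUS_FILECONTEXT ]` from optional to mandatory and adds `[\-F]`, which is a change in documented usage rather than a hyphen fix and should be called out in the commit message or confirmed against the script's option handling.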
@@ -28,35 +28,43 @@ It can also be run at any time to relabel when adding support for new policy, or just check whether the file contexts are all as you expect. By default it will relabel all mounted ext2, ext3, xfs and jfs file systems as long as they do not have a security context mount -option. You can use the -R flag to use rpmpackages as an alternative. +option. You can use the \-R flag to use rpmpackages as an alternative. The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories -excluded from relabelling. +excluded from relabeling. .P .B fixfiles onboot will setup the machine to relabel on the next reboot. .SH "OPTIONS" .TP -.B -l logfile +.B \-B +If specified with onboot, this fixfiles will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, the restore will only affect files that were modified today. +.TP +.B \-l logfile Save the output to the specified logfile .TP -.B -F -Force reset of context to match file_context for customizable files +.B \-F +Force reset of context to match file_context for customizable files .TP -.B -f +.B \-f Clear /tmp directory with out prompt for removal. .TP -.B -R rpmpackagename[,rpmpackagename...] -Use the rpm database to discover all files within the specified packages and restore the file contexts. (-a will get all files in the RPM database). +.B \-R rpmpackagename[,rpmpackagename...] +Use the rpm database to discover all files within the specified packages and restore the file contexts. (\-a will get all files in the RPM database). .TP -.B -C PREVIOUS_FILECONTEXT +.B \-C PREVIOUS_FILECONTEXT Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files. .TP +.B \-N time +Only act on files created after the specified date. Date must be specified in +"YYYY-MM-DD HH:MM" format. Date field will be passed to find --newermt command. 
+ +.TP .B -v -Modify verbosity from progess to verbose. (Run restorecon with -v instead of -p) +Modify verbosity from progress to verbose. (Run restorecon with -v instead of -p) .SH "ARGUMENTS" One of: diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 index 9f911fb..35277e9 100644 --- a/policycoreutils/semodule/semodule.8 +++ b/policycoreutils/semodule/semodule.8 @@ -21,7 +21,7 @@ by semodule_package. Conventionally, these files have a .pp suffix force a reload of policy .TP .B \-B, \-\-build -force a rebuild of policy (also reloads unless -n is used) +force a rebuild of policy (also reloads unless \-n is used) .TP .B \-D, \-\-disable_dontaudit Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt @@ -65,19 +65,19 @@ be verbose .SH EXAMPLE .nf # Install or replace a base policy package. -$ semodule -b base.pp +$ semodule \-b base.pp # Install or replace a non-base policy package. -$ semodule -i httpd.pp +$ semodule \-i httpd.pp # List non-base modules. -$ semodule -l +$ semodule \-l # Turn on all AVC Messages for which SELinux currently is "dontaudit"ing. -$ semodule -DB +$ semodule \-DB # Turn "dontaudit" rules back on. -$ semodule -B +$ semodule \-B # Install or replace all non-base modules in the current directory. -$ semodule -i *.pp +$ semodule \-i *.pp # Install or replace all modules in the current directory. -$ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i +$ ls *.pp | grep \-Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule \-b base.pp \-i .fi .SH SEE ALSO diff --git a/policycoreutils/semodule_deps/semodule_deps.8 b/policycoreutils/semodule_deps/semodule_deps.8 index 86b7b3c..6f21a64 100644 --- a/policycoreutils/semodule_deps/semodule_deps.8 +++ b/policycoreutils/semodule_deps/semodule_deps.8 
@@ -3,7 +3,7 @@ semodule_deps \- show the dependencies between SELinux policy packages. .SH SYNOPSIS -.B semodule_deps [-v -g -b] basemodpkg modpkg1 [modpkg2 ... ] +.B semodule_deps [\-v \-g \-b] basemodpkg modpkg1 [modpkg2 ... ] .br .SH DESCRIPTION .PP @@ -19,12 +19,12 @@ general this means that the list of modules will usually be quite long. By default options to the base module are excluded as almost every -module has this dependency. The -b option will include these +module has this dependency. The \-b option will include these dependencies. In addition to human readable output, semodule_deps can output the dependencies in the Graphviz dot format (http://www.graphviz.org/) -using the -g option. This is useful for producing a picture of the +using the \-g option. This is useful for producing a picture of the dependencies. .SH "OPTIONS" diff --git a/policycoreutils/semodule_package/semodule_package.8 b/policycoreutils/semodule_package/semodule_package.8 index ddad2d2..563d526 100644 --- a/policycoreutils/semodule_package/semodule_package.8 +++ b/policycoreutils/semodule_package/semodule_package.8 @@ -3,7 +3,7 @@ semodule_package \- Create a SELinux policy module package. .SH SYNOPSIS -.B semodule_package -o <output file> -m <module> [-f <file contexts>] +.B semodule_package \-o <output file> \-m <module> [\-f <file contexts>] .br .SH DESCRIPTION .PP @@ -16,11 +16,11 @@ be installed via semodule. .SH EXAMPLE .nf # Build a policy package for a base module. -$ semodule_package -o base.pp -m base.mod -f file_contexts +$ semodule_package \-o base.pp \-m base.mod \-f file_contexts # Build a policy package for a httpd module. -$ semodule_package -o httpd.pp -m httpd.mod -f httpd.fc +$ semodule_package \-o httpd.pp \-m httpd.mod \-f httpd.fc # Build a policy package for local TE rules and no file contexts. -$ semodule_package -o local.pp -m local.mod +$ semodule_package \-o local.pp \-m local.mod .fi .SH "OPTIONS" 
diff --git a/policycoreutils/semodule_package/semodule_unpackage.8 b/policycoreutils/semodule_package/semodule_unpackage.8 index 62dd53e..d6e1be0 100644 --- a/policycoreutils/semodule_package/semodule_unpackage.8 +++ b/policycoreutils/semodule_package/semodule_unpackage.8 @@ -1,6 +1,6 @@ .TH SEMODULE_PACKAGE "8" "Nov 2005" "Security Enhanced Linux" NSA .SH NAME -semodule_unpackage \- Extract polciy module and file context file from an SELinux policy module unpackage. +semodule_unpackage \- Extract policy module and file context file from an SELinux policy module unpackage. .SH SYNOPSIS .B semodule_unpackage <module> [<file contexts>] diff --git a/policycoreutils/sestatus/sestatus.conf.5 b/policycoreutils/sestatus/sestatus.conf.5 index d2bb3fe..acfedf6 100644 --- a/policycoreutils/sestatus/sestatus.conf.5 +++ b/policycoreutils/sestatus/sestatus.conf.5 @@ -49,7 +49,7 @@ The start of the file list block. .RE .I file_name .RS -One or more fully qualified file names, each on a new line will that will have its context displayed. If the file does not exist, then it is ignored. If the file is a symbolic link, then \fBsestatus -v\fR will also display the target file context. +One or more fully qualified file names, each on a new line will that will have its context displayed. If the file does not exist, then it is ignored. If the file is a symbolic link, then \fBsestatus \-v\fR will also display the target file context. .RE .sp .B [process] diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 index 80b6d6e..672bbd2 100644 --- a/policycoreutils/setfiles/restorecon.8 +++ b/policycoreutils/setfiles/restorecon.8 
@@ -4,10 +4,10 @@ restorecon \- restore file(s) default SELinux security contexts. .SH "SYNOPSIS" .B restorecon -.I [\-o outfilename] [\-R] [\-n] [\-p] [\-v] [\-e directory] pathname... +.I [\-R] [\-n] [\-p] [\-v] [\-e directory] pathname... .P .B restorecon -.I \-f infilename [\-o outfilename] [\-e directory] [\-R] [\-n] [\-p] [\-v] [\-F] +.I \-f infilename [\-e directory] [\-R] [\-n] [\-p] [\-v] [\-F] .SH "DESCRIPTION" This manual page describes the @@ -20,17 +20,21 @@ This program is primarily used to set the security context It can also be run at any other time to correct inconsistent labels, to add support for newly-installed policy or, by using the \-n option, to passively check whether the file contexts are all set as specified by the active policy -(default behavior) or by some other policy (see the \-c option). +(default behavior). .P If a file object does not have a context, restorecon will write the default context to the file object's extended attributes. If a file object has a context, restorecon will only modify the type portion of the security context. The -F option will force a replacement of the entire context. +.P +It is the same executable as +.BR setfiles +but operates in a slightly different manner depending on it's argv[0]. .SH "OPTIONS" .TP .B \-e directory -exclude a directory (repeat the option to exclude more than one directory). +exclude a directory (repeat the option to exclude more than one directory, Requires full path). .TP .B \-f infilename infilename contains a list of files to be processed. Use \- for stdin. 
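Review bot: in the restorecon.8 DESCRIPTION hunk, `depending on it's argv[0]` should read `its argv[0]`, and `.BR setfiles` has only one argument, so the bold/roman alternation does nothing; `.BR setfiles (8)` gives the usual cross-reference form. In the `\-e directory` line, `more than one directory, Requires full path)` needs a lower-case `requires` or a sentence break. Dropping `(see the \-c option)` is right since restorecon has no `\-c`, and removing `[\-o outfilename]` from the synopsis matches the deprecated `\-o` entry that follows.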
@@ -46,10 +50,10 @@ display usage information and exit. ignore files that do not exist. .TP .B \-n -don't change any file labels (passive check). +don't change any file labels (passive check). To display the files whose labels would be changed, add -v. .TP .B \-o outfilename -save list of files with incorrect context in outfilename. +Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename. .TP .B \-p show progress by printing * every STAR_COUNT files. (If you relabel the entire OS, this will show you the percentage complete.) diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 index 89d2a49..57067d2 100644 --- a/policycoreutils/setfiles/setfiles.8 +++ b/policycoreutils/setfiles/setfiles.8 @@ -4,7 +4,7 @@ setfiles \- set SELinux file security contexts. .SH "SYNOPSIS" .B setfiles -.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname... +.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-p] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname... .SH "DESCRIPTION" This manual page describes the .BR setfiles @@ -23,7 +23,7 @@ check whether the file contexts are all set as specified by the active policy If a file object does not have a context, setfiles will write the default context to the file object's extended attributes. If a file object has a context, setfiles will only modify the type portion of the security context. -The -F option will force a replacement of the entire context. +The \-F option will force a replacement of the entire context. .SH "OPTIONS" .TP .B \-c 
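Review bot: the setfiles.8 SYNOPSIS hunk adds `[\-p]` but still lists `[\-o filename]`, while the same patch drops `[\-o outfilename]` from the restorecon.8 synopsis and marks `\-o` deprecated in both pages; treat the two pages the same way, either keeping the deprecated option in both synopses or removing it from both.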
@@ -57,7 +57,7 @@ log changes in file labels to syslog. don't change any file labels (passive check). .TP .B \-o filename -save list of files with incorrect context in filename. +Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename. .TP .B \-p show progress by printing * every STAR_COUNT files. (If you relabel the entire OS, this will show you the percentage complete.) diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8 index 38abeb8..916a58c 100644 --- a/policycoreutils/setsebool/setsebool.8 +++ b/policycoreutils/setsebool/setsebool.8 @@ -4,21 +4,23 @@ setsebool \- set SELinux boolean value .SH "SYNOPSIS" .B setsebool -.I "[ -PN ] boolean value | bool1=val1 bool2=val2 ..." +.I "[ \-PNV ] boolean value | bool1=val1 bool2=val2 ..." .SH "DESCRIPTION" .B setsebool sets the current state of a particular SELinux boolean or a list of booleans to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it. -Without the -P option, only the current boolean value is +Without the \-P option, only the current boolean value is affected; the boot-time default settings are not changed. -If the -P option is given, all pending values are written to +If the \-P option is given, all pending values are written to the policy file on disk. So they will be persistent across reboots. -If the -N option is given, the policy on disk is not reloaded into the kernel. +If the \-N option is given, the policy on disk is not reloaded into the kernel. + +If the \-V option is given, verbose error messages will be printed from semanage libraries. .SH AUTHOR @@ -26,4 +28,4 @@ This manual page was written by Dan Walsh <dwalsh@xxxxxxxxxx>. The program was written by Tresys Technology. .SH "SEE ALSO" -getsebool(8), booleans(8), togglesebool(8) +getsebool(8), booleans(8), togglesebool(8), semanage(8) -- 1.8.3.1
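Review bot: in the sandbox.8 OPTIONS hunk the tags `\fB\-h\ \fB\\-\-help\fR` and `\fB\-H\ \fB\\-\-homedir\fR` use a doubled backslash, which groff prints as a literal `\` before `--help`; write them the way the other entries are written, `\fB\-h\fR \fB\-\-help\fR`. The rewritten tags also lose the argument placeholders that the SYNOPSIS still shows (`homedir`, `file`, `inputfile`, `level`, `type`, `tmpdir`, `windowsize`, `windowmanager`, `DPI`), e.g. `\fB\-H\fR \fB\-\-homedir\fR homedir`. Two formatting slips: the blank line inserted after the `\-w` tag ends the `.TP` paragraph before its description, and `Use capabilities within the` sits on the `\-C` tag line, so it is set as part of the tag. Changing the `\-W` default from `/usr/bin/matchbox-window-manager` to `/usr/bin/openbox` is a content change that belongs in the commit message, and `current X Sever DPI` in the `\-d` line still carries the typo.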
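Review bot: in the chcat.8 SYNOPSIS hunk `\fI-L\fR [ \-l ]` escapes `\-l` but leaves `-L` (and `[\fI-d\fR]` on the context line) with a plain hyphen; escape all of them in the same pass.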
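Review bot: in the fixfiles.8 OPTIONS hunk the new `\-N time` entry says files "created after the specified date", but `find --newermt` compares modification time, so write "modified after", and escape the flag as `find \-\-newermt`. The `\-B` entry reads "this fixfiles will record"; "fixfiles will record" is enough. The `.B -v` tag and "(Run restorecon with -v instead of -p)" are the only unescaped hyphens left in this option list, and the blank line added between the `\-N` description and the next `.TP` is unnecessary.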
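Review bot: the semodule_unpackage.8 hunk fixes `polciy` but leaves the NAME line ending in "from an SELinux policy module unpackage", where "package" is meant, and the `.TH SEMODULE_PACKAGE` title on the context line names the wrong page; both are worth fixing in a manpage-cleanup series.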
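Review bot: the sestatus.conf.5 hunk rewrites the line but keeps "each on a new line will that will have its context displayed"; drop the first "will" while touching it.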
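Review bot: in the restorecon.8 OPTIONS hunk, "add -v" in the `\-n` entry is left unescaped, and the new `\-o` text "Deprecated, SELinux policy will probably block this access" does not tell the reader which access is denied or why; state it concretely, or simply mark the option deprecated and point to shell redirection of the `\-n \-v` output as the replacement.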
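Review bot: the setfiles.8 `\-o filename` hunk copies the restorecon wording "Deprecated, SELinux policy will probably block this access"; the same request applies here: say which access is denied, or just mark the option deprecated and point to shell redirection, and make the synopsis (which still lists `[\-o filename]`) agree with whichever choice is made.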