-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In an effort to better document semanage we have broken it up into many
different man pages.
This patch looks good to me. acked.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlJpNDYACgkQrlYvE4MpobPl9ACgpXgPKgIi2fC4F8nbePx782aH
ogYAoL8XmduKDWKdcLiV5K08ZzEAlFAM
=eK2l
-----END PGP SIGNATURE-----
>From cc994ba28b68d8cdc8c3f41f7e432b641612c693 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Fri, 11 Oct 2013 08:34:44 -0400
Subject: [PATCH 42/74] Break the semanage man page into different man pages
per category.
This adds a lot of new man pages but cleans up the descriptions and makes it
much easier to handle.
---
policycoreutils/semanage/Makefile | 2 +-
policycoreutils/semanage/semanage-boolean.8 | 61 +++++++
policycoreutils/semanage/semanage-dontaudit.8 | 34 ++++
policycoreutils/semanage/semanage-export.8 | 37 ++++
policycoreutils/semanage/semanage-fcontext.8 | 87 ++++++++++
policycoreutils/semanage/semanage-import.8 | 36 ++++
policycoreutils/semanage/semanage-interface.8 | 63 +++++++
policycoreutils/semanage/semanage-login.8 | 68 ++++++++
policycoreutils/semanage/semanage-module.8 | 60 +++++++
policycoreutils/semanage/semanage-node.8 | 58 +++++++
policycoreutils/semanage/semanage-permissive.8 | 45 +++++
policycoreutils/semanage/semanage-port.8 | 68 ++++++++
policycoreutils/semanage/semanage-user.8 | 71 ++++++++
policycoreutils/semanage/semanage.8 | 231 +++++--------------------
14 files changed, 731 insertions(+), 190 deletions(-)
create mode 100644 policycoreutils/semanage/semanage-boolean.8
create mode 100644 policycoreutils/semanage/semanage-dontaudit.8
create mode 100644 policycoreutils/semanage/semanage-export.8
create mode 100644 policycoreutils/semanage/semanage-fcontext.8
create mode 100644 policycoreutils/semanage/semanage-import.8
create mode 100644 policycoreutils/semanage/semanage-interface.8
create mode 100644 policycoreutils/semanage/semanage-login.8
create mode 100644 policycoreutils/semanage/semanage-module.8
create mode 100644 policycoreutils/semanage/semanage-node.8
create mode 100644 policycoreutils/semanage/semanage-permissive.8
create mode 100644 policycoreutils/semanage/semanage-port.8
create mode 100644 policycoreutils/semanage/semanage-user.8
diff --git a/policycoreutils/semanage/Makefile b/policycoreutils/semanage/Makefile
index b797d83..6624f03 100644
--- a/policycoreutils/semanage/Makefile
+++ b/policycoreutils/semanage/Makefile
@@ -17,7 +17,7 @@ install: all
[ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8
-mkdir -p $(SBINDIR)
install -m 755 semanage $(SBINDIR)
- install -m 644 semanage.8 $(MANDIR)/man8
+ install -m 644 *.8 $(MANDIR)/man8
test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages
install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages
-mkdir -p $(BASHCOMPLETIONDIR)
diff --git a/policycoreutils/semanage/semanage-boolean.8 b/policycoreutils/semanage/semanage-boolean.8
new file mode 100644
index 0000000..361a8d3
--- /dev/null
+++ b/policycoreutils/semanage/semanage-boolean.8
@@ -0,0 +1,61 @@
+.TH "semanage-boolean" "8" "20130617" "" ""
+.SH "NAME"
+semanage boolean\- SELinux Policy Management boolean tool
+.SH "SYNOPSIS"
+.B semanage boolean [\-h] [\-n] [\-N] [\-s STORE] [ \-\-extract | \-\-deleteall | \-\-list [\-C] | \-\-modify ( \-\-on | \-\-off ) boolean ]
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of
+SELinux policy without requiring modification to or recompilation
+from policy sources. semanage boolean command controls the settings of booleans in SELinux policy. booleans are if\-then\-else rules written in SELinux Policy. They can be used to customize the way that SELinux Policy rules effect a confined domain.
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-n, \-\-noheading
+Do not print heading when listing the specified object type
+.TP
+.I \-N, \-\-noreload
+Do not reload policy after commit
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+.TP
+.I \-C, \-\-locallist
+List local customizations
+.TP
+.I \-m, \-\-modify
+Modify a record of the specified object type
+.TP
+.I \-l, \-\-list
+List records of the specified object type
+.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
+.I \-D, \-\-deleteall
+Remove all local customizations
+.TP
+.I \-1, \-\-on
+Enable the boolean
+.TP
+.I \-0, \-\-off
+Disable the boolean
+
+.SH EXAMPLE
+.nf
+Turn on the apache can send mail boolan
+# semanage boolean \-m \-\-on httpd_can_sendmail
+
+List customized booleans
+# semanage boolean \-l \-C
+
+.SH "SEE ALSO"
+.B selinux (8),
+.B semanage (8)
+.B setsebool (8)
+.B getsebool (8)
+
+.SH "AUTHOR"
+This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
diff --git a/policycoreutils/semanage/semanage-dontaudit.8 b/policycoreutils/semanage/semanage-dontaudit.8
new file mode 100644
index 0000000..65002f3
--- /dev/null
+++ b/policycoreutils/semanage/semanage-dontaudit.8
@@ -0,0 +1,34 @@
+.TH "semanage-dontaudit" "8" "20130617" "" ""
+.SH "NAME"
+.B semanage dontaudit\- SELinux Policy Management dontaudit tool
+.SH "SYNOPSIS"
+.B semanage dontaudit [\-h] [\-S STORE] [\-N] {on,off}
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of
+SELinux policy without requiring modification to or recompilation
+from policy sources. semanage dontaudit toggles whether or not dontaudit rules will be in the policy. Policy writers use dontaudit rules to cause
+confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Some times dontaudit rules can cause bugs in applications but policy writers will not relize it since the AVC is not audited. Turning off dontaudit rules with this command to see if the kernel is blocking an access.
+
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+.TP
+.I \-N, \-\-noreload
+Do not reload the policy after commit
+
+.SH EXAMPLE
+.nf
+Turn off dontaudit rules
+# semanage dontaudit off
+
+.SH "SEE ALSO"
+.B selinux (8),
+.B semanage (8)
+
+.SH "AUTHOR"
+This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
diff --git a/policycoreutils/semanage/semanage-export.8 b/policycoreutils/semanage/semanage-export.8
new file mode 100644
index 0000000..1b20c82
--- /dev/null
+++ b/policycoreutils/semanage/semanage-export.8
@@ -0,0 +1,37 @@
+.TH "semanage-export" "8" "20130617" "" ""
+.SH "NAME"
+.B semanage export\- SELinux Policy Management import tool
+.SH "SYNOPSIS"
+.B semanage export [\-h] [\-S STORE] [\-f OUTPUT_FILE]
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of
+SELinux policy without requiring modification to or recompilation
+from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a hole group of semanage commands within a file and apply them to a machine in a single transaction.
+
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+.TP
+.I \-f OUTPUT_FILE, \-\-output_file OUTPUT_FILE
+Output file
+
+.SH EXAMPLE
+.nf
+Import semanage modifications from another machine
+# semanage export -f semanage.mods
+# scp semanage.mod remotemachine:
+# ssh remotemachine
+# semanage import -f semanage.mods
+
+.SH "SEE ALSO"
+.B selinux (8),
+.B semanage (8),
+.B semanage-import (8)
+
+.SH "AUTHOR"
+This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
diff --git a/policycoreutils/semanage/semanage-fcontext.8 b/policycoreutils/semanage/semanage-fcontext.8
new file mode 100644
index 0000000..3fdd937
--- /dev/null
+++ b/policycoreutils/semanage/semanage-fcontext.8
@@ -0,0 +1,87 @@
+.TH "semanage-fcontext" "8" "20130617" "" ""
+.SH "NAME"
+semanage fcontext\- SELinux Policy Management file context tool
+
+.SH "SYNOPSIS"
+.B semanage fcontext [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) | \-\-delete ( \-t TYPE \-f FTYPE | \-e EQUAL ) FILE_SPEC ) | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) ]
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of
+SELinux policy without requiring modification to or recompilation
+from policy sources. semanage fcontext is used to manage the default
+file system labeling on an SELinux system. This command maps file paths using regular expressions to SELinux labels.
+
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-n, \-\-noheading
+Do not print heading when listing the specified object type
+.TP
+.I \-N, \-\-noreload
+Do not reload policy after commit
+.TP
+.I \-C, \-\-locallist
+List local customizations
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+.TP
+.I \-a, \-\-add
+Add a record of the specified object type
+.TP
+.I \-d, \-\-delete
+Delete a record of the specified object type
+.TP
+.I \-m, \-\-modify
+Modify a record of the specified object type
+.TP
+.I \-l, \-\-list
+List records of the specified object type
+.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
+.I \-D, \-\-deleteall
+Remove all local customizations
+.TP
+.I \-e EQUAL, \-\-equal EQUAL
+Substitute target path with sourcepath when generating default label. This is used with fcontext. Requires source and target path arguments. The context labeling for the target subtree is made equivalent to that defined for the source.
+.TP
+.I \-f [{a,f,d,c,b,s,l,p}], \-\-ftype [{a,f,d,c,b,s,l,p}]
+File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use 'd' to match only directories or 'f' to match only regular files. The following file type options can be passed: f (regular file),d (directory),c (character device), b (block device),s (socket),l (symbolic link),p (named pipe). If you do not specify a file type, the file type will default to "all files".
+
+.TP
+.I \-s SEUSER, \-\-seuser SEUSER
+SELinux user name
+.TP
+.I \-t TYPE, \-\-type TYPE
+SELinux Type for the object
+.TP
+.I \-r RANGE, \-\-range RANGE
+MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
+
+.SH EXAMPLE
+.nf
+.I remember to run restorecon after you set the file context
+Add file-context for everything under /web
+# semanage fcontext \-a \-t httpd_sys_content_t "/web(/.*)?"
+# restorecon \-R \-v /web
+
+Substitute /home1 with /home when setting file context
+# semanage fcontext \-a \-e /home /home1
+# restorecon \-R \-v /home1
+
+For home directories under top level directory, for example /disk6/home,
+execute the following commands.
+# semanage fcontext \-a \-t home_root_t "/disk6"
+# semanage fcontext \-a \-e /home /disk6/home
+# restorecon \-R \-v /disk6
+
+.SH "SEE ALSO"
+.B selinux (8),
+.B semanage (8)
+
+.SH "AUTHOR"
+This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
diff --git a/policycoreutils/semanage/semanage-import.8 b/policycoreutils/semanage/semanage-import.8
new file mode 100644
index 0000000..fb95a04
--- /dev/null
+++ b/policycoreutils/semanage/semanage-import.8
@@ -0,0 +1,36 @@
+.TH "semanage-import" "8" "20130617" "" ""
+.SH "NAME"
+.B semanage import\- SELinux Policy Management import tool
+.SH "SYNOPSIS"
+.B semanage import [\-h] [\-N] [\-S STORE] [\-f INPUT_FILE]
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of
+SELinux policy without requiring modification to or recompilation
+from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a hole group of semanage commands within a file and apply them to a machine in a single transaction.
+
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-N, \-\-noreload
+Do not reload policy after commit
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+.TP
+.I \-f INPUT_FILE, \-\-input_file INPUT_FILE
+Input file
+.SH EXAMPLE
+.nf
+Import semanage modifications from another machine
+# semanage import -f semanage.mods
+
+.SH "SEE ALSO"
+.B selinux (8),
+.B semanage (8),
+.B semanage-export (8)
+
+.SH "AUTHOR"
+This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
diff --git a/policycoreutils/semanage/semanage-interface.8 b/policycoreutils/semanage/semanage-interface.8
new file mode 100644
index 0000000..c9dd59c
--- /dev/null
+++ b/policycoreutils/semanage/semanage-interface.8
@@ -0,0 +1,63 @@
+.TH "semanage-interface" "8" "20130617" "" ""
+.SH "NAME"
+.B semanage interface\- SELinux Policy Management network interface tool
+.SH "SYNOPSIS"
+.B semanage interface [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-t TYPE \-r RANGE interface | \-\-delete interface | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-r RANGE interface ]
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of
+SELinux policy without requiring modification to or recompilation
+from policy sources. semanage interface controls the labels assigned to network interfaces.
+
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-n, \-\-noheading
+Do not print heading when listing the specified object type
+.TP
+.I \-N, \-\-noreload
+Do not reload policy after commit
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+.TP
+.I \-C, \-\-locallist
+List local customizations
+.TP
+.I \-a, \-\-add
+Add a record of the specified object type
+.TP
+.I \-d, \-\-delete
+Delete a record of the specified object type
+.TP
+.I \-m, \-\-modify
+Modify a record of the specified object type
+.TP
+.I \-l, \-\-list
+List records of the specified object type
+.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
+.I \-D, \-\-deleteall
+Remove all local customizations
+.TP
+.I \-t TYPE, \-\-type TYPE
+SELinux type for the object
+.TP
+.I \-r RANGE, \-\-range RANGE
+MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
+
+.SH EXAMPLE
+.nf
+list all interface defitions
+# semanage interface -l
+
+.SH "SEE ALSO"
+.B selinux (8),
+.B semanage (8)
+
+.SH "AUTHOR"
+This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
diff --git a/policycoreutils/semanage/semanage-login.8 b/policycoreutils/semanage/semanage-login.8
new file mode 100644
index 0000000..78a0ecb
--- /dev/null
+++ b/policycoreutils/semanage/semanage-login.8
@@ -0,0 +1,68 @@
+.TH "semanage-login" "8" "20130617" "" ""
+.SH "NAME"
+.B semanage login\- SELinux Policy Management linux user to SELinux User mapping tool
+.SH "SYNOPSIS"
+.B semanage login [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-s SEUSER \-r RANGE LOGIN | \-\-delete LOGIN | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-s SEUSER \-r RANGE LOGIN ]
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of
+SELinux policy without requiring modification to or recompilation
+from policy sources. semanage login controls the mapping between a Linux User and the SELinux User. It can be used to turn on confined users. For example you could define that a particular user or group of users will login to a system as the user_u user. Prefix the group name with a '%' sign to indicate a group name.
+
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-n, \-\-noheading
+Do not print heading when listing the specified object type
+.TP
+.I \-N, \-\-noreload
+Do not reload policy after commit
+.TP
+.I \-C, \-\-locallist
+List local customizations
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+.TP
+.I \-a, \-\-add
+Add a record of the specified object type
+.TP
+.I \-d, \-\-delete
+Delete a record of the specified object type
+.TP
+.I \-m, \-\-modify
+Modify a record of the specified object type
+.TP
+.I \-l, \-\-list
+List records of the specified object type
+.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
+.I \-D, \-\-deleteall
+Remove all local customizations
+.TP
+.I \-s SEUSER, \-\-seuser SEUSER
+SELinux user name
+.TP
+.I \-r RANGE, \-\-range RANGE
+MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
+
+.SH EXAMPLE
+.nf
+Modify the default user on the system to the guest_u user
+# semanage login -m -s guest_u __default__
+Assign gijoe user on an MLS machine a range and to the staff_u user
+# semanage login -a -s staff_u -rSystemLow-Secret gijoe
+Assign all users in the engineering group to the staff_u user
+# semanage login -a -s staff_u %engineering
+
+.SH "SEE ALSO"
+.B selinux (8),
+.B semanage (8),
+.B semanage-user (8)
+
+.SH "AUTHOR"
+This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
diff --git a/policycoreutils/semanage/semanage-module.8 b/policycoreutils/semanage/semanage-module.8
new file mode 100644
index 0000000..3f82535
--- /dev/null
+++ b/policycoreutils/semanage/semanage-module.8
@@ -0,0 +1,60 @@
+.TH "semanage-module" "8" "20130617" "" ""
+.SH "NAME"
+.B semanage module\\- SELinux Policy Management module mapping tool
+.SH "SYNOPSIS"
+.B semanage module [\-h] [\-n] [\-N] [\-S STORE] (\-a | \-r | \-e | \-d | \-\-extract | \-\-list [\-C] | \-\-deleteall) [module_name]
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage module installs, removes, disables SELinux Policy modules.
+
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-n, \-\-noheading
+Do not print heading when listing the specified object type
+.TP
+.I \-N, \-\-noreload
+Do not reload policy after commit
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+.TP
+.I \-a, \-\-add
+Install specified module
+.TP
+.I \-r, \-\-remove
+Remove specified module
+.TP
+.I \-d \-\-disable
+Disable specified module
+.TP
+.I \-e \-\-enable
+Enable specified module
+.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
+.I \-l, \-\-list
+List records of the specified object type
+.TP
+.I \-C, \-\-locallist
+List local customizations
+
+.SH EXAMPLE
+.nf
+List all modules
+# semanage module \-l
+Disable unconfined module
+# semanage module \-\-disable unconfined
+Install custom apache policy module
+# semanage module \-a myapache
+
+.SH "SEE ALSO"
+.B selinux (8),
+.B semanage (8)
+.B semodule (8)
+
+.SH "AUTHOR"
+This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
diff --git a/policycoreutils/semanage/semanage-node.8 b/policycoreutils/semanage/semanage-node.8
new file mode 100644
index 0000000..75c2d30
--- /dev/null
+++ b/policycoreutils/semanage/semanage-node.8
@@ -0,0 +1,58 @@
+.TH "semanage-node" "8" "20130617" "" ""
+.SH "NAME"
+.B semanage node\- SELinux Policy Management node mapping tool
+.SH "SYNOPSIS"
+.B semanage node [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node | \-\-delete \-M NETMASK \-p PROTOCOL node | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node ]
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of
+SELinux policy without requiring modification to or recompilation
+from policy sources. semanage controls the ipaddress to node type definitions.
+
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-n, \-\-noheading
+Do not print heading when listing the specified object type
+.TP
+.I \-N, \-\-noreload
+Do not reload policy after commit
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+.TP
+.I \-C, \-\-locallist
+List local customizations
+.TP
+.I \-a, \-\-add
+Add a record of the specified object type
+.TP
+.I \-d, \-\-delete
+Delete a record of the specified object type
+.TP
+.I \-m, \-\-modify
+Modify a record of the specified object type
+.TP
+.I \-l, \-\-list
+List records of the specified object type
+.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
+.I \-D, \-\-deleteall
+Remove all local customizations
+.TP
+.I \-M NETMASK, \-\-netmask NETMASK
+Network Mask
+.TP
+.I \-t TYPE, \-\-type TYPE
+SELinux type for the object
+.TP
+.I \-r RANGE, \-\-range RANGE
+MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
+.TP
+.I \-p PROTO, \-\-proto PROTO
+
+Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
diff --git a/policycoreutils/semanage/semanage-permissive.8 b/policycoreutils/semanage/semanage-permissive.8
new file mode 100644
index 0000000..9a143df
--- /dev/null
+++ b/policycoreutils/semanage/semanage-permissive.8
@@ -0,0 +1,45 @@
+.TH "semanage-permissive" "8" "20130617" "" ""
+.SH "NAME"
+.B semanage permissive \- SELinux Policy Management permissive mapping tool
+.SH "SYNOPSIS"
+.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type]
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module.
+
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-a, \-\-add
+Add a record of the specified object type
+.TP
+.I \-d, \-\-delete
+Delete a record of the specified object type
+.TP
+.I \-l, \-\-list
+List records of the specified object type
+.TP
+.I \-n, \-\-noheading
+Do not print heading when listing the specified object type
+.TP
+.I \-N, \-\-noreload
+Do not reload the policy after commit
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+
+.SH EXAMPLE
+.nf
+List all permissive modules
+# semanage permissive \-l
+Make httpd_t (Web Server) a permissive domain
+# semanage permissive \-a httpd_t
+
+.SH "SEE ALSO"
+.B selinux (8),
+.B semanage (8)
+
+.SH "AUTHOR"
+This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
diff --git a/policycoreutils/semanage/semanage-port.8 b/policycoreutils/semanage/semanage-port.8
new file mode 100644
index 0000000..cd0a1b4
--- /dev/null
+++ b/policycoreutils/semanage/semanage-port.8
@@ -0,0 +1,68 @@
+.TH "semanage-port" "8" "20130617" "" ""
+.SH "NAME"
+.B semanage port\- SELinux Policy Management port mapping tool
+.SH "SYNOPSIS"
+.B semanage port [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range | \-\-delete \-p PROTOCOL port_name | port_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range ]
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage port controls the port number to port type defitions.
+
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-n, \-\-noheading
+Do not print heading when listing the specified object type
+.TP
+.I \-N, \-\-noreload
+Do not reload policy after commit
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+.TP
+.I \-C, \-\-locallist
+List local customizations
+.TP
+.I \-a, \-\-add
+Add a record of the specified object type
+.TP
+.I \-d, \-\-delete
+Delete a record of the specified object type
+.TP
+.I \-m, \-\-modify
+Modify a record of the specified object type
+.TP
+.I \-l, \-\-list
+List records of the specified object type
+.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
+.I \-D, \-\-deleteall
+Remove all local customizations
+.TP
+.I \-t TYPE, \-\-type TYPE
+SELinux type for the object
+.TP
+.I \-r RANGE, \-\-range RANGE
+MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
+.TP
+.I \-p PROTO, \-\-proto PROTO
+Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
+
+.SH EXAMPLE
+.nf
+List all port defitions
+# semanage port \-l
+Allow Apache to listen on tcp port 81
+# semanage port \-a \-t http_port_t \-p tcp 81
+Allow sshd to listen on tcp port 8991
+# semanage port \-a \-t ssh_port_t \-p tcp 8991
+
+.SH "SEE ALSO"
+.B selinux (8),
+.B semanage (8)
+
+.SH "AUTHOR"
+This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
diff --git a/policycoreutils/semanage/semanage-user.8 b/policycoreutils/semanage/semanage-user.8
new file mode 100644
index 0000000..6d8c0cb
--- /dev/null
+++ b/policycoreutils/semanage/semanage-user.8
@@ -0,0 +1,71 @@
+.TH "semanage-user" "8" "20130617" "" ""
+.SH "NAME"
+.B semanage user\- SELinux Policy Management SELinux User mapping tool
+.SH "SYNOPSIS"
+.B semanage user [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name) | \-\-delete selinux_name | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name ) ]
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of
+SELinux policy without requiring modification to or recompilation
+from policy sources. semanage user controls the mapping between an SELinux User and the roles and MLS/MCS levels.
+
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-n, \-\-noheading
+Do not print heading when listing the specified object type
+.TP
+.I \-N, \-\-noreload
+Do not reload policy after commit
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+.TP
+.I \-C, \-\-locallist
+List local customizations
+.TP
+.I \-a, \-\-add
+Add a record of the specified object type
+.TP
+.I \-d, \-\-delete
+Delete a record of the specified object type
+.TP
+.I \-m, \-\-modify
+Modify a record of the specified object type
+.TP
+.I \-l, \-\-list
+List records of the specified object type
+.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
+.I \-D, \-\-deleteall
+Remove all local customizations
+.TP
+.I \-L LEVEL, \-\-level LEVEL
+Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)
+.TP
+.I \-r RANGE, \-\-range RANGE
+MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
+.TP
+.I \-R [ROLES], \-\-roles [ROLES]
+SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
+
+.SH EXAMPLE
+.nf
+List SELinux users
+# semanage user \-l
+Modify groups for staff_u user
+# semanage user \-m \-R "system_r unconfined_r staff_r" staff_u
+Add level for TopSecret Users
+# semanage user \-a \-R "staff_r" -rs0-TopSecret topsecret_u
+
+.SH "SEE ALSO"
+.B selinux (8),
+.B semanage (8)
+.B semanage\-login (8)
+
+.SH "AUTHOR"
+This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8
index 28a9022..90b142e 100644
--- a/policycoreutils/semanage/semanage.8
+++ b/policycoreutils/semanage/semanage.8
@@ -3,70 +3,45 @@
semanage \- SELinux Policy Management tool
.SH "SYNOPSIS"
+.B semanage {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit}
+ ...
+.B positional arguments:
+
+.B import
Output local customizations
-.br
-.B semanage [ -S store ] -o [ output_file | - ]
-Input local customizations
-.br
-.B semanage [ -S store ] -i [ input_file | - ]
+.B export
+Output local customizations
-Manage booleans. Booleans allow the administrator to modify the confinement of
-processes based on his configuration.
-.br
-.B semanage boolean [\-S store] \-{d|m|l|D} [\-nN] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file
+.B login
+Manage login mappings between linux users and SELinux confined users
+.B user
Manage SELinux confined users (Roles and levels for an SELinux user)
-.br
-.B semanage user [\-S store] \-{a|d|m|l|D} [\-LnNPrR] selinux_name
-
-Manage login mappings between linux users and SELinux confined users.
-.br
-.B semanage login [\-S store] \-{a|d|m|l|D} [\-nNrs] login_name | %groupname
-
-Manage policy modules.
-.br
-.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] [\-N] module_name
+.B port
Manage network port type definitions
-.br
-.B semanage port [\-S store] \-{a|d|m|l|D} [\-nNrt] [\-p proto] port | port_range
-.br
+.B interface
Manage network interface type definitions
-.br
-.B semanage interface [\-S store] \-{a|d|m|l|D} [\-nNrt] interface_spec
+.B module
+Manage SELinux policy modules
+
+.B node
Manage network node type definitions
-.br
-.B semanage node [\-S store] -{a|d|m|l|D} [-nNrt] [ -p protocol ] [-M netmask] address
-.br
+.B fcontext
Manage file context mapping definitions
-.br
-.B semanage fcontext [\-S store] \-{l} [\-Cn]
-.br
-.B semanage fcontext [\-S store] \-D [\-N]
-.br
-.B semanage fcontext [\-S store] \-{a|d|m} [\-Nfrst] file_spec
-.br
-.B semanage fcontext [\-S store] \-{a|d|m} \-e replacement target
-.br
-Manage processes type enforcement mode
-.br
-.B semanage permissive [\-S store] \-{a|d|l|D} [\-nN] type
-.br
+.B boolean
+Manage booleans to selectively enable functionality
-Disable/Enable dontaudit rules in policy
-.br
-.B semanage dontaudit [\-N] [\-S store] [ on | off ]
-.P
+.B permissive
+Manage process type enforcement mode
-Execute multiple commands within a single transaction.
-.br
-.B semanage [\-S store] [\-N] \-i command-file
-.br
+.B dontaudit
+Disable/Enable dontaudit rules in policy
.SH "DESCRIPTION"
semanage is used to configure certain elements of
@@ -87,147 +62,23 @@ modification.
.SH "OPTIONS"
.TP
-.I \-a, \-\-add
-Add a OBJECT record NAME
-.TP
-.I \-d, \-\-delete
-Delete a OBJECT record NAME
-.TP
-.I \-D, \-\-deleteall
-Remove all OBJECTS local customizations
-.TP
-.I \-\-disable
-Disable a policy module, requires -m option
-
-Currently modules only.
-.TP
-.I \-\-enable
-Enable a disabled policy module, requires -m option
-
-Currently modules only.
-.TP
-.I \-e, \-\-equal
-Substitute target path with sourcepath when generating default label. This is used with
-fcontext. Requires source and target path arguments. The context
-labeling for the target subtree is made equivalent to that
-defined for the source.
-.TP
-.I \-f, \-\-ftype
-File Type. This is used with fcontext.
-Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
-.TP
-.I \-F, \-\-file
-Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format.
-
-Currently booleans only.
-
-.TP
-.I \-h, \-\-help
-display this message
-.TP
-.I \-l, \-\-list
-List the OBJECTS
-.TP
-.I \-C, \-\-locallist
-List only locally defined settings, not base policy settings.
-.TP
-.I \-L, \-\-level
-Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)
-.TP
-.I \-m, \-\-modify
-Modify a OBJECT record NAME
-.TP
-.I \-M, \-\-mask
-Network Mask
-.TP
-.I \-n, \-\-noheading
-Do not print heading when listing OBJECTS.
-.TP
-.B \-N,\-\-noreload
-do not reload policy after commit
-.TP
-.I \-p, \-\-proto
-Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
-.TP
-.I \-r, \-\-range
-MLS/MCS Security Range (MLS/MCS Systems only)
-SELinux Range for SELinux login mapping defaults to the SELinux user record range.
-SELinux Range for SELinux user defaults to s0.
-.TP
-.I \-R, \-\-roles
-SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
-.TP
-.I \-P, \-\-prefix
-SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories.
-.TP
-.I \-s, \-\-seuser
-SELinux user name
-.TP
-.I \-S, \-\-store
-Select and alternate SELinux store to manage
-.TP
-.I \-t, \-\-type
-SELinux Type for the object
-.TP
-.I \-i, \-\-input
-Take a set of commands from a specified file and load them in a single
-transaction.
-.TP
-.I \-o, \-\-output
-Output all local customizations into a file. This file than can be used with the semanage -i command to customize other machines to match the local machine.
-
-.SH EXAMPLE
-.nf
-.B SELinux user
-List SELinux users
-# semanage user -l
-
-.B SELinux login
-Change joe to login as staff_u
-# semanage login -a -s staff_u joe
-Change the group clerks to login as user_u
-# semanage login -a -s user_u %clerks
-
-.B File contexts
-.i remember to run restorecon after you set the file context
-Add file-context for everything under /web
-# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
-# restorecon -R -v /web
-
-Substitute /home1 with /home when setting file context
-# semanage fcontext -a -e /home /home1
-# restorecon -R -v /home1
-
-For home directories under top level directory, for example /disk6/home,
-execute the following commands.
-# semanage fcontext -a -t home_root_t "/disk6"
-# semanage fcontext -a -e /home /disk6/home
-# restorecon -R -v /disk6
-
-.B Port contexts
-Allow Apache to listen on tcp port 81
-# semanage port -a -t http_port_t -p tcp 81
-
-.B Change apache to a permissive domain
-# semanage permissive -a httpd_t
-
-.B Turn off dontaudit rules
-# semanage dontaudit off
-
-.B Managing multiple machines
-Multiple machines that need the same customizations.
-Extract customizations off first machine, copy them
-to second and import them.
-
-# semanage -o /tmp/local.selinux
-# scp /tmp/local.selinux secondmachine:/tmp
-# ssh secondmachine
-# semanage -i /tmp/local.selinux
-
-If these customizations include file context, you need to apply the
-context using restorecon.
-
-.fi
+.I \-h, \-\-help
+List help information
+
+.SH "SEE ALSO"
+.B selinux (8),
+.B semanage-boolean (8),
+.B semanage-dontaudit (8),
+.B semanage-export (8),
+.B semanage-fcontext (8),
+.B semanage-import (8),
+.B semanage-interface (8),
+.B semanage-login (8),
+.B semanage-module (8),
+.B semanage-node (8),
+.B semanage-permissive (8),
+.B semanage-port (8),
+.B semanage-user (8)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
@@ -235,3 +86,5 @@ This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>
and Russell Coker <rcoker@xxxxxxxxxx>.
.br
Examples by Thomas Bleher <ThomasBleher@xxxxxx>.
+usage: semanage [-h]
+
--
1.8.3.1
