Re: [PATCH 1/5] policycoreutils: Add examples to man pages

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Vit Mojzis <vmojzis@xxxxxxxxxx> writes:

> While at it, remove trailing whitespaces.
>
> Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>

See my comments bellow.

> ---
>  policycoreutils/scripts/fixfiles.8          | 35 +++++++++++++--------
>  policycoreutils/secon/secon.1               | 12 +++++--
>  policycoreutils/semodule/semodule.8         | 14 ++++-----
>  policycoreutils/setfiles/restorecon.8       |  9 ++++++
>  policycoreutils/setfiles/restorecon_xattr.8 |  7 +++++
>  policycoreutils/setfiles/setfiles.8         |  9 ++++++
>  policycoreutils/setsebool/setsebool.8       | 16 +++++++---
>  7 files changed, 75 insertions(+), 27 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
> index 9a317d91..2365df19 100644
> --- a/policycoreutils/scripts/fixfiles.8
> +++ b/policycoreutils/scripts/fixfiles.8
> @@ -14,7 +14,7 @@ fixfiles \- fix file SELinux security contexts.
>  .B fixfiles
>  .I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }
>  
> -.B fixfiles 
> +.B fixfiles
>  .I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
>  
>  .B fixfiles
> @@ -31,7 +31,7 @@ This manual page describes the
>  script.
>  .P
>  This script is primarily used to correct the security context
> -database (extended attributes) on filesystems.  
> +database (extended attributes) on filesystems.
>  .P
>  It can also be run at any time to relabel when adding support for
>  new policy, or  just check whether the file contexts are all
> @@ -41,29 +41,29 @@ option.  You can use the \-R flag to use rpmpackages as an alternative.
>  The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
>  excluded from relabeling.
>  .P
> -.B fixfiles onboot 
> +.B fixfiles onboot
>  will setup the machine to relabel on the next reboot.
>  
>  .SH "OPTIONS"
> -.TP 
> +.TP
>  .B \-B
>  If specified with onboot, this fixfiles will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, the restore will only affect files that were modified today.
>  .TP
>  .B \-F
>  Force reset of context to match file_context for customizable files
>  
> -.TP 
> +.TP
>  .B \-f
>  Clear /tmp directory with out prompt for removal.
>  
> -.TP 
> +.TP
>  .B \-R rpmpackagename[,rpmpackagename...]
>  Use the rpm database to discover all files within the specified packages and restore the file contexts.
>  .TP
>  .B \-C PREVIOUS_FILECONTEXT
>  Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
>  
> -.TP 
> +.TP
>  .B \-N time
>  Only act on files created after the specified date.  Date must be specified in
>  "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.
> @@ -83,19 +83,29 @@ Use parallel relabeling, see
>  
>  .SH "ARGUMENTS"
>  One of:
> -.TP 
> +.TP
>  .B check | verify
>  print any incorrect file context labels, showing old and new context, but do not change them.
> -.TP 
> +.TP
>  .B restore
>  change any incorrect file context labels.
> -.TP 
> +.TP
>  .B relabel
>  Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
> -.TP 
> -.B [[dir/file] ... ] 
> +.TP
> +.B [[dir/file] ... ]
>  List of files or directories trees that you wish to check file context on.
>  
> +.SH EXAMPLE
> +.nf
> +Clear /tmp and relabel the whole filesystem, forcing relabeling of customizable types.
> +Note that all paths listed in /etc/selinux/fixfiles_exclude_dirs will be ignored
> +# fixfiles -f -F relabel

I think that leaning /tmp in running system could break user sessions so it's
important to note that. Or avoid -f in examples completely.

> +Schedule the machine to relabel on the next boot
> +# fixfiles onboot

I'd add (or change it) to `fixfiles -F onboot`

> +Check labeling of all files from the samba package (while not changing any labels)
> +# fixfiles -R samba check
> +
>  .SH "AUTHOR"
>  This man page was written by Richard Hally <rhally@xxxxxxxxxxxxxx>.
>  The script  was written by Dan Walsh <dwalsh@xxxxxxxxxx>
> @@ -103,4 +113,3 @@ The script  was written by Dan Walsh <dwalsh@xxxxxxxxxx>
>  .SH "SEE ALSO"
>  .BR setfiles (8),
>  .BR restorecon (8)
> -
> diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1
> index 501b5cb8..c0e8b05a 100644
> --- a/policycoreutils/secon/secon.1
> +++ b/policycoreutils/secon/secon.1
> @@ -107,16 +107,24 @@ then the context will be read from stdin.
>  .br
>  If there is no argument,
>  .B secon
> -will try reading a context from stdin, if that is not a tty, otherwise 
> +will try reading a context from stdin, if that is not a tty, otherwise
>  .B secon
>  will act as though \fB\-\-self\fR had been passed.
>  .PP
>  If none of \fB\-\-user\fR, \fB\-\-role\fR, \fB\-\-type\fR, \fB\-\-level\fR or
>  \fB\-\-mls\-range\fR is passed.
>  Then all of them will be output.
> +
> +.SH EXAMPLE
> +.nf
> +Show SElinux context of the init process
> +# secon --pid 1
> +Parse the type portion of given security context
> +# secon -t system_u:object_r:httpd_sys_rw_content_t:s0
> +
>  .PP
>  .SH SEE ALSO
>  .BR chcon (1)
>  .SH AUTHORS
>  .nf
> -James Antill (james.antill@xxxxxxxxxx) 
> +James Antill (james.antill@xxxxxxxxxx)
> diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
> index c56e580f..01757b00 100644
> --- a/policycoreutils/semodule/semodule.8
> +++ b/policycoreutils/semodule/semodule.8
> @@ -1,5 +1,5 @@
>  .TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
> -.SH NAME 
> +.SH NAME
>  semodule \- Manage SELinux policy modules.
>  
>  .SH SYNOPSIS
> @@ -8,7 +8,7 @@ semodule \- Manage SELinux policy modules.
>  .SH DESCRIPTION
>  .PP
>  semodule is the tool used to manage SELinux policy modules,
> -including installing, upgrading, listing and removing modules.  
> +including installing, upgrading, listing and removing modules.
>  semodule may also be used to force a rebuild of policy from the
>  module store and/or to force a reload of policy without performing
>  any other transaction.  semodule acts on module packages created
> @@ -39,7 +39,7 @@ install/replace a module package
>  .B  \-u,\-\-upgrade=MODULE_PKG
>  deprecated, alias for --install
>  .TP
> -.B  \-b,\-\-base=MODULE_PKG   
> +.B  \-b,\-\-base=MODULE_PKG
>  deprecated, alias for --install
>  .TP
>  .B  \-r,\-\-remove=MODULE_NAME
> @@ -77,7 +77,7 @@ name of the store to operate on
>  .B  \-n,\-\-noreload,\-N
>  do not reload policy after commit
>  .TP
> -.B  \-h,\-\-help        
> +.B  \-h,\-\-help
>  prints help message and quit
>  .TP
>  .B \-P,\-\-preserve_tunables
> @@ -92,7 +92,7 @@ Use an alternate path for the policy root
>  .B \-S,\-\-store-path
>  Use an alternate path for the policy store root
>  .TP
> -.B  \-v,\-\-verbose     
> +.B  \-v,\-\-verbose
>  be verbose
>  .TP
>  .B  \-c,\-\-cil
> @@ -131,8 +131,6 @@ $ semodule \-B
>  $ semodule \-d alsa
>  # Install a module at a specific priority.
>  $ semodule \-X 100 \-i alsa.pp
> -# List all modules.
> -$ semodule \-\-list=full

Why is this removed?


>  # Set an alternate path for the policy root
>  $ semodule \-B \-p "/tmp"
>  # Set an alternate path for the policy store root
> @@ -143,6 +141,8 @@ $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
>  # Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
>  $ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
>  $ semodule -l -m | grep localmodule
> +# Translate binary module file into CIL (useful for debugging installation errors)
> +$ /usr/libexec/selinux/hll/pp alsa.pp > alsa.cil
>  .fi

I'd put this before the check above, i.e. translate a binary first and then get checksum so that
/usr/libexec/selinux/hll/pp is used only once and it's clear what it
does.


>  .SH SEE ALSO
> diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
> index e07db2c8..c3cc5c9b 100644
> --- a/policycoreutils/setfiles/restorecon.8
> +++ b/policycoreutils/setfiles/restorecon.8
> @@ -224,6 +224,15 @@ and provided the
>  option is NOT set and recursive mode is set, files will be relabeled as
>  required with the digests then being updated provided there are no errors.
>  
> +.SH EXAMPLE
> +.nf
> +Fix labeling of /var/www/ including all sub-directories and list all context changes
> +# restorecon -rv /var/www/
> +List mislabeled files in user home directory and what the correct label should be
> +# restorecon -nvr ~
> +Fix labeling of files listed in file_list file, ignoring any that do not exist
> +# restorecon -vif file_list
> +

I personally prefer when options are not joined - restorecon -n -v -r ...

>  .SH "AUTHOR"
>  This man page was written by Dan Walsh <dwalsh@xxxxxxxxxx>.
>  Some of the content of this man page was taken from the setfiles
> diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
> index e04528e6..51d12a4d 100644
> --- a/policycoreutils/setfiles/restorecon_xattr.8
> +++ b/policycoreutils/setfiles/restorecon_xattr.8
> @@ -112,6 +112,13 @@ If the option is not specified, then the default file_contexts will be used.
>  .br
>  the pathname of the directory tree to be searched.
>  
> +.SH EXAMPLE
> +.nf
> +List all paths that where assigned a checksum by "restorecon/setfiles -D"
> +# restorecon_xattr -r /
> +Remove all non-matching checksums
> +# restorecon_xattr -rd /
> +
>  .SH "SEE ALSO"
>  .BR restorecon (8),
>  .BR setfiles (8)
> diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
> index bf26e161..892a5062 100644
> --- a/policycoreutils/setfiles/setfiles.8
> +++ b/policycoreutils/setfiles/setfiles.8
> @@ -289,6 +289,15 @@ and provided the
>  option is NOT set, files will be relabeled as required with the digests then
>  being updated provided there are no errors.
>  
> +.SH EXAMPLE
> +.nf
> +Fix labeling of /var/www/ including all sub-directories, using targeted policy file context definitions and list all context changes
> +# setfiles -v /etc/selinux/targeted/contexts/files/file_contexts /var/www/
> +List mislabeled files in user home directory and what the label should be based on targeted policy file context definitions
> +# setfiles -nv /etc/selinux/targeted/contexts/files/file_contexts ~
> +Fix labeling of files listed in file_list file, ignoring any that do not exist
> +# setfiles -vif file_list /etc/selinux/targeted/contexts/files/file_contexts
> +
>  .SH "AUTHOR"
>  This man page was written by Russell Coker <russell@xxxxxxxxxxxx>.
>  The program was written by Stephen Smalley <sds@xxxxxxxxxxxxx>
> diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
> index 52936f5a..f54664fb 100644
> --- a/policycoreutils/setsebool/setsebool.8
> +++ b/policycoreutils/setsebool/setsebool.8
> @@ -7,13 +7,13 @@ setsebool \- set SELinux boolean value
>  .I "[ \-PNV ] boolean value | bool1=val1 bool2=val2 ..."
>  
>  .SH "DESCRIPTION"
> -.B setsebool 
> -sets the current state of a particular SELinux boolean or a list of booleans 
> -to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it. 
> +.B setsebool
> +sets the current state of a particular SELinux boolean or a list of booleans
> +to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
>  
>  Without the \-P option, only the current boolean value is
> -affected; the boot-time default settings 
> -are not changed. 
> +affected; the boot-time default settings
> +are not changed.
>  
>  If the \-P option is given, all pending values are written to
>  the policy file on disk. So they will be persistent across reboots.
> @@ -22,6 +22,12 @@ If the \-N option is given, the policy on disk is not reloaded into the kernel.
>  
>  If the \-V option is given, verbose error messages will be printed from semanage libraries.
>  
> +.SH EXAMPLE
> +.nf
> +Enable container_use_devices boolean (will return to persistent value after reboot)
> +# setsebool container_use_devices 1
> +Persistently enable samba_create_home_dirs and samba_enable_home_dirs booleans
> +# setsebool -P samba_create_home_dirs=on samba_enable_home_dirs=on
>  
>  .SH AUTHOR
>  This manual page was written by Dan Walsh <dwalsh@xxxxxxxxxx>.
> -- 
> 2.40.0




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux