Vit Mojzis <vmojzis@xxxxxxxxxx> writes:
> While at it, remove trailing whitespaces.
>
> Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
See my comments bellow.
> ---
> policycoreutils/scripts/fixfiles.8 | 35 +++++++++++++--------
> policycoreutils/secon/secon.1 | 12 +++++--
> policycoreutils/semodule/semodule.8 | 14 ++++-----
> policycoreutils/setfiles/restorecon.8 | 9 ++++++
> policycoreutils/setfiles/restorecon_xattr.8 | 7 +++++
> policycoreutils/setfiles/setfiles.8 | 9 ++++++
> policycoreutils/setsebool/setsebool.8 | 16 +++++++---
> 7 files changed, 75 insertions(+), 27 deletions(-)
>
> diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
> index 9a317d91..2365df19 100644
> --- a/policycoreutils/scripts/fixfiles.8
> +++ b/policycoreutils/scripts/fixfiles.8
> @@ -14,7 +14,7 @@ fixfiles \- fix file SELinux security contexts.
> .B fixfiles
> .I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }
>
> -.B fixfiles
> +.B fixfiles
> .I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
>
> .B fixfiles
> @@ -31,7 +31,7 @@ This manual page describes the
> script.
> .P
> This script is primarily used to correct the security context
> -database (extended attributes) on filesystems.
> +database (extended attributes) on filesystems.
> .P
> It can also be run at any time to relabel when adding support for
> new policy, or just check whether the file contexts are all
> @@ -41,29 +41,29 @@ option. You can use the \-R flag to use rpmpackages as an alternative.
> The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
> excluded from relabeling.
> .P
> -.B fixfiles onboot
> +.B fixfiles onboot
> will setup the machine to relabel on the next reboot.
>
> .SH "OPTIONS"
> -.TP
> +.TP
> .B \-B
> If specified with onboot, this fixfiles will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, the restore will only affect files that were modified today.
> .TP
> .B \-F
> Force reset of context to match file_context for customizable files
>
> -.TP
> +.TP
> .B \-f
> Clear /tmp directory with out prompt for removal.
>
> -.TP
> +.TP
> .B \-R rpmpackagename[,rpmpackagename...]
> Use the rpm database to discover all files within the specified packages and restore the file contexts.
> .TP
> .B \-C PREVIOUS_FILECONTEXT
> Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
>
> -.TP
> +.TP
> .B \-N time
> Only act on files created after the specified date. Date must be specified in
> "YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command.
> @@ -83,19 +83,29 @@ Use parallel relabeling, see
>
> .SH "ARGUMENTS"
> One of:
> -.TP
> +.TP
> .B check | verify
> print any incorrect file context labels, showing old and new context, but do not change them.
> -.TP
> +.TP
> .B restore
> change any incorrect file context labels.
> -.TP
> +.TP
> .B relabel
> Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
> -.TP
> -.B [[dir/file] ... ]
> +.TP
> +.B [[dir/file] ... ]
> List of files or directories trees that you wish to check file context on.
>
> +.SH EXAMPLE
> +.nf
> +Clear /tmp and relabel the whole filesystem, forcing relabeling of customizable types.
> +Note that all paths listed in /etc/selinux/fixfiles_exclude_dirs will be ignored
> +# fixfiles -f -F relabel
I think that leaning /tmp in running system could break user sessions so it's
important to note that. Or avoid -f in examples completely.
> +Schedule the machine to relabel on the next boot
> +# fixfiles onboot
I'd add (or change it) to `fixfiles -F onboot`
> +Check labeling of all files from the samba package (while not changing any labels)
> +# fixfiles -R samba check
> +
> .SH "AUTHOR"
> This man page was written by Richard Hally <rhally@xxxxxxxxxxxxxx>.
> The script was written by Dan Walsh <dwalsh@xxxxxxxxxx>
> @@ -103,4 +113,3 @@ The script was written by Dan Walsh <dwalsh@xxxxxxxxxx>
> .SH "SEE ALSO"
> .BR setfiles (8),
> .BR restorecon (8)
> -
> diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1
> index 501b5cb8..c0e8b05a 100644
> --- a/policycoreutils/secon/secon.1
> +++ b/policycoreutils/secon/secon.1
> @@ -107,16 +107,24 @@ then the context will be read from stdin.
> .br
> If there is no argument,
> .B secon
> -will try reading a context from stdin, if that is not a tty, otherwise
> +will try reading a context from stdin, if that is not a tty, otherwise
> .B secon
> will act as though \fB\-\-self\fR had been passed.
> .PP
> If none of \fB\-\-user\fR, \fB\-\-role\fR, \fB\-\-type\fR, \fB\-\-level\fR or
> \fB\-\-mls\-range\fR is passed.
> Then all of them will be output.
> +
> +.SH EXAMPLE
> +.nf
> +Show SElinux context of the init process
> +# secon --pid 1
> +Parse the type portion of given security context
> +# secon -t system_u:object_r:httpd_sys_rw_content_t:s0
> +
> .PP
> .SH SEE ALSO
> .BR chcon (1)
> .SH AUTHORS
> .nf
> -James Antill (james.antill@xxxxxxxxxx)
> +James Antill (james.antill@xxxxxxxxxx)
> diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
> index c56e580f..01757b00 100644
> --- a/policycoreutils/semodule/semodule.8
> +++ b/policycoreutils/semodule/semodule.8
> @@ -1,5 +1,5 @@
> .TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
> -.SH NAME
> +.SH NAME
> semodule \- Manage SELinux policy modules.
>
> .SH SYNOPSIS
> @@ -8,7 +8,7 @@ semodule \- Manage SELinux policy modules.
> .SH DESCRIPTION
> .PP
> semodule is the tool used to manage SELinux policy modules,
> -including installing, upgrading, listing and removing modules.
> +including installing, upgrading, listing and removing modules.
> semodule may also be used to force a rebuild of policy from the
> module store and/or to force a reload of policy without performing
> any other transaction. semodule acts on module packages created
> @@ -39,7 +39,7 @@ install/replace a module package
> .B \-u,\-\-upgrade=MODULE_PKG
> deprecated, alias for --install
> .TP
> -.B \-b,\-\-base=MODULE_PKG
> +.B \-b,\-\-base=MODULE_PKG
> deprecated, alias for --install
> .TP
> .B \-r,\-\-remove=MODULE_NAME
> @@ -77,7 +77,7 @@ name of the store to operate on
> .B \-n,\-\-noreload,\-N
> do not reload policy after commit
> .TP
> -.B \-h,\-\-help
> +.B \-h,\-\-help
> prints help message and quit
> .TP
> .B \-P,\-\-preserve_tunables
> @@ -92,7 +92,7 @@ Use an alternate path for the policy root
> .B \-S,\-\-store-path
> Use an alternate path for the policy store root
> .TP
> -.B \-v,\-\-verbose
> +.B \-v,\-\-verbose
> be verbose
> .TP
> .B \-c,\-\-cil
> @@ -131,8 +131,6 @@ $ semodule \-B
> $ semodule \-d alsa
> # Install a module at a specific priority.
> $ semodule \-X 100 \-i alsa.pp
> -# List all modules.
> -$ semodule \-\-list=full
Why is this removed?
> # Set an alternate path for the policy root
> $ semodule \-B \-p "/tmp"
> # Set an alternate path for the policy store root
> @@ -143,6 +141,8 @@ $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
> # Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
> $ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
> $ semodule -l -m | grep localmodule
> +# Translate binary module file into CIL (useful for debugging installation errors)
> +$ /usr/libexec/selinux/hll/pp alsa.pp > alsa.cil
> .fi
I'd put this before the check above, i.e. translate a binary first and then get checksum so that
/usr/libexec/selinux/hll/pp is used only once and it's clear what it
does.
> .SH SEE ALSO
> diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
> index e07db2c8..c3cc5c9b 100644
> --- a/policycoreutils/setfiles/restorecon.8
> +++ b/policycoreutils/setfiles/restorecon.8
> @@ -224,6 +224,15 @@ and provided the
> option is NOT set and recursive mode is set, files will be relabeled as
> required with the digests then being updated provided there are no errors.
>
> +.SH EXAMPLE
> +.nf
> +Fix labeling of /var/www/ including all sub-directories and list all context changes
> +# restorecon -rv /var/www/
> +List mislabeled files in user home directory and what the correct label should be
> +# restorecon -nvr ~
> +Fix labeling of files listed in file_list file, ignoring any that do not exist
> +# restorecon -vif file_list
> +
I personally prefer when options are not joined - restorecon -n -v -r ...
> .SH "AUTHOR"
> This man page was written by Dan Walsh <dwalsh@xxxxxxxxxx>.
> Some of the content of this man page was taken from the setfiles
> diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
> index e04528e6..51d12a4d 100644
> --- a/policycoreutils/setfiles/restorecon_xattr.8
> +++ b/policycoreutils/setfiles/restorecon_xattr.8
> @@ -112,6 +112,13 @@ If the option is not specified, then the default file_contexts will be used.
> .br
> the pathname of the directory tree to be searched.
>
> +.SH EXAMPLE
> +.nf
> +List all paths that where assigned a checksum by "restorecon/setfiles -D"
> +# restorecon_xattr -r /
> +Remove all non-matching checksums
> +# restorecon_xattr -rd /
> +
> .SH "SEE ALSO"
> .BR restorecon (8),
> .BR setfiles (8)
> diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
> index bf26e161..892a5062 100644
> --- a/policycoreutils/setfiles/setfiles.8
> +++ b/policycoreutils/setfiles/setfiles.8
> @@ -289,6 +289,15 @@ and provided the
> option is NOT set, files will be relabeled as required with the digests then
> being updated provided there are no errors.
>
> +.SH EXAMPLE
> +.nf
> +Fix labeling of /var/www/ including all sub-directories, using targeted policy file context definitions and list all context changes
> +# setfiles -v /etc/selinux/targeted/contexts/files/file_contexts /var/www/
> +List mislabeled files in user home directory and what the label should be based on targeted policy file context definitions
> +# setfiles -nv /etc/selinux/targeted/contexts/files/file_contexts ~
> +Fix labeling of files listed in file_list file, ignoring any that do not exist
> +# setfiles -vif file_list /etc/selinux/targeted/contexts/files/file_contexts
> +
> .SH "AUTHOR"
> This man page was written by Russell Coker <russell@xxxxxxxxxxxx>.
> The program was written by Stephen Smalley <sds@xxxxxxxxxxxxx>
> diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
> index 52936f5a..f54664fb 100644
> --- a/policycoreutils/setsebool/setsebool.8
> +++ b/policycoreutils/setsebool/setsebool.8
> @@ -7,13 +7,13 @@ setsebool \- set SELinux boolean value
> .I "[ \-PNV ] boolean value | bool1=val1 bool2=val2 ..."
>
> .SH "DESCRIPTION"
> -.B setsebool
> -sets the current state of a particular SELinux boolean or a list of booleans
> -to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
> +.B setsebool
> +sets the current state of a particular SELinux boolean or a list of booleans
> +to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
>
> Without the \-P option, only the current boolean value is
> -affected; the boot-time default settings
> -are not changed.
> +affected; the boot-time default settings
> +are not changed.
>
> If the \-P option is given, all pending values are written to
> the policy file on disk. So they will be persistent across reboots.
> @@ -22,6 +22,12 @@ If the \-N option is given, the policy on disk is not reloaded into the kernel.
>
> If the \-V option is given, verbose error messages will be printed from semanage libraries.
>
> +.SH EXAMPLE
> +.nf
> +Enable container_use_devices boolean (will return to persistent value after reboot)
> +# setsebool container_use_devices 1
> +Persistently enable samba_create_home_dirs and samba_enable_home_dirs booleans
> +# setsebool -P samba_create_home_dirs=on samba_enable_home_dirs=on
>
> .SH AUTHOR
> This manual page was written by Dan Walsh <dwalsh@xxxxxxxxxx>.
> --
> 2.40.0
