From 57bf9f2c7265ce1021e1ea59480ca54d8e12368e Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jul 27 2012 15:03:47 +0000
Subject: - Regenerate man pages - Dontaudit mysqld_safe sending signull to random domains - Add interface for mysqld to dontaudit signull to all processes - Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group - Allow smbd to read cluster config - Add additional labelinf for passenger - Add labeling for /var/motion - Add amavis_use_jit boolean - Allow mongod to connet to postgresql port
---
diff --git a/genman.py b/genman.py
new file mode 100755
index 0000000..5d2c9bb
--- /dev/null
+++ b/genman.py
@@ -0,0 +1,445 @@ +#! /usr/bin/python -Es +# Copyright (C) 2012 Red Hat +# AUTHOR: Dan Walsh +# see file 'COPYING' for use and warranty information +# +# semanage is a tool for managing SELinux configuration files +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +import seobject +import selinux +import datetime +import setools +import sys + +all_attributes = map(lambda x: x['name'], setools.seinfo(setools.ATTRIBUTE)) +entrypoints = setools.seinfo(setools.ATTRIBUTE,"entry_type")[0]["types"] +alldomains = setools.seinfo(setools.ATTRIBUTE,"domain")[0]["types"] +domains = [] + +for d in alldomains: + found = False + if d[:-2] + "_exec_t" not in entrypoints: + continue + name = d.split("_")[0] + if name in domains or name == "pam": + continue + domains.append(name) + +domains.sort() + +file_types = setools.seinfo(setools.ATTRIBUTE,"file_type")[0]["types"] +file_types.sort() + +port_types = setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"] +port_types.sort() + +portrecs = seobject.portRecords().get_all_by_type() +filerecs = seobject.fcontextRecords() +files_dict = {} +fdict = filerecs.get_all() +for i in fdict: + if fdict[i]: + if fdict[i][2] in files_dict: + files_dict[fdict[i][2]].append(i) + else: + files_dict[fdict[i][2]] = [i] +boolrecs = seobject.booleanRecords() +bools = 
seobject.booleans_dict.keys() + +man = {} +date = datetime.datetime.now().strftime("%d %b %Y") +def prettyprint(f,trim): + return " ".join(f[:-len(trim)].split("_")) + +class ManPage: + def __init__(self, domainname, path="/tmp"): + self.domainname = domainname + if self.domainname[-1]=='d': + self.short_name = self.domainname[:-1] + else: + self.short_name = domainname + + self.anon_list = [] + self.fd = open("%s/%s_selinux.8" % (path, domainname), 'w') + + self.attributes = {} + self.ptypes = [] + self.get_ptypes() + + for domain_type in self.ptypes: + self.attributes[domain_type] = setools.seinfo(setools.TYPE,("%s") % domain_type)[0]["attributes"] + + self.header() + self.booleans() + self.nsswitch_domain() + self.public_content() + self.file_context() + self.port_types() + self.process_types() + self.footer() + self.fd.close() + + def get_ptypes(self): + for f in alldomains: + if f.startswith(self.short_name): + self.ptypes.append(f) + + def header(self): + self.fd.write('.TH "%(domainname)s_selinux" "8" "%(domainname)s" "dwalsh@redhat.com" "%(domainname)s SELinux Policy documentation"' + % {'domainname':self.domainname}) + self.fd.write(r""" +.SH "NAME" +%(domainname)s_selinux \- Security Enhanced Linux Policy for the %(domainname)s processes +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the %(domainname)s processes via flexible mandatory access +control. +""" % {'domainname':self.domainname}) + + + def explain(self, f): + if f.endswith("_var_run_t"): + return "store the %s files under the /run directory." % prettyprint(f, "_var_run_t") + if f.endswith("_pid_t"): + return "store the %s files under the /run directory." % prettyprint(f, "_pid_t") + if f.endswith("_var_lib_t"): + return "store the %s files under the /var/lib directory." % prettyprint(f, "_var_lib_t") + if f.endswith("_var_t"): + return "store the %s files under the /var directory." 
% prettyprint(f, "_var_lib_t") + if f.endswith("_var_spool_t"): + return "store the %s files under the /var/spool directory." % prettyprint(f, "_spool_t") + if f.endswith("_spool_t"): + return "store the %s files under the /var/spool directory." % prettyprint(f, "_spool_t") + if f.endswith("_cache_t") or f.endswith("_var_cache_t"): + return "store the files under the /var/cache directory." + if f.endswith("_keytab_t"): + return "treat the files as kerberos keytab files." + if f.endswith("_lock_t"): + return "treat the files as %s lock data, stored under the /var/lock directory" % prettyprint(f,"_lock_t") + if f.endswith("_log_t"): + return "treat the data as %s log data, usually stored under the /var/log directory." % prettyprint(f,"_log_t") + if f.endswith("_config_t"): + return "treat the files as %s configuration data, usually stored under the /etc directory." % prettyprint(f,"_config_t") + if f.endswith("_conf_t"): + return "treat the files as %s configuration data, usually stored under the /etc directory." % prettyprint(f,"_conf_t") + if f.endswith("_exec_t"): + return "transition an executable to the %s_t domain." % f[:-len("_exec_t")] + if f.endswith("_cgi_content_t"): + return "treat the files as %s cgi content." % prettyprint(f, "_cgi_content_t") + if f.endswith("_rw_content_t"): + return "treat the files as %s read/write content." % prettyprint(f,"_rw_content_t") + if f.endswith("_rw_t"): + return "treat the files as %s read/write content." % prettyprint(f,"_rw_t") + if f.endswith("_write_t"): + return "treat the files as %s read/write content." % prettyprint(f,"_write_t") + if f.endswith("_db_t"): + return "treat the files as %s database content." % prettyprint(f,"_db_t") + if f.endswith("_ra_content_t"): + return "treat the files as %s read/append content." % prettyprint(f,"_ra_conten_t") + if f.endswith("_cert_t"): + return "treat the files as %s certificate data." 
% prettyprint(f,"_cert_t") + if f.endswith("_key_t"): + return "treat the files as %s key data." % prettyprint(f,"_key_t") + + if f.endswith("_secret_t"): + return "treat the files as %s secret data." % prettyprint(f,"_key_t") + + if f.endswith("_ra_t"): + return "treat the files as %s read/append content." % prettyprint(f,"_ra_t") + + if f.endswith("_ro_t"): + return "treat the files as %s read/only content." % prettyprint(f,"_ro_t") + + if f.endswith("_modules_t"): + return "treat the files as %s modules." % prettyprint(f, "_modules_t") + + if f.endswith("_content_t"): + return "treat the files as %s content." % prettyprint(f, "_content_t") + + if f.endswith("_state_t"): + return "treat the files as %s state data." % prettyprint(f, "_state_t") + + if f.endswith("_files_t"): + return "treat the files as %s content." % prettyprint(f, "_files_t") + + if f.endswith("_file_t"): + return "treat the files as %s content." % prettyprint(f, "_file_t") + + if f.endswith("_data_t"): + return "treat the files as %s content." % prettyprint(f, "_data_t") + + if f.endswith("_file_t"): + return "treat the data as %s content." % prettyprint(f, "_file_t") + + if f.endswith("_tmp_t"): + return "store %s temporary files in the /tmp directories." % prettyprint(f, "_tmp_t") + if f.endswith("_etc_t"): + return "store %s files in the /etc directories." % prettyprint(f, "_tmp_t") + if f.endswith("_home_t"): + return "store %s files in the users home directory." % prettyprint(f, "_home_t") + if f.endswith("_tmpfs_t"): + return "store %s files on a tmpfs file system." % prettyprint(f, "_tmpfs_t") + if f.endswith("_unit_file_t"): + return "treat files as a systemd unit file." + if f.endswith("_htaccess_t"): + return "treat the file as a %s access file." % prettyprint(f, "_htaccess_t") + + return "treat the files as %s data." 
% prettyprint(f,"_t") + + def booleans(self): + self.booltext = "" + for b in bools: + if b.find(self.short_name) >= 0: + if b.endswith("anon_write"): + self.anon_list.append(b) + else: + desc = seobject.booleans_dict[b][2][0].lower() + seobject.booleans_dict[b][2][1:-1] + self.booltext += """ +.PP +If you want to %s, you must turn on the %s boolean. + +.EX +.B setsebool -P %s 1 +.EE +""" % (desc, b, b) + + if self.booltext != "": + self.fd.write(""" +.SH BOOLEANS +SELinux policy is customizable based on least access required. %s policy is extremely flexible and has several booleans that allow you to manipulate the policy and run %s with the tightest access possible. + +""" % (self.domainname, self.domainname)) + + self.fd.write(self.booltext) + + def nsswitch_domain(self): + nsswitch_types = [] + nsswitch_booleans = ['authlogin_nsswitch_use_ldap', 'allow_kerberos', 'allow_ypbind'] + nsswitchbooltext = "" + if "nsswitch_domain" in all_attributes: + self.fd.write(""" +.SH NSSWITCH DOMAIN +""") + for k in self.attributes.keys(): + if "nsswitch_domain" in self.attributes[k]: + nsswitch_types.append(k) + + if len(nsswitch_types): + for i in nsswitch_booleans: + desc = seobject.booleans_dict[i][2][0].lower() + seobject.booleans_dict[i][2][1:-1] + nsswitchbooltext += """ +.PP +If you want to %s for the %s, you must turn on the %s boolean. + +.EX +setsebool -P %s 1 +.EE +""" % (desc,(", ".join(nsswitch_types)), i, i) + + self.fd.write(nsswitchbooltext) + + def process_types(self): + if len(self.ptypes) == 0: + return + self.fd.write(r""" +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP +You can see the context of a process using the \fB\-Z\fP option to \fBps\bP +.PP +Policy governs the access confined processes have to files. +SELinux %(domainname)s policy is very flexible allowing users to setup their %(domainname)s processes in as secure a method as possible. 
+.PP +The following process types are defined for %(domainname)s: +""" % {'domainname':self.domainname}) + self.fd.write(""" +.EX +.B %s +.EE""" % ", ".join(self.ptypes)) + self.fd.write(""" +.PP +Note: +.B semanage permissive -a PROCESS_TYPE +can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. +""") + + def port_types(self): + self.ports = [] + for f in port_types: + if f.startswith(self.short_name): + self.ports.append(f) + + if len(self.ports) == 0: + return + self.fd.write(""" +.SH PORT TYPES +SELinux defines port types to represent TCP and UDP ports. +.PP +You can see the types associated with a port by using the following command: + +.B semanage port -l + +.PP +Policy governs the access confined processes have to these ports. +SELinux %(domainname)s policy is very flexible allowing users to setup their %(domainname)s processes in as secure a method as possible. +.PP +The following port types are defined for %(domainname)s:""" % {'domainname':self.domainname}) + + for p in self.ports: + self.fd.write(""" + +.EX +.TP 5 +.B %s +.TP 10 +.EE +""" % p) + once = True + for prot in ( "tcp", "udp" ): + if (p,prot) in portrecs: + if once: + self.fd.write(""" + +Default Defined Ports:""") + once = False + self.fd.write(r""" +%s %s +.EE""" % (prot, ",".join(portrecs[(p,prot)]))) + + def file_context(self): + self.fd.write(r""" +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP +Policy governs the access confined processes have to these files. +SELinux %(domainname)s policy is very flexible allowing users to setup their %(domainname)s processes in as secure a method as possible. 
+.PP +The following file types are defined for %(domainname)s: +""" % {'domainname':self.domainname}) + for f in file_types: + if f.startswith(self.domainname): + self.fd.write(""" + +.EX +.PP +.B %s +.EE + +- Set files with the %s type, if you want to %s +""" % (f, f, self.explain(f))) + + if f in files_dict: + plural = "" + if len(files_dict[f]) > 1: + plural = "s" + self.fd.write(""" +.br +.TP 5 +Path%s: +%s""" % (plural, files_dict[f][0][0])) + for x in files_dict[f][1:]: + self.fd.write(", %s" % x[0]) + + self.fd.write(""" + +.PP +Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon +to apply the labels. +""") + + def public_content(self): + if len(self.anon_list) > 0: + self.fd.write(""" +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. +.TP +Allow %(domainname)s servers to read the /var/%(domainname)s directory by adding the public_content_t file type to the directory and by restoring the file type. +.PP +.B +semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?" +.br +.B restorecon -F -R -v /var/%(domainname)s +.pp +.TP +Allow %(domainname)s servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_%(domainname)sd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/%(domainname)s/incoming(/.*)?" 
+.br +.B restorecon -F -R -v /var/%(domainname)s/incoming + +""" % {'domainname':self.domainname}) + for b in self.anon_list: + desc = seobject.booleans_dict[b][2][0].lower() + seobject.booleans_dict[b][2][1:] + self.fd.write(""" +.PP +If you want to %s, you must turn on the %s boolean. + +.EX +.B setsebool -P %s 1 +.EE +""" % (desc, b, b)) + + def footer(self): + self.fd.write(""" +.SH "COMMANDS" +.B semanage fcontext +can also be used to manipulate default file context mappings. +.PP +.B semanage permissive +can also be used to manipulate whether or not a process type is permissive. +.PP +.B semanage module +can also be used to enable/disable/install/remove policy modules. +""") + + if len(self.ports) > 0: + self.fd.write(""" +.B semanage port +can also be used to manipulate the port definitions +""") + + if self.booltext != "": + self.fd.write(""" +.B semanage boolean +can also be used to manipulate the booleans +""") + + self.fd.write(""" +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. + +.SH AUTHOR +This manual page was autogenerated by genman.py. + +.SH "SEE ALSO" +selinux(8), %s(8), semanage(8), restorecon(8), chcon(1) +""" % self.domainname) + + if self.booltext != "": + self.fd.write(", setsebool(8)") + +for domainname in domains: + ManPage(domainname, sys.argv[1]) diff --git a/policy-F16.patch b/policy-F16.patch index 65efd2f..ef8727d 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -42,23 +42,40 @@ index 168a14f..c2bf491 100644 ######################################## diff --git a/man/man8/NetworkManager_selinux.8 b/man/man8/NetworkManager_selinux.8 new file mode 100644 -index 0000000..74ab63c +index 0000000..b6061a8 --- /dev/null 
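Review bot: Several branches of `explain()` in genman.py pass `prettyprint()` a trim suffix that differs from the one `endswith()` just tested, so the generated description cuts the type name at the wrong place: `_var_t` trims `"_var_lib_t"`, `_var_spool_t` trims `"_spool_t"`, `_ra_content_t` trims `"_ra_conten_t"`, `_secret_t` trims `"_key_t"`, and `_etc_t` trims `"_tmp_t"` (harmless only because the lengths match). The `_unit_file_t` branch is also unreachable because the earlier `_file_t` test matches first, which is why the regenerated NetworkManager page later in this commit describes `NetworkManager_unit_file_t` as "unit content"; the second `_file_t` branch is dead for the same reason. Administrators read these pages to decide which type to assign to a path, so each branch should trim exactly the suffix it tested and the more specific suffix should be checked first, as in the excerpt below. Separately, `ManPage.__init__` defaults `path` to `"/tmp"` and opens a predictable `<domain>_selinux.8` name with mode `'w'`; the script always passes `sys.argv[1]`, so dropping that default would remove a symlink-following hazard for any caller that omits the directory.

```python
    def explain(self, f):
        # … unchanged: _var_run_t, _pid_t, _var_lib_t branches …
        if f.endswith("_var_t"):
            return "store the %s files under the /var directory." % prettyprint(f, "_var_t")
        if f.endswith("_var_spool_t"):
            return "store the %s files under the /var/spool directory." % prettyprint(f, "_var_spool_t")
        # … unchanged: _spool_t through _db_t branches …
        if f.endswith("_ra_content_t"):
            return "treat the files as %s read/append content." % prettyprint(f, "_ra_content_t")
        # … unchanged: _cert_t, _key_t branches …
        if f.endswith("_secret_t"):
            return "treat the files as %s secret data." % prettyprint(f, "_secret_t")
        # … unchanged: _ra_t through _files_t branches …
        # _unit_file_t also ends with _file_t, so it has to be tested first.
        if f.endswith("_unit_file_t"):
            return "treat files as a systemd unit file."
        if f.endswith("_file_t"):
            return "treat the files as %s content." % prettyprint(f, "_file_t")
        # … unchanged: _data_t, _tmp_t branches; the duplicate _file_t branch is dropped …
        if f.endswith("_etc_t"):
            return "store %s files in the /etc directories." % prettyprint(f, "_etc_t")
        # … unchanged: _home_t, _tmpfs_t, _htaccess_t branches and the final fallback …
```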
+++ b/man/man8/NetworkManager_selinux.8 -@@ -0,0 +1,169 @@ +@@ -0,0 +1,182 @@ +.TH "NetworkManager_selinux" "8" "NetworkManager" "dwalsh@redhat.com" "NetworkManager SELinux Policy documentation" +.SH "NAME" +NetworkManager_selinux \- Security Enhanced Linux Policy for the NetworkManager processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B NetworkManager -+(Manager for dynamically switching between networks) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the NetworkManager processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the NetworkManager_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the NetworkManager_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the NetworkManager_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -142,10 +159,6 @@ index 0000000..74ab63c + +- Set files with the NetworkManager_unit_file_t type, if you want to treat the files as NetworkManager unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/NetworkManager\.service, /lib/systemd/system/NetworkManager\.service + +.EX +.PP 
@@ -157,7 +170,7 @@ index 0000000..74ab63c +.br +.TP 5 +Paths: -+/etc/wicd/wired-settings.conf, /var/lib/wicd(/.*)?, /etc/wicd/manager-settings.conf, /etc/wicd/wireless-settings.conf, /var/lib/NetworkManager(/.*)? ++/etc/wicd/wired-settings.conf, /var/lib/wicd(/.*)?, /etc/dhcp/wired-settings.conf, /etc/dhcp/wireless-settings.conf, /etc/wicd/manager-settings.conf, /etc/dhcp/manager-settings.conf, /etc/wicd/wireless-settings.conf, /var/lib/NetworkManager(/.*)? + +.EX +.PP @@ -172,7 +185,7 @@ index 0000000..74ab63c +/var/run/nm-dhclient.*, /var/run/wpa_supplicant(/.*)?, /var/run/NetworkManager\.pid, /var/run/wpa_supplicant-global, /var/run/nm-dns-dnsmasq\.conf, /var/run/NetworkManager(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -217,24 +230,18 @@ index 0000000..74ab63c +selinux(8), NetworkManager(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/abrt_selinux.8 b/man/man8/abrt_selinux.8 new file mode 100644 -index 0000000..1acfb1b +index 0000000..b565daf --- /dev/null 
+++ b/man/man8/abrt_selinux.8 -@@ -0,0 +1,250 @@ +@@ -0,0 +1,279 @@ +.TH "abrt_selinux" "8" "abrt" "dwalsh@redhat.com" "abrt SELinux Policy documentation" +.SH "NAME" +abrt_selinux \- Security Enhanced Linux Policy for the abrt processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B abrt -+(ABRT - automated bug-reporting tool) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the abrt processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. abrt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run abrt with the tightest access possible. + @@ -246,6 +253,29 @@ index 0000000..1acfb1b +.B setsebool -P abrt_handle_event 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the abrt_helper_t, abrt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the abrt_helper_t, abrt_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the abrt_helper_t, abrt_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. +.TP 
@@ -257,7 +287,7 @@ index 0000000..1acfb1b +.B restorecon -F -R -v /var/abrt +.pp +.TP -+Allow abrt servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_abrt_anon_write boolean to be set. ++Allow abrt servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_abrtd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/abrt/incoming(/.*)?" @@ -306,6 +336,10 @@ index 0000000..1acfb1b + +- Set files with the abrt_exec_t type, if you want to transition an executable to the abrt_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/abrtd, /usr/sbin/abrt-dbus + +.EX +.PP @@ -423,8 +457,16 @@ index 0000000..1acfb1b +Paths: +/var/run/abrtd?\.socket, /var/run/abrtd?\.lock, /var/run/abrt(/.*)?, /var/run/abrt\.pid + ++.EX +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B abrt_watch_log_exec_t ++.EE ++ ++- Set files with the abrt_watch_log_exec_t type, if you want to transition an executable to the abrt_watch_log_t domain. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -441,7 +483,7 @@ index 0000000..1acfb1b +The following process types are defined for abrt: + +.EX -+.B abrt_handle_event_t, abrt_helper_t, abrt_retrace_coredump_t, abrt_t, abrt_retrace_worker_t, abrt_dump_oops_t ++.B abrt_handle_event_t, abrt_helper_t, abrt_retrace_coredump_t, abrt_t, abrt_retrace_worker_t, abrt_dump_oops_t, abrt_watch_log_t +.EE +.PP +Note: @@ -474,23 +516,40 @@ index 0000000..1acfb1b \ No newline at end of file 
diff --git a/man/man8/accountsd_selinux.8 b/man/man8/accountsd_selinux.8 new file mode 100644 -index 0000000..4fe880f +index 0000000..e6f5c0b --- /dev/null +++ b/man/man8/accountsd_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,110 @@ +.TH "accountsd_selinux" "8" "accountsd" "dwalsh@redhat.com" "accountsd SELinux Policy documentation" +.SH "NAME" +accountsd_selinux \- Security Enhanced Linux Policy for the accountsd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B accountsd -+(AccountsService and daemon for manipulating user account information via D-Bus) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the accountsd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the accountsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the accountsd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the accountsd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -528,7 +587,7 @@ index 0000000..4fe880f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -573,23 +632,40 @@ index 0000000..4fe880f +selinux(8), accountsd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/acct_selinux.8 b/man/man8/acct_selinux.8 new file mode 100644 -index 0000000..323cee4 +index 0000000..0496e0b --- /dev/null +++ b/man/man8/acct_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,110 @@ +.TH "acct_selinux" "8" "acct" "dwalsh@redhat.com" "acct SELinux Policy documentation" +.SH "NAME" +acct_selinux \- Security Enhanced Linux Policy for the acct processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B acct -+(Berkeley process accounting) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the acct processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the acct_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the acct_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the acct_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -627,7 +703,7 @@ index 0000000..323cee4 +/usr/sbin/accton, /sbin/accton, /etc/cron\.(daily|monthly)/acct + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -672,23 +748,19 @@ index 0000000..323cee4 +selinux(8), acct(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/afs_selinux.8 b/man/man8/afs_selinux.8 new file mode 100644 -index 0000000..7832fa4 +index 0000000..e64fee6 --- /dev/null +++ b/man/man8/afs_selinux.8 -@@ -0,0 +1,294 @@ +@@ -0,0 +1,292 @@ +.TH "afs_selinux" "8" "afs" "dwalsh@redhat.com" "afs SELinux Policy documentation" +.SH "NAME" +afs_selinux \- Security Enhanced Linux Policy for the afs processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B afs -+(Andrew Filesystem server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the afs processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -846,7 +918,7 @@ index 0000000..7832fa4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -873,7 +945,7 @@ index 0000000..7832fa4 + + +Default Defined Ports: -+tcp 8021 ++udp 7007 +.EE + +.EX @@ -884,7 +956,7 @@ index 0000000..7832fa4 + + +Default Defined Ports: -+tcp 8021 ++udp 7001 +.EE + +.EX @@ -895,7 +967,9 @@ index 0000000..7832fa4 + + +Default Defined Ports: -+tcp 8021 ++tcp 2040 ++.EE ++udp 7000,7005 +.EE + +.EX @@ -906,7 +980,7 @@ index 0000000..7832fa4 + + +Default Defined Ports: -+tcp 8021 ++udp 7004 +.EE + +.EX @@ -917,7 +991,7 @@ index 0000000..7832fa4 + + +Default Defined Ports: -+tcp 8021 ++udp 7002 +.EE + +.EX @@ -928,7 +1002,7 @@ index 0000000..7832fa4 + + +Default Defined Ports: -+tcp 8021 ++udp 7003 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -972,23 +1046,19 @@ index 0000000..7832fa4 +selinux(8), afs(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/aiccu_selinux.8 b/man/man8/aiccu_selinux.8 new file mode 100644 -index 0000000..efc06eb +index 0000000..0125c48 --- /dev/null +++ b/man/man8/aiccu_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "aiccu_selinux" "8" "aiccu" "dwalsh@redhat.com" "aiccu SELinux Policy documentation" +.SH "NAME" +aiccu_selinux \- Security Enhanced Linux Policy for the aiccu processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B aiccu -+(Automatic IPv6 Connectivity Client Utility) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the aiccu processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1034,7 +1104,7 @@ index 0000000..efc06eb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -1079,23 +1149,19 @@ index 0000000..efc06eb +selinux(8), aiccu(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/aide_selinux.8 b/man/man8/aide_selinux.8 new file mode 100644 -index 0000000..0863697 +index 0000000..bc35581 --- /dev/null 
+++ b/man/man8/aide_selinux.8 -@@ -0,0 +1,97 @@ +@@ -0,0 +1,93 @@ +.TH "aide_selinux" "8" "aide" "dwalsh@redhat.com" "aide SELinux Policy documentation" +.SH "NAME" +aide_selinux \- Security Enhanced Linux Policy for the aide processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B aide -+(Aide filesystem integrity checker) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the aide processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1137,7 +1203,7 @@ index 0000000..0863697 +/var/log/aide\.log, /var/log/aide(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -1182,23 +1248,40 @@ index 0000000..0863697 +selinux(8), aide(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/aisexec_selinux.8 b/man/man8/aisexec_selinux.8 new file mode 100644 -index 0000000..8d4a539 +index 0000000..2396470 --- /dev/null 
+++ b/man/man8/aisexec_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,142 @@ +.TH "aisexec_selinux" "8" "aisexec" "dwalsh@redhat.com" "aisexec SELinux Policy documentation" +.SH "NAME" +aisexec_selinux \- Security Enhanced Linux Policy for the aisexec processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B aisexec -+(Aisexec Cluster Engine) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the aisexec processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the aisexec_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the aisexec_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the aisexec_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1268,7 +1351,7 @@ index 0000000..8d4a539 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -1313,23 +1396,40 @@ index 0000000..8d4a539 +selinux(8), aisexec(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ajaxterm_selinux.8 b/man/man8/ajaxterm_selinux.8 new file mode 100644 -index 0000000..3ff7f95 +index 0000000..0d35426 --- /dev/null 
+++ b/man/man8/ajaxterm_selinux.8 -@@ -0,0 +1,119 @@ +@@ -0,0 +1,136 @@ +.TH "ajaxterm_selinux" "8" "ajaxterm" "dwalsh@redhat.com" "ajaxterm SELinux Policy documentation" +.SH "NAME" +ajaxterm_selinux \- Security Enhanced Linux Policy for the ajaxterm processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ajaxterm -+(policy for ajaxterm) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ajaxterm processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the ajaxterm_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ajaxterm_ssh_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the ajaxterm_ssh_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1367,7 +1467,7 @@ index 0000000..3ff7f95 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -1394,7 +1494,7 @@ index 0000000..3ff7f95 + + +Default Defined Ports: -+tcp 8021 ++tcp 8022 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -1438,23 +1538,40 @@ index 0000000..3ff7f95 +selinux(8), ajaxterm(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/alsa_selinux.8 b/man/man8/alsa_selinux.8 new file mode 100644 -index 0000000..9a8a29d +index 0000000..961c6fd --- /dev/null +++ b/man/man8/alsa_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,142 @@ +.TH "alsa_selinux" "8" "alsa" "dwalsh@redhat.com" "alsa SELinux Policy documentation" +.SH "NAME" +alsa_selinux \- Security Enhanced Linux Policy for the alsa processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B alsa -+(Ainit ALSA configuration tool) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the alsa processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the alsa_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the alsa_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the alsa_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1524,7 +1641,7 @@ index 0000000..9a8a29d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -1569,23 +1686,40 @@ index 0000000..9a8a29d +selinux(8), alsa(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/amanda_selinux.8 b/man/man8/amanda_selinux.8 new file mode 100644 -index 0000000..1ada188 +index 0000000..0b2b7e0 --- /dev/null 
+++ b/man/man8/amanda_selinux.8 -@@ -0,0 +1,219 @@ +@@ -0,0 +1,238 @@ +.TH "amanda_selinux" "8" "amanda" "dwalsh@redhat.com" "amanda SELinux Policy documentation" +.SH "NAME" +amanda_selinux \- Security Enhanced Linux Policy for the amanda processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B amanda -+(Advanced Maryland Automatic Network Disk Archiver) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the amanda processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the amanda_recover_t, amanda_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the amanda_recover_t, amanda_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the amanda_recover_t, amanda_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1720,10 +1854,10 @@ index 0000000..1ada188 +.br +.TP 5 +Paths: -+/var/lib/amanda, /var/lib/amanda/[^/]+/index(/.*)? ++/var/lib/amanda/[^/]+/index(/.*)?, /var/lib/amanda + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -1750,7 +1884,9 @@ index 0000000..1ada188 + + +Default Defined Ports: -+tcp 8021 ++tcp 10080-10083 ++.EE ++udp 10080-10082 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -1794,26 +1930,40 @@ index 0000000..1ada188 +selinux(8), amanda(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/amavis_selinux.8 b/man/man8/amavis_selinux.8 new file mode 100644 -index 0000000..52d2f0d +index 0000000..13656c9 --- /dev/null +++ b/man/man8/amavis_selinux.8 -@@ -0,0 +1,193 @@ +@@ -0,0 +1,211 @@ +.TH "amavis_selinux" "8" "amavis" "dwalsh@redhat.com" "amavis SELinux Policy documentation" +.SH "NAME" +amavis_selinux \- Security Enhanced Linux Policy for the amavis processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B amavis -+( -+Daemon that interfaces mail transfer agents and content -+checkers, such as virus scanners. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the amavis processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the amavis_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the amavis_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the amavis_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -1857,6 +2007,10 @@ index 0000000..52d2f0d + +- Set files with the amavis_initrc_exec_t type, if you want to transition an executable to the amavis_initrc_t domain. + ++.br ++.TP 5 ++Paths: ++/etc/rc\.d/init\.d/amavis, /etc/rc\.d/init\.d/amavisd-snmp + +.EX +.PP 
@@ -1892,7 +2046,7 @@ index 0000000..52d2f0d +.br +.TP 5 +Paths: -+/var/lib/amavis(/.*)?, /var/amavis(/.*)? ++/var/lib/amavis(/.*)?, /var/opt/f-secure(/.*)?, /var/amavis(/.*)? + +.EX +.PP @@ -1911,7 +2065,7 @@ index 0000000..52d2f0d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -1938,7 +2092,7 @@ index 0000000..52d2f0d + + +Default Defined Ports: -+tcp 8021 ++tcp 10024 +.EE + +.EX @@ -1949,7 +2103,7 @@ index 0000000..52d2f0d + + +Default Defined Ports: -+tcp 8021 ++tcp 10025 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -1993,23 +2147,19 @@ index 0000000..52d2f0d +selinux(8), amavis(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/amtu_selinux.8 b/man/man8/amtu_selinux.8 new file mode 100644 -index 0000000..511f260 +index 0000000..fe1dc7f --- /dev/null +++ b/man/man8/amtu_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "amtu_selinux" "8" "amtu" "dwalsh@redhat.com" "amtu SELinux Policy documentation" +.SH "NAME" +amtu_selinux \- Security Enhanced Linux Policy for the amtu processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B amtu -+(Abstract Machine Test Utility) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the amtu processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -2031,7 +2181,7 @@ index 0000000..511f260 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -2076,23 +2226,19 @@ index 0000000..511f260 +selinux(8), amtu(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/apcupsd_selinux.8 b/man/man8/apcupsd_selinux.8 new file mode 100644 -index 0000000..dab6c6a +index 0000000..068751c --- /dev/null +++ b/man/man8/apcupsd_selinux.8 -@@ -0,0 +1,159 @@ +@@ -0,0 +1,157 @@ +.TH "apcupsd_selinux" "8" "apcupsd" "dwalsh@redhat.com" "apcupsd SELinux Policy documentation" +.SH "NAME" +apcupsd_selinux \- Security Enhanced Linux Policy for the apcupsd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B apcupsd -+(APC UPS monitoring daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the apcupsd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -2170,7 +2316,7 @@ index 0000000..dab6c6a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -2197,7 +2343,9 @@ index 0000000..dab6c6a + + +Default Defined Ports: -+tcp 8021 ++tcp 3551 ++.EE ++udp 3551 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -2241,23 +2389,40 @@ index 0000000..dab6c6a +selinux(8), apcupsd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/apm_selinux.8 b/man/man8/apm_selinux.8 new file mode 100644 -index 0000000..1c6243c +index 0000000..9e80c2f --- /dev/null +++ b/man/man8/apm_selinux.8 -@@ -0,0 +1,133 @@ +@@ -0,0 +1,150 @@ +.TH "apm_selinux" "8" "apm" "dwalsh@redhat.com" "apm SELinux Policy documentation" +.SH "NAME" +apm_selinux \- Security Enhanced Linux Policy for the apm processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B apm -+(Advanced power management daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the apm processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the apmd_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -2335,7 +2500,7 @@ index 0000000..1c6243c +/var/run/\.?acpid\.socket, /var/run/apmd\.pid, /var/run/powersaved\.pid, /var/run/powersave_socket + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -2380,17 +2545,40 @@ index 0000000..1c6243c +selinux(8), apm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/apmd_selinux.8 b/man/man8/apmd_selinux.8 new file mode 100644 -index 0000000..6449d94 +index 0000000..f8235b7 --- /dev/null +++ b/man/man8/apmd_selinux.8 -@@ -0,0 +1,127 @@ +@@ -0,0 +1,142 @@ +.TH "apmd_selinux" "8" "apmd" "dwalsh@redhat.com" "apmd SELinux Policy documentation" +.SH "NAME" +apmd_selinux \- Security Enhanced Linux Policy for the apmd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the apmd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the apmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the apmd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the apmd_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -2405,14 +2593,6 @@ index 0000000..6449d94 + +.EX +.PP -+.B apm_exec_t -+.EE -+ -+- Set files with the apm_exec_t type, if you want to transition an executable to the apm_t domain. -+ -+ -+.EX -+.PP +.B apmd_exec_t +.EE + @@ -2468,7 +2648,7 @@ index 0000000..6449d94 +/var/run/\.?acpid\.socket, /var/run/apmd\.pid, /var/run/powersaved\.pid, /var/run/powersave_socket + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -2513,23 +2693,40 @@ index 0000000..6449d94 +selinux(8), apmd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/arpwatch_selinux.8 b/man/man8/arpwatch_selinux.8 new file mode 100644 -index 0000000..8052609 +index 0000000..00f4d16 --- /dev/null 
+++ b/man/man8/arpwatch_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,138 @@ +.TH "arpwatch_selinux" "8" "arpwatch" "dwalsh@redhat.com" "arpwatch SELinux Policy documentation" +.SH "NAME" +arpwatch_selinux \- Security Enhanced Linux Policy for the arpwatch processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B arpwatch -+(Ethernet activity monitor) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the arpwatch processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the arpwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the arpwatch_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the arpwatch_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -2595,7 +2792,7 @@ index 0000000..8052609 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -2640,23 +2837,40 @@ index 0000000..8052609 +selinux(8), arpwatch(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/asterisk_selinux.8 b/man/man8/asterisk_selinux.8 new file mode 100644 -index 0000000..c00565c +index 0000000..0807f32 --- /dev/null 
+++ b/man/man8/asterisk_selinux.8 -@@ -0,0 +1,167 @@ +@@ -0,0 +1,186 @@ +.TH "asterisk_selinux" "8" "asterisk" "dwalsh@redhat.com" "asterisk SELinux Policy documentation" +.SH "NAME" +asterisk_selinux \- Security Enhanced Linux Policy for the asterisk processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B asterisk -+(Asterisk IP telephony server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the asterisk processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the asterisk_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the asterisk_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the asterisk_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -2742,7 +2956,7 @@ index 0000000..c00565c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -2769,7 +2983,9 @@ index 0000000..c00565c + + +Default Defined Ports: -+tcp 8021 ++tcp 1720 ++.EE ++udp 2427,2727,4569 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -2813,17 +3029,40 @@ index 0000000..c00565c +selinux(8), asterisk(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/audisp_selinux.8 b/man/man8/audisp_selinux.8 new file mode 100644 -index 0000000..dc30264 +index 0000000..2f31589 --- /dev/null +++ b/man/man8/audisp_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,118 @@ +.TH "audisp_selinux" "8" "audisp" "dwalsh@redhat.com" "audisp SELinux Policy documentation" +.SH "NAME" +audisp_selinux \- Security Enhanced Linux Policy for the audisp processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the audisp processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the audisp_t, audisp_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the audisp_t, audisp_remote_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the audisp_t, audisp_remote_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -2869,7 +3108,7 @@ index 0000000..dc30264 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -2985,17 +3224,19 @@ index 0000000..cba947e +selinux(8), semanage(8). diff --git a/man/man8/auditctl_selinux.8 b/man/man8/auditctl_selinux.8 new file mode 100644 -index 0000000..96a49e6 +index 0000000..b939685 --- /dev/null 
+++ b/man/man8/auditctl_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "auditctl_selinux" "8" "auditctl" "dwalsh@redhat.com" "auditctl SELinux Policy documentation" +.SH "NAME" +auditctl_selinux \- Security Enhanced Linux Policy for the auditctl processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the auditctl processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3021,7 +3262,7 @@ index 0000000..96a49e6 +/sbin/auditctl, /usr/sbin/auditctl + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -3066,17 +3307,40 @@ index 0000000..96a49e6 +selinux(8), auditctl(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/auditd_selinux.8 b/man/man8/auditd_selinux.8 new file mode 100644 -index 0000000..50c15c2 +index 0000000..df2a7c4 --- /dev/null 
+++ b/man/man8/auditd_selinux.8 -@@ -0,0 +1,157 @@ +@@ -0,0 +1,172 @@ +.TH "auditd_selinux" "8" "auditd" "dwalsh@redhat.com" "auditd SELinux Policy documentation" +.SH "NAME" +auditd_selinux \- Security Enhanced Linux Policy for the auditd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the auditd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the auditadm_t, auditadm_gkeyringd_t, auditadm_su_t, auditd_t, auditadm_sudo_t, auditadm_screen_t, auditadm_wine_t, auditadm_seunshare_t, auditadm_dbusd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3091,14 +3355,6 @@ index 0000000..50c15c2 + +.EX +.PP -+.B audit_spool_t -+.EE -+ -+- Set files with the audit_spool_t type, if you want to store the audit files under the /var/spool directory. -+ -+ -+.EX -+.PP +.B auditd_etc_t +.EE + 
@@ -3158,7 +3414,7 @@ index 0000000..50c15c2 +/var/run/audit_events, /var/run/auditd_sock, /var/run/auditd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -3185,7 +3441,7 @@ index 0000000..50c15c2 + + +Default Defined Ports: -+tcp 8021 ++tcp 60 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -3229,23 +3485,40 @@ index 0000000..50c15c2 +selinux(8), auditd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/automount_selinux.8 b/man/man8/automount_selinux.8 new file mode 100644 -index 0000000..ff75942 +index 0000000..c21ecc8 --- /dev/null 
+++ b/man/man8/automount_selinux.8 -@@ -0,0 +1,129 @@ +@@ -0,0 +1,146 @@ +.TH "automount_selinux" "8" "automount" "dwalsh@redhat.com" "automount SELinux Policy documentation" +.SH "NAME" +automount_selinux \- Security Enhanced Linux Policy for the automount processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B automount -+(Filesystem automounter service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the automount processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the automount_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the automount_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the automount_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3319,7 +3592,7 @@ index 0000000..ff75942 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -3364,24 +3637,18 @@ index 0000000..ff75942 +selinux(8), automount(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/avahi_selinux.8 b/man/man8/avahi_selinux.8 new file mode 100644 -index 0000000..f489dad +index 0000000..6bbc174 --- /dev/null 
+++ b/man/man8/avahi_selinux.8 -@@ -0,0 +1,128 @@ +@@ -0,0 +1,145 @@ +.TH "avahi_selinux" "8" "avahi" "dwalsh@redhat.com" "avahi SELinux Policy documentation" +.SH "NAME" +avahi_selinux \- Security Enhanced Linux Policy for the avahi processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B avahi -+(mDNS/DNS-SD daemon implementing Apple ZeroConf architecture) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the avahi processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. avahi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run avahi with the tightest access possible. + @@ -3393,6 +3660,29 @@ index 0000000..f489dad +.B setsebool -P httpd_dbus_avahi 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the avahi_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the avahi_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the avahi_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -3449,7 +3739,7 @@ index 0000000..f489dad + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -3499,26 +3789,19 @@ index 0000000..f489dad \ No newline at end of file diff --git a/man/man8/awstats_selinux.8 b/man/man8/awstats_selinux.8 new file mode 100644 -index 0000000..b76d620 +index 0000000..37d4a5d --- /dev/null +++ b/man/man8/awstats_selinux.8 -@@ -0,0 +1,96 @@ +@@ -0,0 +1,89 @@ +.TH "awstats_selinux" "8" "awstats" "dwalsh@redhat.com" "awstats SELinux Policy documentation" +.SH "NAME" +awstats_selinux \- Security Enhanced Linux Policy for the awstats processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B awstats -+( -+AWStats is a free powerful and featureful tool that generates advanced -+web, streaming, ftp or mail server statistics, graphically. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the awstats processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3556,7 +3839,7 @@ index 0000000..b76d620 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -3601,23 +3884,40 @@ index 0000000..b76d620 +selinux(8), awstats(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/bcfg2_selinux.8 b/man/man8/bcfg2_selinux.8 new file mode 100644 -index 0000000..fcb6393 +index 0000000..cddb14b --- /dev/null 
+++ b/man/man8/bcfg2_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,126 @@ +.TH "bcfg2_selinux" "8" "bcfg2" "dwalsh@redhat.com" "bcfg2 SELinux Policy documentation" +.SH "NAME" +bcfg2_selinux \- Security Enhanced Linux Policy for the bcfg2 processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B bcfg2 -+(policy for bcfg2) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the bcfg2 processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the bcfg2_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the bcfg2_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the bcfg2_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3662,8 +3962,16 @@ index 0000000..fcb6393 +- Set files with the bcfg2_var_lib_t type, if you want to store the bcfg2 files under the /var/lib directory. + + ++.EX +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B bcfg2_var_run_t ++.EE ++ ++- Set files with the bcfg2_var_run_t type, if you want to store the bcfg2 files under the /run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -3708,23 +4016,40 @@ index 0000000..fcb6393 +selinux(8), bcfg2(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/bitlbee_selinux.8 b/man/man8/bitlbee_selinux.8 new file mode 100644 -index 0000000..7c1b8b9 +index 0000000..ee7a608 --- /dev/null +++ b/man/man8/bitlbee_selinux.8 -@@ -0,0 +1,133 @@ +@@ -0,0 +1,150 @@ +.TH "bitlbee_selinux" "8" "bitlbee" "dwalsh@redhat.com" "bitlbee SELinux Policy documentation" +.SH "NAME" +bitlbee_selinux \- Security Enhanced Linux Policy for the bitlbee processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B bitlbee -+(Bitlbee service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the bitlbee processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the bitlbee_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the bitlbee_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the bitlbee_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3802,7 +4127,7 @@ index 0000000..7c1b8b9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -3847,17 +4172,17 @@ index 0000000..7c1b8b9 +selinux(8), bitlbee(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/blktap_selinux.8 b/man/man8/blktap_selinux.8 new file mode 100644 -index 0000000..4a344b5 +index 0000000..be40148 --- /dev/null +++ b/man/man8/blktap_selinux.8 -@@ -0,0 +1,98 @@ +@@ -0,0 +1,100 @@ +.TH "blktap_selinux" "8" "blktap" "dwalsh@redhat.com" "blktap SELinux Policy documentation" +.SH "NAME" +blktap_selinux \- Security Enhanced Linux Policy for the blktap processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the blktap processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. blktap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run blktap with the tightest access possible. @@ -3870,6 +4195,8 @@ index 0000000..4a344b5 +.B setsebool -P xend_run_blktap 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -3902,7 +4229,7 @@ index 0000000..4a344b5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -3952,23 +4279,40 @@ index 0000000..4a344b5 \ No newline at end of file diff --git a/man/man8/blueman_selinux.8 b/man/man8/blueman_selinux.8 new file mode 100644 -index 0000000..834703f +index 0000000..0ed11bf --- /dev/null 
+++ b/man/man8/blueman_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,102 @@ +.TH "blueman_selinux" "8" "blueman" "dwalsh@redhat.com" "blueman SELinux Policy documentation" +.SH "NAME" +blueman_selinux \- Security Enhanced Linux Policy for the blueman processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B blueman -+(policy for blueman) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the blueman processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the blueman_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the blueman_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the blueman_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -3989,8 +4333,16 @@ index 0000000..834703f +- Set files with the blueman_exec_t type, if you want to transition an executable to the blueman_t domain. + + ++.EX +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B blueman_var_lib_t ++.EE ++ ++- Set files with the blueman_var_lib_t type, if you want to store the blueman files under the /var/lib directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4035,24 +4387,18 @@ index 0000000..834703f +selinux(8), blueman(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/bluetooth_selinux.8 b/man/man8/bluetooth_selinux.8 new file mode 100644 -index 0000000..d344b7b +index 0000000..1143da5 --- /dev/null +++ b/man/man8/bluetooth_selinux.8 -@@ -0,0 +1,184 @@ +@@ -0,0 +1,201 @@ +.TH "bluetooth_selinux" "8" "bluetooth" "dwalsh@redhat.com" "bluetooth SELinux Policy documentation" +.SH "NAME" +bluetooth_selinux \- Security Enhanced Linux Policy for the bluetooth processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B bluetooth -+(Bluetooth tools and system services) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the bluetooth processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. bluetooth policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bluetooth with the tightest access possible. + @@ -4064,6 +4410,29 @@ index 0000000..d344b7b +.B setsebool -P xguest_use_bluetooth 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the bluetooth_t, bluetooth_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the bluetooth_t, bluetooth_helper_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the bluetooth_t, bluetooth_helper_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -4176,7 +4545,7 @@ index 0000000..d344b7b +/var/run/bluetoothd_address, /var/run/sdp + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4226,23 +4595,19 @@ index 0000000..d344b7b \ No newline at end of file diff --git a/man/man8/boinc_selinux.8 b/man/man8/boinc_selinux.8 new file mode 100644 -index 0000000..ae842c8 +index 0000000..685379f --- /dev/null +++ b/man/man8/boinc_selinux.8 -@@ -0,0 +1,166 @@ +@@ -0,0 +1,178 @@ +.TH "boinc_selinux" "8" "boinc" "dwalsh@redhat.com" "boinc SELinux Policy documentation" +.SH "NAME" +boinc_selinux \- Security Enhanced Linux Policy for the boinc processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B boinc -+(policy for boinc) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the boinc processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -4273,6 +4638,14 @@ index 0000000..ae842c8 + +.EX +.PP ++.B boinc_log_t ++.EE ++ ++- Set files with the boinc_log_t type, if you want to treat the data as boinc log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP +.B boinc_project_tmp_t +.EE + @@ -4309,6 +4682,14 @@ index 0000000..ae842c8 + +.EX +.PP ++.B boinc_unit_file_t ++.EE ++ ++- Set files with the boinc_unit_file_t type, if you want to treat the files as boinc unit content. ++ ++ ++.EX ++.PP +.B boinc_var_lib_t +.EE + 
@@ -4316,7 +4697,7 @@ index 0000000..ae842c8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4343,7 +4724,7 @@ index 0000000..ae842c8 + + +Default Defined Ports: -+tcp 8021 ++tcp 1043 +.EE + +.EX @@ -4354,7 +4735,7 @@ index 0000000..ae842c8 + + +Default Defined Ports: -+tcp 8021 ++tcp 31416 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -4398,24 +4779,18 @@ index 0000000..ae842c8 +selinux(8), boinc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/bootloader_selinux.8 b/man/man8/bootloader_selinux.8 new file mode 100644 -index 0000000..892a587 +index 0000000..51ec4e2 --- /dev/null +++ b/man/man8/bootloader_selinux.8 -@@ -0,0 +1,116 @@ +@@ -0,0 +1,141 @@ +.TH "bootloader_selinux" "8" "bootloader" "dwalsh@redhat.com" "bootloader SELinux Policy documentation" +.SH "NAME" +bootloader_selinux \- Security Enhanced Linux Policy for the bootloader processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B bootloader -+(Policy for the kernel modules, kernel image, and bootloader) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the bootloader processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. bootloader policy is extremely flexible and has several booleans that allow you to manipulate the policy and run bootloader with the tightest access possible. + 
@@ -4427,6 +4802,29 @@ index 0000000..892a587 +.B setsebool -P xdm_exec_bootloader 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the bootloader_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the bootloader_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the bootloader_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -4448,7 +4846,7 @@ index 0000000..892a587 +.br +.TP 5 +Paths: -+/etc/yaboot\.conf.*, /etc/default/grub, /etc/lilo\.conf.* ++/etc/zipl\.conf.*, /etc/yaboot\.conf.*, /etc/default/grub, /etc/lilo\.conf.* + +.EX +.PP @@ -4460,7 +4858,7 @@ index 0000000..892a587 +.br +.TP 5 +Paths: -+/usr/sbin/ybin.*, /usr/sbin/grub.*, /sbin/lilo.*, /sbin/ybin.*, /usr/sbin/lilo.*, /sbin/grub.* ++/usr/sbin/ybin.*, /usr/sbin/grub.*, /usr/sbin/zipl, /sbin/lilo.*, /sbin/ybin.*, /usr/sbin/lilo.*, /sbin/grub.*, /sbin/zipl + +.EX +.PP 
@@ -4470,8 +4868,16 @@ index 0000000..892a587 +- Set files with the bootloader_tmp_t type, if you want to store bootloader temporary files in the /tmp directories. + + ++.EX +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B bootloader_var_run_t ++.EE ++ ++- Set files with the bootloader_var_run_t type, if you want to store the bootloader files under the /run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4521,23 +4927,19 @@ index 0000000..892a587 \ No newline at end of file diff --git a/man/man8/brctl_selinux.8 b/man/man8/brctl_selinux.8 new file mode 100644 -index 0000000..664324c +index 0000000..c101394 --- /dev/null +++ b/man/man8/brctl_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "brctl_selinux" "8" "brctl" "dwalsh@redhat.com" "brctl SELinux Policy documentation" +.SH "NAME" +brctl_selinux \- Security Enhanced Linux Policy for the brctl processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B brctl -+(Utilities for configuring the linux ethernet bridge) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the brctl processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -4559,7 +4961,7 @@ index 0000000..664324c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4604,23 +5006,19 @@ index 0000000..664324c +selinux(8), brctl(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cachefilesd_selinux.8 b/man/man8/cachefilesd_selinux.8 new file mode 100644 -index 0000000..03e5916 +index 0000000..ae12188 --- /dev/null +++ b/man/man8/cachefilesd_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,85 @@ +.TH "cachefilesd_selinux" "8" "cachefilesd" "dwalsh@redhat.com" "cachefilesd SELinux Policy documentation" +.SH "NAME" +cachefilesd_selinux \- Security Enhanced Linux Policy for the cachefilesd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cachefilesd -+(policy for cachefilesd) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cachefilesd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -4635,18 +5033,6 @@ index 0000000..03e5916 + +.EX +.PP -+.B cachefiles_var_t -+.EE -+ -+- Set files with the cachefiles_var_t type, if you want to store the cachef files under the /var directory. -+ -+.br -+.TP 5 -+Paths: -+/var/run/cachefilesd\.pid, /var/fscache(/.*)?, /var/cache/fscache(/.*)? -+ -+.EX -+.PP +.B cachefilesd_exec_t +.EE + 
@@ -4666,7 +5052,7 @@ index 0000000..03e5916 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4711,23 +5097,40 @@ index 0000000..03e5916 +selinux(8), cachefilesd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/calamaris_selinux.8 b/man/man8/calamaris_selinux.8 new file mode 100644 -index 0000000..831d1b4 +index 0000000..c3ce06f --- /dev/null +++ b/man/man8/calamaris_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,110 @@ +.TH "calamaris_selinux" "8" "calamaris" "dwalsh@redhat.com" "calamaris SELinux Policy documentation" +.SH "NAME" +calamaris_selinux \- Security Enhanced Linux Policy for the calamaris processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B calamaris -+(Squid log analysis) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the calamaris processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the calamaris_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the calamaris_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the calamaris_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -4765,7 +5168,7 @@ index 0000000..831d1b4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4810,23 +5213,40 @@ index 0000000..831d1b4 +selinux(8), calamaris(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/callweaver_selinux.8 b/man/man8/callweaver_selinux.8 new file mode 100644 -index 0000000..00210e6 +index 0000000..a42a182 --- /dev/null +++ b/man/man8/callweaver_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,134 @@ +.TH "callweaver_selinux" "8" "callweaver" "dwalsh@redhat.com" "callweaver SELinux Policy documentation" +.SH "NAME" +callweaver_selinux \- Security Enhanced Linux Policy for the callweaver processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B callweaver -+(Open source PBX project) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the callweaver processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the callweaver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the callweaver_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the callweaver_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -4888,7 +5308,7 @@ index 0000000..00210e6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -4933,23 +5353,19 @@ index 0000000..00210e6 +selinux(8), callweaver(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/canna_selinux.8 b/man/man8/canna_selinux.8 new file mode 100644 -index 0000000..f254edc +index 0000000..82b8b66 --- /dev/null +++ b/man/man8/canna_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,121 @@ +.TH "canna_selinux" "8" "canna" "dwalsh@redhat.com" "canna SELinux Policy documentation" +.SH "NAME" +canna_selinux \- Security Enhanced Linux Policy for the canna processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B canna -+(Canna - kana-kanji conversion server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the canna processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5019,7 +5435,7 @@ index 0000000..f254edc +/var/run/\.iroha_unix/.*, /var/run/wnn-unix(/.*)?, /var/run/\.iroha_unix + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5064,17 +5480,19 @@ index 0000000..f254edc +selinux(8), canna(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/cardmgr_selinux.8 b/man/man8/cardmgr_selinux.8 new file mode 100644 -index 0000000..a494bcb +index 0000000..9b896dc --- /dev/null +++ b/man/man8/cardmgr_selinux.8 -@@ -0,0 +1,111 @@ +@@ -0,0 +1,113 @@ +.TH "cardmgr_selinux" "8" "cardmgr" "dwalsh@redhat.com" "cardmgr SELinux Policy documentation" +.SH "NAME" +cardmgr_selinux \- Security Enhanced Linux Policy for the cardmgr processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cardmgr processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5136,7 +5554,7 @@ index 0000000..a494bcb +/var/run/cardmgr\.pid, /var/run/stab, /var/lib/pcmcia(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5181,23 +5599,19 @@ index 0000000..a494bcb +selinux(8), cardmgr(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ccs_selinux.8 b/man/man8/ccs_selinux.8 new file mode 100644 -index 0000000..d2d4fde +index 0000000..e068e54 --- /dev/null 
+++ b/man/man8/ccs_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,121 @@ +.TH "ccs_selinux" "8" "ccs" "dwalsh@redhat.com" "ccs SELinux Policy documentation" +.SH "NAME" +ccs_selinux \- Security Enhanced Linux Policy for the ccs processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ccs -+(Cluster Configuration System) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ccs processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5267,7 +5681,7 @@ index 0000000..d2d4fde +/var/run/cluster/ccsd\.pid, /var/run/cluster/ccsd\.sock + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5312,17 +5726,40 @@ index 0000000..d2d4fde +selinux(8), ccs(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cdcc_selinux.8 b/man/man8/cdcc_selinux.8 new file mode 100644 -index 0000000..217f349 +index 0000000..aa40ba6 --- /dev/null 
+++ b/man/man8/cdcc_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,102 @@ +.TH "cdcc_selinux" "8" "cdcc" "dwalsh@redhat.com" "cdcc SELinux Policy documentation" +.SH "NAME" +cdcc_selinux \- Security Enhanced Linux Policy for the cdcc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cdcc processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the cdcc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cdcc_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the cdcc_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5352,7 +5789,7 @@ index 0000000..217f349 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5397,24 +5834,18 @@ index 0000000..217f349 +selinux(8), cdcc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cdrecord_selinux.8 b/man/man8/cdrecord_selinux.8 new file mode 100644 -index 0000000..db2a2e1 +index 0000000..85cb1a9 --- /dev/null 
+++ b/man/man8/cdrecord_selinux.8 -@@ -0,0 +1,96 @@ +@@ -0,0 +1,92 @@ +.TH "cdrecord_selinux" "8" "cdrecord" "dwalsh@redhat.com" "cdrecord SELinux Policy documentation" +.SH "NAME" +cdrecord_selinux \- Security Enhanced Linux Policy for the cdrecord processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cdrecord -+(Policy for cdrecord) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cdrecord processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. cdrecord policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cdrecord with the tightest access possible. + @@ -5426,6 +5857,8 @@ index 0000000..db2a2e1 +.B setsebool -P cdrecord_read_content 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -5450,7 +5883,7 @@ index 0000000..db2a2e1 +/usr/bin/cdrecord, /usr/bin/wodim, /usr/bin/growisofs + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5500,23 +5933,40 @@ index 0000000..db2a2e1 \ No newline at end of file diff --git a/man/man8/certmaster_selinux.8 b/man/man8/certmaster_selinux.8 new file mode 100644 -index 0000000..bf4f6c4 +index 0000000..3656b07 --- /dev/null 
+++ b/man/man8/certmaster_selinux.8 -@@ -0,0 +1,143 @@ +@@ -0,0 +1,160 @@ +.TH "certmaster_selinux" "8" "certmaster" "dwalsh@redhat.com" "certmaster SELinux Policy documentation" +.SH "NAME" +certmaster_selinux \- Security Enhanced Linux Policy for the certmaster processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B certmaster -+(Certmaster SSL certificate distribution service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the certmaster processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the certmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the certmaster_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the certmaster_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5578,7 +6028,7 @@ index 0000000..bf4f6c4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5605,7 +6055,7 @@ index 0000000..bf4f6c4 + + +Default Defined Ports: -+tcp 8021 ++tcp 51235 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -5649,23 +6099,40 @@ index 0000000..bf4f6c4 +selinux(8), certmaster(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/certmonger_selinux.8 b/man/man8/certmonger_selinux.8 new file mode 100644 -index 0000000..2f01973 +index 0000000..659e746 --- /dev/null +++ b/man/man8/certmonger_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,126 @@ +.TH "certmonger_selinux" "8" "certmonger" "dwalsh@redhat.com" "certmonger SELinux Policy documentation" +.SH "NAME" +certmonger_selinux \- Security Enhanced Linux Policy for the certmonger processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B certmonger -+(Certificate status monitor and PKI enrollment client) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the certmonger processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the certmonger_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the certmonger_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the certmonger_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5719,7 +6186,7 @@ index 0000000..2f01973 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5764,23 +6231,19 @@ index 0000000..2f01973 +selinux(8), certmonger(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/certwatch_selinux.8 b/man/man8/certwatch_selinux.8 new file mode 100644 -index 0000000..612259c +index 0000000..089cf20 --- /dev/null +++ b/man/man8/certwatch_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "certwatch_selinux" "8" "certwatch" "dwalsh@redhat.com" "certwatch SELinux Policy documentation" +.SH "NAME" +certwatch_selinux \- Security Enhanced Linux Policy for the certwatch processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B certwatch -+(Digital Certificate Tracking) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the certwatch processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -5802,7 +6265,7 @@ index 0000000..612259c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5847,23 +6310,40 @@ index 0000000..612259c +selinux(8), certwatch(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cfengine_selinux.8 b/man/man8/cfengine_selinux.8 new file mode 100644 -index 0000000..0831deb +index 0000000..bac7466 --- /dev/null 
+++ b/man/man8/cfengine_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,138 @@ +.TH "cfengine_selinux" "8" "cfengine" "dwalsh@redhat.com" "cfengine SELinux Policy documentation" +.SH "NAME" +cfengine_selinux \- Security Enhanced Linux Policy for the cfengine processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cfengine -+(policy for cfengine) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cfengine processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the cfengine_execd_t, cfengine_monitord_t, cfengine_serverd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cfengine_execd_t, cfengine_monitord_t, cfengine_serverd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the cfengine_execd_t, cfengine_monitord_t, cfengine_serverd_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -5920,8 +6400,16 @@ index 0000000..0831deb +- Set files with the cfengine_var_lib_t type, if you want to store the cfengine files under the /var/lib directory. + + ++.EX +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++.B cfengine_var_log_t ++.EE ++ ++- Set files with the cfengine_var_log_t type, if you want to treat the data as cfengine var log data, usually stored under the /var/log directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -5966,17 +6454,19 @@ index 0000000..0831deb +selinux(8), cfengine(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cgclear_selinux.8 b/man/man8/cgclear_selinux.8 new file mode 100644 -index 0000000..8dc7a1f +index 0000000..2629bba --- /dev/null +++ b/man/man8/cgclear_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "cgclear_selinux" "8" "cgclear" "dwalsh@redhat.com" "cgclear SELinux Policy documentation" +.SH "NAME" +cgclear_selinux \- Security Enhanced Linux Policy for the cgclear processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cgclear processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -6002,7 +6492,7 @@ index 0000000..8dc7a1f +/sbin/cgclear, /usr/sbin/cgclear + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6047,17 +6537,40 @@ index 0000000..8dc7a1f +selinux(8), cgclear(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cgconfig_selinux.8 b/man/man8/cgconfig_selinux.8 new file mode 100644 -index 0000000..bf8323b +index 0000000..523a1ba --- /dev/null +++ b/man/man8/cgconfig_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,118 @@ +.TH "cgconfig_selinux" "8" "cgconfig" "dwalsh@redhat.com" "cgconfig SELinux Policy documentation" +.SH "NAME" +cgconfig_selinux \- Security Enhanced Linux Policy for the cgconfig processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cgconfig processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the cgconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cgconfig_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the cgconfig_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -6103,7 +6616,7 @@ index 0000000..bf8323b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6148,17 +6661,40 @@ index 0000000..bf8323b +selinux(8), cgconfig(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cgred_selinux.8 b/man/man8/cgred_selinux.8 new file mode 100644 -index 0000000..8cf1b40 +index 0000000..21bffd1 --- /dev/null +++ b/man/man8/cgred_selinux.8 -@@ -0,0 +1,99 @@ +@@ -0,0 +1,122 @@ +.TH "cgred_selinux" "8" "cgred" "dwalsh@redhat.com" "cgred SELinux Policy documentation" +.SH "NAME" +cgred_selinux \- Security Enhanced Linux Policy for the cgred processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cgred processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the cgred_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cgred_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the cgred_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -6208,7 +6744,7 @@ index 0000000..8cf1b40 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6253,17 +6789,19 @@ index 0000000..8cf1b40 +selinux(8), cgred(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/checkpc_selinux.8 b/man/man8/checkpc_selinux.8 new file mode 100644 -index 0000000..5c6fcde +index 0000000..9bcb086 --- /dev/null +++ b/man/man8/checkpc_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,81 @@ +.TH "checkpc_selinux" "8" "checkpc" "dwalsh@redhat.com" "checkpc SELinux Policy documentation" +.SH "NAME" +checkpc_selinux \- Security Enhanced Linux Policy for the checkpc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the checkpc processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6293,7 +6831,7 @@ index 0000000..5c6fcde + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6338,17 +6876,19 @@ index 0000000..5c6fcde +selinux(8), checkpc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/checkpolicy_selinux.8 b/man/man8/checkpolicy_selinux.8 new file mode 100644 -index 0000000..b67fcc4 +index 0000000..1ca072a --- /dev/null 
+++ b/man/man8/checkpolicy_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "checkpolicy_selinux" "8" "checkpolicy" "dwalsh@redhat.com" "checkpolicy SELinux Policy documentation" +.SH "NAME" +checkpolicy_selinux \- Security Enhanced Linux Policy for the checkpolicy processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the checkpolicy processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6370,7 +6910,7 @@ index 0000000..b67fcc4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6415,17 +6955,40 @@ index 0000000..b67fcc4 +selinux(8), checkpolicy(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/chfn_selinux.8 b/man/man8/chfn_selinux.8 new file mode 100644 -index 0000000..c81760f +index 0000000..c187c6e --- /dev/null 
+++ b/man/man8/chfn_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,98 @@ +.TH "chfn_selinux" "8" "chfn" "dwalsh@redhat.com" "chfn SELinux Policy documentation" +.SH "NAME" +chfn_selinux \- Security Enhanced Linux Policy for the chfn processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the chfn processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the chfn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the chfn_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the chfn_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6451,7 +7014,7 @@ index 0000000..c81760f +/usr/bin/chfn, /usr/bin/chsh + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6496,17 +7059,40 @@ index 0000000..c81760f +selinux(8), chfn(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/chkpwd_selinux.8 b/man/man8/chkpwd_selinux.8 new file mode 100644 -index 0000000..03d8e09 +index 0000000..73be313 --- /dev/null 
+++ b/man/man8/chkpwd_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,98 @@ +.TH "chkpwd_selinux" "8" "chkpwd" "dwalsh@redhat.com" "chkpwd SELinux Policy documentation" +.SH "NAME" +chkpwd_selinux \- Security Enhanced Linux Policy for the chkpwd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the chkpwd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the chkpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the chkpwd_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the chkpwd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6529,10 +7115,10 @@ index 0000000..03d8e09 +.br +.TP 5 +Paths: -+/sbin/unix_verify, /sbin/unix_chkpwd, /usr/sbin/unix_verify, /usr/sbin/validate, /usr/sbin/unix_chkpwd ++/sbin/unix_chkpwd, /usr/sbin/unix_verify, /usr/sbin/validate, /sbin/unix_verify, /usr/sbin/unix_chkpwd + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6577,24 +7163,18 @@ index 0000000..03d8e09 +selinux(8), chkpwd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/chrome_selinux.8 b/man/man8/chrome_selinux.8 new file mode 100644 -index 0000000..e83770b +index 0000000..fec6ea8 --- /dev/null 
+++ b/man/man8/chrome_selinux.8 -@@ -0,0 +1,124 @@ +@@ -0,0 +1,120 @@ +.TH "chrome_selinux" "8" "chrome" "dwalsh@redhat.com" "chrome SELinux Policy documentation" +.SH "NAME" +chrome_selinux \- Security Enhanced Linux Policy for the chrome processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B chrome -+(policy for chrome) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the chrome processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. chrome policy is extremely flexible and has several booleans that allow you to manipulate the policy and run chrome with the tightest access possible. + @@ -6606,6 +7186,8 @@ index 0000000..e83770b +.B setsebool -P unconfined_chrome_sandbox_transition 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -6639,7 +7221,7 @@ index 0000000..e83770b +.br +.TP 5 +Paths: -+/usr/lib/chromium-browser/nacl_helper_bootstrap, /opt/google/chrome/nacl_helper_bootstrap ++/opt/google/chrome/nacl_helper_bootstrap, /usr/lib/chromium-browser/nacl_helper_bootstrap + +.EX +.PP @@ -6658,7 +7240,7 @@ index 0000000..e83770b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6708,23 +7290,40 @@ index 0000000..e83770b \ No newline at end of file diff --git a/man/man8/chronyd_selinux.8 b/man/man8/chronyd_selinux.8 new file mode 100644 -index 0000000..b178fb9 +index 0000000..0184471 --- /dev/null 
+++ b/man/man8/chronyd_selinux.8 -@@ -0,0 +1,167 @@ +@@ -0,0 +1,180 @@ +.TH "chronyd_selinux" "8" "chronyd" "dwalsh@redhat.com" "chronyd SELinux Policy documentation" +.SH "NAME" +chronyd_selinux \- Security Enhanced Linux Policy for the chronyd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B chronyd -+(Chrony NTP background daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the chronyd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the chronyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the chronyd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the chronyd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6776,10 +7375,6 @@ index 0000000..b178fb9 + +- Set files with the chronyd_unit_file_t type, if you want to treat the files as chronyd unit content. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/system/chrony.*, /usr/lib/systemd/system/chronyd.* + +.EX +.PP @@ -6810,7 +7405,7 @@ index 0000000..b178fb9 +/var/run/chronyd(/.*), /var/run/chronyd\.sock, /var/run/chronyd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -6837,7 +7432,7 @@ index 0000000..b178fb9 + + +Default Defined Ports: -+tcp 8021 ++udp 323 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -6881,17 +7476,19 @@ index 0000000..b178fb9 +selinux(8), chronyd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ciped_selinux.8 b/man/man8/ciped_selinux.8 new file mode 100644 -index 0000000..e387cea +index 0000000..27d1a6b --- /dev/null +++ b/man/man8/ciped_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "ciped_selinux" "8" "ciped" "dwalsh@redhat.com" "ciped SELinux Policy documentation" +.SH "NAME" +ciped_selinux \- Security Enhanced Linux Policy for the ciped processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ciped processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -6913,7 +7510,7 @@ index 0000000..e387cea + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -6958,17 +7555,17 @@ index 0000000..e387cea +selinux(8), ciped(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/clamd_selinux.8 b/man/man8/clamd_selinux.8 new file mode 100644 -index 0000000..7ffdf73 +index 0000000..db9a26c --- /dev/null 
+++ b/man/man8/clamd_selinux.8 -@@ -0,0 +1,183 @@ +@@ -0,0 +1,221 @@ +.TH "clamd_selinux" "8" "clamd" "dwalsh@redhat.com" "clamd SELinux Policy documentation" +.SH "NAME" +clamd_selinux \- Security Enhanced Linux Policy for the clamd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the clamd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. clamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamd with the tightest access possible. @@ -6982,12 +7579,42 @@ index 0000000..7ffdf73 +.EE + +.PP ++If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. ++ ++.EX ++.B setsebool -P clamscan_can_scan_system 1 ++.EE ++ ++.PP +If you want to allow clamd to use JIT compile, you must turn on the clamd_use_jit boolean. + +.EX +.B setsebool -P clamd_use_jit 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the clamd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the clamd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the clamd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -7037,6 +7664,14 @@ index 0000000..7ffdf73 + +.EX +.PP ++.B clamd_unit_file_t ++.EE ++ ++- Set files with the clamd_unit_file_t type, if you want to treat the files as clamd unit content. ++ ++ ++.EX ++.PP +.B clamd_var_lib_t +.EE + 
@@ -7072,7 +7707,7 @@ index 0000000..7ffdf73 +/var/run/amavis(d)?/clamd\.pid, /var/run/clamd.*, /var/run/clamav.*, /var/spool/MailScanner(/.*)?, /var/spool/amavisd/clamd\.sock + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7099,7 +7734,7 @@ index 0000000..7ffdf73 + + +Default Defined Ports: -+tcp 8021 ++tcp 3310 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -7148,17 +7783,17 @@ index 0000000..7ffdf73 \ No newline at end of file diff --git a/man/man8/clamscan_selinux.8 b/man/man8/clamscan_selinux.8 new file mode 100644 -index 0000000..4b82f56 +index 0000000..dd41fa2 --- /dev/null +++ b/man/man8/clamscan_selinux.8 -@@ -0,0 +1,98 @@ +@@ -0,0 +1,107 @@ +.TH "clamscan_selinux" "8" "clamscan" "dwalsh@redhat.com" "clamscan SELinux Policy documentation" +.SH "NAME" +clamscan_selinux \- Security Enhanced Linux Policy for the clamscan processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the clamscan processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. clamscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run clamscan with the tightest access possible. 
@@ -7171,6 +7806,15 @@ index 0000000..4b82f56 +.B setsebool -P clamscan_read_user_content 1 +.EE + ++.PP ++If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. ++ ++.EX ++.B setsebool -P clamscan_can_scan_system 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -7203,7 +7847,7 @@ index 0000000..4b82f56 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7253,23 +7897,19 @@ index 0000000..4b82f56 \ No newline at end of file diff --git a/man/man8/clogd_selinux.8 b/man/man8/clogd_selinux.8 new file mode 100644 -index 0000000..c68d541 +index 0000000..2ec309f --- /dev/null +++ b/man/man8/clogd_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,89 @@ +.TH "clogd_selinux" "8" "clogd" "dwalsh@redhat.com" "clogd SELinux Policy documentation" +.SH "NAME" +clogd_selinux \- Security Enhanced Linux Policy for the clogd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B clogd -+(clogd - Clustered Mirror Log Server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the clogd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -7307,7 +7947,7 @@ index 0000000..c68d541 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7352,17 +7992,40 @@ index 0000000..c68d541 +selinux(8), clogd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/clvmd_selinux.8 b/man/man8/clvmd_selinux.8 new file mode 100644 -index 0000000..f25da6c +index 0000000..720ebeb --- /dev/null +++ b/man/man8/clvmd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,118 @@ +.TH "clvmd_selinux" "8" "clvmd" "dwalsh@redhat.com" "clvmd SELinux Policy documentation" +.SH "NAME" +clvmd_selinux \- Security Enhanced Linux Policy for the clvmd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the clvmd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the clvmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the clvmd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the clvmd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -7408,7 +8071,7 @@ index 0000000..f25da6c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7453,23 +8116,19 @@ index 0000000..f25da6c +selinux(8), clvmd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cmirrord_selinux.8 b/man/man8/cmirrord_selinux.8 new file mode 100644 -index 0000000..056abd4 +index 0000000..4d708d4 --- /dev/null +++ b/man/man8/cmirrord_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "cmirrord_selinux" "8" "cmirrord" "dwalsh@redhat.com" "cmirrord SELinux Policy documentation" +.SH "NAME" +cmirrord_selinux \- Security Enhanced Linux Policy for the cmirrord processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cmirrord -+(Cluster mirror log daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cmirrord processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -7515,7 +8174,7 @@ index 0000000..056abd4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7560,17 +8219,17 @@ index 0000000..056abd4 +selinux(8), cmirrord(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/cobblerd_selinux.8 b/man/man8/cobblerd_selinux.8 new file mode 100644 -index 0000000..9a63029 +index 0000000..0f5ed2b --- /dev/null +++ b/man/man8/cobblerd_selinux.8 -@@ -0,0 +1,211 @@ +@@ -0,0 +1,177 @@ +.TH "cobblerd_selinux" "8" "cobblerd" "dwalsh@redhat.com" "cobblerd SELinux Policy documentation" +.SH "NAME" +cobblerd_selinux \- Security Enhanced Linux Policy for the cobblerd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the cobblerd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. cobblerd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cobblerd with the tightest access possible. @@ -7604,6 +8263,8 @@ index 0000000..9a63029 +.B setsebool -P cobbler_use_cifs 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. +.TP @@ -7615,7 +8276,7 @@ index 0000000..9a63029 +.B restorecon -F -R -v /var/cobblerd +.pp +.TP -+Allow cobblerd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_cobblerd_anon_write boolean to be set. ++Allow cobblerd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_cobblerdd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/cobblerd/incoming(/.*)?" 
@@ -7643,42 +8304,6 @@ index 0000000..9a63029 + +.EX +.PP -+.B cobbler_etc_t -+.EE -+ -+- Set files with the cobbler_etc_t type, if you want to store cobbler files in the /etc directories. -+ -+ -+.EX -+.PP -+.B cobbler_tmp_t -+.EE -+ -+- Set files with the cobbler_tmp_t type, if you want to store cobbler temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B cobbler_var_lib_t -+.EE -+ -+- Set files with the cobbler_var_lib_t type, if you want to store the cobbler files under the /var/lib directory. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/cobbler(/.*)?, /var/www/cobbler/images(/.*)?, /var/www/cobbler/repo_mirror(/.*)?, /var/lib/tftpboot/pxelinux\.cfg(/.*)?, /var/lib/tftpboot/memdisk, /var/lib/tftpboot/s390x(/.*)?, /var/www/cobbler/links(/.*)?, /var/lib/tftpboot/menu\.c32, /var/lib/tftpboot/yaboot, /var/www/cobbler/localmirror(/.*)?, /var/www/cobbler/ks_mirror(/.*)?, /var/lib/tftpboot/grub(/.*)?, /var/www/cobbler/pub(/.*)?, /var/lib/tftpboot/ppc(/.*)?, /var/lib/tftpboot/pxelinux\.0, /var/lib/tftpboot/images(/.*)?, /var/lib/tftpboot/etc(/.*)?, /var/www/cobbler/rendered(/.*)? -+ -+.EX -+.PP -+.B cobbler_var_log_t -+.EE -+ -+- Set files with the cobbler_var_log_t type, if you want to treat the data as cobbler var log data, usually stored under the /var/log directory. -+ -+ -+.EX -+.PP +.B cobblerd_exec_t +.EE + @@ -7702,7 +8327,7 @@ index 0000000..9a63029 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7729,7 +8354,7 @@ index 0000000..9a63029 + + +Default Defined Ports: -+tcp 8021 ++tcp 25151 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -7778,24 +8403,18 @@ index 0000000..9a63029 \ No newline at end of file diff --git a/man/man8/collectd_selinux.8 b/man/man8/collectd_selinux.8 new file mode 100644 -index 0000000..6210747 +index 0000000..7e335f5 --- /dev/null +++ b/man/man8/collectd_selinux.8 -@@ -0,0 +1,124 @@ +@@ -0,0 +1,120 @@ +.TH "collectd_selinux" "8" "collectd" "dwalsh@redhat.com" "collectd SELinux Policy documentation" +.SH "NAME" +collectd_selinux \- Security Enhanced Linux Policy for the collectd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B collectd -+(policy for collectd) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the collectd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. collectd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run collectd with the tightest access possible. + @@ -7807,6 +8426,8 @@ index 0000000..6210747 +.B setsebool -P collectd_can_network_connect 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -7859,7 +8480,7 @@ index 0000000..6210747 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -7909,23 +8530,40 @@ index 0000000..6210747 \ No newline at end of file diff --git a/man/man8/colord_selinux.8 b/man/man8/colord_selinux.8 new file mode 100644 -index 0000000..7ed4ac6 +index 0000000..b1507ed --- /dev/null 
+++ b/man/man8/colord_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,134 @@ +.TH "colord_selinux" "8" "colord" "dwalsh@redhat.com" "colord SELinux Policy documentation" +.SH "NAME" +colord_selinux \- Security Enhanced Linux Policy for the colord processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B colord -+(GNOME color manager) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the colord processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the colord_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the colord_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the colord_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -7987,7 +8625,7 @@ index 0000000..7ed4ac6 +/var/lib/color(/.*)?, /var/lib/colord(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8032,23 +8670,40 @@ index 0000000..7ed4ac6 +selinux(8), colord(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/comsat_selinux.8 b/man/man8/comsat_selinux.8 new file mode 100644 -index 0000000..da3d8e9 +index 0000000..55863c1 --- /dev/null 
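Review bot: The added NSSWITCH DOMAIN paragraphs read as if each boolean were scoped to this domain ("for the colord_t"), but `setsebool -P` flips a policy-wide boolean. Enabling `authlogin_nsswitch_use_ldap`, `allow_kerberos` or `allow_ypbind` from this page therefore changes access for every domain whose rules depend on it. The page should say so, for example `Note: this boolean is system-wide; turning it on affects all domains that use it, not only colord_t.` The wording also has two slips, "a sssd serve" and "run with NI", which presumably should read "an sssd server" and "NIS". The same paragraphs are added to the comsat, consolekit, corosync, couchdb, courier, crond, crontab and cups pages, and several other pages (cmirrord, cobblerd, collectd, consoletype, cpucontrol among them) gain an `.SH NSSWITCH DOMAIN` heading with no body under it.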
+++ b/man/man8/comsat_selinux.8 -@@ -0,0 +1,119 @@ +@@ -0,0 +1,136 @@ +.TH "comsat_selinux" "8" "comsat" "dwalsh@redhat.com" "comsat SELinux Policy documentation" +.SH "NAME" +comsat_selinux \- Security Enhanced Linux Policy for the comsat processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B comsat -+(Comsat, a biff server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the comsat processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the comsat_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the comsat_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the comsat_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8086,7 +8741,7 @@ index 0000000..da3d8e9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8113,7 +8768,7 @@ index 0000000..da3d8e9 + + +Default Defined Ports: -+tcp 8021 ++udp 512 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -8157,23 +8812,40 @@ index 0000000..da3d8e9 +selinux(8), comsat(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/consolekit_selinux.8 b/man/man8/consolekit_selinux.8 new file mode 100644 -index 0000000..cac5397 +index 0000000..a973042 --- /dev/null +++ b/man/man8/consolekit_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,130 @@ +.TH "consolekit_selinux" "8" "consolekit" "dwalsh@redhat.com" "consolekit SELinux Policy documentation" +.SH "NAME" +consolekit_selinux \- Security Enhanced Linux Policy for the consolekit processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B consolekit -+(Framework for facilitating multiple user sessions on desktops) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the consolekit processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the consolekit_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the consolekit_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the consolekit_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8231,7 +8903,7 @@ index 0000000..cac5397 +/var/run/console-kit-daemon\.pid, /var/run/ConsoleKit(/.*)?, /var/run/consolekit\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -8276,25 +8948,19 @@ index 0000000..cac5397 +selinux(8), consolekit(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/consoletype_selinux.8 b/man/man8/consoletype_selinux.8 new file mode 100644 -index 0000000..931d27b +index 0000000..db62abe --- /dev/null +++ b/man/man8/consoletype_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,77 @@ +.TH "consoletype_selinux" "8" "consoletype" "dwalsh@redhat.com" "consoletype SELinux Policy documentation" +.SH "NAME" +consoletype_selinux \- Security Enhanced Linux Policy for the consoletype processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B consoletype -+( -+Determine of the console connected to the controlling terminal. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the consoletype processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8320,7 +8986,7 @@ index 0000000..931d27b +/usr/sbin/consoletype, /sbin/consoletype + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8365,23 +9031,40 @@ index 0000000..931d27b +selinux(8), consoletype(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/corosync_selinux.8 b/man/man8/corosync_selinux.8 new file mode 100644 -index 0000000..a20c704 +index 0000000..b250a1d --- /dev/null 
+++ b/man/man8/corosync_selinux.8 -@@ -0,0 +1,149 @@ +@@ -0,0 +1,166 @@ +.TH "corosync_selinux" "8" "corosync" "dwalsh@redhat.com" "corosync SELinux Policy documentation" +.SH "NAME" +corosync_selinux \- Security Enhanced Linux Policy for the corosync processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B corosync -+(Corosync Cluster Engine) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the corosync processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the corosync_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the corosync_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the corosync_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8452,7 +9135,7 @@ index 0000000..a20c704 +.br +.TP 5 +Paths: -+/var/lib/corosync(/.*)?, /usr/lib(64)?/heartbeat(/.*)? ++/var/lib/heartbeat(/.*)?, /var/lib/corosync(/.*)? + +.EX +.PP @@ -8472,10 +9155,10 @@ index 0000000..a20c704 +.br +.TP 5 +Paths: -+/var/run/hearbeat(/.*)?, /var/run/corosync\.pid, /var/run/cman_.* ++/var/run/rsctmp(/.*)?, /var/run/corosync\.pid, /var/run/cman_.*, /var/run/heartbeat(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -8520,23 +9203,40 @@ index 0000000..a20c704 +selinux(8), corosync(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/couchdb_selinux.8 b/man/man8/couchdb_selinux.8 new file mode 100644 -index 0000000..61ec71c +index 0000000..b0e2605 --- /dev/null +++ b/man/man8/couchdb_selinux.8 -@@ -0,0 +1,151 @@ +@@ -0,0 +1,170 @@ +.TH "couchdb_selinux" "8" "couchdb" "dwalsh@redhat.com" "couchdb SELinux Policy documentation" +.SH "NAME" +couchdb_selinux \- Security Enhanced Linux Policy for the couchdb processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B couchdb -+(policy for couchdb) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the couchdb processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the couchdb_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the couchdb_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the couchdb_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8606,7 +9306,7 @@ index 0000000..61ec71c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -8633,7 +9333,9 @@ index 0000000..61ec71c + + +Default Defined Ports: -+tcp 8021 ++tcp 5984 ++.EE ++udp 5984 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -8677,23 +9379,40 @@ index 0000000..61ec71c +selinux(8), couchdb(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/courier_selinux.8 b/man/man8/courier_selinux.8 new file mode 100644 -index 0000000..3dc9d81 +index 0000000..63c1492 --- /dev/null +++ b/man/man8/courier_selinux.8 -@@ -0,0 +1,165 @@ +@@ -0,0 +1,182 @@ +.TH "courier_selinux" "8" "courier" "dwalsh@redhat.com" "courier SELinux Policy documentation" +.SH "NAME" +courier_selinux \- Security Enhanced Linux Policy for the courier processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B courier -+(Courier IMAP and POP3 email servers) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the courier processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the courier_authdaemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the courier_authdaemon_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the courier_authdaemon_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
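Review bot: The added port lines in the couchdb "Default Defined Ports" hunk close the example block twice: `tcp 5984`, `.EE`, `udp 5984`, `.EE`. The old text had a single `.EE`, so there is presumably only one `.EX` opening the block above the hunk. That leaves the udp line outside the example block and the second `.EE` with nothing to close. Emit both ports inside one block, i.e. `tcp 5984` then `udp 5984` then a single `.EE`. The ctdbd ports hunk further down (`tcp 4379`, `.EE`, `udp 4379`, `.EE`) has the same shape.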
@@ -8803,7 +9522,7 @@ index 0000000..3dc9d81 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -8848,23 +9567,19 @@ index 0000000..3dc9d81 +selinux(8), courier(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cpucontrol_selinux.8 b/man/man8/cpucontrol_selinux.8 new file mode 100644 -index 0000000..e50677e +index 0000000..b16af55 --- /dev/null +++ b/man/man8/cpucontrol_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,85 @@ +.TH "cpucontrol_selinux" "8" "cpucontrol" "dwalsh@redhat.com" "cpucontrol SELinux Policy documentation" +.SH "NAME" +cpucontrol_selinux \- Security Enhanced Linux Policy for the cpucontrol processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cpucontrol -+(Services for loading CPU microcode and CPU frequency scaling) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cpucontrol processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8898,7 +9613,7 @@ index 0000000..e50677e +/sbin/microcode_ctl, /usr/sbin/microcode_ctl + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -8943,23 +9658,19 @@ index 0000000..e50677e +selinux(8), cpucontrol(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cpufreqselector_selinux.8 b/man/man8/cpufreqselector_selinux.8 new file mode 100644 -index 0000000..e7b10a3 +index 0000000..2f76dc7 --- /dev/null +++ b/man/man8/cpufreqselector_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "cpufreqselector_selinux" "8" "cpufreqselector" "dwalsh@redhat.com" "cpufreqselector SELinux Policy documentation" +.SH "NAME" +cpufreqselector_selinux \- Security Enhanced Linux Policy for the cpufreqselector processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cpufreqselector -+(Command-line CPU frequency settings) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cpufreqselector processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -8981,7 +9692,7 @@ index 0000000..e7b10a3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9026,17 +9737,19 @@ index 0000000..e7b10a3 +selinux(8), cpufreqselector(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cpuspeed_selinux.8 b/man/man8/cpuspeed_selinux.8 new file mode 100644 -index 0000000..8142e64 +index 0000000..91ed60d --- /dev/null 
+++ b/man/man8/cpuspeed_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,85 @@ +.TH "cpuspeed_selinux" "8" "cpuspeed" "dwalsh@redhat.com" "cpuspeed SELinux Policy documentation" +.SH "NAME" +cpuspeed_selinux \- Security Enhanced Linux Policy for the cpuspeed processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cpuspeed processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -9070,7 +9783,7 @@ index 0000000..8142e64 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9115,17 +9828,19 @@ index 0000000..8142e64 +selinux(8), cpuspeed(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/crack_selinux.8 b/man/man8/crack_selinux.8 new file mode 100644 -index 0000000..328fc4d +index 0000000..c17fa55 --- /dev/null +++ b/man/man8/crack_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "crack_selinux" "8" "crack" "dwalsh@redhat.com" "crack SELinux Policy documentation" +.SH "NAME" +crack_selinux \- Security Enhanced Linux Policy for the crack processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the crack processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -9171,7 +9886,7 @@ index 0000000..328fc4d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9216,17 +9931,17 @@ index 0000000..328fc4d +selinux(8), crack(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/crond_selinux.8 b/man/man8/crond_selinux.8 new file mode 100644 -index 0000000..b717fd8 +index 0000000..66668e5 --- /dev/null +++ b/man/man8/crond_selinux.8 -@@ -0,0 +1,173 @@ +@@ -0,0 +1,160 @@ +.TH "crond_selinux" "8" "crond" "dwalsh@redhat.com" "crond SELinux Policy documentation" +.SH "NAME" +crond_selinux \- Security Enhanced Linux Policy for the crond processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the crond processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. crond policy is extremely flexible and has several booleans that allow you to manipulate the policy and run crond with the tightest access possible. 
@@ -9246,51 +9961,38 @@ index 0000000..b717fd8 +.B setsebool -P cron_can_relabel 1 +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible. -+.PP -+The following file types are defined for crond: -+ ++.SH NSSWITCH DOMAIN + -+.EX +.PP -+.B cron_log_t -+.EE -+ -+- Set files with the cron_log_t type, if you want to treat the data as cron log data, usually stored under the /var/log directory. -+ ++If you want to allow users to login using a sssd serve for the crontab_t, crond_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B cron_spool_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the cron_spool_t type, if you want to store the cron files under the /var/spool directory. -+ -+.br -+.TP 5 -+Paths: -+/var/spool/fcron, /var/spool/cron/crontabs ++.PP ++If you want to allow confined applications to run with kerberos for the crontab_t, crond_t, you must turn on the allow_kerberos boolean. + +.EX -+.PP -+.B cron_var_lib_t ++setsebool -P allow_kerberos 1 +.EE + -+- Set files with the cron_var_lib_t type, if you want to store the cron files under the /var/lib directory. -+ ++.PP ++If you want to allow system to run with NI for the crontab_t, crond_t, you must turn on the allow_ypbind boolean. + +.EX -+.PP -+.B cron_var_run_t ++setsebool -P allow_ypbind 1 +.EE + -+- Set files with the cron_var_run_t type, if you want to store the cron files under the /run directory. ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. 
++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux crond policy is very flexible allowing users to setup their crond processes in as secure a method as possible. ++.PP ++The following file types are defined for crond: + + +.EX @@ -9331,7 +10033,7 @@ index 0000000..b717fd8 +.br +.TP 5 +Paths: -+/lib/systemd/system/atd\.service, /usr/lib/systemd/system/crond\.service, /lib/systemd/system/crond\.service ++/usr/lib/systemd/system/crond.*, /usr/lib/systemd/system/atd.* + +.EX +.PP @@ -9346,7 +10048,7 @@ index 0000000..b717fd8 +/var/run/crond?\.pid, /var/run/.*cron.*, /var/run/fcron\.pid, /var/run/crond?\.reboot, /var/run/fcron\.fifo, /var/run/atd\.pid, /var/run/anacron\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9396,17 +10098,40 @@ index 0000000..b717fd8 \ No newline at end of file diff --git a/man/man8/crontab_selinux.8 b/man/man8/crontab_selinux.8 new file mode 100644 -index 0000000..3de534f +index 0000000..b70e2e9 --- /dev/null 
+++ b/man/man8/crontab_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,106 @@ +.TH "crontab_selinux" "8" "crontab" "dwalsh@redhat.com" "crontab SELinux Policy documentation" +.SH "NAME" +crontab_selinux \- Security Enhanced Linux Policy for the crontab processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the crontab processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the crontab_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the crontab_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the crontab_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -9440,7 +10165,7 @@ index 0000000..3de534f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9485,23 +10210,19 @@ index 0000000..3de534f +selinux(8), crontab(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ctdbd_selinux.8 b/man/man8/ctdbd_selinux.8 new file mode 100644 -index 0000000..1da47eb +index 0000000..569b571 --- /dev/null 
+++ b/man/man8/ctdbd_selinux.8 -@@ -0,0 +1,155 @@ +@@ -0,0 +1,153 @@ +.TH "ctdbd_selinux" "8" "ctdbd" "dwalsh@redhat.com" "ctdbd SELinux Policy documentation" +.SH "NAME" +ctdbd_selinux \- Security Enhanced Linux Policy for the ctdbd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ctdbd -+(policy for ctdbd) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ctdbd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -9575,7 +10296,7 @@ index 0000000..1da47eb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9602,7 +10323,9 @@ index 0000000..1da47eb + + +Default Defined Ports: -+tcp 8021 ++tcp 4379 ++.EE ++udp 4379 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -9646,23 +10369,40 @@ index 0000000..1da47eb +selinux(8), ctdbd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cups_selinux.8 b/man/man8/cups_selinux.8 new file mode 100644 -index 0000000..8bedca4 +index 0000000..ed7b4a9 --- /dev/null 
+++ b/man/man8/cups_selinux.8 -@@ -0,0 +1,225 @@ +@@ -0,0 +1,242 @@ +.TH "cups_selinux" "8" "cups" "dwalsh@redhat.com" "cups SELinux Policy documentation" +.SH "NAME" +cups_selinux \- Security Enhanced Linux Policy for the cups processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cups -+(Common UNIX printing system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cups processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -9765,7 +10505,7 @@ index 0000000..8bedca4 +.br +.TP 5 +Paths: -+/var/log/cups(/.*)?, /usr/local/Brother/fax/.*\.log, /var/log/turboprint.* ++/var/log/cups(/.*)?, /var/log/turboprint.*, /usr/local/Brother/fax/.*\.log + +.EX +.PP 
@@ -9801,7 +10541,7 @@ index 0000000..8bedca4 +.br +.TP 5 +Paths: -+/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/lib/cups/certs, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids ++/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /opt/brother/Printers(.*/)?inf(/.*)?, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /var/lib/cups/certs, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids + +.EX +.PP @@ -9832,7 +10572,7 @@ index 0000000..8bedca4 +/var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/turboprint(/.*)?, /var/run/cups(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -9877,43 +10617,50 @@ index 0000000..8bedca4 +selinux(8), cups(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/cupsd_selinux.8 b/man/man8/cupsd_selinux.8 new file mode 100644 -index 0000000..2ce03af +index 0000000..2fb7e72 --- /dev/null 
+++ b/man/man8/cupsd_selinux.8 -@@ -0,0 +1,219 @@ +@@ -0,0 +1,226 @@ +.TH "cupsd_selinux" "8" "cupsd" "dwalsh@redhat.com" "cupsd SELinux Policy documentation" +.SH "NAME" +cupsd_selinux \- Security Enhanced Linux Policy for the cupsd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the cupsd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP -+Policy governs the access confined processes have to these files. -+SELinux cupsd policy is very flexible allowing users to setup their cupsd processes in as secure a method as possible. -+.PP -+The following file types are defined for cupsd: -+ ++If you want to allow users to login using a sssd serve for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B cups_pdf_exec_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the cups_pdf_exec_t type, if you want to transition an executable to the cups_pdf_t domain. -+ ++.PP ++If you want to allow confined applications to run with kerberos for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the allow_kerberos boolean. + +.EX ++setsebool -P allow_kerberos 1 ++.EE ++ +.PP -+.B cups_pdf_tmp_t ++If you want to allow system to run with NI for the cups_pdf_t, cupsd_config_t, cupsd_lpd_t, cupsd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 +.EE + -+- Set files with the cups_pdf_tmp_t type, if you want to store cups pdf temporary files in the /tmp directories. ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. 
++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux cupsd policy is very flexible allowing users to setup their cupsd processes in as secure a method as possible. ++.PP ++The following file types are defined for cupsd: + + +.EX @@ -9990,7 +10737,7 @@ index 0000000..2ce03af +.br +.TP 5 +Paths: -+/var/log/cups(/.*)?, /usr/local/Brother/fax/.*\.log, /var/log/turboprint.* ++/var/log/cups(/.*)?, /var/log/turboprint.*, /usr/local/Brother/fax/.*\.log + +.EX +.PP @@ -10026,7 +10773,7 @@ index 0000000..2ce03af +.br +.TP 5 +Paths: -+/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/lib/cups/certs, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids ++/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /opt/brother/Printers(.*/)?inf(/.*)?, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /var/lib/cups/certs, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids + +.EX +.PP 
@@ -10057,7 +10804,7 @@ index 0000000..2ce03af +/var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/turboprint(/.*)?, /var/run/cups(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10102,24 +10849,18 @@ index 0000000..2ce03af +selinux(8), cupsd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cvs_selinux.8 b/man/man8/cvs_selinux.8 new file mode 100644 -index 0000000..5047556 +index 0000000..29680fe --- /dev/null +++ b/man/man8/cvs_selinux.8 -@@ -0,0 +1,162 @@ +@@ -0,0 +1,181 @@ +.TH "cvs_selinux" "8" "cvs" "dwalsh@redhat.com" "cvs SELinux Policy documentation" +.SH "NAME" +cvs_selinux \- Security Enhanced Linux Policy for the cvs processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cvs -+(Concurrent versions system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cvs processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. cvs policy is extremely flexible and has several booleans that allow you to manipulate the policy and run cvs with the tightest access possible. + 
@@ -10131,6 +10872,29 @@ index 0000000..5047556 +.B setsebool -P allow_cvs_read_shadow 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the cvs_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cvs_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the cvs_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -10195,7 +10959,7 @@ index 0000000..5047556 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10222,7 +10986,9 @@ index 0000000..5047556 + + +Default Defined Ports: -+tcp 8021 ++tcp 2401 ++.EE ++udp 2401 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -10271,23 +11037,19 @@ index 0000000..5047556 \ No newline at end of file diff --git a/man/man8/cyphesis_selinux.8 b/man/man8/cyphesis_selinux.8 new file mode 100644 -index 0000000..25cbcca +index 0000000..d1d00eb --- /dev/null 
+++ b/man/man8/cyphesis_selinux.8 -@@ -0,0 +1,127 @@ +@@ -0,0 +1,125 @@ +.TH "cyphesis_selinux" "8" "cyphesis" "dwalsh@redhat.com" "cyphesis SELinux Policy documentation" +.SH "NAME" +cyphesis_selinux \- Security Enhanced Linux Policy for the cyphesis processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cyphesis -+(Cyphesis WorldForge game server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cyphesis processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -10333,7 +11095,7 @@ index 0000000..25cbcca + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10360,7 +11122,9 @@ index 0000000..25cbcca + + +Default Defined Ports: -+tcp 8021 ++tcp 6767,6769,6780-6799 ++.EE ++udp 32771 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -10404,23 +11168,40 @@ index 0000000..25cbcca +selinux(8), cyphesis(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/cyrus_selinux.8 b/man/man8/cyrus_selinux.8 new file mode 100644 -index 0000000..d9b68c2 +index 0000000..51b11cf --- /dev/null 
+++ b/man/man8/cyrus_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,142 @@ +.TH "cyrus_selinux" "8" "cyrus" "dwalsh@redhat.com" "cyrus SELinux Policy documentation" +.SH "NAME" +cyrus_selinux \- Security Enhanced Linux Policy for the cyrus processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B cyrus -+(Cyrus is an IMAP service intended to be run on sealed servers) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the cyrus processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the cyrus_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the cyrus_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the cyrus_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -10490,7 +11271,7 @@ index 0000000..d9b68c2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10606,17 +11387,40 @@ index 0000000..4bbec80 +selinux(8), semanage(8). diff --git a/man/man8/dbskkd_selinux.8 b/man/man8/dbskkd_selinux.8 new file mode 100644 -index 0000000..224a13a +index 0000000..d9bb6a4 --- /dev/null 
+++ b/man/man8/dbskkd_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,136 @@ +.TH "dbskkd_selinux" "8" "dbskkd" "dwalsh@redhat.com" "dbskkd SELinux Policy documentation" +.SH "NAME" +dbskkd_selinux \- Security Enhanced Linux Policy for the dbskkd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dbskkd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the dbskkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dbskkd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the dbskkd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -10654,7 +11458,7 @@ index 0000000..224a13a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10681,7 +11485,7 @@ index 0000000..224a13a + + +Default Defined Ports: -+tcp 8021 ++tcp 1178 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -10725,23 +11529,40 @@ index 0000000..224a13a +selinux(8), dbskkd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dcc_selinux.8 b/man/man8/dcc_selinux.8 new file mode 100644 -index 0000000..ac78346 +index 0000000..2e793ca --- /dev/null 
+++ b/man/man8/dcc_selinux.8 -@@ -0,0 +1,246 @@ +@@ -0,0 +1,265 @@ +.TH "dcc_selinux" "8" "dcc" "dwalsh@redhat.com" "dcc SELinux Policy documentation" +.SH "NAME" +dcc_selinux \- Security Enhanced Linux Policy for the dcc processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dcc -+(Distributed checksum clearinghouse spam filtering) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dcc processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -10895,7 +11716,7 @@ index 0000000..ac78346 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -10922,7 +11743,7 @@ index 0000000..ac78346 + + +Default Defined Ports: -+tcp 8021 ++udp 6276,6277 +.EE + +.EX 
@@ -10933,7 +11754,9 @@ index 0000000..ac78346 + + +Default Defined Ports: -+tcp 8021 ++tcp 5679 ++.EE ++udp 5679 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -10977,92 +11800,51 @@ index 0000000..ac78346 +selinux(8), dcc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dccd_selinux.8 b/man/man8/dccd_selinux.8 new file mode 100644 -index 0000000..2da502a +index 0000000..2c83b36 --- /dev/null 
+++ b/man/man8/dccd_selinux.8 -@@ -0,0 +1,188 @@ +@@ -0,0 +1,149 @@ +.TH "dccd_selinux" "8" "dccd" "dwalsh@redhat.com" "dccd SELinux Policy documentation" +.SH "NAME" +dccd_selinux \- Security Enhanced Linux Policy for the dccd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dccd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible. -+.PP -+The following file types are defined for dccd: -+ ++If you want to allow users to login using a sssd serve for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B dcc_client_exec_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the dcc_client_exec_t type, if you want to transition an executable to the dcc_client_t domain. -+ -+ -+.EX +.PP -+.B dcc_client_map_t -+.EE -+ -+- Set files with the dcc_client_map_t type, if you want to treat the files as dcc client map data. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/dcc/map, /etc/dcc/map, /var/run/dcc/map, /var/dcc/map ++If you want to allow confined applications to run with kerberos for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the allow_kerberos boolean. + +.EX -+.PP -+.B dcc_client_tmp_t ++setsebool -P allow_kerberos 1 +.EE + -+- Set files with the dcc_client_tmp_t type, if you want to store dcc client temporary files in the /tmp directories. -+ -+ -+.EX +.PP -+.B dcc_dbclean_exec_t -+.EE -+ -+- Set files with the dcc_dbclean_exec_t type, if you want to transition an executable to the dcc_dbclean_t domain. 
-+ ++If you want to allow system to run with NI for the dccifd_t, dccm_t, dcc_client_t, dcc_dbclean_t, dccd_t, you must turn on the allow_ypbind boolean. + +.EX -+.PP -+.B dcc_dbclean_tmp_t ++setsebool -P allow_ypbind 1 +.EE + -+- Set files with the dcc_dbclean_tmp_t type, if you want to store dcc dbclean temporary files in the /tmp directories. -+ -+ -+.EX ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. +.PP -+.B dcc_var_run_t -+.EE -+ -+- Set files with the dcc_var_run_t type, if you want to store the dcc files under the /run directory. -+ -+ -+.EX ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP -+.B dcc_var_t -+.EE -+ -+- Set files with the dcc_var_t type, if you want to store the files under the /var directory. ++Policy governs the access confined processes have to these files. ++SELinux dccd policy is very flexible allowing users to setup their dccd processes in as secure a method as possible. ++.PP ++The following file types are defined for dccd: + -+.br -+.TP 5 -+Paths: -+/etc/dcc(/.*)?, /var/dcc(/.*)?, /var/lib/dcc(/.*)? + +.EX +.PP @@ -11089,7 +11871,7 @@ index 0000000..2da502a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11116,7 +11898,7 @@ index 0000000..2da502a + + +Default Defined Ports: -+tcp 8021 ++udp 6276,6277 +.EE + +.EX @@ -11127,7 +11909,9 @@ index 0000000..2da502a + + +Default Defined Ports: -+tcp 8021 ++tcp 5679 ++.EE ++udp 5679 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -11171,17 +11955,40 @@ index 0000000..2da502a +selinux(8), dccd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dccifd_selinux.8 b/man/man8/dccifd_selinux.8 new file mode 100644 -index 0000000..c80e92b +index 0000000..8d7958a --- /dev/null +++ b/man/man8/dccifd_selinux.8 -@@ -0,0 +1,91 @@ +@@ -0,0 +1,114 @@ +.TH "dccifd_selinux" "8" "dccifd" "dwalsh@redhat.com" "dccifd SELinux Policy documentation" +.SH "NAME" +dccifd_selinux \- Security Enhanced Linux Policy for the dccifd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dccifd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the dccifd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dccifd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the dccifd_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11223,7 +12030,7 @@ index 0000000..c80e92b +/etc/dcc/dccifd, /var/run/dcc/dccifd + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11268,17 +12075,40 @@ index 0000000..c80e92b +selinux(8), dccifd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/dccm_selinux.8 b/man/man8/dccm_selinux.8 new file mode 100644 -index 0000000..a9a2caa +index 0000000..66de7b4 --- /dev/null +++ b/man/man8/dccm_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,138 @@ +.TH "dccm_selinux" "8" "dccm" "dwalsh@redhat.com" "dccm SELinux Policy documentation" +.SH "NAME" +dccm_selinux \- Security Enhanced Linux Policy for the dccm processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dccm processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the dccm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dccm_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the dccm_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11316,7 +12146,7 @@ index 0000000..a9a2caa + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11343,7 +12173,9 @@ index 0000000..a9a2caa + + +Default Defined Ports: -+tcp 8021 ++tcp 5679 ++.EE ++udp 5679 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -11387,17 +12219,19 @@ index 0000000..a9a2caa +selinux(8), dccm(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/dcerpcd_selinux.8 b/man/man8/dcerpcd_selinux.8 new file mode 100644 -index 0000000..7e28fe1 +index 0000000..6cbed0f --- /dev/null +++ b/man/man8/dcerpcd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "dcerpcd_selinux" "8" "dcerpcd" "dwalsh@redhat.com" "dcerpcd SELinux Policy documentation" +.SH "NAME" +dcerpcd_selinux \- Security Enhanced Linux Policy for the dcerpcd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dcerpcd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11443,7 +12277,7 @@ index 0000000..7e28fe1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11488,23 +12322,19 @@ index 0000000..7e28fe1 +selinux(8), dcerpcd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ddclient_selinux.8 b/man/man8/ddclient_selinux.8 new file mode 100644 -index 0000000..13df14d +index 0000000..7682599 --- /dev/null 
+++ b/man/man8/ddclient_selinux.8 -@@ -0,0 +1,145 @@ +@@ -0,0 +1,141 @@ +.TH "ddclient_selinux" "8" "ddclient" "dwalsh@redhat.com" "ddclient SELinux Policy documentation" +.SH "NAME" +ddclient_selinux \- Security Enhanced Linux Policy for the ddclient processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ddclient -+(Update dynamic IP address at DynDNS.org) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ddclient processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11594,7 +12424,7 @@ index 0000000..13df14d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11639,17 +12469,40 @@ index 0000000..13df14d +selinux(8), ddclient(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/deltacloudd_selinux.8 b/man/man8/deltacloudd_selinux.8 new file mode 100644 -index 0000000..7d2381f +index 0000000..78b4f5a --- /dev/null 
+++ b/man/man8/deltacloudd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,118 @@ +.TH "deltacloudd_selinux" "8" "deltacloudd" "dwalsh@redhat.com" "deltacloudd SELinux Policy documentation" +.SH "NAME" +deltacloudd_selinux \- Security Enhanced Linux Policy for the deltacloudd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the deltacloudd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the deltacloudd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the deltacloudd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the deltacloudd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11695,7 +12548,7 @@ index 0000000..7d2381f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11740,23 +12593,40 @@ index 0000000..7d2381f +selinux(8), deltacloudd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/denyhosts_selinux.8 b/man/man8/denyhosts_selinux.8 new file mode 100644 -index 0000000..ff32a2b +index 0000000..81b9501 --- /dev/null 
+++ b/man/man8/denyhosts_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,126 @@ +.TH "denyhosts_selinux" "8" "denyhosts" "dwalsh@redhat.com" "denyhosts SELinux Policy documentation" +.SH "NAME" +denyhosts_selinux \- Security Enhanced Linux Policy for the denyhosts processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B denyhosts -+(DenyHosts SSH dictionary attack mitigation) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the denyhosts processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the denyhosts_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the denyhosts_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the denyhosts_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11810,7 +12680,7 @@ index 0000000..ff32a2b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11855,17 +12725,19 @@ index 0000000..ff32a2b +selinux(8), denyhosts(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/depmod_selinux.8 b/man/man8/depmod_selinux.8 new file mode 100644 -index 0000000..b5dcbff +index 0000000..49b8acb --- /dev/null 
+++ b/man/man8/depmod_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "depmod_selinux" "8" "depmod" "dwalsh@redhat.com" "depmod SELinux Policy documentation" +.SH "NAME" +depmod_selinux \- Security Enhanced Linux Policy for the depmod processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the depmod processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11891,7 +12763,7 @@ index 0000000..b5dcbff +/sbin/depmod.*, /usr/sbin/depmod.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -11936,23 +12808,40 @@ index 0000000..b5dcbff +selinux(8), depmod(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/devicekit_selinux.8 b/man/man8/devicekit_selinux.8 new file mode 100644 -index 0000000..fbd38fb +index 0000000..ac99c20 --- /dev/null 
+++ b/man/man8/devicekit_selinux.8 -@@ -0,0 +1,145 @@ +@@ -0,0 +1,162 @@ +.TH "devicekit_selinux" "8" "devicekit" "dwalsh@redhat.com" "devicekit SELinux Policy documentation" +.SH "NAME" +devicekit_selinux \- Security Enhanced Linux Policy for the devicekit processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B devicekit -+(Devicekit modular hardware abstraction layer) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the devicekit processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the devicekit_disk_t, devicekit_power_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the devicekit_disk_t, devicekit_power_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the devicekit_disk_t, devicekit_power_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -11975,7 +12864,7 @@ index 0000000..fbd38fb +.br +.TP 5 +Paths: -+/usr/lib/udev/udisks-part-id, /lib/udisks2/udisksd, /usr/lib/udisks2/udisksd, /lib/udev/udisks-part-id, /usr/libexec/devkit-disks-daemon, /usr/libexec/udisks-daemon ++/usr/lib/udev/udisks-part-id, /usr/libexec/devkit-disks-daemon, /lib/udisks2/udisksd, /usr/lib/udisks2/udisksd, /lib/udev/udisks-part-id, /usr/libexec/udisks-daemon + +.EX +.PP 
@@ -12042,7 +12931,7 @@ index 0000000..fbd38fb +/var/run/upower(/.*)?, /var/run/udisks.*, /var/run/devkit(/.*)?, /var/run/DeviceKit-disks(/.*)?, /var/run/pm-utils(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12087,17 +12976,17 @@ index 0000000..fbd38fb +selinux(8), devicekit(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dhcpc_selinux.8 b/man/man8/dhcpc_selinux.8 new file mode 100644 -index 0000000..b805e27 +index 0000000..5d89a68 --- /dev/null +++ b/man/man8/dhcpc_selinux.8 -@@ -0,0 +1,152 @@ +@@ -0,0 +1,177 @@ +.TH "dhcpc_selinux" "8" "dhcpc" "dwalsh@redhat.com" "dhcpc SELinux Policy documentation" +.SH "NAME" +dhcpc_selinux \- Security Enhanced Linux Policy for the dhcpc processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the dhcpc processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. dhcpc policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpc with the tightest access possible. 
@@ -12110,6 +12999,29 @@ index 0000000..b805e27 +.B setsebool -P dhcpc_exec_iptables 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dhcpc_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the dhcpc_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -12170,7 +13082,7 @@ index 0000000..b805e27 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12197,7 +13109,9 @@ index 0000000..b805e27 + + +Default Defined Ports: -+tcp 8021 ++tcp 68,546 ++.EE ++udp 68,546 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -12246,17 +13160,17 @@ index 0000000..b805e27 \ No newline at end of file diff --git a/man/man8/dhcpd_selinux.8 b/man/man8/dhcpd_selinux.8 new file mode 100644 -index 0000000..db3ea11 +index 0000000..18e030d --- /dev/null 
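Review bot: In the `Default Defined Ports` change for dhcpc (`@@ -12197,7 +13109,9 @@`) the new side emits `.EE` after the `tcp 68,546` line and again after `udp 68,546`, so the second `.EE` has no visible `.EX` to close and the udp line falls outside the example block. The opening `.EX` is outside this hunk, so this is inferred from the context lines. If only one `.EX` precedes the list, drop the first `.EE` and keep `tcp 68,546` and `udp 68,546` followed by a single `.EE`. The dhcpd page shows the same pattern for both of its port types.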
+++ b/man/man8/dhcpd_selinux.8 -@@ -0,0 +1,191 @@ +@@ -0,0 +1,194 @@ +.TH "dhcpd_selinux" "8" "dhcpd" "dwalsh@redhat.com" "dhcpd SELinux Policy documentation" +.SH "NAME" +dhcpd_selinux \- Security Enhanced Linux Policy for the dhcpd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the dhcpd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. dhcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dhcpd with the tightest access possible. 
@@ -12269,35 +13183,38 @@ index 0000000..db3ea11 +.B setsebool -P dhcpc_exec_iptables 1 +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible. -+.PP -+The following file types are defined for dhcpd: ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the dhcpd_t, dhcpc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B dhcp_etc_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the dhcp_etc_t type, if you want to store dhcp files in the /etc directories. -+ -+.br -+.TP 5 -+Paths: -+/etc/dhcp3(/.*)?, /etc/dhcp3?/dhclient.*, /etc/dhcpd(6)?\.conf, /etc/dhcpc.*, /etc/dhclient-script, /etc/dhclient.*conf, /etc/dhcp/dhcpd(6)?\.conf ++.PP ++If you want to allow confined applications to run with kerberos for the dhcpd_t, dhcpc_t, you must turn on the allow_kerberos boolean. + +.EX ++setsebool -P allow_kerberos 1 ++.EE ++ +.PP -+.B dhcp_state_t ++If you want to allow system to run with NI for the dhcpd_t, dhcpc_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 +.EE + -+- Set files with the dhcp_state_t type, if you want to treat the files as dhcp state data. ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux dhcpd policy is very flexible allowing users to setup their dhcpd processes in as secure a method as possible. ++.PP ++The following file types are defined for dhcpd: + + +.EX 
@@ -12343,10 +13260,6 @@ index 0000000..db3ea11 + +- Set files with the dhcpd_unit_file_t type, if you want to treat the files as dhcpd unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/dhcpcd.*, /lib/systemd/system/dhcpcd.* + +.EX +.PP @@ -12357,7 +13270,7 @@ index 0000000..db3ea11 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12384,7 +13297,9 @@ index 0000000..db3ea11 + + +Default Defined Ports: -+tcp 8021 ++tcp 68,546 ++.EE ++udp 68,546 +.EE + +.EX @@ -12395,7 +13310,9 @@ index 0000000..db3ea11 + + +Default Defined Ports: -+tcp 8021 ++tcp 547,548,647,847,7911 ++.EE ++udp 67,547,548,647,847 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -12444,23 +13361,40 @@ index 0000000..db3ea11 \ No newline at end of file diff --git a/man/man8/dictd_selinux.8 b/man/man8/dictd_selinux.8 new file mode 100644 -index 0000000..53e911a +index 0000000..e7d4ed2 --- /dev/null 
+++ b/man/man8/dictd_selinux.8 -@@ -0,0 +1,135 @@ +@@ -0,0 +1,152 @@ +.TH "dictd_selinux" "8" "dictd" "dwalsh@redhat.com" "dictd SELinux Policy documentation" +.SH "NAME" +dictd_selinux \- Security Enhanced Linux Policy for the dictd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dictd -+(Dictionary daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dictd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the dictd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dictd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the dictd_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -12514,7 +13448,7 @@ index 0000000..53e911a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12541,7 +13475,7 @@ index 0000000..53e911a + + +Default Defined Ports: -+tcp 8021 ++tcp 2628 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -12585,23 +13519,40 @@ index 0000000..53e911a +selinux(8), dictd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/dirsrv_selinux.8 b/man/man8/dirsrv_selinux.8 new file mode 100644 -index 0000000..7c06f47 +index 0000000..b62508a --- /dev/null +++ b/man/man8/dirsrv_selinux.8 -@@ -0,0 +1,217 @@ +@@ -0,0 +1,234 @@ +.TH "dirsrv_selinux" "8" "dirsrv" "dwalsh@redhat.com" "dirsrv SELinux Policy documentation" +.SH "NAME" +dirsrv_selinux \- Security Enhanced Linux Policy for the dirsrv processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dirsrv -+(policy for dirsrv) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dirsrv processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the dirsrv_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dirsrv_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the dirsrv_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -12763,7 +13714,7 @@ index 0000000..7c06f47 +/usr/lib/dirsrv/cgi-bin/ds_remove, /usr/lib/dirsrv/cgi-bin/ds_create + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12808,17 +13759,19 @@ index 0000000..7c06f47 +selinux(8), dirsrv(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/dirsrvadmin_selinux.8 b/man/man8/dirsrvadmin_selinux.8 new file mode 100644 -index 0000000..f314f5a +index 0000000..1566389 --- /dev/null +++ b/man/man8/dirsrvadmin_selinux.8 -@@ -0,0 +1,115 @@ +@@ -0,0 +1,117 @@ +.TH "dirsrvadmin_selinux" "8" "dirsrvadmin" "dwalsh@redhat.com" "dirsrvadmin SELinux Policy documentation" +.SH "NAME" +dirsrvadmin_selinux \- Security Enhanced Linux Policy for the dirsrvadmin processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dirsrvadmin processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -12884,7 +13837,7 @@ index 0000000..f314f5a +/usr/lib/dirsrv/cgi-bin/ds_remove, /usr/lib/dirsrv/cgi-bin/ds_create + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -12929,17 +13882,19 @@ index 0000000..f314f5a +selinux(8), dirsrvadmin(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/disk_selinux.8 b/man/man8/disk_selinux.8 new file mode 100644 -index 0000000..d3d396c +index 0000000..ebf8c64 --- /dev/null +++ b/man/man8/disk_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,85 @@ +.TH "disk_selinux" "8" "disk" "dwalsh@redhat.com" "disk SELinux Policy documentation" +.SH "NAME" +disk_selinux \- Security Enhanced Linux Policy for the disk processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the disk processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -12973,7 +13928,7 @@ index 0000000..d3d396c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13018,23 +13973,40 @@ index 0000000..d3d396c +selinux(8), disk(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dkim_selinux.8 b/man/man8/dkim_selinux.8 new file mode 100644 -index 0000000..ff5f6d1 +index 0000000..0e402ab --- /dev/null +++ b/man/man8/dkim_selinux.8 -@@ -0,0 +1,97 @@ +@@ -0,0 +1,114 @@ +.TH "dkim_selinux" "8" "dkim" "dwalsh@redhat.com" "dkim SELinux Policy documentation" +.SH "NAME" +dkim_selinux \- Security Enhanced Linux Policy for the dkim processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dkim -+(DomainKeys Identified Mail milter) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dkim processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the dkim_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dkim_milter_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the dkim_milter_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -13076,7 +14048,7 @@ index 0000000..ff5f6d1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13121,17 +14093,19 @@ index 0000000..ff5f6d1 +selinux(8), dkim(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dlm_selinux.8 b/man/man8/dlm_selinux.8 new file mode 100644 -index 0000000..d1bdbac +index 0000000..a848021 --- /dev/null +++ b/man/man8/dlm_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "dlm_selinux" "8" "dlm" "dwalsh@redhat.com" "dlm SELinux Policy documentation" +.SH "NAME" +dlm_selinux \- Security Enhanced Linux Policy for the dlm processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the dlm processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -13177,7 +14151,7 @@ index 0000000..d1bdbac + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13222,24 +14196,18 @@ index 0000000..d1bdbac +selinux(8), dlm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dmesg_selinux.8 b/man/man8/dmesg_selinux.8 new file mode 100644 -index 0000000..7ba27b0 +index 0000000..34ef559 --- /dev/null 
+++ b/man/man8/dmesg_selinux.8 -@@ -0,0 +1,96 @@ +@@ -0,0 +1,92 @@ +.TH "dmesg_selinux" "8" "dmesg" "dwalsh@redhat.com" "dmesg SELinux Policy documentation" +.SH "NAME" +dmesg_selinux \- Security Enhanced Linux Policy for the dmesg processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dmesg -+(Policy for dmesg) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dmesg processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. dmesg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dmesg with the tightest access possible. + @@ -13251,6 +14219,8 @@ index 0000000..7ba27b0 +.B setsebool -P user_dmesg 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -13275,7 +14245,7 @@ index 0000000..7ba27b0 +/usr/bin/dmesg, /bin/dmesg + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13325,23 +14295,19 @@ index 0000000..7ba27b0 \ No newline at end of file diff --git a/man/man8/dmidecode_selinux.8 b/man/man8/dmidecode_selinux.8 new file mode 100644 -index 0000000..d2c6acf +index 0000000..3a1ca3d --- /dev/null 
+++ b/man/man8/dmidecode_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,77 @@ +.TH "dmidecode_selinux" "8" "dmidecode" "dwalsh@redhat.com" "dmidecode SELinux Policy documentation" +.SH "NAME" +dmidecode_selinux \- Security Enhanced Linux Policy for the dmidecode processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dmidecode -+(Decode DMI data for x86/ia64 bioses) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dmidecode processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -13367,7 +14333,7 @@ index 0000000..d2c6acf +/usr/sbin/ownership, /usr/sbin/dmidecode, /usr/sbin/vpddecode + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13412,23 +14378,40 @@ index 0000000..d2c6acf +selinux(8), dmidecode(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dnsmasq_selinux.8 b/man/man8/dnsmasq_selinux.8 new file mode 100644 -index 0000000..2913852 +index 0000000..4d812e8 --- /dev/null 
+++ b/man/man8/dnsmasq_selinux.8 -@@ -0,0 +1,137 @@ +@@ -0,0 +1,150 @@ +.TH "dnsmasq_selinux" "8" "dnsmasq" "dwalsh@redhat.com" "dnsmasq SELinux Policy documentation" +.SH "NAME" +dnsmasq_selinux \- Security Enhanced Linux Policy for the dnsmasq processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dnsmasq -+(dnsmasq DNS forwarder and DHCP server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dnsmasq processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the dnsmasq_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dnsmasq_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the dnsmasq_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -13484,10 +14467,6 @@ index 0000000..2913852 + +- Set files with the dnsmasq_unit_file_t type, if you want to treat the files as dnsmasq unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/dnsmasq.*, /lib/systemd/system/dnsmasq.* + +.EX +.PP @@ -13510,7 +14489,7 @@ index 0000000..2913852 +/var/run/dnsmasq\.pid, /var/run/libvirt/network(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -13555,23 +14534,19 @@ index 0000000..2913852 +selinux(8), dnsmasq(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dnssec_selinux.8 b/man/man8/dnssec_selinux.8 new file mode 100644 -index 0000000..c8a6a53 +index 0000000..2e5ce91 --- /dev/null +++ b/man/man8/dnssec_selinux.8 -@@ -0,0 +1,123 @@ +@@ -0,0 +1,119 @@ +.TH "dnssec_selinux" "8" "dnssec" "dwalsh@redhat.com" "dnssec SELinux Policy documentation" +.SH "NAME" +dnssec_selinux \- Security Enhanced Linux Policy for the dnssec processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dnssec -+(policy for dnssec_trigger) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dnssec processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -13613,7 +14588,7 @@ index 0000000..c8a6a53 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13640,7 +14615,7 @@ index 0000000..c8a6a53 + + +Default Defined Ports: -+tcp 8021 ++tcp 8955 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -13684,23 +14659,40 @@ index 0000000..c8a6a53 +selinux(8), dnssec(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dovecot_selinux.8 b/man/man8/dovecot_selinux.8 new file mode 100644 -index 0000000..9dccfb5 +index 0000000..916be7a --- /dev/null 
+++ b/man/man8/dovecot_selinux.8 -@@ -0,0 +1,213 @@ +@@ -0,0 +1,230 @@ +.TH "dovecot_selinux" "8" "dovecot" "dwalsh@redhat.com" "dovecot SELinux Policy documentation" +.SH "NAME" +dovecot_selinux \- Security Enhanced Linux Policy for the dovecot processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dovecot -+(Dovecot POP and IMAP mail server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dovecot processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the dovecot_auth_t, dovecot_t, dovecot_deliver_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -13743,7 +14735,7 @@ index 0000000..9dccfb5 +.br +.TP 5 +Paths: -+/usr/share/ssl/private/dovecot\.pem, /etc/pki/dovecot(/.*)?, /usr/share/ssl/certs/dovecot\.pem ++/usr/share/ssl/certs/dovecot\.pem, /usr/share/ssl/private/dovecot\.pem, /etc/pki/dovecot(/.*)? + +.EX +.PP 
@@ -13858,7 +14850,7 @@ index 0000000..9dccfb5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -13903,23 +14895,19 @@ index 0000000..9dccfb5 +selinux(8), dovecot(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/drbd_selinux.8 b/man/man8/drbd_selinux.8 new file mode 100644 -index 0000000..9cd65f4 +index 0000000..c0f3851 --- /dev/null +++ b/man/man8/drbd_selinux.8 -@@ -0,0 +1,97 @@ +@@ -0,0 +1,93 @@ +.TH "drbd_selinux" "8" "drbd" "dwalsh@redhat.com" "drbd SELinux Policy documentation" +.SH "NAME" +drbd_selinux \- Security Enhanced Linux Policy for the drbd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B drbd -+(policy for drbd) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the drbd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -13961,7 +14949,7 @@ index 0000000..9cd65f4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14006,23 +14994,40 @@ index 0000000..9cd65f4 +selinux(8), drbd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/dspam_selinux.8 b/man/man8/dspam_selinux.8 new file mode 100644 -index 0000000..fba374b +index 0000000..ca6e604 
--- /dev/null +++ b/man/man8/dspam_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,134 @@ +.TH "dspam_selinux" "8" "dspam" "dwalsh@redhat.com" "dspam SELinux Policy documentation" +.SH "NAME" +dspam_selinux \- Security Enhanced Linux Policy for the dspam processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B dspam -+(policy for dspam) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the dspam processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the dspam_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the dspam_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the dspam_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -14084,7 +15089,7 @@ index 0000000..fba374b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14129,24 +15134,18 @@ index 0000000..fba374b +selinux(8), dspam(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/entropyd_selinux.8 b/man/man8/entropyd_selinux.8 new file mode 100644 -index 0000000..907170c +index 0000000..c2a47fa --- /dev/null 
+++ b/man/man8/entropyd_selinux.8 -@@ -0,0 +1,108 @@ +@@ -0,0 +1,125 @@ +.TH "entropyd_selinux" "8" "entropyd" "dwalsh@redhat.com" "entropyd SELinux Policy documentation" +.SH "NAME" +entropyd_selinux \- Security Enhanced Linux Policy for the entropyd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B entropyd -+(Generate entropy from audio input) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the entropyd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. entropyd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run entropyd with the tightest access possible. + @@ -14158,6 +15157,29 @@ index 0000000..907170c +.B setsebool -P entropyd_use_audio 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the entropyd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the entropyd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the entropyd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -14194,7 +15216,7 @@ index 0000000..907170c +/var/run/audio-entropyd\.pid, /var/run/haveged\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14244,17 +15266,19 @@ index 0000000..907170c \ No newline at end of file diff --git a/man/man8/eventlogd_selinux.8 b/man/man8/eventlogd_selinux.8 new file mode 100644 -index 0000000..01e8f18 +index 0000000..781e7e8 --- /dev/null +++ b/man/man8/eventlogd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "eventlogd_selinux" "8" "eventlogd" "dwalsh@redhat.com" "eventlogd SELinux Policy documentation" +.SH "NAME" +eventlogd_selinux \- Security Enhanced Linux Policy for the eventlogd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the eventlogd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -14300,7 +15324,7 @@ index 0000000..01e8f18 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14345,17 +15369,19 @@ index 0000000..01e8f18 +selinux(8), eventlogd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/evtchnd_selinux.8 b/man/man8/evtchnd_selinux.8 new file mode 100644 -index 0000000..fc58144 +index 0000000..cb2c624 --- /dev/null 
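Review bot: The eventlogd_selinux.8 hunk adds a `.SH NSSWITCH DOMAIN` heading with no body, so the next thing on the page is `.SH FILE CONTEXTS` and the section renders empty. The same bare heading is added in the evtchnd, fcoemon, fetchmail, firstboot, foghorn, fsadm, fsdaemon and ftpdctl hunks. The generator should emit the heading only when it has at least one boolean paragraph to print for that domain. Otherwise a reader cannot tell whether the section is intentionally empty or the content was lost.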
+++ b/man/man8/evtchnd_selinux.8 -@@ -0,0 +1,91 @@ +@@ -0,0 +1,93 @@ +.TH "evtchnd_selinux" "8" "evtchnd" "dwalsh@redhat.com" "evtchnd SELinux Policy documentation" +.SH "NAME" +evtchnd_selinux \- Security Enhanced Linux Policy for the evtchnd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the evtchnd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -14394,10 +15420,10 @@ index 0000000..fc58144 +.br +.TP 5 +Paths: -+/var/run/evtchnd, /var/run/evtchnd\.pid ++/var/run/evtchnd\.pid, /var/run/evtchnd + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14442,24 +15468,18 @@ index 0000000..fc58144 +selinux(8), evtchnd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/exim_selinux.8 b/man/man8/exim_selinux.8 new file mode 100644 -index 0000000..bb54ea6 +index 0000000..0ec643c --- /dev/null 
+++ b/man/man8/exim_selinux.8 -@@ -0,0 +1,158 @@ +@@ -0,0 +1,175 @@ +.TH "exim_selinux" "8" "exim" "dwalsh@redhat.com" "exim SELinux Policy documentation" +.SH "NAME" +exim_selinux \- Security Enhanced Linux Policy for the exim processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B exim -+(Exim mail transfer agent) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the exim processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. exim policy is extremely flexible and has several booleans that allow you to manipulate the policy and run exim with the tightest access possible. + @@ -14485,6 +15505,29 @@ index 0000000..bb54ea6 +.B setsebool -P exim_manage_user_files 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the exim_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the exim_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the exim_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -14557,7 +15600,7 @@ index 0000000..bb54ea6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14607,23 +15650,40 @@ index 0000000..bb54ea6 \ No newline at end of file 
diff --git a/man/man8/fail2ban_selinux.8 b/man/man8/fail2ban_selinux.8 new file mode 100644 -index 0000000..8084e6e +index 0000000..3e60c7f --- /dev/null +++ b/man/man8/fail2ban_selinux.8 -@@ -0,0 +1,129 @@ +@@ -0,0 +1,146 @@ +.TH "fail2ban_selinux" "8" "fail2ban" "dwalsh@redhat.com" "fail2ban SELinux Policy documentation" +.SH "NAME" +fail2ban_selinux \- Security Enhanced Linux Policy for the fail2ban processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B fail2ban -+(Update firewall filtering to ban IP addresses with too many password failures) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the fail2ban processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the fail2ban_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the fail2ban_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the fail2ban_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -14697,7 +15757,7 @@ index 0000000..8084e6e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14742,23 +15802,19 @@ index 0000000..8084e6e +selinux(8), fail2ban(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/fcoemon_selinux.8 b/man/man8/fcoemon_selinux.8 new file mode 100644 -index 0000000..7f07e27 +index 0000000..f3611a7 --- /dev/null +++ b/man/man8/fcoemon_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,85 @@ +.TH "fcoemon_selinux" "8" "fcoemon" "dwalsh@redhat.com" "fcoemon SELinux Policy documentation" +.SH "NAME" +fcoemon_selinux \- Security Enhanced Linux Policy for the fcoemon processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B fcoemon -+(policy for fcoemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the fcoemon processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -14792,7 +15848,7 @@ index 0000000..7f07e27 +/var/run/fcm(/.*)?, /var/run/fcoemon\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14837,17 +15893,17 @@ index 0000000..7f07e27 +selinux(8), fcoemon(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fenced_selinux.8 b/man/man8/fenced_selinux.8 new file mode 100644 -index 0000000..8a95cd7 +index 0000000..5d4c45a --- /dev/null 
+++ b/man/man8/fenced_selinux.8 -@@ -0,0 +1,141 @@ +@@ -0,0 +1,164 @@ +.TH "fenced_selinux" "8" "fenced" "dwalsh@redhat.com" "fenced SELinux Policy documentation" +.SH "NAME" +fenced_selinux \- Security Enhanced Linux Policy for the fenced processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the fenced processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. fenced policy is extremely flexible and has several booleans that allow you to manipulate the policy and run fenced with the tightest access possible. @@ -14867,6 +15923,29 @@ index 0000000..8a95cd7 +.B setsebool -P fenced_can_network_connect 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the fenced_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the fenced_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the fenced_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -14888,7 +15967,7 @@ index 0000000..8a95cd7 +.br +.TP 5 +Paths: -+/usr/sbin/fence_node, /usr/sbin/fence_tool, /usr/sbin/fenced ++/usr/sbin/fence_tool, /usr/sbin/fence_node, /usr/sbin/fenced + +.EX +.PP 
@@ -14935,7 +16014,7 @@ index 0000000..8a95cd7 +/var/run/cluster/fenced_override, /var/run/cluster/fence_scsi.*, /var/run/fenced\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -14985,23 +16064,19 @@ index 0000000..8a95cd7 \ No newline at end of file diff --git a/man/man8/fetchmail_selinux.8 b/man/man8/fetchmail_selinux.8 new file mode 100644 -index 0000000..65f9aa3 +index 0000000..f88fec0 --- /dev/null +++ b/man/man8/fetchmail_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,105 @@ +.TH "fetchmail_selinux" "8" "fetchmail" "dwalsh@redhat.com" "fetchmail SELinux Policy documentation" +.SH "NAME" +fetchmail_selinux \- Security Enhanced Linux Policy for the fetchmail processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B fetchmail -+(Remote-mail retrieval and forwarding utility) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the fetchmail processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15055,7 +16130,7 @@ index 0000000..65f9aa3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15100,17 +16175,40 @@ index 0000000..65f9aa3 +selinux(8), fetchmail(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/fingerd_selinux.8 b/man/man8/fingerd_selinux.8 new file mode 100644 -index 0000000..b1c9f85 +index 0000000..2f9e367 --- /dev/null +++ b/man/man8/fingerd_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,148 @@ +.TH "fingerd_selinux" "8" "fingerd" "dwalsh@redhat.com" "fingerd SELinux Policy documentation" +.SH "NAME" +fingerd_selinux \- Security Enhanced Linux Policy for the fingerd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the fingerd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the fingerd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the fingerd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the fingerd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15160,7 +16258,7 @@ index 0000000..b1c9f85 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15187,7 +16285,7 @@ index 0000000..b1c9f85 + + +Default Defined Ports: -+tcp 8021 ++tcp 79 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -15231,23 +16329,40 @@ index 0000000..b1c9f85 +selinux(8), fingerd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/firewalld_selinux.8 b/man/man8/firewalld_selinux.8 new file mode 100644 -index 0000000..c6d98d6 +index 0000000..be08df9 --- /dev/null +++ b/man/man8/firewalld_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,138 @@ +.TH "firewalld_selinux" "8" "firewalld" "dwalsh@redhat.com" "firewalld SELinux Policy documentation" +.SH "NAME" +firewalld_selinux \- Security Enhanced Linux Policy for the firewalld processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B firewalld -+(policy for firewalld) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the firewalld processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the firewallgui_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15310,10 +16425,10 @@ index 0000000..c6d98d6 +.br +.TP 5 +Paths: -+/var/run/firewalld(/.*)?, /var/run/firewalld\.pid ++/var/run/firewalld\.pid, /var/run/firewalld(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
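Review bot: The NSSWITCH DOMAIN section added to firewalld_selinux.8 names `firewallgui_t` in all three paragraphs, while every other page in this patch names its own domain (`fingerd_t`, `fprintd_t`, and so on). firewallgui_selinux.8 carries the identical `firewallgui_t` text. This looks like the generator matching domains by a shared name prefix, which should be checked against the lookup in genman.py. As written, the firewalld page documents booleans for a domain it does not describe. If firewalld_t is not itself an nsswitch domain, the section should be left out of this page; if it is, the paragraphs should read `... for the firewalld_t, you must turn on ...`.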
@@ -15358,23 +16473,40 @@ index 0000000..c6d98d6 +selinux(8), firewalld(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/firewallgui_selinux.8 b/man/man8/firewallgui_selinux.8 new file mode 100644 -index 0000000..6fd604e +index 0000000..5487b63 --- /dev/null +++ b/man/man8/firewallgui_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,102 @@ +.TH "firewallgui_selinux" "8" "firewallgui" "dwalsh@redhat.com" "firewallgui SELinux Policy documentation" +.SH "NAME" +firewallgui_selinux \- Security Enhanced Linux Policy for the firewallgui processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B firewallgui -+(policy for firewallgui) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the firewallgui processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the firewallgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the firewallgui_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the firewallgui_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15404,7 +16536,7 @@ index 0000000..6fd604e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -15449,26 +16581,19 @@ index 0000000..6fd604e +selinux(8), firewallgui(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/firstboot_selinux.8 b/man/man8/firstboot_selinux.8 new file mode 100644 -index 0000000..b1bbe5c +index 0000000..b6706ee --- /dev/null +++ b/man/man8/firstboot_selinux.8 -@@ -0,0 +1,100 @@ +@@ -0,0 +1,85 @@ +.TH "firstboot_selinux" "8" "firstboot" "dwalsh@redhat.com" "firstboot SELinux Policy documentation" +.SH "NAME" +firstboot_selinux \- Security Enhanced Linux Policy for the firstboot processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B firstboot -+( -+Final system configuration run during the first boot -+after installation of Red Hat/Fedora systems. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the firstboot processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15501,16 +16626,8 @@ index 0000000..b1bbe5c +Paths: +/usr/share/firstboot/firstboot\.py, /usr/sbin/firstboot + -+.EX -+.PP -+.B firstboot_tmp_t -+.EE -+ -+- Set files with the firstboot_tmp_t type, if you want to store firstboot temporary files in the /tmp directories. -+ -+ +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15555,17 +16672,19 @@ index 0000000..b1bbe5c +selinux(8), firstboot(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/foghorn_selinux.8 b/man/man8/foghorn_selinux.8 new file mode 100644 -index 0000000..828ba62 +index 0000000..a9d286f --- /dev/null 
+++ b/man/man8/foghorn_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "foghorn_selinux" "8" "foghorn" "dwalsh@redhat.com" "foghorn SELinux Policy documentation" +.SH "NAME" +foghorn_selinux \- Security Enhanced Linux Policy for the foghorn processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the foghorn processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15611,7 +16730,7 @@ index 0000000..828ba62 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15656,23 +16775,40 @@ index 0000000..828ba62 +selinux(8), foghorn(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fprintd_selinux.8 b/man/man8/fprintd_selinux.8 new file mode 100644 -index 0000000..cd72389 +index 0000000..26e0514 --- /dev/null 
+++ b/man/man8/fprintd_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,102 @@ +.TH "fprintd_selinux" "8" "fprintd" "dwalsh@redhat.com" "fprintd SELinux Policy documentation" +.SH "NAME" +fprintd_selinux \- Security Enhanced Linux Policy for the fprintd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B fprintd -+(DBus fingerprint reader service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the fprintd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the fprintd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the fprintd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the fprintd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15702,7 +16838,7 @@ index 0000000..cd72389 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15747,17 +16883,40 @@ index 0000000..cd72389 +selinux(8), fprintd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/freshclam_selinux.8 b/man/man8/freshclam_selinux.8 new file mode 100644 -index 0000000..f012b28 +index 0000000..8e0e9e4 --- /dev/null 
+++ b/man/man8/freshclam_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,106 @@ +.TH "freshclam_selinux" "8" "freshclam" "dwalsh@redhat.com" "freshclam SELinux Policy documentation" +.SH "NAME" +freshclam_selinux \- Security Enhanced Linux Policy for the freshclam processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the freshclam processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the freshclam_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the freshclam_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the freshclam_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15791,7 +16950,7 @@ index 0000000..f012b28 +/var/log/clamav/freshclam.*, /var/log/freshclam.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15836,17 +16995,19 @@ index 0000000..f012b28 +selinux(8), freshclam(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fsadm_selinux.8 b/man/man8/fsadm_selinux.8 new file mode 100644 -index 0000000..9400571 +index 0000000..f104a8a --- /dev/null 
+++ b/man/man8/fsadm_selinux.8 -@@ -0,0 +1,91 @@ +@@ -0,0 +1,93 @@ +.TH "fsadm_selinux" "8" "fsadm" "dwalsh@redhat.com" "fsadm SELinux Policy documentation" +.SH "NAME" +fsadm_selinux \- Security Enhanced Linux Policy for the fsadm processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the fsadm processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -15869,7 +17030,7 @@ index 0000000..9400571 +.br +.TP 5 +Paths: -+/sbin/partx, /usr/sbin/fdisk, /sbin/mkfs.*, /sbin/blockdev, /usr/sbin/sfdisk, /sbin/dumpe2fs, /sbin/mkdosfs, /sbin/mke2fs, /sbin/e4fsck, /usr/sbin/dosfsck, /usr/sbin/blockdev, /usr/sbin/lsraid, /usr/bin/partition_uuid, /sbin/raidautorun, /usr/sbin/findfs, /usr/sbin/scsi_info, /usr/sbin/raidstart, /sbin/mkreiserfs, /sbin/sfdisk, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/sbin/partx, /usr/sbin/resize.*fs, /usr/sbin/fsck.*, /usr/sbin/dumpe2fs, /usr/sbin/mkdosfs, /sbin/blkid, /usr/sbin/hdparm, /sbin/make_reiser4, /sbin/dump, /sbin/swapon.*, /usr/sbin/jfs_.*, /usr/bin/scsi_unique_id, /sbin/findfs, /usr/sbin/smartctl, /usr/bin/syslinux, /usr/sbin/blkid, /usr/sbin/mke2fs, /sbin/tune2fs, /sbin/losetup.*, /sbin/resize.*fs, /usr/sbin/tune2fs, /usr/lib/systemd/systemd-fsck, /sbin/parted, /sbin/partprobe, /sbin/dosfsck, /usr/sbin/mkfs.*, /sbin/e2label, /lib/systemd/systemd-fsck, /usr/sbin/reiserfs(ck|tune), /sbin/mkraid, /sbin/install-mbr, /sbin/scsi_info, /sbin/e2fsck, /sbin/fsck.*, /usr/sbin/install-mbr, /usr/sbin/clubufflush, /sbin/jfs_.*, /sbin/raidstart, /sbin/lsraid, /usr/sbin/losetup.*, /usr/sbin/mkreiserfs, /usr/sbin/swapon.*, /usr/sbin/e2fsck, /sbin/reiserfs(ck|tune), /usr/sbin/e4fsck, /usr/sbin/dump, /usr/sbin/partprobe, /sbin/fdisk, /usr/sbin/e2label, /usr/sbin/parted, /usr/bin/raw, /sbin/mke4fs, /usr/sbin/cfdisk, /usr/sbin/mke4fs, /sbin/cfdisk, /usr/sbin/mkraid, /sbin/hdparm ++/sbin/partx, /usr/sbin/fdisk, /sbin/mkfs.*, /sbin/blockdev, /usr/sbin/sfdisk, /sbin/dumpe2fs, /sbin/mkdosfs, /sbin/mke2fs, /sbin/e4fsck, /usr/sbin/dosfsck, /usr/sbin/blockdev, /sbin/dosfsck, /usr/sbin/lsraid, /usr/bin/partition_uuid, /sbin/raidautorun, /usr/sbin/findfs, /usr/sbin/scsi_info, /usr/sbin/raidstart, /sbin/mkreiserfs, /sbin/sfdisk, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/sbin/partx, /usr/sbin/resize.*fs, /usr/sbin/fsck.*, /usr/sbin/dumpe2fs, /sbin/tune2fs, /usr/sbin/mkdosfs, /sbin/blkid, 
/usr/sbin/hdparm, /sbin/make_reiser4, /sbin/dump, /sbin/swapon.*, /usr/sbin/jfs_.*, /usr/bin/scsi_unique_id, /sbin/findfs, /usr/sbin/smartctl, /usr/bin/syslinux, /usr/sbin/blkid, /usr/sbin/mke2fs, /sbin/losetup.*, /sbin/resize.*fs, /usr/sbin/tune2fs, /usr/lib/systemd/systemd-fsck, /sbin/parted, /sbin/partprobe, /usr/sbin/mkfs.*, /sbin/e2label, /usr/sbin/reiserfs(ck|tune), /sbin/mkraid, /sbin/install-mbr, /sbin/scsi_info, /sbin/fsck.*, /usr/sbin/install-mbr, /usr/sbin/clubufflush, /sbin/jfs_.*, /sbin/raidstart, /sbin/lsraid, /usr/sbin/losetup.*, /usr/sbin/mkreiserfs, /usr/sbin/swapon.*, /usr/sbin/e2fsck, /sbin/reiserfs(ck|tune), /usr/sbin/e4fsck, /usr/sbin/dump, /usr/sbin/partprobe, /sbin/fdisk, /sbin/e2fsck, /usr/sbin/e2label, /usr/sbin/parted, /usr/bin/raw, /sbin/mke4fs, /usr/sbin/cfdisk, /usr/sbin/mke4fs, /sbin/cfdisk, /usr/sbin/mkraid, /sbin/hdparm + +.EX +.PP @@ -15888,7 +17049,7 @@ index 0000000..9400571 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -15933,17 +17094,19 @@ index 0000000..9400571 +selinux(8), fsadm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/fsdaemon_selinux.8 b/man/man8/fsdaemon_selinux.8 new file mode 100644 -index 0000000..0f3466e +index 0000000..c1d45a3 --- /dev/null 
+++ b/man/man8/fsdaemon_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "fsdaemon_selinux" "8" "fsdaemon" "dwalsh@redhat.com" "fsdaemon SELinux Policy documentation" +.SH "NAME" +fsdaemon_selinux \- Security Enhanced Linux Policy for the fsdaemon processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the fsdaemon processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -15989,7 +17152,7 @@ index 0000000..0f3466e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16033,10 +17196,10 @@ index 0000000..0f3466e +.SH "SEE ALSO" +selinux(8), fsdaemon(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8 -index 5bebd82..c617a6e 100644 +index 5bebd82..b50a33d 100644 --- a/man/man8/ftpd_selinux.8 +++ b/man/man8/ftpd_selinux.8 -@@ -1,65 +1,321 @@ +@@ -1,65 +1,353 @@ -.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation" +.TH "ftpd_selinux" "8" "ftpd" "dwalsh@redhat.com" "ftpd SELinux Policy documentation" .SH "NAME" @@ -16045,8 +17208,8 @@ index 5bebd82..c617a6e 100644 +ftpd_selinux \- Security Enhanced Linux Policy for the ftpd processes .SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the ftpd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. ftpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ftpd with the tightest access possible. 
@@ -16133,6 +17296,20 @@ index 5bebd82..c617a6e 100644 .PP -.B -setsebool -P allow_ftpd_full_access on ++If you want to allow ftp servers to use bind to all unreserved ports for passive mod, you must turn on the ftpd_use_passive_mode boolean. ++ ++.EX ++.B setsebool -P ftpd_use_passive_mode 1 ++.EE ++ ++.PP ++If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. ++ ++.EX ++.B setsebool -P sftpd_write_ssh_home 1 ++.EE ++ ++.PP +If you want to allow sftp-internal to login to local users and read/write all files on the system, governed by DAC, you must turn on the sftpd_full_access boolean. + +.EX @@ -16153,11 +17330,27 @@ index 5bebd82..c617a6e 100644 +.B setsebool -P httpd_enable_ftp_server 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.PP -+If you want to allow internal-sftp to read and write files in the user ssh home directories, you must turn on the sftpd_write_ssh_home boolean. ++If you want to allow users to login using a sssd serve for the ftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.B setsebool -P sftpd_write_ssh_home 1 ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ftpd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the ftpd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 +.EE + +.SH SHARING FILES 
@@ -16174,7 +17367,7 @@ index 5bebd82..c617a6e 100644 +.pp .TP -Allow ftp servers to use nfs for public file transfer services. -+Allow ftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set. ++Allow ftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpdd_anon_write boolean to be set. .PP .B -setsebool -P allow_ftpd_use_nfs on @@ -16189,13 +17382,13 @@ index 5bebd82..c617a6e 100644 .PP -This manual page was written by Dan Walsh . +If you want to allow tftp to modify public files used for public file transfer services., you must turn on the tftp_anon_write boolean. - --.SH "SEE ALSO" ++ +.EX +.B setsebool -P tftp_anon_write 1 +.EE -+ -+.PP + +-.SH "SEE ALSO" + .PP +If you want to allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t., you must turn on the allow_ftpd_anon_write boolean. + +.EX @@ -16219,7 +17412,8 @@ index 5bebd82..c617a6e 100644 +.PP +The following file types are defined for ftpd: + -+ + +-selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) +.EX +.PP +.B ftpd_etc_t @@ -16301,11 +17495,10 @@ index 5bebd82..c617a6e 100644 + + +.EX - .PP ++.PP +.B ftpdctl_exec_t +.EE - --selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) ++ +- Set files with the ftpdctl_exec_t type, if you want to transition an executable to the ftpdctl_t domain. + + 
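Review bot: The regenerated SHARING FILES line in ftpd_selinux.8 now names the boolean `allow_ftpdd_anon_write`, while the line it replaces and the upload paragraph a few lines further down the same page both use `allow_ftpd_anon_write`. An administrator following the new wording would be pointed at a boolean name the rest of the page never uses, so the sentence should end `This also requires the allow_ftpd_anon_write boolean to be set.` The gpg_selinux.8 hunk at -17731 changes its name the same way, to `allow_gpgd_anon_write`, and is worth checking against the policy's boolean list. Because these pages are regenerated, the correction presumably belongs in the generator's template rather than in this patch file.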
@@ -16318,7 +17511,7 @@ index 5bebd82..c617a6e 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16345,7 +17538,7 @@ index 5bebd82..c617a6e 100644 + + +Default Defined Ports: -+tcp 8021 ++tcp 20 +.EE + +.EX @@ -16356,7 +17549,9 @@ index 5bebd82..c617a6e 100644 + + +Default Defined Ports: -+tcp 8021 ++tcp 21,990 ++.EE ++udp 990 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -16405,17 +17600,19 @@ index 5bebd82..c617a6e 100644 \ No newline at end of file diff --git a/man/man8/ftpdctl_selinux.8 b/man/man8/ftpdctl_selinux.8 new file mode 100644 -index 0000000..8903b4b +index 0000000..205df84 --- /dev/null +++ b/man/man8/ftpdctl_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,81 @@ +.TH "ftpdctl_selinux" "8" "ftpdctl" "dwalsh@redhat.com" "ftpdctl SELinux Policy documentation" +.SH "NAME" +ftpdctl_selinux \- Security Enhanced Linux Policy for the ftpdctl processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ftpdctl processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -16445,7 +17642,7 @@ index 0000000..8903b4b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16490,23 +17687,19 @@ index 0000000..8903b4b +selinux(8), ftpdctl(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/games_selinux.8 b/man/man8/games_selinux.8 new file mode 100644 -index 0000000..4ba69f7 +index 0000000..2d00e3f --- /dev/null +++ b/man/man8/games_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,113 @@ +.TH "games_selinux" "8" "games" "dwalsh@redhat.com" "games SELinux Policy documentation" +.SH "NAME" +games_selinux \- Security Enhanced Linux Policy for the games processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B games -+(Games) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the games processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -16541,7 +17734,7 @@ index 0000000..4ba69f7 +.br +.TP 5 +Paths: -+/usr/bin/sol, /usr/bin/blackjack, /usr/bin/micq, /usr/bin/gnome-stones, /usr/bin/gnotski, /usr/bin/kshisen, /usr/bin/klickety, /usr/bin/lskat, /usr/bin/atlantik, /usr/bin/ksame, /usr/bin/kgoldrunner, /usr/bin/lskatproc, /usr/bin/gataxx, /usr/bin/katomic, /usr/bin/Maelstrom, /usr/bin/ksmiletris, /usr/bin/gnotravex, /usr/bin/ksirtet, /usr/bin/ktuberling, /usr/bin/kbounce, /usr/bin/kenolaba, /usr/bin/kmahjongg, /usr/bin/ksnake, /usr/games/.*, /usr/bin/gnobots2, /usr/bin/civserver.*, /usr/bin/civclient.*, /usr/bin/kwin4, /usr/bin/ktron, /usr/bin/mahjongg, /usr/bin/kbackgammon, /usr/bin/kblackbox, /usr/bin/kjumpingcube, /usr/bin/gnect, /usr/bin/kbattleship, /usr/bin/same-gnome, /usr/bin/kasteroids, /usr/bin/ksokoban, /usr/bin/kolf, /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/kpoker, /usr/lib/games(/.*)?, /usr/bin/glines, /usr/bin/kfouleggs, /usr/bin/kmines, /usr/bin/gnibbles, /usr/bin/kspaceduel, /usr/bin/gnomine, /usr/bin/kpat, /usr/bin/iagno, /usr/bin/gtali, /usr/bin/klines, /usr/bin/kwin4proc ++/usr/bin/sol, /usr/bin/blackjack, /usr/bin/micq, /usr/bin/gnotski, /usr/bin/kshisen, /usr/bin/klickety, /usr/bin/lskat, /usr/bin/atlantik, /usr/bin/ksame, /usr/bin/kgoldrunner, /usr/bin/lskatproc, /usr/bin/gataxx, /usr/bin/katomic, /usr/bin/Maelstrom, /usr/bin/ksmiletris, /usr/bin/gnotravex, /usr/bin/ksirtet, /usr/bin/kbattleship, /usr/bin/ktuberling, /usr/bin/kbounce, /usr/bin/kenolaba, /usr/bin/kmahjongg, /usr/bin/ksnake, /usr/games/.*, /usr/bin/gnobots2, /usr/bin/civserver.*, /usr/bin/civclient.*, /usr/bin/kwin4, /usr/bin/ktron, /usr/bin/mahjongg, /usr/bin/kbackgammon, /usr/bin/kblackbox, /usr/bin/kjumpingcube, /usr/bin/gnomine, /usr/bin/gnect, /usr/bin/same-gnome, /usr/bin/kasteroids, /usr/bin/ksokoban, /usr/bin/kolf, /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/kpoker, /usr/lib/games(/.*)?, /usr/bin/glines, /usr/bin/kfouleggs, /usr/bin/kmines, /usr/bin/gnibbles, /usr/bin/kspaceduel, /usr/bin/kpat, 
/usr/bin/iagno, /usr/bin/gtali, /usr/bin/klines, /usr/bin/kwin4proc, /usr/bin/gnome-stones + +.EX +.PP @@ -16568,7 +17761,7 @@ index 0000000..4ba69f7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16613,17 +17806,19 @@ index 0000000..4ba69f7 +selinux(8), games(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gconfd_selinux.8 b/man/man8/gconfd_selinux.8 new file mode 100644 -index 0000000..6146c3a +index 0000000..60a90d3 --- /dev/null +++ b/man/man8/gconfd_selinux.8 -@@ -0,0 +1,107 @@ +@@ -0,0 +1,81 @@ +.TH "gconfd_selinux" "8" "gconfd" "dwalsh@redhat.com" "gconfd SELinux Policy documentation" +.SH "NAME" +gconfd_selinux \- Security Enhanced Linux Policy for the gconfd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the gconfd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -16638,34 +17833,6 @@ index 0000000..6146c3a + +.EX +.PP -+.B gconf_etc_t -+.EE -+ -+- Set files with the gconf_etc_t type, if you want to store gconf files in the /etc directories. -+ -+ -+.EX -+.PP -+.B gconf_home_t -+.EE -+ -+- Set files with the gconf_home_t type, if you want to store gconf files in the users home directory. -+ -+.br -+.TP 5 -+Paths: -+/root/\.gconf(d)?(/.*)?, /root/\.local.* -+ -+.EX -+.PP -+.B gconf_tmp_t -+.EE -+ -+- Set files with the gconf_tmp_t type, if you want to store gconf temporary files in the /tmp directories. -+ -+ -+.EX -+.PP +.B gconfd_exec_t +.EE + 
@@ -16681,7 +17848,7 @@ index 0000000..6146c3a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16726,17 +17893,19 @@ index 0000000..6146c3a +selinux(8), gconfd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gconfdefaultsm_selinux.8 b/man/man8/gconfdefaultsm_selinux.8 new file mode 100644 -index 0000000..71a23ac +index 0000000..57f2bed --- /dev/null +++ b/man/man8/gconfdefaultsm_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "gconfdefaultsm_selinux" "8" "gconfdefaultsm" "dwalsh@redhat.com" "gconfdefaultsm SELinux Policy documentation" +.SH "NAME" +gconfdefaultsm_selinux \- Security Enhanced Linux Policy for the gconfdefaultsm processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the gconfdefaultsm processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -16758,7 +17927,7 @@ index 0000000..71a23ac + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16803,23 +17972,40 @@ index 0000000..71a23ac +selinux(8), gconfdefaultsm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/getty_selinux.8 b/man/man8/getty_selinux.8 new file mode 100644 -index 0000000..85b78f2 +index 0000000..870a37b 
--- /dev/null +++ b/man/man8/getty_selinux.8 -@@ -0,0 +1,129 @@ +@@ -0,0 +1,146 @@ +.TH "getty_selinux" "8" "getty" "dwalsh@redhat.com" "getty SELinux Policy documentation" +.SH "NAME" +getty_selinux \- Security Enhanced Linux Policy for the getty processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B getty -+(Policy for getty) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the getty processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the getty_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the getty_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the getty_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -16893,7 +18079,7 @@ index 0000000..85b78f2 +/var/spool/voice(/.*)?, /var/spool/fax(/.*)?, /var/run/mgetty\.pid.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -16938,17 +18124,19 @@ index 0000000..85b78f2 +selinux(8), getty(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gfs_selinux.8 b/man/man8/gfs_selinux.8 new file mode 100644 -index 0000000..c681f11 +index 0000000..fe8cb5a --- /dev/null 
+++ b/man/man8/gfs_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "gfs_selinux" "8" "gfs" "dwalsh@redhat.com" "gfs SELinux Policy documentation" +.SH "NAME" +gfs_selinux \- Security Enhanced Linux Policy for the gfs processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the gfs processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -16994,7 +18182,7 @@ index 0000000..c681f11 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17228,24 +18416,18 @@ index 0000000..6031c31 +selinux(8), semanage(8). diff --git a/man/man8/gitosis_selinux.8 b/man/man8/gitosis_selinux.8 new file mode 100644 -index 0000000..0db16b5 +index 0000000..7bad946 --- /dev/null +++ b/man/man8/gitosis_selinux.8 -@@ -0,0 +1,108 @@ +@@ -0,0 +1,104 @@ +.TH "gitosis_selinux" "8" "gitosis" "dwalsh@redhat.com" "gitosis SELinux Policy documentation" +.SH "NAME" +gitosis_selinux \- Security Enhanced Linux Policy for the gitosis processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B gitosis -+(Tools for managing and hosting git repositories) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the gitosis processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. gitosis policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gitosis with the tightest access possible. + 
@@ -17257,6 +18439,8 @@ index 0000000..0db16b5 +.B setsebool -P gitosis_can_sendmail 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -17293,7 +18477,7 @@ index 0000000..0db16b5 +/var/lib/gitolite(/.*)?, /var/lib/gitosis(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17343,23 +18527,19 @@ index 0000000..0db16b5 \ No newline at end of file diff --git a/man/man8/glance_selinux.8 b/man/man8/glance_selinux.8 new file mode 100644 -index 0000000..5fe5fae +index 0000000..b34e8f0 --- /dev/null +++ b/man/man8/glance_selinux.8 -@@ -0,0 +1,167 @@ +@@ -0,0 +1,178 @@ +.TH "glance_selinux" "8" "glance" "dwalsh@redhat.com" "glance SELinux Policy documentation" +.SH "NAME" +glance_selinux \- Security Enhanced Linux Policy for the glance processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B glance -+(policy for glance) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the glance processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -17445,7 +18625,7 @@ index 0000000..5fe5fae + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17466,13 +18646,28 @@ index 0000000..5fe5fae + +.EX +.TP 5 ++.B glance_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 9292 ++.EE ++udp 9292 ++.EE ++ ++.EX ++.TP 5 +.B glance_registry_port_t +.TP 10 +.EE + + +Default Defined Ports: -+tcp 8021 ++tcp 9191 ++.EE ++udp 9191 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -17516,23 +18711,40 @@ index 0000000..5fe5fae +selinux(8), glance(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gnomeclock_selinux.8 b/man/man8/gnomeclock_selinux.8 new file mode 100644 -index 0000000..9664dd6 +index 0000000..ad6e159 --- /dev/null 
+++ b/man/man8/gnomeclock_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,98 @@ +.TH "gnomeclock_selinux" "8" "gnomeclock" "dwalsh@redhat.com" "gnomeclock SELinux Policy documentation" +.SH "NAME" +gnomeclock_selinux \- Security Enhanced Linux Policy for the gnomeclock processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B gnomeclock -+(Gnome clock handler for setting the time) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the gnomeclock processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the gnomeclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gnomeclock_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the gnomeclock_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -17558,7 +18770,7 @@ index 0000000..9664dd6 +/usr/libexec/gsd-datetime-mechanism, /usr/libexec/kde(3|4)/kcmdatetimehelper, /usr/libexec/gnome-clock-applet-mechanism + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17603,17 +18815,19 @@ index 0000000..9664dd6 +selinux(8), gnomeclock(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/gnomesystemmm_selinux.8 b/man/man8/gnomesystemmm_selinux.8 new file mode 100644 -index 0000000..d92b3e4 +index 0000000..d4a95e3 --- /dev/null +++ b/man/man8/gnomesystemmm_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "gnomesystemmm_selinux" "8" "gnomesystemmm" "dwalsh@redhat.com" "gnomesystemmm SELinux Policy documentation" +.SH "NAME" +gnomesystemmm_selinux \- Security Enhanced Linux Policy for the gnomesystemmm processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the gnomesystemmm processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -17639,7 +18853,7 @@ index 0000000..d92b3e4 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper, /usr/libexec/gnome-system-monitor-mechanism + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17684,24 +18898,18 @@ index 0000000..d92b3e4 +selinux(8), gnomesystemmm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gpg_selinux.8 b/man/man8/gpg_selinux.8 new file mode 100644 -index 0000000..9072646 +index 0000000..0be0689 --- /dev/null 
+++ b/man/man8/gpg_selinux.8 -@@ -0,0 +1,177 @@ +@@ -0,0 +1,194 @@ +.TH "gpg_selinux" "8" "gpg" "dwalsh@redhat.com" "gpg SELinux Policy documentation" +.SH "NAME" +gpg_selinux \- Security Enhanced Linux Policy for the gpg processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B gpg -+(Policy for GNU Privacy Guard and related programs) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the gpg processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. gpg policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gpg with the tightest access possible. + @@ -17720,6 +18928,29 @@ index 0000000..9072646 +.B setsebool -P httpd_use_gpg 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the gpg_t, gpg_helper_t, gpg_pinentry_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. +.TP 
@@ -17731,7 +18962,7 @@ index 0000000..9072646 +.B restorecon -F -R -v /var/gpg +.pp +.TP -+Allow gpg servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_gpg_anon_write boolean to be set. ++Allow gpg servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_gpgd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/gpg/incoming(/.*)?" @@ -17818,7 +19049,7 @@ index 0000000..9072646 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17868,23 +19099,19 @@ index 0000000..9072646 \ No newline at end of file diff --git a/man/man8/gpm_selinux.8 b/man/man8/gpm_selinux.8 new file mode 100644 -index 0000000..7c67dba +index 0000000..2aec05b --- /dev/null +++ b/man/man8/gpm_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,109 @@ +.TH "gpm_selinux" "8" "gpm" "dwalsh@redhat.com" "gpm SELinux Policy documentation" +.SH "NAME" +gpm_selinux \- Security Enhanced Linux Policy for the gpm processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B gpm -+(General Purpose Mouse driver) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the gpm processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -17942,7 +19169,7 @@ index 0000000..7c67dba +/dev/gpmctl, /dev/gpmdata + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -17987,23 +19214,40 @@ index 0000000..7c67dba +selinux(8), gpm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gpsd_selinux.8 b/man/man8/gpsd_selinux.8 new file mode 100644 -index 0000000..804e552 +index 0000000..aa3e430 --- /dev/null +++ b/man/man8/gpsd_selinux.8 -@@ -0,0 +1,131 @@ +@@ -0,0 +1,148 @@ +.TH "gpsd_selinux" "8" "gpsd" "dwalsh@redhat.com" "gpsd SELinux Policy documentation" +.SH "NAME" +gpsd_selinux \- Security Enhanced Linux Policy for the gpsd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B gpsd -+(gpsd monitor daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the gpsd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the gpsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the gpsd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the gpsd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -18053,7 +19297,7 @@ index 0000000..804e552 +/var/run/gpsd\.sock, /var/run/gpsd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18080,7 +19324,7 @@ index 0000000..804e552 + + +Default Defined Ports: -+tcp 8021 ++tcp 2947 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -18124,17 +19368,40 @@ index 0000000..804e552 +selinux(8), gpsd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/greylist_selinux.8 b/man/man8/greylist_selinux.8 new file mode 100644 -index 0000000..893c92e +index 0000000..6a47137 --- /dev/null 
+++ b/man/man8/greylist_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,106 @@ +.TH "greylist_selinux" "8" "greylist" "dwalsh@redhat.com" "greylist SELinux Policy documentation" +.SH "NAME" +greylist_selinux \- Security Enhanced Linux Policy for the greylist processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the greylist processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the greylist_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the greylist_milter_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the greylist_milter_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -18168,7 +19435,7 @@ index 0000000..893c92e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18213,17 +19480,40 @@ index 0000000..893c92e +selinux(8), greylist(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/groupadd_selinux.8 b/man/man8/groupadd_selinux.8 new file mode 100644 -index 0000000..7774b5f +index 0000000..33c7a9b --- /dev/null 
+++ b/man/man8/groupadd_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,98 @@ +.TH "groupadd_selinux" "8" "groupadd" "dwalsh@redhat.com" "groupadd SELinux Policy documentation" +.SH "NAME" +groupadd_selinux \- Security Enhanced Linux Policy for the groupadd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the groupadd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the groupadd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the groupadd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -18249,7 +19539,7 @@ index 0000000..7774b5f +/usr/sbin/gpasswd, /usr/bin/gpasswd, /usr/sbin/groupdel, /usr/sbin/groupadd, /usr/sbin/groupmod + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18294,17 +19584,40 @@ index 0000000..7774b5f +selinux(8), groupadd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/groupd_selinux.8 b/man/man8/groupd_selinux.8 new file mode 100644 -index 0000000..7285b15 +index 0000000..9de0969 --- /dev/null 
+++ b/man/man8/groupd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,118 @@ +.TH "groupd_selinux" "8" "groupd" "dwalsh@redhat.com" "groupd SELinux Policy documentation" +.SH "NAME" +groupd_selinux \- Security Enhanced Linux Policy for the groupd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the groupd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the groupadd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the groupadd_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -18350,7 +19663,7 @@ index 0000000..7285b15 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18395,17 +19708,17 @@ index 0000000..7285b15 +selinux(8), groupd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/gssd_selinux.8 b/man/man8/gssd_selinux.8 new file mode 100644 -index 0000000..2e36991 +index 0000000..fa9e1cb --- /dev/null 
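Review bot: All three paragraphs of the NSSWITCH DOMAIN section added to groupd_selinux.8 name `groupadd_t`, the domain that the groupadd_selinux.8 hunk just before it documents with identical text. A reader of the groupd page is therefore told about another program's domain; the paragraphs should name the groupd domain (presumably `groupd_t`, to be confirmed against the policy), or the section should stay empty as it does on pages such as gfs_selinux.8. The rest of the page lies outside this hunk, so whether other sections have the same mix-up cannot be seen here, and the domain selection in the generator is the likely place to fix it.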
+++ b/man/man8/gssd_selinux.8 -@@ -0,0 +1,106 @@ +@@ -0,0 +1,129 @@ +.TH "gssd_selinux" "8" "gssd" "dwalsh@redhat.com" "gssd SELinux Policy documentation" +.SH "NAME" +gssd_selinux \- Security Enhanced Linux Policy for the gssd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the gssd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. gssd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run gssd with the tightest access possible. @@ -18418,6 +19731,29 @@ index 0000000..2e36991 +.B setsebool -P allow_gssd_read_tmp 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the gssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the gssd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the gssd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -18458,7 +19794,7 @@ index 0000000..2e36991 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18702,23 +20038,19 @@ index 0000000..faeeaf7 +selinux(8), semanage(8). 
diff --git a/man/man8/hddtemp_selinux.8 b/man/man8/hddtemp_selinux.8 new file mode 100644 -index 0000000..132cb89 +index 0000000..feb44f3 --- /dev/null +++ b/man/man8/hddtemp_selinux.8 -@@ -0,0 +1,119 @@ +@@ -0,0 +1,115 @@ +.TH "hddtemp_selinux" "8" "hddtemp" "dwalsh@redhat.com" "hddtemp SELinux Policy documentation" +.SH "NAME" +hddtemp_selinux \- Security Enhanced Linux Policy for the hddtemp processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B hddtemp -+(hddtemp hard disk temperature tool running as a daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the hddtemp processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -18756,7 +20088,7 @@ index 0000000..132cb89 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18783,7 +20115,7 @@ index 0000000..132cb89 + + +Default Defined Ports: -+tcp 8021 ++tcp 7634 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -18827,23 +20159,19 @@ index 0000000..132cb89 +selinux(8), hddtemp(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/hostname_selinux.8 b/man/man8/hostname_selinux.8 new file mode 100644 -index 0000000..519b849 +index 0000000..2aa7e5a --- /dev/null 
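Review bot: The regenerated hddtemp page gains a `.SH NSSWITCH DOMAIN` heading that is followed directly by `.SH FILE CONTEXTS`, so the section renders with no content. The hostname and hplip pages in the following hunks get the same bare heading. The generator should emit the heading only when there is at least one domain to list under it. The hunk also replaces the page-specific description (`hddtemp hard disk temperature tool running as a daemon`) with a generic sentence, which drops information the previous revision gave the reader.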
+++ b/man/man8/hostname_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,77 @@ +.TH "hostname_selinux" "8" "hostname" "dwalsh@redhat.com" "hostname SELinux Policy documentation" +.SH "NAME" +hostname_selinux \- Security Enhanced Linux Policy for the hostname processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B hostname -+(Policy for changing the system host name) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the hostname processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -18869,7 +20197,7 @@ index 0000000..519b849 +/bin/hostname, /usr/bin/hostname + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -18914,17 +20242,19 @@ index 0000000..519b849 +selinux(8), hostname(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/hplip_selinux.8 b/man/man8/hplip_selinux.8 new file mode 100644 -index 0000000..05353ce +index 0000000..2f01849 --- /dev/null +++ b/man/man8/hplip_selinux.8 -@@ -0,0 +1,137 @@ +@@ -0,0 +1,139 @@ +.TH "hplip_selinux" "8" "hplip" "dwalsh@redhat.com" "hplip SELinux Policy documentation" +.SH "NAME" +hplip_selinux \- Security Enhanced Linux Policy for the hplip processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the hplip processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -18986,7 +20316,7 @@ index 0000000..05353ce +/var/run/hp.*\.pid, /var/run/hp.*\.port + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -19013,7 +20343,7 @@ index 0000000..05353ce + + +Default Defined Ports: -+tcp 8021 ++tcp 1782,2207,2208,8290,50000,50002,8292,9100,9101,9102,9220,9221,9222,9280,9281,9282,9290,9291 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -19056,10 +20386,10 @@ index 0000000..05353ce +.SH "SEE ALSO" +selinux(8), hplip(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 -index 16e8b13..335b09f 100644 +index 16e8b13..c6537b6 100644 --- a/man/man8/httpd_selinux.8 +++ b/man/man8/httpd_selinux.8 -@@ -1,120 +1,1514 @@ +@@ -1,120 +1,1580 @@ -.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation" -.de EX -.nf 
@@ -19076,15 +20406,14 @@ index 16e8b13..335b09f 100644 .SH "DESCRIPTION" -Security-Enhanced Linux secures the httpd server via flexible mandatory access -+ -+SELinux Linux secures -+.B httpd -+(Apache web server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the httpd processes via flexible mandatory access control. -.SH FILE_CONTEXTS -+ -+ +-SELinux requires files to have an extended attribute to define the file type. +-Policy governs the access daemons have to these files. +-SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible. +-.PP +-The following file contexts types are defined for httpd: + +.SH BOOLEANS +SELinux policy is customizable based on least access required. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. @@ -19098,6 +20427,13 @@ index 16e8b13..335b09f 100644 +.EE + +.PP ++If you want to allow httpd to communicate with oddjob to start up a servic, you must turn on the httpd_use_oddjob boolean. ++ ++.EX ++.B setsebool -P httpd_use_oddjob 1 ++.EE ++ ++.PP +If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean. + +.EX @@ -19126,6 +20462,13 @@ index 16e8b13..335b09f 100644 +.EE + +.PP ++If you want to allow Apache to run in stickshift mode, not transition to passenge, you must turn on the httpd_run_stickshift boolean. ++ ++.EX ++.B setsebool -P httpd_run_stickshift 1 ++.EE ++ ++.PP +If you want to allow Apache to use mod_auth_pa, you must turn on the allow_httpd_mod_auth_pam boolean. + +.EX 
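Review bot: The added descriptions for `httpd_use_oddjob` and `httpd_run_stickshift` end one character short (`start up a servic`, `not transition to passenge`), and the `httpd_graceful_shutdown` paragraph added in a later hunk reads `graceful shutdow`. Unchanged neighbours show the same loss (`mod_auth_pa`), and `a sssd serve` and `run with NI` in the NSSWITCH DOMAIN paragraphs look like the same cut. The generator presumably drops the last character of every description unconditionally. It should remove a trailing period only when one is present, so the text reads `start up a service`, `not transition to passenger` and `graceful shutdown`.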
@@ -19168,6 +20511,13 @@ index 16e8b13..335b09f 100644 +.EE + +.PP ++If you want to allow httpd to access FUSE file system, you must turn on the httpd_use_fusefs boolean. ++ ++.EX ++.B setsebool -P httpd_use_fusefs 1 ++.EE ++ ++.PP +If you want to allow httpd to connect to the ldap por, you must turn on the httpd_can_connect_ldap boolean. + +.EX @@ -19189,6 +20539,13 @@ index 16e8b13..335b09f 100644 +.EE + +.PP ++If you want to allow HTTPD to connect to port 80 for graceful shutdow, you must turn on the httpd_graceful_shutdown boolean. ++ ++.EX ++.B setsebool -P httpd_graceful_shutdown 1 ++.EE ++ ++.PP +If you want to allow httpd to act as a FTP client connecting to the ftp port and ephemeral port, you must turn on the httpd_can_connect_ftp boolean. + +.EX @@ -19233,7 +20590,10 @@ index 16e8b13..335b09f 100644 +.PP +If you want to allow httpd to use built in scripting (usually php, you must turn on the httpd_builtin_scripting boolean. + -+.EX + .EX +-httpd_sys_content_t +-.EE +-- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access. +.B setsebool -P httpd_builtin_scripting 1 +.EE + @@ -19273,6 +20633,13 @@ index 16e8b13..335b09f 100644 +.EE + +.PP ++If you want to allow httpd to access openstack port, you must turn on the httpd_use_openstack boolean. ++ ++.EX ++.B setsebool -P httpd_use_openstack 1 ++.EE ++ ++.PP +If you want to allow httpd to act as a FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean. + +.EX 
@@ -19282,18 +20649,54 @@ index 16e8b13..335b09f 100644 +.PP +If you want to allow http daemon to connect to zabbi, you must turn on the httpd_can_connect_zabbix boolean. + -+.EX + .EX +-httpd_sys_script_exec_t +-.EE +-- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. +.B setsebool -P httpd_can_connect_zabbix 1 +.EE + +.PP +If you want to allow httpd daemon to change system limit, you must turn on the httpd_setrlimit boolean. + -+.EX + .EX +-httpd_sys_content_rw_t +.B setsebool -P httpd_setrlimit 1 + .EE +-- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ + .EX +-httpd_sys_content_ra_t ++setsebool -P authlogin_nsswitch_use_ldap 1 + .EE +-- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access. ++ ++.PP ++If you want to allow confined applications to run with kerberos for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the allow_kerberos boolean. ++ + .EX +-httpd_unconfined_script_exec_t +-.EE +-- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. 
++setsebool -P allow_kerberos 1 +.EE + -+.SH SHARING FILES ++.PP ++If you want to allow system to run with NI for the httpd_prewikka_script_t, httpd_passwd_t, httpd_t, httpd_php_t, httpd_git_script_t, httpd_suexec_t, httpd_sys_script_t, you must turn on the allow_ypbind boolean. + +-.SH NOTE +-With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. ++.EX ++setsebool -P allow_ypbind 1 ++.EE + + .SH SHARING FILES +-If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. +.TP +Allow httpd servers to read the /var/httpd directory by adding the public_content_t file type to the directory and by restoring the file type. 
@@ -19304,7 +20707,7 @@ index 16e8b13..335b09f 100644 +.B restorecon -F -R -v /var/httpd +.pp +.TP -+Allow httpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpd_anon_write boolean to be set. ++Allow httpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpdd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?" 
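Review bot: The rewritten sentence names the boolean `allow_httpdd_anon_write`, with a doubled `d`, where the line it replaces said `allow_httpd_anon_write`. The `setsebool -P allow_httpd_anon_write 1` example in the next hunk still uses the single-`d` name, so the page now contradicts itself and a `setsebool` call using the name from this sentence would presumably fail. The sentence should end `This also requires the allow_httpd_anon_write boolean to be set.` The extra letter looks like the generator appending `d` to the domain name, so other daemon pages may be affected. The same sentence also says `/var/tmp/incoming` while the `semanage fcontext` line below it labels `/var/httpd/incoming`, an inconsistency this hunk carries over unchanged.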
@@ -19314,47 +20717,45 @@ index 16e8b13..335b09f 100644 + +.PP +If you want to allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t., you must turn on the allow_httpd_sys_script_anon_write boolean. -+ -+.EX + + .EX +-setsebool -P allow_httpd_anon_write=1 +.B setsebool -P allow_httpd_sys_script_anon_write 1 -+.EE -+ + .EE + +-or +.PP +If you want to allow Apache to modify public files used for public file transfer services, directories/files must be labeled public_content_rw_t., you must turn on the allow_httpd_anon_write boolean. -+ -+.EX + + .EX +-setsebool -P allow_httpd_sys_script_anon_write=1 +.B setsebool -P allow_httpd_anon_write 1 -+.EE -+ + .EE + +-.SH BOOLEANS +-SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. +.SH FILE CONTEXTS - SELinux requires files to have an extended attribute to define the file type. --Policy governs the access daemons have to these files. --SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible. ++SELinux requires files to have an extended attribute to define the file type. +.PP +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP + .PP +-httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this +Policy governs the access confined processes have to these files. +SELinux httpd policy is very flexible allowing users to setup their httpd processes in as secure a method as possible. 
- .PP --The following file contexts types are defined for httpd: ++.PP +The following file types are defined for httpd: + + - .EX --httpd_sys_content_t --.EE --- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access. ++.EX +.PP +.B httpd_apcupsd_cgi_content_t +.EE + +- Set files with the httpd_apcupsd_cgi_content_t type, if you want to treat the files as httpd apcupsd cgi content. + -+ + .EX --httpd_sys_script_exec_t --.EE --- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. +-setsebool -P httpd_enable_cgi 1 +.PP +.B httpd_apcupsd_cgi_htaccess_t +.EE 
@@ -19362,95 +20763,87 @@ index 16e8b13..335b09f 100644 +- Set files with the httpd_apcupsd_cgi_htaccess_t type, if you want to treat the file as a httpd apcupsd cgi access file. + + - .EX --httpd_sys_content_rw_t ++.EX +.PP +.B httpd_apcupsd_cgi_ra_content_t .EE --- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. -+ -+- Set files with the httpd_apcupsd_cgi_ra_content_t type, if you want to treat the files as httpd apcupsd cgi read/append content. + ++- Set files with the httpd_apcupsd_cgi_ra_content_t type, if you want to treat the files as httpd apcupsd cgi read/append content. + + - .EX --httpd_sys_content_ra_t -+.PP ++.EX + .PP +-SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. +.B httpd_apcupsd_cgi_rw_content_t - .EE --- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access. ++.EE + +- Set files with the httpd_apcupsd_cgi_rw_content_t type, if you want to treat the files as httpd apcupsd cgi read/write content. + -+ + .EX --httpd_unconfined_script_exec_t --.EE --- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. +-setsebool -P httpd_enable_homedirs 1 +-chcon -R -t httpd_sys_content_t ~user/public_html +.PP +.B httpd_apcupsd_cgi_script_exec_t -+.EE + .EE --.SH NOTE --With certain policies you can define additional file contexts based on roles like user or staff. 
httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. +- Set files with the httpd_apcupsd_cgi_script_exec_t type, if you want to transition an executable to the httpd_apcupsd_cgi_script_t domain. - --.SH SHARING FILES --If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: ++ +.br +.TP 5 +Paths: -+/var/www/apcupsd/upsfstats\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/apcupsd/multimon\.cgi, /var/www/cgi-bin/apcgui(/.*)? - - .EX --setsebool -P allow_httpd_anon_write=1 -+.PP ++/var/www/apcupsd/upsfstats\.cgi, /var/www/apcupsd/multimon\.cgi, /var/www/apcupsd/upsstats\.cgi, /var/www/apcupsd/upsimage\.cgi, /var/www/cgi-bin/apcgui(/.*)? ++ ++.EX + .PP +-SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. +.B httpd_awstats_content_t - .EE - --or ++.EE ++ +- Set files with the httpd_awstats_content_t type, if you want to treat the files as httpd awstats content. + .EX --setsebool -P allow_httpd_sys_script_anon_write=1 +-setsebool -P httpd_tty_comm 1 +.PP +.B httpd_awstats_htaccess_t .EE --.SH BOOLEANS --SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. 
httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. +- Set files with the httpd_awstats_htaccess_t type, if you want to treat the file as a httpd awstats access file. + + +.EX -+.PP -+.B httpd_awstats_ra_content_t -+.EE -+ -+- Set files with the httpd_awstats_ra_content_t type, if you want to treat the files as httpd awstats read/append content. -+ -+ -+.EX .PP --httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this -+.B httpd_awstats_rw_content_t +-httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another. ++.B httpd_awstats_ra_content_t +.EE + -+- Set files with the httpd_awstats_rw_content_t type, if you want to treat the files as httpd awstats read/write content. ++- Set files with the httpd_awstats_ra_content_t type, if you want to treat the files as httpd awstats read/append content. + .EX --setsebool -P httpd_enable_cgi 1 +-setsebool -P httpd_unified 0 +.PP -+.B httpd_awstats_script_exec_t ++.B httpd_awstats_rw_content_t .EE -+- Set files with the httpd_awstats_script_exec_t type, if you want to transition an executable to the httpd_awstats_script_t domain. ++- Set files with the httpd_awstats_rw_content_t type, if you want to treat the files as httpd awstats read/write content. + + +.EX .PP --SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. +-SELinu policy for httpd can be configured to turn on sending email. 
This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. ++.B httpd_awstats_script_exec_t ++.EE ++ ++- Set files with the httpd_awstats_script_exec_t type, if you want to transition an executable to the httpd_awstats_script_t domain. ++ + + .EX +-setsebool -P httpd_can_sendmail 1 + .PP +-httpd can be configured to turn off internal scripting (PHP). PHP and other +-loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts. +.B httpd_bugzilla_content_t +.EE + @@ -19458,8 +20851,7 @@ index 16e8b13..335b09f 100644 + .EX --setsebool -P httpd_enable_homedirs 1 --chcon -R -t httpd_sys_content_t ~user/public_html +-setsebool -P httpd_builtin_scripting 0 +.PP +.B httpd_bugzilla_htaccess_t .EE 
@@ -19469,15 +20861,17 @@ index 16e8b13..335b09f 100644 + +.EX .PP --SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. +-SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. +-This would prevent a hacker from breaking into you httpd server and attacking +-other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. +.B httpd_bugzilla_ra_content_t +.EE + -+- Set files with the httpd_bugzilla_ra_content_t type, if you want to treat the files as httpd bugzilla read/append content. ++- Set files with the httpd_bugzilla_ra_content_t type, if you want to treat the files as httpd bugzilla read/append content. + .EX --setsebool -P httpd_tty_comm 1 +-setsebool -P httpd_can_network_connect 1 +.PP +.B httpd_bugzilla_rw_content_t .EE 
@@ -19487,25 +20881,27 @@ index 16e8b13..335b09f 100644 + +.EX .PP --httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another. +-system-config-selinux is a GUI tool available to customize SELinux policy settings. +-.SH AUTHOR +-This manual page was written by Dan Walsh . +.B httpd_bugzilla_script_exec_t +.EE -+ + +-.SH "SEE ALSO" +-selinux(8), httpd(8), chcon(1), setsebool(8) +- Set files with the httpd_bugzilla_script_exec_t type, if you want to transition an executable to the httpd_bugzilla_script_t domain. + - - .EX --setsebool -P httpd_unified 0 ++ ++.EX +.PP +.B httpd_bugzilla_tmp_t - .EE ++.EE +- Set files with the httpd_bugzilla_tmp_t type, if you want to store httpd bugzilla temporary files in the /tmp directories. -+ + + +.EX - .PP --SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. ++.PP +.B httpd_cache_t +.EE + 
@@ -19514,61 +20910,48 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/var/cache/php-.*, /var/cache/mediawiki(/.*)?, /var/cache/lighttpd(/.*)?, /var/cache/php-mmcache(/.*)?, /var/cache/mod_gnutls(/.*)?, /var/cache/mod_ssl(/.*)?, /var/cache/jetty(/.*)?, /var/cache/mod_.*, /var/cache/ssl.*\.sem, /var/cache/httpd(/.*)?, /var/cache/rt3(/.*)?, /var/cache/php-eaccelerator(/.*)?, /var/cache/mason(/.*)?, /var/cache/mod_proxy(/.*)? - - .EX --setsebool -P httpd_can_sendmail 1 - .PP --httpd can be configured to turn off internal scripting (PHP). PHP and other --loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts. ++/var/cache/php-.*, /var/cache/mediawiki(/.*)?, /var/cache/lighttpd(/.*)?, /var/cache/php-mmcache(/.*)?, /var/cache/mod_gnutls(/.*)?, /var/cache/mod_ssl(/.*)?, /var/cache/mod_.*, /var/cache/ssl.*\.sem, /var/cache/httpd(/.*)?, /var/cache/rt3(/.*)?, /var/cache/php-eaccelerator(/.*)?, /var/cache/mason(/.*)?, /var/cache/mod_proxy(/.*)? ++ ++.EX ++.PP +.B httpd_cobbler_content_t +.EE + +- Set files with the httpd_cobbler_content_t type, if you want to treat the files as httpd cobbler content. + - - .EX --setsebool -P httpd_builtin_scripting 0 ++ ++.EX +.PP +.B httpd_cobbler_htaccess_t - .EE - ++.EE ++ +- Set files with the httpd_cobbler_htaccess_t type, if you want to treat the file as a httpd cobbler access file. + + +.EX - .PP --SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. --This would prevent a hacker from breaking into you httpd server and attacking --other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. ++.PP +.B httpd_cobbler_ra_content_t +.EE + -+- Set files with the httpd_cobbler_ra_content_t type, if you want to treat the files as httpd cobbler read/append content. 
++- Set files with the httpd_cobbler_ra_content_t type, if you want to treat the files as httpd cobbler read/append content. + - - .EX --setsebool -P httpd_can_network_connect 1 ++ ++.EX +.PP +.B httpd_cobbler_rw_content_t - .EE - ++.EE ++ +- Set files with the httpd_cobbler_rw_content_t type, if you want to treat the files as httpd cobbler read/write content. + + +.EX - .PP --system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR --This manual page was written by Dan Walsh . ++.PP +.B httpd_cobbler_script_exec_t +.EE - --.SH "SEE ALSO" --selinux(8), httpd(8), chcon(1), setsebool(8) ++ +- Set files with the httpd_cobbler_script_exec_t type, if you want to transition an executable to the httpd_cobbler_script_t domain. - - ++ ++ +.EX +.PP +.B httpd_collectd_content_t @@ -19590,7 +20973,7 @@ index 16e8b13..335b09f 100644 +.B httpd_collectd_ra_content_t +.EE + -+- Set files with the httpd_collectd_ra_content_t type, if you want to treat the files as httpd collectd read/append content. ++- Set files with the httpd_collectd_ra_content_t type, if you want to treat the files as httpd collectd read/append content. + + +.EX @@ -19619,7 +21002,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/etc/vhosts, /etc/httpd(/.*)?, /etc/apache(2)?(/.*)?, /etc/apache-ssl(2)?(/.*)?, /etc/lighttpd(/.*)?, /var/lib/stickshift/.httpd.d(/.*)?, /etc/cherokee(/.*)? ++/etc/vhosts, /etc/httpd(/.*)?, /etc/apache(2)?(/.*)?, /etc/apache-ssl(2)?(/.*)?, /etc/lighttpd(/.*)?, /etc/cherokee(/.*)? + +.EX +.PP @@ -19642,7 +21025,7 @@ index 16e8b13..335b09f 100644 +.B httpd_cvs_ra_content_t +.EE + -+- Set files with the httpd_cvs_ra_content_t type, if you want to treat the files as httpd cvs read/append content. ++- Set files with the httpd_cvs_ra_content_t type, if you want to treat the files as httpd cvs read/append content. + + +.EX 
@@ -19686,7 +21069,7 @@ index 16e8b13..335b09f 100644 +.B httpd_dirsrvadmin_ra_content_t +.EE + -+- Set files with the httpd_dirsrvadmin_ra_content_t type, if you want to treat the files as httpd dirsrvadmin read/append content. ++- Set files with the httpd_dirsrvadmin_ra_content_t type, if you want to treat the files as httpd dirsrvadmin read/append content. + + +.EX @@ -19730,7 +21113,7 @@ index 16e8b13..335b09f 100644 +.B httpd_dspam_ra_content_t +.EE + -+- Set files with the httpd_dspam_ra_content_t type, if you want to treat the files as httpd dspam read/append content. ++- Set files with the httpd_dspam_ra_content_t type, if you want to treat the files as httpd dspam read/append content. + + +.EX @@ -19759,7 +21142,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/usr/sbin/apache(2)?, /usr/bin/mongrel_rails, /usr/lib/apache-ssl/.+, /usr/sbin/httpd\.event, /usr/sbin/httpd(\.worker)?, /usr/sbin/cherokee, /usr/sbin/apache-ssl(2)?, /usr/sbin/lighttpd ++/usr/sbin/apache(2)?, /usr/share/jetty/bin/jetty.sh, /usr/bin/mongrel_rails, /usr/lib/apache-ssl/.+, /usr/sbin/httpd\.event, /usr/sbin/httpd(\.worker)?, /usr/sbin/cherokee, /usr/sbin/apache-ssl(2)?, /usr/sbin/lighttpd + +.EX +.PP @@ -19782,7 +21165,7 @@ index 16e8b13..335b09f 100644 +.B httpd_git_ra_content_t +.EE + -+- Set files with the httpd_git_ra_content_t type, if you want to treat the files as httpd git read/append content. ++- Set files with the httpd_git_ra_content_t type, if you want to treat the files as httpd git read/append content. + + +.EX 
@@ -19839,63 +21222,75 @@ index 16e8b13..335b09f 100644 + +.EX +.PP -+.B httpd_libra_content_t ++.B httpd_lock_t +.EE + -+- Set files with the httpd_libra_content_t type, if you want to treat the files as httpd libra content. ++- Set files with the httpd_lock_t type, if you want to treat the files as httpd lock data, stored under the /var/lock directory + + +.EX +.PP -+.B httpd_libra_htaccess_t ++.B httpd_log_t +.EE + -+- Set files with the httpd_libra_htaccess_t type, if you want to treat the file as a httpd libra access file. ++- Set files with the httpd_log_t type, if you want to treat the data as httpd log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/apache-ssl(2)?(/.*)?, /var/log/httpd(/.*)?, /var/log/apache(2)?(/.*)?, /var/log/cherokee(/.*)?, /var/log/roundcubemail(/.*)?, /var/log/cgiwrap\.log.*, /var/log/php-fpm(/.*)?, /var/log/lighttpd(/.*)?, /var/log/suphp\.log, /var/log/cacti(/.*)?, /var/log/dirsrv/admin-serv(/.*)?, /etc/httpd/logs + +.EX +.PP -+.B httpd_libra_ra_content_t ++.B httpd_man2html_content_t +.EE + -+- Set files with the httpd_libra_ra_content_t type, if you want to treat the files as httpd libra read/append content. ++- Set files with the httpd_man2html_content_t type, if you want to treat the files as httpd man2html content. + + +.EX +.PP -+.B httpd_libra_rw_content_t ++.B httpd_man2html_htaccess_t +.EE + -+- Set files with the httpd_libra_rw_content_t type, if you want to treat the files as httpd libra read/write content. ++- Set files with the httpd_man2html_htaccess_t type, if you want to treat the file as a httpd man2html access file. + + +.EX +.PP -+.B httpd_libra_script_exec_t ++.B httpd_man2html_ra_content_t +.EE + -+- Set files with the httpd_libra_script_exec_t type, if you want to transition an executable to the httpd_libra_script_t domain. ++- Set files with the httpd_man2html_ra_content_t type, if you want to treat the files as httpd man2html read/append content. 
+ + +.EX +.PP -+.B httpd_lock_t ++.B httpd_man2html_rw_content_t +.EE + -+- Set files with the httpd_lock_t type, if you want to treat the files as httpd lock data, stored under the /var/lock directory ++- Set files with the httpd_man2html_rw_content_t type, if you want to treat the files as httpd man2html read/write content. + + +.EX +.PP -+.B httpd_log_t ++.B httpd_man2html_script_cache_t +.EE + -+- Set files with the httpd_log_t type, if you want to treat the data as httpd log data, usually stored under the /var/log directory. ++- Set files with the httpd_man2html_script_cache_t type, if you want to store the files under the /var/cache directory. ++ ++ ++.EX ++.PP ++.B httpd_man2html_script_exec_t ++.EE ++ ++- Set files with the httpd_man2html_script_exec_t type, if you want to transition an executable to the httpd_man2html_script_t domain. + +.br +.TP 5 +Paths: -+/var/log/apache-ssl(2)?(/.*)?, /var/log/httpd(/.*)?, /var/log/apache(2)?(/.*)?, /var/log/cherokee(/.*)?, /var/log/roundcubemail(/.*)?, /var/log/cgiwrap\.log.*, /var/log/lighttpd(/.*)?, /var/log/suphp\.log, /var/log/cacti(/.*)?, /var/log/dirsrv/admin-serv(/.*)?, /etc/httpd/logs, /var/log/jetty(/.*)? ++/usr/lib/man2html/cgi-bin/man/manwhatis, /usr/lib/man2html/cgi-bin/man/man2html, /usr/lib/man2html/cgi-bin/man/mansec + +.EX +.PP @@ -19922,7 +21317,7 @@ index 16e8b13..335b09f 100644 +.B httpd_mediawiki_ra_content_t +.EE + -+- Set files with the httpd_mediawiki_ra_content_t type, if you want to treat the files as httpd mediawiki read/append content. ++- Set files with the httpd_mediawiki_ra_content_t type, if you want to treat the files as httpd mediawiki read/append content. + + +.EX 
@@ -19978,7 +21373,7 @@ index 16e8b13..335b09f 100644 +.B httpd_mojomojo_ra_content_t +.EE + -+- Set files with the httpd_mojomojo_ra_content_t type, if you want to treat the files as httpd mojomojo read/append content. ++- Set files with the httpd_mojomojo_ra_content_t type, if you want to treat the files as httpd mojomojo read/append content. + + +.EX @@ -20026,7 +21421,7 @@ index 16e8b13..335b09f 100644 +.B httpd_munin_ra_content_t +.EE + -+- Set files with the httpd_munin_ra_content_t type, if you want to treat the files as httpd munin read/append content. ++- Set files with the httpd_munin_ra_content_t type, if you want to treat the files as httpd munin read/append content. + + +.EX @@ -20066,7 +21461,7 @@ index 16e8b13..335b09f 100644 +.B httpd_nagios_ra_content_t +.EE + -+- Set files with the httpd_nagios_ra_content_t type, if you want to treat the files as httpd nagios read/append content. ++- Set files with the httpd_nagios_ra_content_t type, if you want to treat the files as httpd nagios read/append content. + + +.EX @@ -20110,7 +21505,7 @@ index 16e8b13..335b09f 100644 +.B httpd_nutups_cgi_ra_content_t +.EE + -+- Set files with the httpd_nutups_cgi_ra_content_t type, if you want to treat the files as httpd nutups cgi read/append content. ++- Set files with the httpd_nutups_cgi_ra_content_t type, if you want to treat the files as httpd nutups cgi read/append content. + + +.EX @@ -20178,7 +21573,7 @@ index 16e8b13..335b09f 100644 +.B httpd_prewikka_ra_content_t +.EE + -+- Set files with the httpd_prewikka_ra_content_t type, if you want to treat the files as httpd prewikka read/append content. ++- Set files with the httpd_prewikka_ra_content_t type, if you want to treat the files as httpd prewikka read/append content. + + +.EX 
@@ -20226,7 +21621,7 @@ index 16e8b13..335b09f 100644 +.B httpd_smokeping_cgi_ra_content_t +.EE + -+- Set files with the httpd_smokeping_cgi_ra_content_t type, if you want to treat the files as httpd smokeping cgi read/append content. ++- Set files with the httpd_smokeping_cgi_ra_content_t type, if you want to treat the files as httpd smokeping cgi read/append content. + + +.EX @@ -20266,7 +21661,7 @@ index 16e8b13..335b09f 100644 +.B httpd_squid_ra_content_t +.EE + -+- Set files with the httpd_squid_ra_content_t type, if you want to treat the files as httpd squid read/append content. ++- Set files with the httpd_squid_ra_content_t type, if you want to treat the files as httpd squid read/append content. + + +.EX @@ -20323,7 +21718,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/usr/share/icecast(/.*)?, /usr/share/htdig(/.*)?, /etc/htdig(/.*)?, /var/www/svn/conf(/.*)?, /usr/share/doc/ghc/html(/.*)?, /usr/share/mythtv/data(/.*)?, /var/lib/htdig(/.*)?, /srv/gallery2(/.*)?, /srv/([^/]*/)?www(/.*)?, /usr/share/ntop/html(/.*)?, /usr/share/mythweb(/.*)?, /var/lib/cacti/rra(/.*)?, /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-policy[^/]*/html(/.*)?, /usr/share/drupal.*, /var/lib/trac(/.*)?, /var/www(/.*)?, /var/www/icons(/.*)? ++/usr/share/icecast(/.*)?, /usr/share/htdig(/.*)?, /etc/htdig(/.*)?, /var/www/svn/conf(/.*)?, /usr/share/doc/ghc/html(/.*)?, /usr/share/mythtv/data(/.*)?, /var/lib/htdig(/.*)?, /srv/gallery2(/.*)?, /srv/([^/]*/)?www(/.*)?, /usr/share/ntop/html(/.*)?, /usr/share/mythweb(/.*)?, /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-policy[^/]*/html(/.*)?, /usr/share/drupal.*, /var/lib/cacti/rra(/.*)?, /var/lib/trac(/.*)?, /var/www(/.*)?, /var/www/icons(/.*)? + +.EX +.PP 
@@ -20338,7 +21733,7 @@ index 16e8b13..335b09f 100644 +.B httpd_sys_ra_content_t +.EE + -+- Set files with the httpd_sys_ra_content_t type, if you want to treat the files as httpd sys read/append content. ++- Set files with the httpd_sys_ra_content_t type, if you want to treat the files as httpd sys read/append content. + + +.EX @@ -20351,7 +21746,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/var/spool/viewvc(/.*)?, /etc/WebCalendar(/.*)?, /etc/mock/koji(/.*)?, /var/lib/svn(/.*)?, /var/spool/gosa(/.*)?, /etc/zabbix/web(/.*)?, /var/lib/pootle/po(/.*)?, /etc/drupal.*, /var/www/gallery/albums(/.*)?, /usr/share/wordpress/wp-content/uploads(/.*)?, /var/www/html/configuration\.php, /usr/share/wordpress/wp-content/upgrade(/.*)?, /var/lib/drupal.*, /usr/share/wordpress-mu/wp-content(/.*)?, /var/lib/dokuwiki(/.*)?, /var/www/moodledata(/.*)?, /var/www/svn(/.*)?, /var/www/html/wp-content(/.*)? ++/var/www/html/[^/]*/sites/default/settings\.php, /var/spool/viewvc(/.*)?, /etc/WebCalendar(/.*)?, /etc/mock/koji(/.*)?, /var/lib/svn(/.*)?, /var/spool/gosa(/.*)?, /etc/zabbix/web(/.*)?, /var/lib/pootle/po(/.*)?, /etc/drupal.*, /var/www/gallery/albums(/.*)?, /usr/share/wordpress/wp-content/uploads(/.*)?, /var/www/html/configuration\.php, /usr/share/wordpress/wp-content/upgrade(/.*)?, /var/lib/drupal.*, /usr/share/wordpress-mu/wp-content(/.*)?, /var/lib/dokuwiki(/.*)?, /var/www/moodledata(/.*)?, /var/www/html/[^/]*/sites/default/files(/.*)?, /var/www/svn(/.*)?, /var/www/html/wp-content(/.*)? + +.EX +.PP 
@@ -20363,7 +21758,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/var/www/svn/hooks(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress/.*\.php, /usr/lib/cgi-bin(/.*)?, /var/www/perl(/.*)?, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/wordpress-mu/wp-config\.php, /var/www/html/[^/]*/cgi-bin(/.*)?, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)? ++/var/www/svn/hooks(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress/.*\.php, /usr/lib/cgi-bin(/.*)?, /var/www/perl(/.*)?, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/wordpress-mu/wp-config\.php, /var/www/html/[^/]*/cgi-bin(/.*)?, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /usr/share/wordpress/wp-includes/.*\.php + +.EX +.PP @@ -20391,7 +21786,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/usr/lib/systemd/system/httpd.?\.service, /lib/systemd/system/jetty.*\.service, /lib/systemd/system/httpd.*\.service ++/usr/lib/systemd/system/httpd.*, /usr/lib/systemd/system/jetty.* + +.EX +.PP @@ -20414,7 +21809,7 @@ index 16e8b13..335b09f 100644 +.B httpd_user_ra_content_t +.EE + -+- Set files with the httpd_user_ra_content_t type, if you want to treat the files as httpd user read/append content. ++- Set files with the httpd_user_ra_content_t type, if you want to treat the files as httpd user read/append content. + + +.EX @@ -20443,7 +21838,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/var/lib/rt3/data/RT-Shredder(/.*)?, /var/lib/jetty(/.*)?, /var/lib/httpd(/.*)?, /var/lib/cherokee(/.*)?, /var/lib/dav(/.*)? ++/var/lib/rt3/data/RT-Shredder(/.*)?, /var/lib/lighttpd(/.*)?, /var/lib/httpd(/.*)?, /var/lib/cherokee(/.*)?, /var/lib/dav(/.*)? + +.EX +.PP 
@@ -20455,7 +21850,7 @@ index 16e8b13..335b09f 100644 +.br +.TP 5 +Paths: -+/var/run/mod_.*, /var/run/wsgi.*, /var/run/apache.*, /var/run/jetty(/.*)?, /var/run/gcache_port, /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?, /var/run/httpd.*, /var/run/dirsrv/admin-serv.*, /var/lib/php/session(/.*)?, /var/run/lighttpd(/.*)? ++/var/run/mod_.*, /var/run/wsgi.*, /var/run/apache.*, /var/run/cherokee\.pid, /var/run/gcache_port, /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?, /var/run/httpd.*, /var/run/dirsrv/admin-serv.*, /var/lib/php/session(/.*)?, /var/run/lighttpd(/.*)? + +.EX +.PP @@ -20478,7 +21873,7 @@ index 16e8b13..335b09f 100644 +.B httpd_w3c_validator_ra_content_t +.EE + -+- Set files with the httpd_w3c_validator_ra_content_t type, if you want to treat the files as httpd w3c validator read/append content. ++- Set files with the httpd_w3c_validator_ra_content_t type, if you want to treat the files as httpd w3c validator read/append content. + + +.EX @@ -20530,7 +21925,7 @@ index 16e8b13..335b09f 100644 +.B httpd_zoneminder_ra_content_t +.EE + -+- Set files with the httpd_zoneminder_ra_content_t type, if you want to treat the files as httpd zoneminder read/append content. ++- Set files with the httpd_zoneminder_ra_content_t type, if you want to treat the files as httpd zoneminder read/append content. + + +.EX @@ -20550,7 +21945,7 @@ index 16e8b13..335b09f 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -20577,7 +21972,9 @@ index 16e8b13..335b09f 100644 + + +Default Defined Ports: -+tcp 8021 ++tcp 8080,8118,8123,10001-10010 ++.EE ++udp 3130 +.EE + +.EX 
@@ -20588,7 +21985,7 @@ index 16e8b13..335b09f 100644 + + +Default Defined Ports: -+tcp 8021 ++tcp 80,443,488,8008,8009,8443 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -20601,7 +21998,7 @@ index 16e8b13..335b09f 100644 +The following process types are defined for httpd: + +.EX -+.B httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_mojomojo_script_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_libra_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_zoneminder_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_t, httpd_passwd_t, httpd_helper_t, httpd_squid_script_t, httpd_cobbler_script_t, httpd_mediawiki_script_t ++.B httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_mojomojo_script_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_zoneminder_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_t, httpd_man2html_script_t, httpd_passwd_t, httpd_helper_t, httpd_squid_script_t, httpd_cobbler_script_t, httpd_mediawiki_script_t +.EE +.PP +Note: @@ -20637,17 +22034,40 @@ index 16e8b13..335b09f 100644 \ No newline at end of file diff --git a/man/man8/hwclock_selinux.8 b/man/man8/hwclock_selinux.8 new file mode 100644 -index 0000000..1928dc4 +index 0000000..15bed4c --- /dev/null 
+++ b/man/man8/hwclock_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,98 @@ +.TH "hwclock_selinux" "8" "hwclock" "dwalsh@redhat.com" "hwclock SELinux Policy documentation" +.SH "NAME" +hwclock_selinux \- Security Enhanced Linux Policy for the hwclock processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the hwclock processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the hwclock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the hwclock_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the hwclock_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -20673,7 +22093,7 @@ index 0000000..1928dc4 +/usr/sbin/hwclock, /sbin/hwclock + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -20718,17 +22138,19 @@ index 0000000..1928dc4 +selinux(8), hwclock(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/iceauth_selinux.8 b/man/man8/iceauth_selinux.8 new file mode 100644 -index 0000000..53e495f +index 0000000..0db3d9c --- /dev/null 
+++ b/man/man8/iceauth_selinux.8 -@@ -0,0 +1,87 @@ +@@ -0,0 +1,89 @@ +.TH "iceauth_selinux" "8" "iceauth" "dwalsh@redhat.com" "iceauth SELinux Policy documentation" +.SH "NAME" +iceauth_selinux \- Security Enhanced Linux Policy for the iceauth processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the iceauth processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -20766,7 +22188,7 @@ index 0000000..53e495f +/root/\.DCOP.*, /root/\.ICEauthority.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -20811,24 +22233,18 @@ index 0000000..53e495f +selinux(8), iceauth(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/icecast_selinux.8 b/man/man8/icecast_selinux.8 new file mode 100644 -index 0000000..ca10859 +index 0000000..0e50b21 --- /dev/null 
+++ b/man/man8/icecast_selinux.8 -@@ -0,0 +1,116 @@ +@@ -0,0 +1,133 @@ +.TH "icecast_selinux" "8" "icecast" "dwalsh@redhat.com" "icecast SELinux Policy documentation" +.SH "NAME" +icecast_selinux \- Security Enhanced Linux Policy for the icecast processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B icecast -+( ShoutCast compatible streaming media server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the icecast processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. icecast policy is extremely flexible and has several booleans that allow you to manipulate the policy and run icecast with the tightest access possible. + @@ -20840,6 +22256,29 @@ index 0000000..ca10859 +.B setsebool -P icecast_connect_any 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the icecast_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the icecast_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the icecast_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -20884,7 +22323,7 @@ index 0000000..ca10859 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -20934,17 +22373,40 @@ index 0000000..ca10859 \ No newline at end of file diff --git a/man/man8/ifconfig_selinux.8 b/man/man8/ifconfig_selinux.8 new file mode 100644 -index 0000000..b2444a2 +index 0000000..bd16411 --- /dev/null +++ b/man/man8/ifconfig_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,98 @@ +.TH "ifconfig_selinux" "8" "ifconfig" "dwalsh@redhat.com" "ifconfig SELinux Policy documentation" +.SH "NAME" +ifconfig_selinux \- Security Enhanced Linux Policy for the ifconfig processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ifconfig processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the ifconfig_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ifconfig_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the ifconfig_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -20967,10 +22429,10 @@ index 0000000..b2444a2 +.br +.TP 5 +Paths: -+/usr/sbin/ipx_internal_net, /sbin/ipx_configure, /sbin/tc, /usr/sbin/ipx_configure, /usr/sbin/iwconfig, /usr/sbin/ipx_interface, /usr/sbin/mii-tool, /usr/sbin/ethtool, /sbin/ipx_internal_net, /usr/sbin/ifconfig, /bin/ip, /usr/bin/ip, /usr/sbin/tc, /sbin/iwconfig, /sbin/ifconfig, /sbin/mii-tool, /sbin/ethtool, /usr/sbin/ip, /sbin/ipx_interface, /sbin/ip ++/usr/sbin/ipx_internal_net, /sbin/ipx_configure, /sbin/tc, /usr/sbin/ipx_configure, /usr/sbin/iwconfig, /usr/sbin/ipx_interface, /usr/sbin/mii-tool, /usr/sbin/ethtool, /usr/sbin/ifconfig, /sbin/ipx_interface, /bin/ip, /usr/bin/ip, /usr/sbin/tc, /sbin/iwconfig, /sbin/ifconfig, /sbin/mii-tool, /sbin/ethtool, /usr/sbin/ip, /sbin/ip, /sbin/ipx_internal_net + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21015,23 +22477,40 @@ index 0000000..b2444a2 +selinux(8), ifconfig(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/inetd_selinux.8 b/man/man8/inetd_selinux.8 new file mode 100644 -index 0000000..122a8f9 +index 0000000..07cb6a4 --- /dev/null 
+++ b/man/man8/inetd_selinux.8 -@@ -0,0 +1,159 @@ +@@ -0,0 +1,178 @@ +.TH "inetd_selinux" "8" "inetd" "dwalsh@redhat.com" "inetd SELinux Policy documentation" +.SH "NAME" +inetd_selinux \- Security Enhanced Linux Policy for the inetd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B inetd -+(Internet services daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the inetd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the inetd_t, inetd_child_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the inetd_t, inetd_child_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the inetd_t, inetd_child_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -21109,7 +22588,7 @@ index 0000000..122a8f9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21136,7 +22615,9 @@ index 0000000..122a8f9 + + +Default Defined Ports: -+tcp 8021 ++tcp 1,9,13,19,512,543,544,891,892,2105,5666 ++.EE ++udp 1,9,13,19,891,892 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -21180,24 +22661,18 @@ index 0000000..122a8f9 +selinux(8), inetd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/init_selinux.8 b/man/man8/init_selinux.8 new file mode 100644 -index 0000000..ce0a398 +index 0000000..24ad2a6 --- /dev/null +++ b/man/man8/init_selinux.8 -@@ -0,0 +1,167 @@ +@@ -0,0 +1,184 @@ +.TH "init_selinux" "8" "init" "dwalsh@redhat.com" "init SELinux Policy documentation" +.SH "NAME" +init_selinux \- Security Enhanced Linux Policy for the init processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B init -+(System initialization programs (init and init scripts)) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the init processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. init policy is extremely flexible and has several booleans that allow you to manipulate the policy and run init with the tightest access possible. + @@ -21216,6 +22691,29 @@ index 0000000..ce0a398 +.B setsebool -P init_systemd 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the init_t, initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the init_t, initrc_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the init_t, initrc_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -21237,7 +22735,7 @@ index 0000000..ce0a398 +.br +.TP 5 +Paths: -+/usr/sbin/init(ng)?, /lib/systemd/[^/]*, /sbin/init(ng)?, /bin/systemd, /usr/lib/systemd/system-generators/[^/]*, /usr/bin/systemd, /lib/systemd/system-generators/[^/]*, /sbin/upstart, /usr/sbin/upstart, /usr/lib/systemd/[^/]* ++/usr/sbin/init(ng)?, /sbin/init(ng)?, /bin/systemd, /usr/lib/systemd/system-generators/[^/]*, /usr/bin/systemd, /sbin/upstart, /usr/sbin/upstart, /usr/lib/systemd/[^/]* + +.EX +.PP @@ -21273,7 +22771,7 @@ index 0000000..ce0a398 +.br +.TP 5 +Paths: -+/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /usr/libexec/dcc/start-.*, /usr/sbin/apachectl, /usr/sbin/restart-dirsrv, /etc/init\.d/.*, /usr/bin/sepg_ctl ++/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/restart-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /usr/libexec/dcc/start-.*, /usr/share/system-config-services/system-config-services-mechanism\.py, /usr/sbin/apachectl, /etc/init\.d/.*, /usr/bin/sepg_ctl + +.EX +.PP 
@@ -21304,7 +22802,7 @@ index 0000000..ce0a398 +/var/run/setmixer_flag, /var/run/runlevel\.dir, /var/run/random-seed, /var/run/utmp + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21354,17 +22852,40 @@ index 0000000..ce0a398 \ No newline at end of file diff --git a/man/man8/initrc_selinux.8 b/man/man8/initrc_selinux.8 new file mode 100644 -index 0000000..2fa2434 +index 0000000..bc95e70 --- /dev/null +++ b/man/man8/initrc_selinux.8 -@@ -0,0 +1,111 @@ +@@ -0,0 +1,134 @@ +.TH "initrc_selinux" "8" "initrc" "dwalsh@redhat.com" "initrc SELinux Policy documentation" +.SH "NAME" +initrc_selinux \- Security Enhanced Linux Policy for the initrc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the initrc processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the initrc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the initrc_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the initrc_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -21395,7 +22916,7 @@ index 0000000..2fa2434 +.br +.TP 5 +Paths: -+/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /usr/libexec/dcc/start-.*, /usr/sbin/apachectl, /usr/sbin/restart-dirsrv, /etc/init\.d/.*, /usr/bin/sepg_ctl ++/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/restart-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /usr/libexec/dcc/start-.*, /usr/share/system-config-services/system-config-services-mechanism\.py, /usr/sbin/apachectl, /etc/init\.d/.*, /usr/bin/sepg_ctl + +.EX +.PP @@ -21426,7 +22947,7 @@ index 0000000..2fa2434 +/var/run/setmixer_flag, /var/run/runlevel\.dir, /var/run/random-seed, /var/run/utmp + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21471,17 +22992,19 @@ index 0000000..2fa2434 +selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/innd_selinux.8 b/man/man8/innd_selinux.8 new file mode 100644 -index 0000000..541f9e9 +index 0000000..2f7366a --- /dev/null 
+++ b/man/man8/innd_selinux.8 -@@ -0,0 +1,145 @@ +@@ -0,0 +1,147 @@ +.TH "innd_selinux" "8" "innd" "dwalsh@redhat.com" "innd SELinux Policy documentation" +.SH "NAME" +innd_selinux \- Security Enhanced Linux Policy for the innd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the innd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -21512,7 +23035,7 @@ index 0000000..541f9e9 +.br +.TP 5 +Paths: -+/usr/bin/suck, /usr/lib/news/bin/convdate, /usr/lib/news/bin/filechan, /usr/lib/news/bin/nntpget, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/shlock, /usr/lib/news/bin/archive, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/innd, /usr/lib/news/bin/actsync, /usr/lib/news/bin/innxbatch, /usr/bin/inews, /usr/lib/news/bin/batcher, /usr/sbin/innd.*, /usr/lib/news/bin/expire, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/ctlinnd, /usr/bin/rpost, /usr/lib/news/bin/buffchan, /etc/news/boot, /usr/lib/news/bin/ovdb_recover, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/makedbz, /usr/bin/rnews, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/getlist, /usr/lib/news/bin/sm, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/rnews, /usr/lib/news/bin/overchan, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/prunehistory, /usr/lib/news/bin/inews, /usr/lib/news/bin/shrinkfile, /usr/lib/news/bin/expireover, /usr/lib/news/bin/inndf ++/usr/bin/suck, /usr/lib/news/bin/convdate, /usr/lib/news/bin/filechan, /usr/lib/news/bin/nntpget, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/shlock, /usr/lib/news/bin/archive, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/actsync, /usr/lib/news/bin/innxbatch, /usr/bin/inews, /usr/lib/news/bin/batcher, /usr/sbin/innd.*, /usr/lib/news/bin/expire, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/ctlinnd, /usr/bin/rpost, /usr/lib/news/bin/buffchan, /usr/lib/news/bin/ovdb_recover, /etc/news/boot, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/innd, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/makedbz, /usr/bin/rnews, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/getlist, /usr/lib/news/bin/sm, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/rnews, 
/usr/lib/news/bin/overchan, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/prunehistory, /usr/lib/news/bin/inews, /usr/lib/news/bin/shrinkfile, /usr/lib/news/bin/expireover, /usr/lib/news/bin/inndf + +.EX +.PP @@ -21551,7 +23074,7 @@ index 0000000..541f9e9 +/var/run/innd(/.*)?, /var/run/news(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21578,7 +23101,7 @@ index 0000000..541f9e9 + + +Default Defined Ports: -+tcp 8021 ++tcp 119 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -21622,17 +23145,17 @@ index 0000000..541f9e9 +selinux(8), innd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/insmod_selinux.8 b/man/man8/insmod_selinux.8 new file mode 100644 -index 0000000..0e25a12 +index 0000000..bf85b2a --- /dev/null +++ b/man/man8/insmod_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,128 @@ +.TH "insmod_selinux" "8" "insmod" "dwalsh@redhat.com" "insmod SELinux Policy documentation" +.SH "NAME" +insmod_selinux \- Security Enhanced Linux Policy for the insmod processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the insmod processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. insmod policy is extremely flexible and has several booleans that allow you to manipulate the policy and run insmod with the tightest access possible. 
@@ -21652,6 +23175,29 @@ index 0000000..0e25a12 +.B setsebool -P pppd_can_insmod 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the insmod_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the insmod_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the insmod_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -21684,7 +23230,7 @@ index 0000000..0e25a12 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21734,23 +23280,40 @@ index 0000000..0e25a12 \ No newline at end of file diff --git a/man/man8/ipsec_selinux.8 b/man/man8/ipsec_selinux.8 new file mode 100644 -index 0000000..3273369 +index 0000000..f3dfbaa --- /dev/null 
+++ b/man/man8/ipsec_selinux.8 -@@ -0,0 +1,199 @@ +@@ -0,0 +1,218 @@ +.TH "ipsec_selinux" "8" "ipsec" "dwalsh@redhat.com" "ipsec SELinux Policy documentation" +.SH "NAME" +ipsec_selinux \- Security Enhanced Linux Policy for the ipsec processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ipsec -+(TCP/IP encryption) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ipsec processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the ipsec_t, ipsec_mgmt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ipsec_t, ipsec_mgmt_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the ipsec_t, ipsec_mgmt_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -21829,7 +23392,7 @@ index 0000000..3273369 +.br +.TP 5 +Paths: -+/usr/lib/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service, /usr/lib/ipsec/_plutoload, /usr/sbin/ipsec, /usr/libexec/ipsec/_plutorun ++/usr/lib/ipsec/_plutorun, /usr/libexec/ipsec/_plutoload, /usr/libexec/nm-openswan-service, /usr/sbin/ipsec, /usr/lib/ipsec/_plutoload, /usr/libexec/ipsec/_plutorun + +.EX +.PP 
@@ -21868,7 +23431,7 @@ index 0000000..3273369 +/var/run/racoon\.pid, /var/run/pluto(/.*)?, /var/racoon(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -21895,7 +23458,9 @@ index 0000000..3273369 + + +Default Defined Ports: -+tcp 8021 ++tcp 4500 ++.EE ++udp 4500 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -21939,24 +23504,18 @@ index 0000000..3273369 +selinux(8), ipsec(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/iptables_selinux.8 b/man/man8/iptables_selinux.8 new file mode 100644 -index 0000000..8e6b3de +index 0000000..685d74f --- /dev/null +++ b/man/man8/iptables_selinux.8 -@@ -0,0 +1,136 @@ +@@ -0,0 +1,153 @@ +.TH "iptables_selinux" "8" "iptables" "dwalsh@redhat.com" "iptables SELinux Policy documentation" +.SH "NAME" +iptables_selinux \- Security Enhanced Linux Policy for the iptables processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B iptables -+(Policy for iptables) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the iptables processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. iptables policy is extremely flexible and has several booleans that allow you to manipulate the policy and run iptables with the tightest access possible. + 
@@ -21968,6 +23527,29 @@ index 0000000..8e6b3de +.B setsebool -P dhcpc_exec_iptables 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the iptables_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the iptables_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the iptables_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -21989,7 +23571,7 @@ index 0000000..8e6b3de +.br +.TP 5 +Paths: -+/sbin/ebtables-restore, /usr/sbin/ipvsadm-restore, /usr/sbin/ipchains.*, /usr/sbin/ip6?tables, /sbin/ebtables, /usr/sbin/ip6?tables-restore, /usr/sbin/xtables-multi, /sbin/ipchains.*, /sbin/ip6?tables, /usr/sbin/ebtables-restore, /usr/sbin/ebtables, /sbin/ipvsadm, /usr/sbin/ipvsadm-save, /sbin/xtables-multi, /sbin/ipvsadm-restore, /usr/sbin/ip6?tables-multi, /sbin/ip6?tables-multi, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /sbin/ip6?tables-restore ++/sbin/ebtables-restore, /usr/sbin/ipvsadm-restore, /usr/sbin/ipchains.*, /sbin/ebtables, /usr/sbin/ip6?tables, /usr/sbin/ip6?tables-restore, /usr/sbin/xtables-multi, /sbin/ipchains.*, /sbin/ip6?tables, /usr/sbin/ebtables-restore, /usr/sbin/ebtables, /sbin/ipvsadm, /usr/sbin/ipvsadm-save, /sbin/xtables-multi, /sbin/ipvsadm-restore, /usr/sbin/ip6?tables-multi, /sbin/ip6?tables-multi, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /sbin/ip6?tables-restore + +.EX +.PP 
@@ -22021,7 +23603,7 @@ index 0000000..8e6b3de +.br +.TP 5 +Paths: -+/lib/systemd/system/vsftpd.*, /usr/lib/systemd/system/proftpd.*, /usr/lib/systemd/system/iptables6?.service, /lib/systemd/system/ip6tables.service, /lib/systemd/system/slapd.*, /usr/lib/systemd/system/vsftpd.*, /lib/systemd/system/ppp.*, /usr/lib/systemd/system/kdump.service, /usr/lib/systemd/system/slapd.*, /usr/lib/systemd/system/ppp.*, /lib/systemd/system/kdump.service, /lib/systemd/system/proftpd.*, /lib/systemd/system/iptables.service ++/usr/lib/systemd/system/ip6tables.*, /usr/lib/systemd/system/proftpd.*, /usr/lib/systemd/system/vsftpd.*, /usr/lib/systemd/system/slapd.*, /usr/lib/systemd/system/ppp.*, /usr/lib/systemd/system/iptables.* + +.EX +.PP @@ -22032,7 +23614,7 @@ index 0000000..8e6b3de + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22082,23 +23664,19 @@ index 0000000..8e6b3de \ No newline at end of file diff --git a/man/man8/irc_selinux.8 b/man/man8/irc_selinux.8 new file mode 100644 -index 0000000..6bd8081 +index 0000000..8742397 --- /dev/null +++ b/man/man8/irc_selinux.8 -@@ -0,0 +1,123 @@ +@@ -0,0 +1,119 @@ +.TH "irc_selinux" "8" "irc" "dwalsh@redhat.com" "irc SELinux Policy documentation" +.SH "NAME" +irc_selinux \- Security Enhanced Linux Policy for the irc processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B irc -+(IRC client policy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the irc processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -22121,7 +23699,7 @@ index 0000000..6bd8081 +.br +.TP 5 +Paths: -+/usr/bin/ircII, /usr/bin/tinyirc, /usr/bin/[st]irc ++/usr/bin/tinyirc, /usr/bin/[st]irc, /usr/bin/ircII + +.EX +.PP @@ -22140,7 +23718,7 @@ index 0000000..6bd8081 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22167,7 +23745,7 @@ index 0000000..6bd8081 + + +Default Defined Ports: -+tcp 8021 ++tcp 6667 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -22211,23 +23789,19 @@ index 0000000..6bd8081 +selinux(8), irc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/irqbalance_selinux.8 b/man/man8/irqbalance_selinux.8 new file mode 100644 -index 0000000..daf7657 +index 0000000..8cafced --- /dev/null +++ b/man/man8/irqbalance_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,81 @@ +.TH "irqbalance_selinux" "8" "irqbalance" "dwalsh@redhat.com" "irqbalance SELinux Policy documentation" +.SH "NAME" +irqbalance_selinux \- Security Enhanced Linux Policy for the irqbalance processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B irqbalance -+(IRQ balancing daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the irqbalance processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -22257,7 +23831,7 @@ index 0000000..daf7657 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22302,17 +23876,17 @@ index 0000000..daf7657 +selinux(8), irqbalance(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/irssi_selinux.8 b/man/man8/irssi_selinux.8 new file mode 100644 -index 0000000..3320869 +index 0000000..b2ac83e --- /dev/null +++ b/man/man8/irssi_selinux.8 -@@ -0,0 +1,102 @@ +@@ -0,0 +1,125 @@ +.TH "irssi_selinux" "8" "irssi" "dwalsh@redhat.com" "irssi SELinux Policy documentation" +.SH "NAME" +irssi_selinux \- Security Enhanced Linux Policy for the irssi processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the irssi processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. irssi policy is extremely flexible and has several booleans that allow you to manipulate the policy and run irssi with the tightest access possible. 
@@ -22325,6 +23899,29 @@ index 0000000..3320869 +.B setsebool -P irssi_use_full_network 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the irssi_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the irssi_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the irssi_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -22361,7 +23958,7 @@ index 0000000..3320869 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22411,71 +24008,50 @@ index 0000000..3320869 \ No newline at end of file diff --git a/man/man8/iscsid_selinux.8 b/man/man8/iscsid_selinux.8 new file mode 100644 -index 0000000..4f0d9c3 +index 0000000..263305f --- /dev/null 
+++ b/man/man8/iscsid_selinux.8 -@@ -0,0 +1,145 @@ +@@ -0,0 +1,124 @@ +.TH "iscsid_selinux" "8" "iscsid" "dwalsh@redhat.com" "iscsid SELinux Policy documentation" +.SH "NAME" +iscsid_selinux \- Security Enhanced Linux Policy for the iscsid processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the iscsid processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. +.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible. -+.PP -+The following file types are defined for iscsid: -+ ++If you want to allow users to login using a sssd serve for the iscsid_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B iscsi_lock_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the iscsi_lock_t type, if you want to treat the files as iscsi lock data, stored under the /var/lock directory -+ -+ -+.EX +.PP -+.B iscsi_log_t -+.EE -+ -+- Set files with the iscsi_log_t type, if you want to treat the data as iscsi log data, usually stored under the /var/log directory. -+ -+.br -+.TP 5 -+Paths: -+/var/log/iscsiuio\.log.*, /var/log/brcm-iscsi\.log ++If you want to allow confined applications to run with kerberos for the iscsid_t, you must turn on the allow_kerberos boolean. + +.EX -+.PP -+.B iscsi_tmp_t ++setsebool -P allow_kerberos 1 +.EE + -+- Set files with the iscsi_tmp_t type, if you want to store iscsi temporary files in the /tmp directories. -+ -+ -+.EX +.PP -+.B iscsi_var_lib_t -+.EE -+ -+- Set files with the iscsi_var_lib_t type, if you want to store the iscsi files under the /var/lib directory. 
-+ ++If you want to allow system to run with NI for the iscsid_t, you must turn on the allow_ypbind boolean. + +.EX -+.PP -+.B iscsi_var_run_t ++setsebool -P allow_ypbind 1 +.EE + -+- Set files with the iscsi_var_run_t type, if you want to store the iscsi files under the /run directory. ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux iscsid policy is very flexible allowing users to setup their iscsid processes in as secure a method as possible. ++.PP ++The following file types are defined for iscsid: + + +.EX @@ -22491,7 +24067,7 @@ index 0000000..4f0d9c3 +/sbin/brcm_iscsiuio, /sbin/iscsiuio, /usr/sbin/iscsiuio, /usr/sbin/iscsid, /usr/sbin/brcm_iscsiuio, /sbin/iscsid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22518,7 +24094,7 @@ index 0000000..4f0d9c3 + + +Default Defined Ports: -+tcp 8021 ++tcp 3260 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -22562,17 +24138,19 @@ index 0000000..4f0d9c3 +selinux(8), iscsid(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/iwhd_selinux.8 b/man/man8/iwhd_selinux.8 new file mode 100644 -index 0000000..2031201 +index 0000000..a0ae96c --- /dev/null 
+++ b/man/man8/iwhd_selinux.8 -@@ -0,0 +1,103 @@ +@@ -0,0 +1,105 @@ +.TH "iwhd_selinux" "8" "iwhd" "dwalsh@redhat.com" "iwhd SELinux Policy documentation" +.SH "NAME" +iwhd_selinux \- Security Enhanced Linux Policy for the iwhd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the iwhd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -22626,7 +24204,7 @@ index 0000000..2031201 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22671,17 +24249,19 @@ index 0000000..2031201 +selinux(8), iwhd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/jabberd_selinux.8 b/man/man8/jabberd_selinux.8 new file mode 100644 -index 0000000..5f3d39d +index 0000000..dd38cf4 --- /dev/null +++ b/man/man8/jabberd_selinux.8 -@@ -0,0 +1,151 @@ +@@ -0,0 +1,153 @@ +.TH "jabberd_selinux" "8" "jabberd" "dwalsh@redhat.com" "jabberd SELinux Policy documentation" +.SH "NAME" +jabberd_selinux \- Security Enhanced Linux Policy for the jabberd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the jabberd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -22735,7 +24315,7 @@ index 0000000..5f3d39d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22762,7 +24342,7 @@ index 0000000..5f3d39d + + +Default Defined Ports: -+tcp 8021 ++tcp 5222,5223 +.EE + +.EX @@ -22773,7 +24353,7 @@ index 0000000..5f3d39d + + +Default Defined Ports: -+tcp 8021 ++tcp 5269 +.EE + +.EX @@ -22784,7 +24364,7 @@ index 0000000..5f3d39d + + +Default Defined Ports: -+tcp 8021 ++tcp 5347 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -22828,23 +24408,19 @@ index 0000000..5f3d39d +selinux(8), jabberd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/jockey_selinux.8 b/man/man8/jockey_selinux.8 new file mode 100644 -index 0000000..239af62 +index 0000000..92a2c36 --- /dev/null +++ b/man/man8/jockey_selinux.8 -@@ -0,0 +1,97 @@ +@@ -0,0 +1,93 @@ +.TH "jockey_selinux" "8" "jockey" "dwalsh@redhat.com" "jockey SELinux Policy documentation" +.SH "NAME" +jockey_selinux \- Security Enhanced Linux Policy for the jockey processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B jockey -+(policy for jockey) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the jockey processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -22886,7 +24462,7 @@ index 0000000..239af62 +/var/log/jockey\.log, /var/log/jockey(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -22931,17 +24507,19 @@ index 0000000..239af62 +selinux(8), jockey(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kadmind_selinux.8 b/man/man8/kadmind_selinux.8 new file mode 100644 -index 0000000..b56c5c1 +index 0000000..f5d4608 --- /dev/null +++ b/man/man8/kadmind_selinux.8 -@@ -0,0 +1,99 @@ +@@ -0,0 +1,101 @@ +.TH "kadmind_selinux" "8" "kadmind" "dwalsh@redhat.com" "kadmind SELinux Policy documentation" +.SH "NAME" +kadmind_selinux \- Security Enhanced Linux Policy for the kadmind processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the kadmind processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -22991,7 +24569,7 @@ index 0000000..b56c5c1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23036,23 +24614,40 @@ index 0000000..b56c5c1 +selinux(8), kadmind(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kdump_selinux.8 b/man/man8/kdump_selinux.8 new file mode 100644 -index 0000000..b47a14d +index 0000000..7097ced --- /dev/null 
+++ b/man/man8/kdump_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,162 @@ +.TH "kdump_selinux" "8" "kdump" "dwalsh@redhat.com" "kdump SELinux Policy documentation" +.SH "NAME" +kdump_selinux \- Security Enhanced Linux Policy for the kdump processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B kdump -+(Kernel crash dumping mechanism) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the kdump processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the kdumpgui_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -23103,6 +24698,30 @@ index 0000000..b47a14d + +.EX +.PP ++.B kdumpctl_exec_t ++.EE ++ ++- Set files with the kdumpctl_exec_t type, if you want to transition an executable to the kdumpctl_t domain. ++ ++ ++.EX ++.PP ++.B kdumpctl_tmp_t ++.EE ++ ++- Set files with the kdumpctl_tmp_t type, if you want to store kdumpctl temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B kdumpctl_unit_file_t ++.EE ++ ++- Set files with the kdumpctl_unit_file_t type, if you want to treat the files as kdumpctl unit content. ++ ++ ++.EX ++.PP +.B kdumpgui_exec_t +.EE + 
@@ -23118,7 +24737,7 @@ index 0000000..b47a14d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23135,7 +24754,7 @@ index 0000000..b47a14d +The following process types are defined for kdump: + +.EX -+.B kdumpgui_t, kdump_t ++.B kdumpgui_t, kdumpctl_t, kdump_t +.EE +.PP +Note: @@ -23163,23 +24782,40 @@ index 0000000..b47a14d +selinux(8), kdump(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kdumpgui_selinux.8 b/man/man8/kdumpgui_selinux.8 new file mode 100644 -index 0000000..82754b0 +index 0000000..25c390e --- /dev/null 
+++ b/man/man8/kdumpgui_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,102 @@ +.TH "kdumpgui_selinux" "8" "kdumpgui" "dwalsh@redhat.com" "kdumpgui SELinux Policy documentation" +.SH "NAME" +kdumpgui_selinux \- Security Enhanced Linux Policy for the kdumpgui processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B kdumpgui -+(system-config-kdump GUI) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the kdumpgui processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the kdumpgui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the kdumpgui_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the kdumpgui_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -23209,7 +24845,7 @@ index 0000000..82754b0 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23254,23 +24890,19 @@ index 0000000..82754b0 +selinux(8), kdumpgui(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/keyboardd_selinux.8 b/man/man8/keyboardd_selinux.8 new file mode 100644 -index 0000000..782e48f +index 0000000..1eebbe8 --- /dev/null 
+++ b/man/man8/keyboardd_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "keyboardd_selinux" "8" "keyboardd" "dwalsh@redhat.com" "keyboardd SELinux Policy documentation" +.SH "NAME" +keyboardd_selinux \- Security Enhanced Linux Policy for the keyboardd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B keyboardd -+(policy for system-setup-keyboard daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the keyboardd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -23292,7 +24924,7 @@ index 0000000..782e48f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23337,23 +24969,40 @@ index 0000000..782e48f +selinux(8), keyboardd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/keystone_selinux.8 b/man/man8/keystone_selinux.8 new file mode 100644 -index 0000000..1c2d5b6 +index 0000000..fb4d1dd --- /dev/null 
+++ b/man/man8/keystone_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,154 @@ +.TH "keystone_selinux" "8" "keystone" "dwalsh@redhat.com" "keystone SELinux Policy documentation" +.SH "NAME" +keystone_selinux \- Security Enhanced Linux Policy for the keystone processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B keystone -+(policy for keystone) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the keystone processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the keystone_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the keystone_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the keystone_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -23407,12 +25056,37 @@ index 0000000..1c2d5b6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon +to apply the labels. + ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux keystone policy is very flexible allowing users to setup their keystone processes in as secure a method as possible. ++.PP ++The following port types are defined for keystone: ++ ++.EX ++.TP 5 ++.B keystone_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 5000 ++.EE ++udp 5000 ++.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP @@ -23441,6 +25115,9 @@ index 0000000..1c2d5b6 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage port ++can also be used to manipulate the port definitions ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -23452,23 +25129,40 @@ index 0000000..1c2d5b6 +selinux(8), keystone(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kismet_selinux.8 b/man/man8/kismet_selinux.8 new file mode 100644 -index 0000000..678bdc4 +index 0000000..81a7181 --- /dev/null 
+++ b/man/man8/kismet_selinux.8 -@@ -0,0 +1,151 @@ +@@ -0,0 +1,168 @@ +.TH "kismet_selinux" "8" "kismet" "dwalsh@redhat.com" "kismet SELinux Policy documentation" +.SH "NAME" +kismet_selinux \- Security Enhanced Linux Policy for the kismet processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B kismet -+(Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the kismet processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the kismet_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the kismet_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the kismet_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -23538,7 +25232,7 @@ index 0000000..678bdc4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23565,7 +25259,7 @@ index 0000000..678bdc4 + + +Default Defined Ports: -+tcp 8021 ++tcp 2501 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -23609,17 +25303,19 @@ index 0000000..678bdc4 +selinux(8), kismet(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/klogd_selinux.8 b/man/man8/klogd_selinux.8 new file mode 100644 -index 0000000..9dcdb4f +index 0000000..ba261fe --- /dev/null +++ b/man/man8/klogd_selinux.8 -@@ -0,0 +1,91 @@ +@@ -0,0 +1,93 @@ +.TH "klogd_selinux" "8" "klogd" "dwalsh@redhat.com" "klogd SELinux Policy documentation" +.SH "NAME" +klogd_selinux \- Security Enhanced Linux Policy for the klogd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the klogd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -23661,7 +25357,7 @@ index 0000000..9dcdb4f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23706,17 +25402,19 @@ index 0000000..9dcdb4f +selinux(8), klogd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/kpropd_selinux.8 b/man/man8/kpropd_selinux.8 new file mode 100644 -index 0000000..5ad7425 +index 0000000..8720d94 --- /dev/null +++ b/man/man8/kpropd_selinux.8 -@@ -0,0 +1,97 @@ +@@ -0,0 +1,99 @@ +.TH "kpropd_selinux" "8" "kpropd" "dwalsh@redhat.com" "kpropd SELinux Policy documentation" +.SH "NAME" +kpropd_selinux \- Security Enhanced Linux Policy for the kpropd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the kpropd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -23738,7 +25436,7 @@ index 0000000..5ad7425 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23765,7 +25463,7 @@ index 0000000..5ad7425 + + +Default Defined Ports: -+tcp 8021 ++tcp 754 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -23809,17 +25507,19 @@ index 0000000..5ad7425 +selinux(8), kpropd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/krb5kdc_selinux.8 b/man/man8/krb5kdc_selinux.8 new file mode 100644 -index 0000000..8a01b27 +index 0000000..e96b9e3 --- /dev/null +++ b/man/man8/krb5kdc_selinux.8 -@@ -0,0 +1,131 @@ +@@ -0,0 +1,133 @@ +.TH "krb5kdc_selinux" "8" "krb5kdc" "dwalsh@redhat.com" "krb5kdc SELinux Policy documentation" +.SH "NAME" +krb5kdc_selinux \- Security Enhanced Linux Policy for the krb5kdc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the krb5kdc processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -23901,7 +25601,7 @@ index 0000000..8a01b27 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -23946,23 +25646,40 @@ index 0000000..8a01b27 +selinux(8), krb5kdc(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/ksmtuned_selinux.8 b/man/man8/ksmtuned_selinux.8 new file mode 100644 -index 0000000..5874ff2 +index 0000000..d0ec31b --- /dev/null +++ b/man/man8/ksmtuned_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,118 @@ +.TH "ksmtuned_selinux" "8" "ksmtuned" "dwalsh@redhat.com" "ksmtuned SELinux Policy documentation" +.SH "NAME" +ksmtuned_selinux \- Security Enhanced Linux Policy for the ksmtuned processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ksmtuned -+(Kernel Samepage Merging (KSM) Tuning Daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ksmtuned processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the ksmtuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ksmtuned_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the ksmtuned_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -24008,7 +25725,7 @@ index 0000000..5874ff2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24053,17 +25770,40 @@ index 0000000..5874ff2 +selinux(8), ksmtuned(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/ktalkd_selinux.8 b/man/man8/ktalkd_selinux.8 new file mode 100644 -index 0000000..2b084b7 +index 0000000..269f06a --- /dev/null +++ b/man/man8/ktalkd_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,148 @@ +.TH "ktalkd_selinux" "8" "ktalkd" "dwalsh@redhat.com" "ktalkd SELinux Policy documentation" +.SH "NAME" +ktalkd_selinux \- Security Enhanced Linux Policy for the ktalkd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ktalkd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the ktalkd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ktalkd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the ktalkd_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -24113,7 +25853,7 @@ index 0000000..2b084b7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24140,7 +25880,7 @@ index 0000000..2b084b7 + + +Default Defined Ports: -+tcp 8021 ++udp 517,518 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -24184,23 +25924,19 @@ index 0000000..2b084b7 +selinux(8), ktalkd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/l2tpd_selinux.8 b/man/man8/l2tpd_selinux.8 new file mode 100644 -index 0000000..be9e0f9 +index 0000000..79edab7 --- /dev/null +++ b/man/man8/l2tpd_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,137 @@ +.TH "l2tpd_selinux" "8" "l2tpd" "dwalsh@redhat.com" "l2tpd SELinux Policy documentation" +.SH "NAME" +l2tpd_selinux \- Security Enhanced Linux Policy for the l2tpd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B l2tpd -+(policy for l2tpd) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the l2tpd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -24223,7 +25959,7 @@ index 0000000..be9e0f9 +.br +.TP 5 +Paths: -+/usr/sbin/xl2tpd, /usr/sbin/openl2tpd ++/usr/sbin/xl2tpd, /usr/sbin/prol2tpd, /usr/sbin/openl2tpd + +.EX +.PP @@ -24235,7 +25971,15 @@ index 0000000..be9e0f9 +.br +.TP 5 +Paths: -+/etc/rc\.d/init\.d/xl2tpd, /etc/rc\.d/init\.d/openl2tpd ++/etc/rc\.d/init\.d/xl2tpd, /etc/rc\.d/init\.d/prol2tpd, /etc/rc\.d/init\.d/openl2tpd ++ ++.EX ++.PP ++.B l2tpd_tmp_t ++.EE ++ ++- Set files with the l2tpd_tmp_t type, if you want to store l2tpd temporary files in the /tmp directories. ++ + +.EX +.PP 
@@ -24247,15 +25991,40 @@ index 0000000..be9e0f9 +.br +.TP 5 +Paths: -+/var/run/xl2tpd(/.*)?, /var/run/xl2tpd\.pid ++/var/run/prol2tpd(/.*)?, /var/run/prol2tpd\.pid, /var/run/prol2tpd\.ctl, /var/run/xl2tpd\.pid, /var/run/openl2tpd\.pid, /var/run/xl2tpd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon +to apply the labels. + ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux l2tpd policy is very flexible allowing users to setup their l2tpd processes in as secure a method as possible. ++.PP ++The following port types are defined for l2tpd: ++ ++.EX ++.TP 5 ++.B l2tp_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 1701 ++.EE ++udp 1701 ++.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP @@ -24284,6 +26053,9 @@ index 0000000..be9e0f9 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage port ++can also be used to manipulate the port definitions ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -24295,17 +26067,19 @@ index 0000000..be9e0f9 +selinux(8), l2tpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ldconfig_selinux.8 b/man/man8/ldconfig_selinux.8 new file mode 100644 -index 0000000..488c36b +index 0000000..1e6fe8a --- /dev/null 
+++ b/man/man8/ldconfig_selinux.8 -@@ -0,0 +1,91 @@ +@@ -0,0 +1,93 @@ +.TH "ldconfig_selinux" "8" "ldconfig" "dwalsh@redhat.com" "ldconfig SELinux Policy documentation" +.SH "NAME" +ldconfig_selinux \- Security Enhanced Linux Policy for the ldconfig processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ldconfig processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -24347,7 +26121,7 @@ index 0000000..488c36b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24571,23 +26345,19 @@ index 0000000..8b6ac6e +selinux(8), libra(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lircd_selinux.8 b/man/man8/lircd_selinux.8 new file mode 100644 -index 0000000..6b5ddb1 +index 0000000..a6199d5 --- /dev/null +++ b/man/man8/lircd_selinux.8 -@@ -0,0 +1,135 @@ +@@ -0,0 +1,131 @@ +.TH "lircd_selinux" "8" "lircd" "dwalsh@redhat.com" "lircd SELinux Policy documentation" +.SH "NAME" +lircd_selinux \- Security Enhanced Linux Policy for the lircd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B lircd -+(Linux infared remote control daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the lircd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -24641,7 +26411,7 @@ index 0000000..6b5ddb1 +/var/run/lirc(/.*)?, /var/run/lircd(/.*)?, /var/run/lircd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24668,7 +26438,7 @@ index 0000000..6b5ddb1 + + +Default Defined Ports: -+tcp 8021 ++tcp 8765 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -24712,23 +26482,19 @@ index 0000000..6b5ddb1 +selinux(8), lircd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/livecd_selinux.8 b/man/man8/livecd_selinux.8 new file mode 100644 -index 0000000..01c43d5 +index 0000000..bb62485 --- /dev/null +++ b/man/man8/livecd_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,81 @@ +.TH "livecd_selinux" "8" "livecd" "dwalsh@redhat.com" "livecd SELinux Policy documentation" +.SH "NAME" +livecd_selinux \- Security Enhanced Linux Policy for the livecd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B livecd -+(Livecd tool for building alternate livecd for different os and policy versions) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the livecd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -24758,7 +26524,7 @@ index 0000000..01c43d5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24803,23 +26569,19 @@ index 0000000..01c43d5 +selinux(8), livecd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lldpad_selinux.8 b/man/man8/lldpad_selinux.8 new file mode 100644 -index 0000000..25e0ebf +index 0000000..c803575 --- /dev/null +++ b/man/man8/lldpad_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,105 @@ +.TH "lldpad_selinux" "8" "lldpad" "dwalsh@redhat.com" "lldpad SELinux Policy documentation" +.SH "NAME" +lldpad_selinux \- Security Enhanced Linux Policy for the lldpad processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B lldpad -+(policy for lldpad) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the lldpad processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -24873,7 +26635,7 @@ index 0000000..25e0ebf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -24918,17 +26680,17 @@ index 0000000..25e0ebf +selinux(8), lldpad(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/load_selinux.8 b/man/man8/load_selinux.8 new file mode 100644 -index 0000000..27bf215 +index 0000000..7a8cff3 --- /dev/null +++ b/man/man8/load_selinux.8 -@@ -0,0 +1,116 @@ +@@ -0,0 +1,118 @@ +.TH "load_selinux" "8" "load" "dwalsh@redhat.com" "load SELinux Policy documentation" +.SH "NAME" +load_selinux \- Security Enhanced Linux Policy for the load processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the load processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. load policy is extremely flexible and has several booleans that allow you to manipulate the policy and run load with the tightest access possible. @@ -24955,6 +26717,8 @@ index 0000000..27bf215 +.B setsebool -P domain_kernel_load_modules 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -24988,10 +26752,10 @@ index 0000000..27bf215 +.br +.TP 5 +Paths: -+/bin/unikeys, /usr/bin/unikeys, /bin/loadkeys, /usr/bin/loadkeys ++/bin/unikeys, /bin/loadkeys, /usr/bin/unikeys, /usr/bin/loadkeys + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25041,23 +26805,19 @@ index 0000000..27bf215 \ No newline at end of file diff --git a/man/man8/loadkeys_selinux.8 b/man/man8/loadkeys_selinux.8 new file mode 100644 -index 0000000..7ea5471 +index 0000000..4f7ed0a --- /dev/null 
+++ b/man/man8/loadkeys_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,77 @@ +.TH "loadkeys_selinux" "8" "loadkeys" "dwalsh@redhat.com" "loadkeys SELinux Policy documentation" +.SH "NAME" +loadkeys_selinux \- Security Enhanced Linux Policy for the loadkeys processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B loadkeys -+(Load keyboard mappings) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the loadkeys processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -25080,10 +26840,10 @@ index 0000000..7ea5471 +.br +.TP 5 +Paths: -+/bin/unikeys, /usr/bin/unikeys, /bin/loadkeys, /usr/bin/loadkeys ++/bin/unikeys, /bin/loadkeys, /usr/bin/unikeys, /usr/bin/loadkeys + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25128,17 +26888,40 @@ index 0000000..7ea5471 +selinux(8), loadkeys(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/locate_selinux.8 b/man/man8/locate_selinux.8 new file mode 100644 -index 0000000..d9c0a33 +index 0000000..6c760a2 --- /dev/null 
+++ b/man/man8/locate_selinux.8 -@@ -0,0 +1,87 @@ +@@ -0,0 +1,110 @@ +.TH "locate_selinux" "8" "locate" "dwalsh@redhat.com" "locate SELinux Policy documentation" +.SH "NAME" +locate_selinux \- Security Enhanced Linux Policy for the locate processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the locate processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the locate_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the locate_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the locate_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -25176,7 +26959,7 @@ index 0000000..d9c0a33 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25221,23 +27004,19 @@ index 0000000..d9c0a33 +selinux(8), locate(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lockdev_selinux.8 b/man/man8/lockdev_selinux.8 new file mode 100644 -index 0000000..c899a1b +index 0000000..b3a911c --- /dev/null 
+++ b/man/man8/lockdev_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,81 @@ +.TH "lockdev_selinux" "8" "lockdev" "dwalsh@redhat.com" "lockdev SELinux Policy documentation" +.SH "NAME" +lockdev_selinux \- Security Enhanced Linux Policy for the lockdev processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B lockdev -+(device locking policy for lockdev) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the lockdev processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -25267,7 +27046,7 @@ index 0000000..c899a1b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25383,23 +27162,40 @@ index 0000000..0edd73f +selinux(8), semanage(8). diff --git a/man/man8/logrotate_selinux.8 b/man/man8/logrotate_selinux.8 new file mode 100644 -index 0000000..7f01fd7 +index 0000000..f5aed8f --- /dev/null 
+++ b/man/man8/logrotate_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,130 @@ +.TH "logrotate_selinux" "8" "logrotate" "dwalsh@redhat.com" "logrotate SELinux Policy documentation" +.SH "NAME" +logrotate_selinux \- Security Enhanced Linux Policy for the logrotate processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B logrotate -+(Rotate and archive system logs) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the logrotate processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the logrotate_t, logrotate_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the logrotate_t, logrotate_mail_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the logrotate_t, logrotate_mail_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -25457,7 +27253,7 @@ index 0000000..7f01fd7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25502,23 +27298,40 @@ index 0000000..7f01fd7 +selinux(8), logrotate(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/logwatch_selinux.8 b/man/man8/logwatch_selinux.8 new file mode 100644 -index 0000000..a03fd51 +index 0000000..3bb0031 --- /dev/null 
+++ b/man/man8/logwatch_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,142 @@ +.TH "logwatch_selinux" "8" "logwatch" "dwalsh@redhat.com" "logwatch SELinux Policy documentation" +.SH "NAME" +logwatch_selinux \- Security Enhanced Linux Policy for the logwatch processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B logwatch -+(System log analyzer and reporter) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the logwatch processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the logwatch_mail_t, logwatch_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the logwatch_mail_t, logwatch_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the logwatch_mail_t, logwatch_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -25588,7 +27401,7 @@ index 0000000..a03fd51 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25633,24 +27446,18 @@ index 0000000..a03fd51 +selinux(8), logwatch(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lpd_selinux.8 b/man/man8/lpd_selinux.8 new file mode 100644 -index 0000000..f69947a +index 0000000..e7c1233 --- /dev/null 
+++ b/man/man8/lpd_selinux.8 -@@ -0,0 +1,112 @@ +@@ -0,0 +1,129 @@ +.TH "lpd_selinux" "8" "lpd" "dwalsh@redhat.com" "lpd SELinux Policy documentation" +.SH "NAME" +lpd_selinux \- Security Enhanced Linux Policy for the lpd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B lpd -+(Line printer daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the lpd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. lpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run lpd with the tightest access possible. + @@ -25662,6 +27469,29 @@ index 0000000..f69947a +.B setsebool -P use_lpd_server 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the lpr_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -25699,10 +27529,10 @@ index 0000000..f69947a +.br +.TP 5 +Paths: -+/var/run/lprng(/.*)?, /var/spool/turboprint(/.*)? ++/var/spool/turboprint(/.*)?, /var/run/lprng(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25752,17 +27582,40 @@ index 0000000..f69947a \ No newline at end of file diff --git a/man/man8/lpr_selinux.8 b/man/man8/lpr_selinux.8 new file mode 100644 -index 0000000..90d47ef +index 0000000..fcddadc --- /dev/null +++ b/man/man8/lpr_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,106 @@ +.TH "lpr_selinux" "8" "lpr" "dwalsh@redhat.com" "lpr SELinux Policy documentation" +.SH "NAME" +lpr_selinux \- Security Enhanced Linux Policy for the lpr processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the lpr processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the lpr_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the lpr_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the lpr_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -25785,7 +27638,7 @@ index 0000000..90d47ef +.br +.TP 5 +Paths: -+/usr/sbin/accept, /usr/bin/cancel(\.cups)?, /usr/bin/lp(\.cups)?, /usr/bin/lpstat(\.cups)?, /usr/sbin/lpc(\.cups)?, /usr/local/linuxprinter/bin/l?lpr, /usr/bin/lpoptions, /usr/sbin/lpadmin, /usr/sbin/lpinfo, /opt/gutenprint/s?bin(/.*)?, /usr/bin/lpr(\.cups)?, /usr/bin/lpq(\.cups)?, /usr/sbin/lpmove, /usr/bin/lprm(\.cups)? ++/usr/sbin/accept, /opt/gutenprint/s?bin(/.*)?, /usr/bin/cancel(\.cups)?, /usr/bin/lp(\.cups)?, /usr/bin/lpstat(\.cups)?, /usr/sbin/lpc(\.cups)?, /usr/local/linuxprinter/bin/l?lpr, /usr/bin/lpoptions, /usr/sbin/lpadmin, /usr/sbin/lpinfo, /usr/bin/lpr(\.cups)?, /usr/bin/lpq(\.cups)?, /usr/sbin/lpmove, /usr/bin/lprm(\.cups)? + +.EX +.PP @@ -25796,7 +27649,7 @@ index 0000000..90d47ef + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25841,17 +27694,19 @@ index 0000000..90d47ef +selinux(8), lpr(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lsassd_selinux.8 b/man/man8/lsassd_selinux.8 new file mode 100644 -index 0000000..087cd7b +index 0000000..2114550 --- /dev/null +++ b/man/man8/lsassd_selinux.8 -@@ -0,0 +1,111 @@ +@@ -0,0 +1,113 @@ +.TH "lsassd_selinux" "8" "lsassd" "dwalsh@redhat.com" "lsassd SELinux Policy documentation" +.SH "NAME" +lsassd_selinux \- Security Enhanced Linux Policy for the lsassd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the lsassd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
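Review bot: In the lsassd_selinux.8 hunk the new `.SH NSSWITCH DOMAIN` heading is followed directly by `.SH FILE CONTEXTS`, so the page renders an empty section. A reader cannot tell whether no nsswitch booleans apply to this domain or the content is missing. Either skip the heading when there is nothing to list, or emit a one-line body such as `No nsswitch-related booleans apply to the lsassd domains.` The lvm, lwiod, lwregd, lwsmd, matahari, mcelog, mencoder, modemmanager and mongod pages later in this diff have the same empty heading.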
@@ -25913,7 +27768,7 @@ index 0000000..087cd7b +/var/lib/likewise-open/rpc/lsass, /var/lib/likewise-open/\.lsassd, /var/lib/likewise-open/\.ntlmd + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -25958,23 +27813,19 @@ index 0000000..087cd7b +selinux(8), lsassd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lvm_selinux.8 b/man/man8/lvm_selinux.8 new file mode 100644 -index 0000000..20c9a41 +index 0000000..e1e6185 --- /dev/null +++ b/man/man8/lvm_selinux.8 -@@ -0,0 +1,141 @@ +@@ -0,0 +1,137 @@ +.TH "lvm_selinux" "8" "lvm" "dwalsh@redhat.com" "lvm SELinux Policy documentation" +.SH "NAME" +lvm_selinux \- Security Enhanced Linux Policy for the lvm processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B lvm -+(Policy for logical volume management programs) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the lvm processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -26005,7 +27856,7 @@ index 0000000..20c9a41 +.br +.TP 5 +Paths: -+/sbin/dmsetup, /usr/sbin/dmsetup, /usr/sbin/pvchange, /sbin/dmraid, /sbin/pvremove, /sbin/vgextend, /sbin/vgmerge, /sbin/vgscan\.static, /usr/sbin/pvdisplay, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /usr/sbin/vgremove, /usr/lib/lvm-10/.*, /sbin/pvs, /sbin/lvmdiskscan, /sbin/lvresize, /sbin/vgmknodes, /usr/sbin/lvdisplay, /usr/sbin/mount\.crypt, /usr/sbin/vgsplit, /usr/lib/systemd/systemd-cryptsetup, /sbin/pvmove, /sbin/multipath\.static, /usr/sbin/pvcreate, /usr/sbin/lvmdiskscan, /usr/sbin/vgcfgbackup, /usr/sbin/vgimport, /sbin/vgck, /sbin/pvscan, /usr/sbin/lvmchange, /sbin/lvreduce, /sbin/vgremove, /sbin/vgscan, /sbin/lvremove, /lib/lvm-200/.*, /usr/sbin/lvremove, /sbin/pvcreate, /usr/sbin/lvrename, /usr/sbin/lvmsadc, /usr/sbin/lvm, /usr/lib/lvm-200/.*, /usr/sbin/pvdata, /sbin/vgchange, /sbin/lvm\.static, /sbin/vgcfgbackup, /sbin/e2fsadm, /sbin/lvm, /sbin/pvdata, /usr/sbin/lvmiopversion, /usr/sbin/vgextend, /sbin/lvextend, /usr/lib/udev/udisks-lvm-pv-export, /sbin/vgcfgrestore, /usr/sbin/vgscan, /sbin/vgs, /sbin/lvmchange, /sbin/vgimport, /usr/sbin/lvscan, /usr/sbin/pvscan, /usr/sbin/vgreduce, /usr/sbin/dmsetup\.static, /usr/sbin/vgchange\.static, /usr/sbin/vgexport, /usr/sbin/lvextend, /usr/sbin/cryptsetup, /usr/sbin/dmraid, /usr/sbin/lvresize, /sbin/dmsetup\.static, /sbin/lvmsar, /usr/sbin/vgs, /usr/sbin/vgrename, /usr/sbin/lvs, /sbin/vgchange\.static, /usr/sbin/pvmove, /sbin/lvmsadc, /usr/sbin/vgmknodes, /sbin/lvmiopversion, /usr/sbin/vgscan\.static, /sbin/pvdisplay, /sbin/vgsplit, /usr/sbin/vgcfgrestore, /usr/sbin/kpartx, /sbin/cryptsetup, /usr/sbin/lvcreate, /lib/udev/udisks-lvm-pv-export, /sbin/vgwrapper, /sbin/lvchange, /sbin/pvchange, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/mount\.crypt, /sbin/vgcreate, /sbin/vgreduce, /usr/sbin/lvreduce, /usr/sbin/vgwrapper, /sbin/lvrename, /lib/systemd/systemd-cryptsetup, /sbin/multipathd, /usr/sbin/vgcreate, /usr/sbin/vgmerge, 
/sbin/vgexport, /usr/sbin/lvchange, /sbin/lvs, /usr/sbin/lvmsar, /usr/sbin/multipath\.static, /usr/sbin/vgdisplay, /usr/sbin/vgchange, /sbin/kpartx, /usr/sbin/pvs, /lib/lvm-10/.*, /sbin/lvscan, /sbin/lvcreate, /sbin/vgdisplay, /usr/sbin/pvremove, /usr/sbin/e2fsadm ++/sbin/dmsetup, /usr/sbin/dmsetup, /usr/sbin/pvchange, /sbin/dmraid, /sbin/pvremove, /sbin/vgextend, /sbin/vgscan\.static, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /usr/sbin/vgmknodes, /usr/lib/lvm-10/.*, /sbin/pvs, /sbin/lvmdiskscan, /sbin/lvresize, /sbin/vgmknodes, /usr/sbin/lvdisplay, /usr/sbin/mount\.crypt, /usr/sbin/pvs, /usr/sbin/vgsplit, /usr/lib/systemd/systemd-cryptsetup, /sbin/pvmove, /sbin/multipath\.static, /usr/sbin/pvcreate, /usr/sbin/lvmdiskscan, /usr/sbin/vgcfgbackup, /usr/sbin/lvmiopversion, /usr/sbin/vgimport, /sbin/vgck, /sbin/pvscan, /usr/sbin/lvmchange, /sbin/lvreduce, /sbin/vgremove, /sbin/vgscan, /sbin/vgsplit, /lib/lvm-200/.*, /usr/sbin/lvremove, /sbin/vgmerge, /usr/sbin/vgchange\.static, /sbin/pvcreate, /usr/sbin/lvm, /usr/sbin/lvrename, /usr/sbin/lvmsadc, /usr/lib/lvm-200/.*, /usr/sbin/pvdata, /usr/sbin/lvmetad, /sbin/vgchange, /sbin/lvm\.static, /sbin/vgcfgbackup, /sbin/e2fsadm, /sbin/lvm, /sbin/pvdata, /usr/sbin/lvcreate, /usr/sbin/vgextend, /sbin/lvextend, /usr/lib/udev/udisks-lvm-pv-export, /sbin/vgcfgrestore, /usr/sbin/vgscan, /sbin/vgs, /sbin/lvmchange, /sbin/vgimport, /usr/sbin/lvscan, /usr/sbin/pvscan, /usr/sbin/vgreduce, /usr/sbin/dmsetup\.static, /usr/sbin/vgexport, /usr/sbin/lvextend, /usr/sbin/cryptsetup, /usr/sbin/dmraid, /usr/sbin/lvresize, /sbin/dmsetup\.static, /sbin/lvmsar, /usr/sbin/vgs, /usr/sbin/vgrename, /usr/sbin/lvs, /sbin/vgchange\.static, /usr/sbin/pvmove, /sbin/lvmsadc, /sbin/lvmetad, /sbin/lvmiopversion, /usr/sbin/pvdisplay, /usr/sbin/vgremove, /usr/sbin/vgscan\.static, /sbin/pvdisplay, /usr/sbin/vgcfgrestore, /usr/sbin/kpartx, /sbin/cryptsetup, /lib/udev/udisks-lvm-pv-export, /sbin/vgwrapper, /sbin/lvchange, /sbin/pvchange, 
/usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/mount\.crypt, /sbin/vgcreate, /usr/sbin/vgwrapper, /sbin/vgreduce, /usr/sbin/lvreduce, /sbin/lvrename, /sbin/multipathd, /usr/sbin/vgcreate, /usr/sbin/vgmerge, /sbin/vgexport, /usr/sbin/lvchange, /sbin/lvs, /usr/sbin/lvmsar, /usr/sbin/multipath\.static, /usr/sbin/vgchange, /sbin/kpartx, /lib/lvm-10/.*, /sbin/lvscan, /sbin/lvcreate, /sbin/vgdisplay, /usr/sbin/vgdisplay, /sbin/lvremove, /usr/sbin/pvremove, /usr/sbin/e2fsadm + +.EX +.PP @@ -26060,7 +27911,7 @@ index 0000000..20c9a41 +/var/run/lvm(/.*)?, /var/run/multipathd\.sock, /var/run/dmevent.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26105,17 +27956,19 @@ index 0000000..20c9a41 +selinux(8), lvm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lwiod_selinux.8 b/man/man8/lwiod_selinux.8 new file mode 100644 -index 0000000..39b80fc +index 0000000..ac1ec18 --- /dev/null +++ b/man/man8/lwiod_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "lwiod_selinux" "8" "lwiod" "dwalsh@redhat.com" "lwiod SELinux Policy documentation" +.SH "NAME" +lwiod_selinux \- Security Enhanced Linux Policy for the lwiod processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the lwiod processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -26161,7 +28014,7 @@ index 0000000..39b80fc + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26206,17 +28059,19 @@ index 0000000..39b80fc +selinux(8), lwiod(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lwregd_selinux.8 b/man/man8/lwregd_selinux.8 new file mode 100644 -index 0000000..e954cd1 +index 0000000..1498718 --- /dev/null +++ b/man/man8/lwregd_selinux.8 -@@ -0,0 +1,99 @@ +@@ -0,0 +1,101 @@ +.TH "lwregd_selinux" "8" "lwregd" "dwalsh@redhat.com" "lwregd SELinux Policy documentation" +.SH "NAME" +lwregd_selinux \- Security Enhanced Linux Policy for the lwregd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the lwregd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -26266,7 +28121,7 @@ index 0000000..e954cd1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26311,17 +28166,19 @@ index 0000000..e954cd1 +selinux(8), lwregd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/lwsmd_selinux.8 b/man/man8/lwsmd_selinux.8 new file mode 100644 -index 0000000..96c1b69 +index 0000000..5fc974a --- /dev/null 
+++ b/man/man8/lwsmd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "lwsmd_selinux" "8" "lwsmd" "dwalsh@redhat.com" "lwsmd SELinux Policy documentation" +.SH "NAME" +lwsmd_selinux \- Security Enhanced Linux Policy for the lwsmd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the lwsmd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -26367,7 +28224,7 @@ index 0000000..96c1b69 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26412,17 +28269,17 @@ index 0000000..96c1b69 +selinux(8), lwsmd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mail_selinux.8 b/man/man8/mail_selinux.8 new file mode 100644 -index 0000000..bd12996 +index 0000000..fa8711d --- /dev/null +++ b/man/man8/mail_selinux.8 -@@ -0,0 +1,277 @@ +@@ -0,0 +1,300 @@ +.TH "mail_selinux" "8" "mail" "dwalsh@redhat.com" "mail SELinux Policy documentation" +.SH "NAME" +mail_selinux \- Security Enhanced Linux Policy for the mail processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the mail processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mail with the tightest access possible. 
@@ -26456,6 +28313,29 @@ index 0000000..bd12996 +.B setsebool -P gitosis_can_sendmail 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the mailman_mail_t, mailman_cgi_t, mailman_queue_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mailman_mail_t, mailman_cgi_t, mailman_queue_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the mailman_mail_t, mailman_cgi_t, mailman_queue_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -26620,7 +28500,7 @@ index 0000000..bd12996 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26647,7 +28527,7 @@ index 0000000..bd12996 + + +Default Defined Ports: -+tcp 8021 ++tcp 2000,3905 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -26696,23 +28576,40 @@ index 0000000..bd12996 \ No newline at end of file diff --git a/man/man8/mailman_selinux.8 b/man/man8/mailman_selinux.8 new file mode 100644 -index 0000000..2cc348b +index 0000000..ca4b45e --- /dev/null 
+++ b/man/man8/mailman_selinux.8 -@@ -0,0 +1,169 @@ +@@ -0,0 +1,186 @@ +.TH "mailman_selinux" "8" "mailman" "dwalsh@redhat.com" "mailman SELinux Policy documentation" +.SH "NAME" +mailman_selinux \- Security Enhanced Linux Policy for the mailman processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mailman -+(Mailman is for managing electronic mail discussion and e-newsletter lists) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mailman processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the mailman_mail_t, mailman_cgi_t, mailman_queue_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mailman_mail_t, mailman_cgi_t, mailman_queue_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the mailman_mail_t, mailman_cgi_t, mailman_queue_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -26826,7 +28723,7 @@ index 0000000..2cc348b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -26871,23 +28768,19 @@ index 0000000..2cc348b +selinux(8), mailman(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/matahari_selinux.8 b/man/man8/matahari_selinux.8 new file mode 100644 -index 0000000..6cbe09a +index 0000000..9c085f6 --- /dev/null +++ b/man/man8/matahari_selinux.8 -@@ -0,0 +1,243 @@ +@@ -0,0 +1,225 @@ +.TH "matahari_selinux" "8" "matahari" "dwalsh@redhat.com" "matahari SELinux Policy documentation" +.SH "NAME" +matahari_selinux \- Security Enhanced Linux Policy for the matahari processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B matahari -+(policy for matahari) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the matahari processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -26919,10 +28812,6 @@ index 0000000..6cbe09a + +- Set files with the matahari_hostd_unit_file_t type, if you want to treat the files as matahari hostd unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/matahari-host\.service, /lib/systemd/system/matahari-host\.service + +.EX +.PP @@ -26934,7 +28823,7 @@ index 0000000..6cbe09a +.br +.TP 5 +Paths: -+/etc/rc\.d/init\.d/matahari-sysconfig, /etc/rc\.d/init\.d/matahari-host, /etc/rc\.d/init\.d/matahari-service, /etc/init.d/matahari-sysconfig-console, /etc/rc\.d/init\.d/matahari-net ++/etc/rc\.d/init\.d/matahari-sysconfig, /etc/rc\.d/init\.d/matahari-host, /etc/rc\.d/init\.d/matahari-service, /etc/rc\.d/init.d/matahari-sysconfig-console, /etc/rc\.d/init\.d/matahari-net + +.EX +.PP @@ -26946,7 +28835,7 @@ index 0000000..6cbe09a +.br +.TP 5 +Paths: -+/usr/sbin/matahari-qmf-networkd, /usr/sbin/matahari-dbus-networkd, /usr/sbin/matahari-netd ++/usr/sbin/matahari-qmf-networkd, /usr/sbin/matahari-netd, /usr/sbin/matahari-dbus-networkd + +.EX +.PP 
@@ -26955,10 +28844,6 @@ index 0000000..6cbe09a + +- Set files with the matahari_netd_unit_file_t type, if you want to treat the files as matahari netd unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/matahari-network\.service, /lib/systemd/system/matahari-network\.service + +.EX +.PP @@ -26975,10 +28860,6 @@ index 0000000..6cbe09a + +- Set files with the matahari_rpcd_unit_file_t type, if you want to treat the files as matahari rpcd unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/matahari-rpc.service, /lib/systemd/system/matahari-rpc.service + +.EX +.PP @@ -26999,10 +28880,6 @@ index 0000000..6cbe09a + +- Set files with the matahari_serviced_unit_file_t type, if you want to treat the files as matahari serviced unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/matahari-service\.service, /lib/systemd/system/matahari-service\.service + +.EX +.PP @@ -27014,7 +28891,7 @@ index 0000000..6cbe09a +.br +.TP 5 +Paths: -+/usr/sbin/matahari-qmf-sysconfigd, /usr/sbin/matahari-qmf-sysconfig-consoled ++/usr/sbin/matahari-qmf-sysconfig-consoled, /usr/sbin/matahari-dbus-sysconfigd, /usr/sbin/matahari-qmf-sysconfigd + +.EX +.PP @@ -27026,7 +28903,7 @@ index 0000000..6cbe09a +.br +.TP 5 +Paths: -+/usr/lib/systemd/system/matahari-sysconfig-console\.service, /lib/systemd/system/matahari-sysconfig\.service, /usr/lib/systemd/system/matahari-sysconfig\.service, /lib/systemd/system/matahari-sysconfig-console\.service ++/usr/lib/systemd/system/matahari-sysconfig-console.*, /usr/lib/systemd/system/matahari-sysconfig.* + +.EX +.PP 
@@ -27049,7 +28926,7 @@ index 0000000..6cbe09a +/var/run/matahari(/.*)?, /var/run/matahari\.pid, /var/run/matahari-broker\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27076,7 +28953,9 @@ index 0000000..6cbe09a + + +Default Defined Ports: -+tcp 8021 ++tcp 49000 ++.EE ++udp 49000 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -27120,23 +28999,19 @@ index 0000000..6cbe09a +selinux(8), matahari(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mcelog_selinux.8 b/man/man8/mcelog_selinux.8 new file mode 100644 -index 0000000..7292383 +index 0000000..263046c --- /dev/null +++ b/man/man8/mcelog_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,89 @@ +.TH "mcelog_selinux" "8" "mcelog" "dwalsh@redhat.com" "mcelog SELinux Policy documentation" +.SH "NAME" +mcelog_selinux \- Security Enhanced Linux Policy for the mcelog processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mcelog -+(policy for mcelog) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mcelog processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
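Review bot: The new port list in matahari_selinux.8 emits `.EE` after `tcp 49000` and again after `udp 49000`. The example block is therefore closed before the udp line, and the second `.EE` has no opener of its own, so the udp port falls outside the block. Emit one terminator after the last protocol line, i.e. `tcp 49000`, `udp 49000`, then a single `.EE`. The memcached page later in this diff (`tcp 11211` / `udp 11211`) has the same shape. The opening of this block lies outside the hunk, so the pairing is inferred from the visible `.EE` lines only.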
@@ -27174,7 +29049,7 @@ index 0000000..7292383 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27219,17 +29094,40 @@ index 0000000..7292383 +selinux(8), mcelog(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mdadm_selinux.8 b/man/man8/mdadm_selinux.8 new file mode 100644 -index 0000000..ab79be5 +index 0000000..16da3ea --- /dev/null +++ b/man/man8/mdadm_selinux.8 -@@ -0,0 +1,87 @@ +@@ -0,0 +1,110 @@ +.TH "mdadm_selinux" "8" "mdadm" "dwalsh@redhat.com" "mdadm SELinux Policy documentation" +.SH "NAME" +mdadm_selinux \- Security Enhanced Linux Policy for the mdadm processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the mdadm processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the mdadm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mdadm_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the mdadm_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -27267,7 +29165,7 @@ index 0000000..ab79be5 +/var/run/mdadm(/.*)?, /dev/md/.*, /dev/.mdadm\.map + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27312,24 +29210,18 @@ index 0000000..ab79be5 +selinux(8), mdadm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/memcached_selinux.8 b/man/man8/memcached_selinux.8 new file mode 100644 -index 0000000..62d286c +index 0000000..8a6865b --- /dev/null +++ b/man/man8/memcached_selinux.8 -@@ -0,0 +1,138 @@ +@@ -0,0 +1,157 @@ +.TH "memcached_selinux" "8" "memcached" "dwalsh@redhat.com" "memcached SELinux Policy documentation" +.SH "NAME" +memcached_selinux \- Security Enhanced Linux Policy for the memcached processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B memcached -+(high-performance memory object caching system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the memcached processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. memcached policy is extremely flexible and has several booleans that allow you to manipulate the policy and run memcached with the tightest access possible. + 
@@ -27341,6 +29233,29 @@ index 0000000..62d286c +.B setsebool -P httpd_can_network_memcache 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the memcached_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the memcached_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the memcached_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -27381,7 +29296,7 @@ index 0000000..62d286c +/var/run/ipa_memcached(/.*)?, /var/run/memcached(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27408,7 +29323,9 @@ index 0000000..62d286c + + +Default Defined Ports: -+tcp 8021 ++tcp 11211 ++.EE ++udp 11211 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -27457,17 +29374,19 @@ index 0000000..62d286c \ No newline at end of file diff --git a/man/man8/mencoder_selinux.8 b/man/man8/mencoder_selinux.8 new file mode 100644 -index 0000000..aa093ee +index 0000000..57779c6 --- /dev/null 
+++ b/man/man8/mencoder_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "mencoder_selinux" "8" "mencoder" "dwalsh@redhat.com" "mencoder SELinux Policy documentation" +.SH "NAME" +mencoder_selinux \- Security Enhanced Linux Policy for the mencoder processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the mencoder processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -27489,7 +29408,7 @@ index 0000000..aa093ee + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27534,24 +29453,18 @@ index 0000000..aa093ee +selinux(8), mencoder(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mock_selinux.8 b/man/man8/mock_selinux.8 new file mode 100644 -index 0000000..e7cc7e3 +index 0000000..4918991 --- /dev/null +++ b/man/man8/mock_selinux.8 -@@ -0,0 +1,132 @@ +@@ -0,0 +1,149 @@ +.TH "mock_selinux" "8" "mock" "dwalsh@redhat.com" "mock SELinux Policy documentation" +.SH "NAME" +mock_selinux \- Security Enhanced Linux Policy for the mock processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mock -+(policy for mock) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mock processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. mock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mock with the tightest access possible. + 
@@ -27563,6 +29476,29 @@ index 0000000..e7cc7e3 +.B setsebool -P mock_enable_homedirs 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the mock_t, mock_build_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mock_t, mock_build_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the mock_t, mock_build_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -27623,7 +29559,7 @@ index 0000000..e7cc7e3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27673,23 +29609,19 @@ index 0000000..e7cc7e3 \ No newline at end of file diff --git a/man/man8/modemmanager_selinux.8 b/man/man8/modemmanager_selinux.8 new file mode 100644 -index 0000000..3772dfe +index 0000000..144fd3c --- /dev/null 
+++ b/man/man8/modemmanager_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "modemmanager_selinux" "8" "modemmanager" "dwalsh@redhat.com" "modemmanager SELinux Policy documentation" +.SH "NAME" +modemmanager_selinux \- Security Enhanced Linux Policy for the modemmanager processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B modemmanager -+(Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the modemmanager processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -27711,7 +29643,7 @@ index 0000000..3772dfe + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27756,17 +29688,19 @@ index 0000000..3772dfe +selinux(8), modemmanager(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mongod_selinux.8 b/man/man8/mongod_selinux.8 new file mode 100644 -index 0000000..7282fb2 +index 0000000..b428089 --- /dev/null +++ b/man/man8/mongod_selinux.8 -@@ -0,0 +1,145 @@ +@@ -0,0 +1,151 @@ +.TH "mongod_selinux" "8" "mongod" "dwalsh@redhat.com" "mongod SELinux Policy documentation" +.SH "NAME" +mongod_selinux \- Security Enhanced Linux Policy for the mongod processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the mongod processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -27806,6 +29740,10 @@ index 0000000..7282fb2 + +- Set files with the mongod_log_t type, if you want to treat the data as mongod log data, usually stored under the /var/log directory. + ++.br ++.TP 5 ++Paths: ++/var/log/aeolus-conductor/dbomatic\.log, /var/log/mongodb(/.*)? + +.EX +.PP @@ -27836,7 +29774,7 @@ index 0000000..7282fb2 +/var/run/mongodb(/.*)?, /var/run/aeolus/dbomatic\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -27863,7 +29801,7 @@ index 0000000..7282fb2 + + +Default Defined Ports: -+tcp 8021 ++tcp 27017 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -27907,24 +29845,18 @@ index 0000000..7282fb2 +selinux(8), mongod(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mount_selinux.8 b/man/man8/mount_selinux.8 new file mode 100644 -index 0000000..9744fa7 +index 0000000..19ab1b5 --- /dev/null +++ b/man/man8/mount_selinux.8 -@@ -0,0 +1,131 @@ +@@ -0,0 +1,168 @@ +.TH "mount_selinux" "8" "mount" "dwalsh@redhat.com" "mount SELinux Policy documentation" +.SH "NAME" +mount_selinux \- Security Enhanced Linux Policy for the mount processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mount -+(Policy for mount) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mount processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. mount policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mount with the tightest access possible. + 
@@ -27943,6 +29875,29 @@ index 0000000..9744fa7 +.B setsebool -P xguest_mount_media 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the mount_t, mount_ecryptfs_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mount_t, mount_ecryptfs_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the mount_t, mount_ecryptfs_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -27956,6 +29911,26 @@ index 0000000..9744fa7 + +.EX +.PP ++.B mount_ecryptfs_exec_t ++.EE ++ ++- Set files with the mount_ecryptfs_exec_t type, if you want to transition an executable to the mount_ecryptfs_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/mount\.ecryptfs_private, /usr/sbin/mount\.ecryptfs, /usr/sbin/umount\.ecryptfs, /usr/sbin/umount\.ecryptfs_private ++ ++.EX ++.PP ++.B mount_ecryptfs_tmpfs_t ++.EE ++ ++- Set files with the mount_ecryptfs_tmpfs_t type, if you want to store mount ecryptfs files on a tmpfs file system. ++ ++ ++.EX ++.PP +.B mount_exec_t +.EE + @@ -27995,7 +29970,7 @@ index 0000000..9744fa7 +/run/mount(/.*)?, /dev/\.mount(/.*)?, /var/run/mount(/.*)?, /var/run/davfs2(/.*)?, /var/cache/davfs2(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -28012,7 +29987,7 @@ index 0000000..9744fa7 +The following process types are defined for mount: + +.EX -+.B mount_t ++.B mount_t, mount_ecryptfs_t +.EE +.PP +Note: @@ -28045,24 +30020,18 @@ index 0000000..9744fa7 \ No newline at end of file diff --git a/man/man8/mozilla_selinux.8 b/man/man8/mozilla_selinux.8 new file mode 100644 -index 0000000..2b94a8b +index 0000000..227bf9f --- /dev/null +++ b/man/man8/mozilla_selinux.8 -@@ -0,0 +1,179 @@ +@@ -0,0 +1,203 @@ +.TH "mozilla_selinux" "8" "mozilla" "dwalsh@redhat.com" "mozilla SELinux Policy documentation" +.SH "NAME" +mozilla_selinux \- Security Enhanced Linux Policy for the mozilla processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mozilla -+(Policy for Mozilla and related web browsers) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mozilla processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. mozilla policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mozilla with the tightest access possible. + 
@@ -28081,6 +30050,36 @@ index 0000000..2b94a8b +.B setsebool -P unconfined_mozilla_plugin_transition 1 +.EE + ++.PP ++If you want to allow mozilla_plugins to create random content in the users home director, you must turn on the mozilla_plugin_enable_homedirs boolean. ++ ++.EX ++.B setsebool -P mozilla_plugin_enable_homedirs 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the mozilla_plugin_config_t, mozilla_t, mozilla_plugin_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -28181,7 +30180,7 @@ index 0000000..2b94a8b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28231,47 +30230,41 @@ index 0000000..2b94a8b \ No newline at end of file diff --git a/man/man8/mpd_selinux.8 b/man/man8/mpd_selinux.8 new file mode 100644 -index 0000000..76210f5 +index 0000000..2074388 --- /dev/null 
+++ b/man/man8/mpd_selinux.8 -@@ -0,0 +1,206 @@ +@@ -0,0 +1,223 @@ +.TH "mpd_selinux" "8" "mpd" "dwalsh@redhat.com" "mpd SELinux Policy documentation" +.SH "NAME" +mpd_selinux \- Security Enhanced Linux Policy for the mpd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mpd -+(Music Player Daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mpd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. mpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mpd with the tightest access possible. + + +.PP -+If you want to allow mplayer executable stac, you must turn on the allow_mplayer_execstack boolean. ++If you want to allow all daemons to write corefiles to , you must turn on the allow_daemons_dump_core boolean. + +.EX -+.B setsebool -P allow_mplayer_execstack 1 ++.B setsebool -P allow_daemons_dump_core 1 +.EE + +.PP -+If you want to allow all daemons to write corefiles to , you must turn on the allow_daemons_dump_core boolean. ++If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean. + +.EX -+.B setsebool -P allow_daemons_dump_core 1 ++.B setsebool -P httpd_tmp_exec 1 +.EE + +.PP -+If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean. ++If you want to allow mplayer executable stac, you must turn on the allow_mplayer_execstack boolean. + +.EX -+.B setsebool -P httpd_tmp_exec 1 ++.B setsebool -P allow_mplayer_execstack 1 +.EE + +.PP 
@@ -28288,6 +30281,29 @@ index 0000000..76210f5 +.B setsebool -P allow_gssd_read_tmp 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the mpd_t, mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mpd_t, mplayer_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the mpd_t, mplayer_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -28368,7 +30384,7 @@ index 0000000..76210f5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28395,7 +30411,7 @@ index 0000000..76210f5 + + +Default Defined Ports: -+tcp 8021 ++tcp 6600 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -28444,24 +30460,18 @@ index 0000000..76210f5 \ No newline at end of file diff --git a/man/man8/mplayer_selinux.8 b/man/man8/mplayer_selinux.8 new file mode 100644 -index 0000000..0098b19 +index 0000000..60f8f87 --- /dev/null 
+++ b/man/man8/mplayer_selinux.8 -@@ -0,0 +1,127 @@ +@@ -0,0 +1,144 @@ +.TH "mplayer_selinux" "8" "mplayer" "dwalsh@redhat.com" "mplayer SELinux Policy documentation" +.SH "NAME" +mplayer_selinux \- Security Enhanced Linux Policy for the mplayer processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mplayer -+(Mplayer media player and encoder) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mplayer processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. mplayer policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mplayer with the tightest access possible. + @@ -28480,6 +30490,29 @@ index 0000000..0098b19 +.B setsebool -P unconfined_mplayer 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the mplayer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mplayer_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the mplayer_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -28528,7 +30561,7 @@ index 0000000..0098b19 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -28578,23 +30611,40 @@ index 0000000..0098b19 \ No newline at end of file diff --git a/man/man8/mrtg_selinux.8 b/man/man8/mrtg_selinux.8 new file mode 100644 -index 0000000..0ca59e6 +index 0000000..c8cc81f --- /dev/null +++ b/man/man8/mrtg_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,138 @@ +.TH "mrtg_selinux" "8" "mrtg" "dwalsh@redhat.com" "mrtg SELinux Policy documentation" +.SH "NAME" +mrtg_selinux \- Security Enhanced Linux Policy for the mrtg processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B mrtg -+(Network traffic graphing) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the mrtg processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the mrtg_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mrtg_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the mrtg_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -28660,7 +30710,7 @@ index 0000000..0ca59e6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28705,17 +30755,17 @@ index 0000000..0ca59e6 +selinux(8), mrtg(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/mscan_selinux.8 b/man/man8/mscan_selinux.8 new file mode 100644 -index 0000000..1b9091c +index 0000000..4404182 --- /dev/null +++ b/man/man8/mscan_selinux.8 -@@ -0,0 +1,122 @@ +@@ -0,0 +1,152 @@ +.TH "mscan_selinux" "8" "mscan" "dwalsh@redhat.com" "mscan SELinux Policy documentation" +.SH "NAME" +mscan_selinux \- Security Enhanced Linux Policy for the mscan processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the mscan processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mscan policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mscan with the tightest access possible. @@ -28728,6 +30778,36 @@ index 0000000..1b9091c +.B setsebool -P clamscan_read_user_content 1 +.EE + ++.PP ++If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. ++ ++.EX ++.B setsebool -P clamscan_can_scan_system 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the mscan_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mscan_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the mscan_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -28784,7 +30864,7 @@ index 0000000..1b9091c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28834,23 +30914,40 @@ index 0000000..1b9091c \ No newline at end of file diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8 new file mode 100644 -index 0000000..17b161d +index 0000000..0bcbabb --- /dev/null +++ b/man/man8/munin_selinux.8 -@@ -0,0 +1,163 @@ +@@ -0,0 +1,182 @@ +.TH "munin_selinux" "8" "munin" "dwalsh@redhat.com" "munin SELinux Policy documentation" +.SH "NAME" +munin_selinux \- Security Enhanced Linux Policy for the munin processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B munin -+(Munin network-wide load graphing (formerly LRRD)) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the munin processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the munin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the munin_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the munin_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -28932,7 +31029,7 @@ index 0000000..17b161d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -28959,7 +31056,9 @@ index 0000000..17b161d + + +Default Defined Ports: -+tcp 8021 ++tcp 4949 ++.EE ++udp 4949 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -29003,17 +31102,17 @@ index 0000000..17b161d +selinux(8), munin(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/mysqld_selinux.8 b/man/man8/mysqld_selinux.8 new file mode 100644 -index 0000000..9f5bb25 +index 0000000..ca5fd01 --- /dev/null +++ b/man/man8/mysqld_selinux.8 -@@ -0,0 +1,214 @@ +@@ -0,0 +1,237 @@ +.TH "mysqld_selinux" "8" "mysqld" "dwalsh@redhat.com" "mysqld SELinux Policy documentation" +.SH "NAME" +mysqld_selinux \- Security Enhanced Linux Policy for the mysqld processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the mysqld processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. mysqld policy is extremely flexible and has several booleans that allow you to manipulate the policy and run mysqld with the tightest access possible. 
@@ -29033,6 +31132,29 @@ index 0000000..9f5bb25 +.B setsebool -P mysql_connect_any 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the mysqld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the mysqld_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the mysqld_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -29137,7 +31259,7 @@ index 0000000..9f5bb25 +/var/run/mysqld(/.*)?, /var/lib/mysql/mysql\.sock + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29164,7 +31286,7 @@ index 0000000..9f5bb25 + + +Default Defined Ports: -+tcp 8021 ++tcp 1186,3306,63132-63164 +.EE + +.EX @@ -29175,7 +31297,7 @@ index 0000000..9f5bb25 + + +Default Defined Ports: -+tcp 8021 ++tcp 2273 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -29224,17 +31346,19 @@ index 0000000..9f5bb25 \ No newline at end of file diff --git a/man/man8/mysqlmanagerd_selinux.8 b/man/man8/mysqlmanagerd_selinux.8 new file mode 100644 -index 0000000..6bce1f8 +index 0000000..8b2a8e0 --- /dev/null 
+++ b/man/man8/mysqlmanagerd_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,115 @@ +.TH "mysqlmanagerd_selinux" "8" "mysqlmanagerd" "dwalsh@redhat.com" "mysqlmanagerd SELinux Policy documentation" +.SH "NAME" +mysqlmanagerd_selinux \- Security Enhanced Linux Policy for the mysqlmanagerd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the mysqlmanagerd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -29272,7 +31396,7 @@ index 0000000..6bce1f8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29299,7 +31423,7 @@ index 0000000..6bce1f8 + + +Default Defined Ports: -+tcp 8021 ++tcp 2273 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -29343,23 +31467,40 @@ index 0000000..6bce1f8 +selinux(8), mysqlmanagerd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nagios_selinux.8 b/man/man8/nagios_selinux.8 new file mode 100644 -index 0000000..c1343c2 +index 0000000..2f56c72 --- /dev/null 
+++ b/man/man8/nagios_selinux.8 -@@ -0,0 +1,225 @@ +@@ -0,0 +1,242 @@ +.TH "nagios_selinux" "8" "nagios" "dwalsh@redhat.com" "nagios SELinux Policy documentation" +.SH "NAME" +nagios_selinux \- Security Enhanced Linux Policy for the nagios processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B nagios -+(Net Saint / NAGIOS - network monitoring server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the nagios processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the nagios_services_plugin_t, nagios_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nagios_services_plugin_t, nagios_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the nagios_services_plugin_t, nagios_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -29466,7 +31607,7 @@ index 0000000..c1343c2 +.br +.TP 5 +Paths: -+/usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_ircd, /usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_icmp, /usr/lib/nagios/plugins/check_http, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_mysql_query, /usr/lib/nagios/plugins/check_dns ++/usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_ircd, 
/usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_mysql_query, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_icmp, /usr/lib/nagios/plugins/check_http, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_dns + +.EX +.PP @@ -29486,7 +31627,7 @@ index 0000000..c1343c2 +.br +.TP 5 +Paths: -+/usr/lib/nagios/plugins/check_log, /usr/lib/nagios/plugins/check_load, /usr/lib/nagios/plugins/check_flexlm, /usr/lib/nagios/plugins/check_swap, /usr/lib/nagios/plugins/check_users, /usr/lib/nagios/plugins/check_ifstatus, /usr/lib/nagios/plugins/check_ifoperstatus, /usr/lib/nagios/plugins/check_nagios, /usr/lib/nagios/plugins/check_sensors, /usr/lib/nagios/plugins/check_wave, /usr/lib/nagios/plugins/check_mrtgtraf, /usr/lib/nagios/plugins/check_nwstat, /usr/lib/nagios/plugins/check_procs, /usr/lib/nagios/plugins/check_mrtg, /usr/lib/nagios/plugins/check_overcr ++/usr/lib/nagios/plugins/check_log, /usr/lib/nagios/plugins/check_load, /usr/lib/nagios/plugins/check_nwstat, /usr/lib/nagios/plugins/check_flexlm, /usr/lib/nagios/plugins/check_swap, /usr/lib/nagios/plugins/check_users, /usr/lib/nagios/plugins/check_ifstatus, /usr/lib/nagios/plugins/check_ifoperstatus, /usr/lib/nagios/plugins/check_nagios, /usr/lib/nagios/plugins/check_wave, /usr/lib/nagios/plugins/check_mrtgtraf, /usr/lib/nagios/plugins/check_procs, /usr/lib/nagios/plugins/check_sensors, /usr/lib/nagios/plugins/check_mrtg, /usr/lib/nagios/plugins/check_overcr + +.EX +.PP 
@@ -29529,7 +31670,7 @@ index 0000000..c1343c2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29573,10 +31714,10 @@ index 0000000..c1343c2 +.SH "SEE ALSO" +selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8 -index fce0b48..653c29b 100644 +index fce0b48..fda5526 100644 --- a/man/man8/named_selinux.8 +++ b/man/man8/named_selinux.8 -@@ -1,30 +1,211 @@ +@@ -1,30 +1,228 @@ -.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation" -.de EX -.nf @@ -29593,15 +31734,9 @@ index fce0b48..653c29b 100644 .SH "DESCRIPTION" -Security-Enhanced Linux secures the named server via flexible mandatory access -+ -+SELinux Linux secures -+.B named -+(Berkeley internet name domain DNS server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the named processes via flexible mandatory access control. + -+ -+ .SH BOOLEANS -SELinux policy is customizable based on least access required. So by -default SELinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean. 
@@ -29628,6 +31763,29 @@ index fce0b48..653c29b 100644 +.B setsebool -P named_bind_http_port 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the namespace_init_t, named_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the namespace_init_t, named_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the namespace_init_t, named_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -29637,8 +31795,8 @@ index fce0b48..653c29b 100644 +SELinux named policy is very flexible allowing users to setup their named processes in as secure a method as possible. +.PP +The following file types are defined for named: -+ -+ + + +.EX +.PP +.B named_cache_t @@ -29733,15 +31891,15 @@ index fce0b48..653c29b 100644 +.br +.TP 5 +Paths: -+/lib/systemd/system/named.service, /usr/lib/systemd/system/named.service, /lib/systemd/system/unbound.service, /lib/systemd/system/unbound-keygen.service ++/usr/lib/systemd/system/unbound.*, /usr/lib/systemd/system/named.* + +.EX +.PP +.B named_var_run_t +.EE - ++ +- Set files with the named_var_run_t type, if you want to store the named files under the /run directory. - ++ +.br +.TP 5 +Paths: 
@@ -29760,7 +31918,7 @@ index fce0b48..653c29b 100644 +/var/named/chroot/var/named(/.*)?, /var/named(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29810,23 +31968,40 @@ index fce0b48..653c29b 100644 \ No newline at end of file diff --git a/man/man8/namespace_selinux.8 b/man/man8/namespace_selinux.8 new file mode 100644 -index 0000000..7572442 +index 0000000..40c9bc7 --- /dev/null +++ b/man/man8/namespace_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,94 @@ +.TH "namespace_selinux" "8" "namespace" "dwalsh@redhat.com" "namespace SELinux Policy documentation" +.SH "NAME" +namespace_selinux \- Security Enhanced Linux Policy for the namespace processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B namespace -+(policy for namespace) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the namespace processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the namespace_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the namespace_init_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the namespace_init_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -29848,7 +32023,7 @@ index 0000000..7572442 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29893,23 +32068,19 @@ index 0000000..7572442 +selinux(8), namespace(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ncftool_selinux.8 b/man/man8/ncftool_selinux.8 new file mode 100644 -index 0000000..394997f +index 0000000..35fe63a --- /dev/null +++ b/man/man8/ncftool_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "ncftool_selinux" "8" "ncftool" "dwalsh@redhat.com" "ncftool SELinux Policy documentation" +.SH "NAME" +ncftool_selinux \- Security Enhanced Linux Policy for the ncftool processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ncftool -+(Netcf network configuration tool (ncftool)) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ncftool processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -29931,7 +32102,7 @@ index 0000000..394997f + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -29976,17 +32147,40 @@ index 0000000..394997f +selinux(8), ncftool(8), semanage(8), restorecon(8), chcon(1) 
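Review bot: The `.SH NSSWITCH DOMAIN` heading added to ncftool_selinux.8 has no body; the next line of content is `.SH FILE CONTEXTS`, so the rendered page shows an empty section. The netlabel, netlogond and numad pages later in this patch get the same bare heading. A reader cannot tell whether the domain has no nsswitch-related booleans or whether the text was lost, so the generator should either skip the heading when it has no domains to list or emit one sentence saying that none apply. The generator logic is outside this hunk, so the cause is inferred from the output.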
diff --git a/man/man8/ndc_selinux.8 b/man/man8/ndc_selinux.8 new file mode 100644 -index 0000000..fe49fef +index 0000000..048d7b5 --- /dev/null +++ b/man/man8/ndc_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,94 @@ +.TH "ndc_selinux" "8" "ndc" "dwalsh@redhat.com" "ndc SELinux Policy documentation" +.SH "NAME" +ndc_selinux \- Security Enhanced Linux Policy for the ndc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ndc processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the ndc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ndc_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the ndc_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -30008,7 +32202,7 @@ index 0000000..fe49fef + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30053,23 +32247,19 @@ index 0000000..fe49fef +selinux(8), ndc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/netlabel_selinux.8 b/man/man8/netlabel_selinux.8 new file mode 100644 -index 0000000..8d7e496 +index 0000000..ef88282 --- /dev/null 
+++ b/man/man8/netlabel_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,77 @@ +.TH "netlabel_selinux" "8" "netlabel" "dwalsh@redhat.com" "netlabel SELinux Policy documentation" +.SH "NAME" +netlabel_selinux \- Security Enhanced Linux Policy for the netlabel processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B netlabel -+(NetLabel/CIPSO labeled networking management) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the netlabel processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -30095,7 +32285,7 @@ index 0000000..8d7e496 +/sbin/netlabelctl, /usr/sbin/netlabelctl + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30140,17 +32330,19 @@ index 0000000..8d7e496 +selinux(8), netlabel(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/netlogond_selinux.8 b/man/man8/netlogond_selinux.8 new file mode 100644 -index 0000000..3e7dc32 +index 0000000..2567762 --- /dev/null +++ b/man/man8/netlogond_selinux.8 -@@ -0,0 +1,99 @@ +@@ -0,0 +1,101 @@ +.TH "netlogond_selinux" "8" "netlogond" "dwalsh@redhat.com" "netlogond SELinux Policy documentation" +.SH "NAME" +netlogond_selinux \- Security Enhanced Linux Policy for the netlogond processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the netlogond processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -30200,7 +32392,7 @@ index 0000000..3e7dc32 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30245,23 +32437,40 @@ index 0000000..3e7dc32 +selinux(8), netlogond(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/netutils_selinux.8 b/man/man8/netutils_selinux.8 new file mode 100644 -index 0000000..55eb6c1 +index 0000000..d2b45c5 --- /dev/null +++ b/man/man8/netutils_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,106 @@ +.TH "netutils_selinux" "8" "netutils" "dwalsh@redhat.com" "netutils SELinux Policy documentation" +.SH "NAME" +netutils_selinux \- Security Enhanced Linux Policy for the netutils processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B netutils -+(Network analysis utilities) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the netutils processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the netutils_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the netutils_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the netutils_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -30295,7 +32504,7 @@ index 0000000..55eb6c1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30340,17 +32549,40 @@ index 0000000..55eb6c1 +selinux(8), netutils(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/newrole_selinux.8 b/man/man8/newrole_selinux.8 new file mode 100644 -index 0000000..bdc4376 +index 0000000..c0a15b8 --- /dev/null +++ b/man/man8/newrole_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,94 @@ +.TH "newrole_selinux" "8" "newrole" "dwalsh@redhat.com" "newrole SELinux Policy documentation" +.SH "NAME" +newrole_selinux \- Security Enhanced Linux Policy for the newrole processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the newrole processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the newrole_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the newrole_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the newrole_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -30372,7 +32604,7 @@ index 0000000..bdc4376 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30417,17 +32649,17 @@ index 0000000..bdc4376 +selinux(8), newrole(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nfsd_selinux.8 b/man/man8/nfsd_selinux.8 new file mode 100644 -index 0000000..e664bc1 +index 0000000..d9c3bce --- /dev/null +++ b/man/man8/nfsd_selinux.8 -@@ -0,0 +1,284 @@ +@@ -0,0 +1,297 @@ +.TH "nfsd_selinux" "8" "nfsd" "dwalsh@redhat.com" "nfsd SELinux Policy documentation" +.SH "NAME" +nfsd_selinux \- Security Enhanced Linux Policy for the nfsd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the nfsd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. nfsd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nfsd with the tightest access possible. @@ -30504,7 +32736,7 @@ index 0000000..e664bc1 +.EE + +.PP -+If you want to allow confined virtual guests to manage nfs file, you must turn on the sanlock_use_nfs boolean. ++If you want to allow sanlock to manage nfs file, you must turn on the sanlock_use_nfs boolean. + +.EX +.B setsebool -P sanlock_use_nfs 1 
@@ -30538,6 +32770,29 @@ index 0000000..e664bc1 +.B setsebool -P nfs_export_all_ro 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the nfsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nfsd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the nfsd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. +.TP @@ -30549,7 +32804,7 @@ index 0000000..e664bc1 +.B restorecon -F -R -v /var/nfsd +.pp +.TP -+Allow nfsd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_nfsd_anon_write boolean to be set. ++Allow nfsd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_nfsdd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/nfsd/incoming(/.*)?" @@ -30577,14 +32832,6 @@ index 0000000..e664bc1 + +.EX +.PP -+.B nfs_t -+.EE -+ -+- Set files with the nfs_t type, if you want to treat the files as nfs data. -+ -+ -+.EX -+.PP +.B nfsd_exec_t +.EE + 
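Review bot: The regenerated SHARING FILES paragraph in nfsd_selinux.8 names the boolean `allow_nfsdd_anon_write`, with a doubled `d`; the line it replaces said `allow_nfsd_anon_write`. An administrator who copies the name from the page into `setsebool` gets an error instead of the intended setting, so the page no longer documents a working way to permit writes to `public_content_rw_t`. The likely cause is the generator appending `d` to a domain name that already ends in it, which is inferred from the output because the template is not in this hunk. The line should read `... This also requires the allow_nfsd_anon_write boolean to be set.`, and the name should be confirmed against the loaded policy with `getsebool -a` before the page ships.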
@@ -30626,13 +32873,9 @@ index 0000000..e664bc1 + +- Set files with the nfsd_unit_file_t type, if you want to treat the files as nfsd unit content. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/system/nfs.*, /usr/lib/systemd/system/nfs.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -30659,7 +32902,9 @@ index 0000000..e664bc1 + + +Default Defined Ports: -+tcp 8021 ++tcp 2049,20048-20049 ++.EE ++udp 2049,20048-20049 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -30817,17 +33062,40 @@ index 0000000..87983d6 +selinux(8), nginx(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nmbd_selinux.8 b/man/man8/nmbd_selinux.8 new file mode 100644 -index 0000000..bfcd1db +index 0000000..cfa6020 --- /dev/null 
+++ b/man/man8/nmbd_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,132 @@ +.TH "nmbd_selinux" "8" "nmbd" "dwalsh@redhat.com" "nmbd SELinux Policy documentation" +.SH "NAME" +nmbd_selinux \- Security Enhanced Linux Policy for the nmbd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the nmbd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the nmbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nmbd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the nmbd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -30858,10 +33126,10 @@ index 0000000..bfcd1db +.br +.TP 5 +Paths: -+/var/run/samba/messages\.tdb, /var/run/samba/namelist\.debug, /var/run/nmbd(/.*)?, /var/run/samba/unexpected\.tdb, /var/run/samba/nmbd\.pid ++/var/run/samba/nmbd(/.*)?, /var/run/samba/messages\.tdb, /var/run/samba/namelist\.debug, /var/run/nmbd(/.*)?, /var/run/samba/unexpected\.tdb, /var/run/samba/nmbd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -30888,7 +33156,7 @@ index 0000000..bfcd1db + + +Default Defined Ports: -+tcp 8021 ++udp 137,138 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -30932,23 +33200,40 @@ index 0000000..bfcd1db +selinux(8), nmbd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nova_selinux.8 b/man/man8/nova_selinux.8 new file mode 100644 -index 0000000..c55585f +index 0000000..cf7c9ea --- /dev/null +++ b/man/man8/nova_selinux.8 -@@ -0,0 +1,365 @@ +@@ -0,0 +1,390 @@ +.TH "nova_selinux" "8" "nova" "dwalsh@redhat.com" "nova SELinux Policy documentation" +.SH "NAME" +nova_selinux \- Security Enhanced Linux Policy for the nova processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B nova -+(openstack-nova) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the nova processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the nova_console_t, nova_cert_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nova_console_t, nova_cert_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the nova_console_t, nova_cert_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -30992,6 +33277,10 @@ index 0000000..c55585f + +- Set files with the nova_api_exec_t type, if you want to transition an executable to the nova_api_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/nova-api, /usr//bin/nova-api-metadata + +.EX +.PP 
@@ -31011,7 +33300,7 @@ index 0000000..c55585f +.br +.TP 5 +Paths: -+/usr/lib/systemd/system/openstack-nova-api\.service, /lib/systemd/system/openstack-nova-api\.service ++/usr/lib/systemd/system/openstack-nova-metadata-api.service.*, /usr/lib/systemd/system/openstack-nova-api.* + +.EX +.PP @@ -31036,10 +33325,6 @@ index 0000000..c55585f + +- Set files with the nova_cert_unit_file_t type, if you want to treat the files as nova cert unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/openstack-nova-cert\.service, /lib/systemd/system/openstack-nova-cert\.service + +.EX +.PP @@ -31067,6 +33352,30 @@ index 0000000..c55585f + +.EX +.PP ++.B nova_console_exec_t ++.EE ++ ++- Set files with the nova_console_exec_t type, if you want to transition an executable to the nova_console_t domain. ++ ++ ++.EX ++.PP ++.B nova_console_tmp_t ++.EE ++ ++- Set files with the nova_console_tmp_t type, if you want to store nova console temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B nova_console_unit_file_t ++.EE ++ ++- Set files with the nova_console_unit_file_t type, if you want to treat the files as nova console unit content. ++ ++ ++.EX ++.PP +.B nova_direct_exec_t +.EE + @@ -31088,10 +33397,6 @@ index 0000000..c55585f + +- Set files with the nova_direct_unit_file_t type, if you want to treat the files as nova direct unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/openstack-nova-ajax-console-proxy\.service, /lib/systemd/system/openstack-nova-direct-api\.service, /lib/systemd/system/openstack-nova-ajax-console-proxy\.service, /usr/lib/systemd/system/openstack-nova-direct-api\.service + +.EX +.PP @@ -31124,10 +33429,6 @@ index 0000000..c55585f + +- Set files with the nova_network_unit_file_t type, if you want to treat the files as nova network unit content. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/system/openstack-nova-network\.service, /usr/lib/systemd/system/openstack-nova-network\.service + +.EX +.PP 
@@ -31152,10 +33453,6 @@ index 0000000..c55585f + +- Set files with the nova_objectstore_unit_file_t type, if you want to treat the files as nova objectstore unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/openstack-nova-objectstore\.service, /lib/systemd/system/openstack-nova-objectstore\.service + +.EX +.PP @@ -31180,10 +33477,6 @@ index 0000000..c55585f + +- Set files with the nova_scheduler_unit_file_t type, if you want to treat the files as nova scheduler unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/openstack-nova-scheduler\.service, /lib/systemd/system/openstack-nova-scheduler\.service + +.EX +.PP @@ -31208,6 +33501,10 @@ index 0000000..c55585f + +- Set files with the nova_vncproxy_exec_t type, if you want to transition an executable to the nova_vncproxy_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/nova-vncproxy, /usr/bin/nova-xvpvncproxy + +.EX +.PP @@ -31227,7 +33524,7 @@ index 0000000..c55585f +.br +.TP 5 +Paths: -+/lib/systemd/system/openstack-nova-vncproxy\.service, /usr/lib/systemd/system/openstack-nova-vncproxy\.service ++/usr/lib/systemd/system/openstack-nova-xvpvncproxy.*, /usr/lib/systemd/system/openstack-nova-vncproxy.* + +.EX +.PP @@ -31252,13 +33549,9 @@ index 0000000..c55585f + +- Set files with the nova_volume_unit_file_t type, if you want to treat the files as nova volume unit content. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/system/openstack-nova-volume\.service, /usr/lib/systemd/system/openstack-nova-volume\.service + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -31275,7 +33568,7 @@ index 0000000..c55585f +The following process types are defined for nova: + +.EX -+.B nova_api_t, nova_compute_t, nova_network_t, nova_objectstore_t, nova_vncproxy_t, nova_volume_t, nova_scheduler_t, nova_ajax_t, nova_cert_t, nova_direct_t ++.B nova_api_t, nova_compute_t, nova_console_t, nova_network_t, nova_objectstore_t, nova_vncproxy_t, nova_volume_t, nova_scheduler_t, nova_ajax_t, nova_cert_t, nova_direct_t +.EE +.PP +Note: @@ -31303,17 +33596,40 @@ index 0000000..c55585f +selinux(8), nova(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nrpe_selinux.8 b/man/man8/nrpe_selinux.8 new file mode 100644 -index 0000000..f6a3c05 +index 0000000..1990e67 --- /dev/null +++ b/man/man8/nrpe_selinux.8 -@@ -0,0 +1,87 @@ +@@ -0,0 +1,110 @@ +.TH "nrpe_selinux" "8" "nrpe" "dwalsh@redhat.com" "nrpe SELinux Policy documentation" +.SH "NAME" +nrpe_selinux \- Security Enhanced Linux Policy for the nrpe processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the nrpe processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the nrpe_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nrpe_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the nrpe_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -31351,7 +33667,7 @@ index 0000000..f6a3c05 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31396,24 +33712,18 @@ index 0000000..f6a3c05 +selinux(8), nrpe(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nscd_selinux.8 b/man/man8/nscd_selinux.8 new file mode 100644 -index 0000000..01045df +index 0000000..0609287 --- /dev/null +++ b/man/man8/nscd_selinux.8 -@@ -0,0 +1,128 @@ +@@ -0,0 +1,145 @@ +.TH "nscd_selinux" "8" "nscd" "dwalsh@redhat.com" "nscd SELinux Policy documentation" +.SH "NAME" +nscd_selinux \- Security Enhanced Linux Policy for the nscd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B nscd -+(Name service cache daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the nscd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. nscd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run nscd with the tightest access possible. + 
@@ -31425,6 +33735,29 @@ index 0000000..01045df +.B setsebool -P nscd_use_shm 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the nscd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nscd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the nscd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -31481,7 +33814,7 @@ index 0000000..01045df +/var/run/nscd\.pid, /var/run/nscd(/.*)?, /var/db/nscd(/.*)?, /var/run/\.nscd_socket, /var/cache/nscd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31531,23 +33864,40 @@ index 0000000..01045df \ No newline at end of file diff --git a/man/man8/nslcd_selinux.8 b/man/man8/nslcd_selinux.8 new file mode 100644 -index 0000000..a9a427d +index 0000000..9516eeb --- /dev/null 
+++ b/man/man8/nslcd_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,118 @@ +.TH "nslcd_selinux" "8" "nslcd" "dwalsh@redhat.com" "nslcd SELinux Policy documentation" +.SH "NAME" +nslcd_selinux \- Security Enhanced Linux Policy for the nslcd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B nslcd -+(nslcd - local LDAP name service daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the nslcd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the nslcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nslcd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the nslcd_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -31593,7 +33943,7 @@ index 0000000..a9a427d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31638,23 +33988,40 @@ index 0000000..a9a427d +selinux(8), nslcd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ntop_selinux.8 b/man/man8/ntop_selinux.8 new file mode 100644 -index 0000000..cb7f3a4 +index 0000000..57b0bef --- /dev/null 
+++ b/man/man8/ntop_selinux.8 -@@ -0,0 +1,143 @@ +@@ -0,0 +1,162 @@ +.TH "ntop_selinux" "8" "ntop" "dwalsh@redhat.com" "ntop SELinux Policy documentation" +.SH "NAME" +ntop_selinux \- Security Enhanced Linux Policy for the ntop processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ntop -+(Network Top) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ntop processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the ntop_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ntop_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the ntop_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -31716,7 +34083,7 @@ index 0000000..cb7f3a4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31743,7 +34110,9 @@ index 0000000..cb7f3a4 + + +Default Defined Ports: -+tcp 8021 ++tcp 3000-3001 ++.EE ++udp 3000-3001 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -31787,17 +34156,40 @@ index 0000000..cb7f3a4 +selinux(8), ntop(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/ntpd_selinux.8 b/man/man8/ntpd_selinux.8 new file mode 100644 -index 0000000..515419d +index 0000000..8cbf3dc --- /dev/null +++ b/man/man8/ntpd_selinux.8 -@@ -0,0 +1,189 @@ +@@ -0,0 +1,196 @@ +.TH "ntpd_selinux" "8" "ntpd" "dwalsh@redhat.com" "ntpd SELinux Policy documentation" +.SH "NAME" +ntpd_selinux \- Security Enhanced Linux Policy for the ntpd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ntpd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the ntpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ntpd_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the ntpd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -31812,18 +34204,6 @@ index 0000000..515419d + +.EX +.PP -+.B ntp_drift_t -+.EE -+ -+- Set files with the ntp_drift_t type, if you want to treat the files as ntp drift data. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/ntp(/.*)?, /etc/ntp/data(/.*)? -+ -+.EX -+.PP +.B ntpd_exec_t +.EE + @@ -31889,10 +34269,6 @@ index 0000000..515419d + +- Set files with the ntpd_unit_file_t type, if you want to treat the files as ntpd unit content. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/system/ntpd\.service, /usr/lib/systemd/system/ntpd\.service + +.EX +.PP 
@@ -31911,7 +34287,7 @@ index 0000000..515419d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -31938,7 +34314,7 @@ index 0000000..515419d + + +Default Defined Ports: -+tcp 8021 ++udp 123 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -31982,23 +34358,19 @@ index 0000000..515419d +selinux(8), ntpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/numad_selinux.8 b/man/man8/numad_selinux.8 new file mode 100644 -index 0000000..7a63255 +index 0000000..e92cd9a --- /dev/null +++ b/man/man8/numad_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "numad_selinux" "8" "numad" "dwalsh@redhat.com" "numad SELinux Policy documentation" +.SH "NAME" +numad_selinux \- Security Enhanced Linux Policy for the numad processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B numad -+(policy for numad) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the numad processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32044,7 +34416,7 @@ index 0000000..7a63255 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -32089,23 +34461,40 @@ index 0000000..7a63255 +selinux(8), numad(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nut_selinux.8 b/man/man8/nut_selinux.8 new file mode 100644 -index 0000000..fe354e5 +index 0000000..764d442 --- /dev/null +++ b/man/man8/nut_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,130 @@ +.TH "nut_selinux" "8" "nut" "dwalsh@redhat.com" "nut SELinux Policy documentation" +.SH "NAME" +nut_selinux \- Security Enhanced Linux Policy for the nut processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B nut -+(nut - Network UPS Tools ) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the nut processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32163,7 +34552,7 @@ index 0000000..fe354e5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
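Review bot: The new NSSWITCH DOMAIN text in nut_selinux.8 is hard to act on as written: `using a sssd serve` and `allow system to run with NI` look truncated (probably `sssd server` and `NIS`), and `for the nut_upsmon_t, nut_upsdrvctl_t, nut_upsd_t` reads as if each boolean were scoped to those domains. The `setsebool -P` commands shown take no domain argument and make the change persistent, so an administrator following this section changes policy for every domain that honours the boolean, not only nut. The section should say so, for example `Note: these booleans are system-wide; turning one on also affects other domains that use nsswitch.` The same wording is added to the nx, oddjob, openvpn, pacemaker, passenger, passwd, pegasus, ping, pingd and piranha pages in this diff, so the fix probably belongs in the generator rather than in each page.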
@@ -32208,23 +34597,40 @@ index 0000000..fe354e5 +selinux(8), nut(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/nx_selinux.8 b/man/man8/nx_selinux.8 new file mode 100644 -index 0000000..ef2c5aa +index 0000000..0d20d9d --- /dev/null +++ b/man/man8/nx_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,138 @@ +.TH "nx_selinux" "8" "nx" "dwalsh@redhat.com" "nx SELinux Policy documentation" +.SH "NAME" +nx_selinux \- Security Enhanced Linux Policy for the nx processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B nx -+(NX remote desktop) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the nx processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the nx_server_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the nx_server_ssh_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the nx_server_ssh_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32279,7 +34685,7 @@ index 0000000..ef2c5aa +.br +.TP 5 +Paths: -+/usr/NX/home(/.*)?, /opt/NX/home(/.*)?, /var/lib/nxserver(/.*)? ++/opt/NX/home(/.*)?, /usr/NX/home(/.*)?, /var/lib/nxserver(/.*)? + +.EX +.PP 
@@ -32290,7 +34696,7 @@ index 0000000..ef2c5aa + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32397,23 +34803,19 @@ index 0000000..2746ea3 +selinux(8), semanage(8). diff --git a/man/man8/obex_selinux.8 b/man/man8/obex_selinux.8 new file mode 100644 -index 0000000..a6b6598 +index 0000000..0455948 --- /dev/null +++ b/man/man8/obex_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "obex_selinux" "8" "obex" "dwalsh@redhat.com" "obex SELinux Policy documentation" +.SH "NAME" +obex_selinux \- Security Enhanced Linux Policy for the obex processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B obex -+(SELinux policy for obex-data-server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the obex processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32435,7 +34837,7 @@ index 0000000..a6b6598 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32480,27 +34882,51 @@ index 0000000..a6b6598 +selinux(8), obex(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/oddjob_selinux.8 b/man/man8/oddjob_selinux.8 new file mode 100644 -index 0000000..88a1ce7 +index 0000000..9ff2c89 --- /dev/null 
+++ b/man/man8/oddjob_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,129 @@ +.TH "oddjob_selinux" "8" "oddjob" "dwalsh@redhat.com" "oddjob SELinux Policy documentation" +.SH "NAME" +oddjob_selinux \- Security Enhanced Linux Policy for the oddjob processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B oddjob -+( -+Oddjob provides a mechanism by which unprivileged applications can -+request that specified privileged operations be performed on their -+behalf. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the oddjob processes via flexible mandatory access +control. + ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. oddjob policy is extremely flexible and has several booleans that allow you to manipulate the policy and run oddjob with the tightest access possible. ++ ++ ++.PP ++If you want to allow httpd to communicate with oddjob to start up a servic, you must turn on the httpd_use_oddjob boolean. ++ ++.EX ++.B setsebool -P httpd_use_oddjob 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the oddjob_mkhomedir_t, oddjob_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the oddjob_mkhomedir_t, oddjob_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the oddjob_mkhomedir_t, oddjob_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -32542,7 +34968,7 @@ index 0000000..88a1ce7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32576,6 +35002,9 @@ index 0000000..88a1ce7 +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -32585,25 +35014,23 @@ index 0000000..88a1ce7 + +.SH "SEE ALSO" +selinux(8), oddjob(8), semanage(8), restorecon(8), chcon(1) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/openct_selinux.8 b/man/man8/openct_selinux.8 new file mode 100644 -index 0000000..b21e586 +index 0000000..f3ec094 --- /dev/null +++ b/man/man8/openct_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,85 @@ +.TH "openct_selinux" "8" "openct" "dwalsh@redhat.com" "openct SELinux Policy documentation" +.SH "NAME" +openct_selinux \- Security Enhanced Linux Policy for the openct processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B openct -+(Service for handling smart card readers) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the openct processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -32637,7 +35064,7 @@ index 0000000..b21e586 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32682,24 +35109,18 @@ index 0000000..b21e586 +selinux(8), openct(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/openvpn_selinux.8 b/man/man8/openvpn_selinux.8 new file mode 100644 -index 0000000..9a9b8b8 +index 0000000..431511a --- /dev/null +++ b/man/man8/openvpn_selinux.8 -@@ -0,0 +1,166 @@ +@@ -0,0 +1,185 @@ +.TH "openvpn_selinux" "8" "openvpn" "dwalsh@redhat.com" "openvpn SELinux Policy documentation" +.SH "NAME" +openvpn_selinux \- Security Enhanced Linux Policy for the openvpn processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B openvpn -+(full-featured SSL VPN solution) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the openvpn processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. openvpn policy is extremely flexible and has several booleans that allow you to manipulate the policy and run openvpn with the tightest access possible. + 
@@ -32711,6 +35132,29 @@ index 0000000..9a9b8b8 +.B setsebool -P openvpn_enable_homedirs 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the openvpn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the openvpn_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the openvpn_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -32779,7 +35223,7 @@ index 0000000..9a9b8b8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32806,7 +35250,9 @@ index 0000000..9a9b8b8 + + +Default Defined Ports: -+tcp 8021 ++tcp 1194 ++.EE ++udp 1194 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -32855,23 +35301,40 @@ index 0000000..9a9b8b8 \ No newline at end of file diff --git a/man/man8/pacemaker_selinux.8 b/man/man8/pacemaker_selinux.8 new file mode 100644 -index 0000000..a43fb5b +index 0000000..5e28f03 --- /dev/null 
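Review bot: The openvpn port listing in the `Default Defined Ports:` hunk gains an extra `.EE`: the new side reads `tcp 1194`, `.EE`, `udp 1194`, `.EE`, so `udp 1194` comes after the example block is already closed and the final `.EE` has no matching `.EX` in view. Dropping the `.EE` between the two port lines keeps both ports in one block, i.e. `tcp 1194`, `udp 1194`, then a single `.EE`. The opening `.EX` lies above the hunk, so the imbalance is inferred from the closing macros alone. Because these pages are regenerated, the generator presumably emits one `.EE` per protocol and should close the block once after the last port.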
+++ b/man/man8/pacemaker_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,130 @@ +.TH "pacemaker_selinux" "8" "pacemaker" "dwalsh@redhat.com" "pacemaker SELinux Policy documentation" +.SH "NAME" +pacemaker_selinux \- Security Enhanced Linux Policy for the pacemaker processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pacemaker -+(policy for pacemaker) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pacemaker processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the pacemaker_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pacemaker_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the pacemaker_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -32929,7 +35392,7 @@ index 0000000..a43fb5b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -32974,23 +35437,19 @@ index 0000000..a43fb5b +selinux(8), pacemaker(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pads_selinux.8 b/man/man8/pads_selinux.8 new file mode 100644 -index 0000000..f2bc8e8 +index 0000000..8ebf008 --- /dev/null 
+++ b/man/man8/pads_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,101 @@ +.TH "pads_selinux" "8" "pads" "dwalsh@redhat.com" "pads SELinux Policy documentation" +.SH "NAME" +pads_selinux \- Security Enhanced Linux Policy for the pads processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pads -+(Passive Asset Detection System) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pads processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33040,7 +35499,7 @@ index 0000000..f2bc8e8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33085,23 +35544,40 @@ index 0000000..f2bc8e8 +selinux(8), pads(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/passenger_selinux.8 b/man/man8/passenger_selinux.8 new file mode 100644 -index 0000000..872ce91 +index 0000000..7be4f27 --- /dev/null 
+++ b/man/man8/passenger_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,134 @@ +.TH "passenger_selinux" "8" "passenger" "dwalsh@redhat.com" "passenger SELinux Policy documentation" +.SH "NAME" +passenger_selinux \- Security Enhanced Linux Policy for the passenger processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B passenger -+(Ruby on rails deployment for Apache and Nginx servers) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the passenger processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the passenger_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the passenger_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the passenger_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33163,7 +35639,7 @@ index 0000000..872ce91 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33208,17 +35684,40 @@ index 0000000..872ce91 +selinux(8), passenger(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/passwd_selinux.8 b/man/man8/passwd_selinux.8 new file mode 100644 -index 0000000..71d4cc4 +index 0000000..48736e0 --- /dev/null 
+++ b/man/man8/passwd_selinux.8 -@@ -0,0 +1,87 @@ +@@ -0,0 +1,110 @@ +.TH "passwd_selinux" "8" "passwd" "dwalsh@redhat.com" "passwd SELinux Policy documentation" +.SH "NAME" +passwd_selinux \- Security Enhanced Linux Policy for the passwd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the passwd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the passwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the passwd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the passwd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33253,10 +35752,10 @@ index 0000000..71d4cc4 +.br +.TP 5 +Paths: -+/etc/passwd\.OLD, /etc/ptmptmp, /etc/passwd-?, /etc/group-? ++/etc/passwd\.OLD, /etc/ptmptmp, /etc/group[-\+]?, /etc/passwd[-\+]? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33301,23 +35800,19 @@ index 0000000..71d4cc4 +selinux(8), passwd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pcscd_selinux.8 b/man/man8/pcscd_selinux.8 new file mode 100644 -index 0000000..07f91c9 +index 0000000..f87af16 --- /dev/null 
+++ b/man/man8/pcscd_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,85 @@ +.TH "pcscd_selinux" "8" "pcscd" "dwalsh@redhat.com" "pcscd SELinux Policy documentation" +.SH "NAME" +pcscd_selinux \- Security Enhanced Linux Policy for the pcscd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pcscd -+(PCSC smart card service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pcscd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33351,7 +35846,7 @@ index 0000000..07f91c9 +/var/run/pcscd\.pid, /var/run/pcscd\.comm, /var/run/pcscd\.events(/.*)?, /var/run/pcscd\.pub, /var/run/pcscd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33396,23 +35891,40 @@ index 0000000..07f91c9 +selinux(8), pcscd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pegasus_selinux.8 b/man/man8/pegasus_selinux.8 new file mode 100644 -index 0000000..b015c87 +index 0000000..406004b --- /dev/null 
+++ b/man/man8/pegasus_selinux.8 -@@ -0,0 +1,162 @@ +@@ -0,0 +1,179 @@ +.TH "pegasus_selinux" "8" "pegasus" "dwalsh@redhat.com" "pegasus SELinux Policy documentation" +.SH "NAME" +pegasus_selinux \- Security Enhanced Linux Policy for the pegasus processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pegasus -+(The Open Group Pegasus CIM/WBEM Server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pegasus processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the pegasus_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pegasus_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the pegasus_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -33482,7 +35994,7 @@ index 0000000..b015c87 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33509,7 +36021,7 @@ index 0000000..b015c87 + + +Default Defined Ports: -+tcp 8021 ++tcp 5988 +.EE + +.EX @@ -33520,7 +36032,7 @@ index 0000000..b015c87 + + +Default Defined Ports: -+tcp 8021 ++tcp 5989 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -33564,17 +36076,17 @@ index 0000000..b015c87 +selinux(8), pegasus(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ping_selinux.8 b/man/man8/ping_selinux.8 new file mode 100644 -index 0000000..bda0235 +index 0000000..02d61ab --- /dev/null +++ b/man/man8/ping_selinux.8 -@@ -0,0 +1,148 @@ +@@ -0,0 +1,171 @@ +.TH "ping_selinux" "8" "ping" "dwalsh@redhat.com" "ping SELinux Policy documentation" +.SH "NAME" +ping_selinux \- Security Enhanced Linux Policy for the ping processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the ping processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. ping policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ping with the tightest access possible. @@ -33587,6 +36099,29 @@ index 0000000..bda0235 +.B setsebool -P user_ping 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the pingd_t, ping_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -33643,7 +36178,7 @@ index 0000000..bda0235 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33670,7 +36205,7 @@ index 0000000..bda0235 + + +Default Defined Ports: -+tcp 8021 ++tcp 9125 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -33719,24 +36254,18 @@ index 0000000..bda0235 \ No newline at end of file diff --git a/man/man8/pingd_selinux.8 b/man/man8/pingd_selinux.8 new file mode 100644 -index 0000000..1259587 +index 0000000..4dbbcc8 --- /dev/null +++ b/man/man8/pingd_selinux.8 -@@ -0,0 +1,154 @@ +@@ -0,0 +1,159 @@ +.TH "pingd_selinux" "8" "pingd" "dwalsh@redhat.com" "pingd SELinux Policy documentation" +.SH "NAME" +pingd_selinux \- Security Enhanced Linux Policy for the pingd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pingd -+(Pingd of the Whatsup cluster node up/down detection utility) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pingd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. pingd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pingd with the tightest access possible. + 
@@ -33748,6 +36277,29 @@ index 0000000..1259587 +.B setsebool -P user_ping 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the pingd_t, ping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pingd_t, ping_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the pingd_t, ping_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -33761,18 +36313,6 @@ index 0000000..1259587 + +.EX +.PP -+.B ping_exec_t -+.EE -+ -+- Set files with the ping_exec_t type, if you want to transition an executable to the ping_t domain. -+ -+.br -+.TP 5 -+Paths: -+/usr/bin/ping.*, /usr/sbin/hping2, /usr/sbin/fping.*, /bin/ping.*, /usr/sbin/send_arp -+ -+.EX -+.PP +.B pingd_etc_t +.EE + @@ -33804,7 +36344,7 @@ index 0000000..1259587 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -33831,7 +36371,7 @@ index 0000000..1259587 + + +Default Defined Ports: -+tcp 8021 ++tcp 9125 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -33880,24 +36420,18 @@ index 0000000..1259587 \ No newline at end of file diff --git a/man/man8/piranha_selinux.8 b/man/man8/piranha_selinux.8 new file mode 100644 -index 0000000..cbd1451 +index 0000000..ce58216 
--- /dev/null +++ b/man/man8/piranha_selinux.8 -@@ -0,0 +1,238 @@ +@@ -0,0 +1,251 @@ +.TH "piranha_selinux" "8" "piranha" "dwalsh@redhat.com" "piranha SELinux Policy documentation" +.SH "NAME" +piranha_selinux \- Security Enhanced Linux Policy for the piranha processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B piranha -+(policy for piranha) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the piranha processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. piranha policy is extremely flexible and has several booleans that allow you to manipulate the policy and run piranha with the tightest access possible. + @@ -33909,6 +36443,29 @@ index 0000000..cbd1451 +.B setsebool -P piranha_lvs_can_network_connect 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the piranha_pulse_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the piranha_pulse_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the piranha_pulse_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -34019,10 +36576,6 @@ index 0000000..cbd1451 + +- Set files with the piranha_web_exec_t type, if you want to transition an executable to the piranha_web_t domain. + -+.br -+.TP 5 -+Paths: -+/usr/sbin/piranha_gui, /usr/bin/paster + +.EX +.PP 
@@ -34049,7 +36602,7 @@ index 0000000..cbd1451 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -34076,7 +36629,7 @@ index 0000000..cbd1451 + + +Default Defined Ports: -+tcp 8021 ++tcp 3636 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -34635,17 +37188,19 @@ index 0000000..2272c46 +selinux(8), pki(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/plymouth_selinux.8 b/man/man8/plymouth_selinux.8 new file mode 100644 -index 0000000..581c9cb +index 0000000..9aa07b5 --- /dev/null +++ b/man/man8/plymouth_selinux.8 -@@ -0,0 +1,119 @@ +@@ -0,0 +1,121 @@ +.TH "plymouth_selinux" "8" "plymouth" "dwalsh@redhat.com" "plymouth SELinux Policy documentation" +.SH "NAME" +plymouth_selinux \- Security Enhanced Linux Policy for the plymouth processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the plymouth processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -34715,7 +37270,7 @@ index 0000000..581c9cb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -34760,23 +37315,19 @@ index 0000000..581c9cb +selinux(8), plymouth(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/plymouthd_selinux.8 b/man/man8/plymouthd_selinux.8 new file mode 100644 -index 0000000..a9addd8 +index 0000000..482fddc --- /dev/null +++ b/man/man8/plymouthd_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,109 @@ +.TH "plymouthd_selinux" "8" "plymouthd" "dwalsh@redhat.com" "plymouthd SELinux Policy documentation" +.SH "NAME" +plymouthd_selinux \- Security Enhanced Linux Policy for the plymouthd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B plymouthd -+(Plymouth graphical boot) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the plymouthd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -34791,18 +37342,6 @@ index 0000000..a9addd8 + +.EX +.PP -+.B plymouth_exec_t -+.EE -+ -+- Set files with the plymouth_exec_t type, if you want to transition an executable to the plymouth_t domain. -+ -+.br -+.TP 5 -+Paths: -+/usr/bin/plymouth, /bin/plymouth -+ -+.EX -+.PP +.B plymouthd_exec_t +.EE + @@ -34846,7 +37385,7 @@ index 0000000..a9addd8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -34891,23 +37430,19 @@ index 0000000..a9addd8 +selinux(8), plymouthd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/podsleuth_selinux.8 b/man/man8/podsleuth_selinux.8 new file mode 100644 -index 0000000..413dd33 +index 0000000..0170aa2 --- /dev/null 
+++ b/man/man8/podsleuth_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,101 @@ +.TH "podsleuth_selinux" "8" "podsleuth" "dwalsh@redhat.com" "podsleuth SELinux Policy documentation" +.SH "NAME" +podsleuth_selinux \- Security Enhanced Linux Policy for the podsleuth processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B podsleuth -+(Podsleuth is a tool to get information about an Apple (TM) iPod (TM)) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the podsleuth processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -34957,7 +37492,7 @@ index 0000000..413dd33 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -35002,23 +37537,40 @@ index 0000000..413dd33 +selinux(8), podsleuth(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/policykit_selinux.8 b/man/man8/policykit_selinux.8 new file mode 100644 -index 0000000..b14cbf9 +index 0000000..0271ab9 --- /dev/null 
+++ b/man/man8/policykit_selinux.8 -@@ -0,0 +1,153 @@ +@@ -0,0 +1,170 @@ +.TH "policykit_selinux" "8" "policykit" "dwalsh@redhat.com" "policykit SELinux Policy documentation" +.SH "NAME" +policykit_selinux \- Security Enhanced Linux Policy for the policykit processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B policykit -+(Policy framework for controlling privileges for system-wide services) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the policykit processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the policykit_grant_t, policykit_auth_t, policykit_t, policykit_resolve_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -35041,7 +37593,7 @@ index 0000000..b14cbf9 +.br +.TP 5 +Paths: -+/usr/libexec/polkit-read-auth-helper, /usr/lib/policykit/polkit-read-auth-helper, /usr/libexec/polkit-1/polkit-agent-helper-1 ++/usr/libexec/polkit-read-auth-helper, /usr/libexec/polkit-1/polkit-agent-helper-1, /usr/lib/policykit/polkit-read-auth-helper + +.EX +.PP 
@@ -35116,7 +37668,7 @@ index 0000000..b14cbf9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -35161,24 +37713,18 @@ index 0000000..b14cbf9 +selinux(8), policykit(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/polipo_selinux.8 b/man/man8/polipo_selinux.8 new file mode 100644 -index 0000000..ada080b +index 0000000..4fa9255 --- /dev/null +++ b/man/man8/polipo_selinux.8 -@@ -0,0 +1,191 @@ +@@ -0,0 +1,208 @@ +.TH "polipo_selinux" "8" "polipo" "dwalsh@redhat.com" "polipo SELinux Policy documentation" +.SH "NAME" +polipo_selinux \- Security Enhanced Linux Policy for the polipo processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B polipo -+(Caching web proxy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the polipo processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. polipo policy is extremely flexible and has several booleans that allow you to manipulate the policy and run polipo with the tightest access possible. + 
@@ -35225,6 +37771,29 @@ index 0000000..ada080b +.B setsebool -P polipo_use_nfs 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the polipo_t, polipo_session_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the polipo_t, polipo_session_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the polipo_t, polipo_session_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -35309,7 +37878,7 @@ index 0000000..ada080b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -35359,24 +37928,18 @@ index 0000000..ada080b \ No newline at end of file diff --git a/man/man8/portmap_selinux.8 b/man/man8/portmap_selinux.8 new file mode 100644 -index 0000000..7513001 +index 0000000..9bb3a30 --- /dev/null 
+++ b/man/man8/portmap_selinux.8 -@@ -0,0 +1,150 @@ +@@ -0,0 +1,169 @@ +.TH "portmap_selinux" "8" "portmap" "dwalsh@redhat.com" "portmap SELinux Policy documentation" +.SH "NAME" +portmap_selinux \- Security Enhanced Linux Policy for the portmap processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B portmap -+(RPC port mapping service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the portmap processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. portmap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run portmap with the tightest access possible. + @@ -35388,6 +37951,29 @@ index 0000000..7513001 +.B setsebool -P samba_portmapper 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the portmap_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the portmap_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the portmap_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -35440,7 +38026,7 @@ index 0000000..7513001 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -35467,7 +38053,9 @@ index 0000000..7513001 + + +Default Defined Ports: -+tcp 8021 ++tcp 111 ++.EE ++udp 111 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -35516,23 +38104,19 @@ index 0000000..7513001 \ No newline at end of file diff --git a/man/man8/portreserve_selinux.8 b/man/man8/portreserve_selinux.8 new file mode 100644 -index 0000000..909a5da +index 0000000..f40af74 --- /dev/null +++ b/man/man8/portreserve_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,101 @@ +.TH "portreserve_selinux" "8" "portreserve" "dwalsh@redhat.com" "portreserve SELinux Policy documentation" +.SH "NAME" +portreserve_selinux \- Security Enhanced Linux Policy for the portreserve processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B portreserve -+(Reserve well-known ports in the RPC port range) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the portreserve processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -35582,7 +38166,7 @@ index 0000000..909a5da + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -35627,24 +38211,18 @@ index 0000000..909a5da +selinux(8), portreserve(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/postfix_selinux.8 b/man/man8/postfix_selinux.8 new file mode 100644 -index 0000000..bb778bf +index 0000000..0146fa5 --- /dev/null 
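Review bot: The regenerated port list in `@@ -35467,7 +38053,9 @@` emits `.EE` after each port (`tcp 111`, `.EE`, `udp 111`, `.EE`), so the page closes an example block twice. The opening `.EX` lies outside the hunk, so this is inferred from the single `.EE` on the old side; if only one `.EX` precedes the list, the first `.EE` ends the example early and `udp 111` is set as running text. Emitting the protocol lines together followed by one `.EE` (`tcp 111`, `udp 111`, `.EE`) would keep the markup balanced. The pptp and prelude pages show the same pattern with ports 1723 and 4690.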
+++ b/man/man8/postfix_selinux.8 -@@ -0,0 +1,422 @@ +@@ -0,0 +1,439 @@ +.TH "postfix_selinux" "8" "postfix" "dwalsh@redhat.com" "postfix SELinux Policy documentation" +.SH "NAME" +postfix_selinux \- Security Enhanced Linux Policy for the postfix processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B postfix -+(Postfix email server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the postfix processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. postfix policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postfix with the tightest access possible. + 
@@ -35656,6 +38234,29 @@ index 0000000..bb778bf +.B setsebool -P allow_postfix_local_write_mail_spool 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the postfix_smtp_t, postfix_map_t, postfix_showq_t, postfix_virtual_t, postfix_smtpd_t, postfix_local_t, postfix_cleanup_t, postfix_master_t, postfix_postdrop_t, postfix_pickup_t, postfix_bounce_t, postfix_qmgr_t, postfix_pipe_t, postfix_postqueue_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postfix_smtp_t, postfix_map_t, postfix_showq_t, postfix_virtual_t, postfix_smtpd_t, postfix_local_t, postfix_cleanup_t, postfix_master_t, postfix_postdrop_t, postfix_pickup_t, postfix_bounce_t, postfix_qmgr_t, postfix_pipe_t, postfix_postqueue_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the postfix_smtp_t, postfix_map_t, postfix_showq_t, postfix_virtual_t, postfix_smtpd_t, postfix_local_t, postfix_cleanup_t, postfix_master_t, postfix_postdrop_t, postfix_pickup_t, postfix_bounce_t, postfix_qmgr_t, postfix_pipe_t, postfix_postqueue_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -35893,7 +38494,7 @@ index 0000000..bb778bf +.br +.TP 5 +Paths: -+/usr/libexec/postfix/smtp, /usr/libexec/postfix/scache, /usr/libexec/postfix/lmtp ++/usr/libexec/postfix/lmtp, /usr/libexec/postfix/smtp, /usr/libexec/postfix/scache + +.EX +.PP 
@@ -35980,7 +38581,7 @@ index 0000000..bb778bf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36007,7 +38608,7 @@ index 0000000..bb778bf + + +Default Defined Ports: -+tcp 8021 ++tcp 10031 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -36056,24 +38657,18 @@ index 0000000..bb778bf \ No newline at end of file diff --git a/man/man8/postgresql_selinux.8 b/man/man8/postgresql_selinux.8 new file mode 100644 -index 0000000..da21d07 +index 0000000..6dd2e8e --- /dev/null +++ b/man/man8/postgresql_selinux.8 -@@ -0,0 +1,194 @@ +@@ -0,0 +1,207 @@ +.TH "postgresql_selinux" "8" "postgresql" "dwalsh@redhat.com" "postgresql SELinux Policy documentation" +.SH "NAME" +postgresql_selinux \- Security Enhanced Linux Policy for the postgresql processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B postgresql -+(PostgreSQL relational database) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the postgresql processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. postgresql policy is extremely flexible and has several booleans that allow you to manipulate the policy and run postgresql with the tightest access possible. + 
@@ -36085,6 +38680,29 @@ index 0000000..da21d07 +.B setsebool -P allow_user_postgresql_connect 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the postgresql_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the postgresql_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the postgresql_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -36106,7 +38724,7 @@ index 0000000..da21d07 +.br +.TP 5 +Paths: -+/var/lib/pgsql/data(/.*)?, /usr/share/jonas/pgsql(/.*)?, /var/lib/postgres(ql)?(/.*)?, /var/lib/sepgsql(/.*)?, /usr/lib/pgsql/test/regress(/.*)? ++/usr/share/jonas/pgsql(/.*)?, /var/lib/postgres(ql)?(/.*)?, /var/lib/sepgsql(/.*)?, /usr/lib/pgsql/test/regress(/.*)?, /var/lib/pgsql(/.*)? + +.EX +.PP @@ -36158,7 +38776,7 @@ index 0000000..da21d07 +.br +.TP 5 +Paths: -+/var/lib/pgsql/logfile(/.*)?, /var/lib/pgsql/pgstartup\.log, /var/log/postgresql(/.*)?, /var/log/postgres\.log.*, /var/lib/sepgsql/pgstartup\.log, /var/log/rhdb/rhdb(/.*)?, /var/log/sepostgresql\.log.* ++/var/lib/pgsql/logfile(/.*)?, /var/log/postgresql(/.*)?, /var/log/postgres\.log.*, /var/lib/sepgsql/pgstartup\.log, /var/log/rhdb/rhdb(/.*)?, /var/lib/pgsql/.*\.log, /var/log/sepostgresql\.log.* + +.EX +.PP 
@@ -36175,13 +38793,9 @@ index 0000000..da21d07 + +- Set files with the postgresql_var_run_t type, if you want to store the postgresql files under the /run directory. + -+.br -+.TP 5 -+Paths: -+/var/run/postmaster.*, /var/run/postgresql(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36208,7 +38822,7 @@ index 0000000..da21d07 + + +Default Defined Ports: -+tcp 8021 ++tcp 5432 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -36257,23 +38871,19 @@ index 0000000..da21d07 \ No newline at end of file diff --git a/man/man8/postgrey_selinux.8 b/man/man8/postgrey_selinux.8 new file mode 100644 -index 0000000..0d3079a +index 0000000..daf4f9f --- /dev/null +++ b/man/man8/postgrey_selinux.8 -@@ -0,0 +1,147 @@ +@@ -0,0 +1,143 @@ +.TH "postgrey_selinux" "8" "postgrey" "dwalsh@redhat.com" "postgrey SELinux Policy documentation" +.SH "NAME" +postgrey_selinux \- Security Enhanced Linux Policy for the postgrey processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B postgrey -+(Postfix grey-listing server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the postgrey processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -36339,7 +38949,7 @@ index 0000000..0d3079a +/var/run/postgrey\.pid, /var/run/postgrey(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36366,7 +38976,7 @@ index 0000000..0d3079a + + +Default Defined Ports: -+tcp 8021 ++tcp 60000 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -36410,17 +39020,17 @@ index 0000000..0d3079a +selinux(8), postgrey(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pppd_selinux.8 b/man/man8/pppd_selinux.8 new file mode 100644 -index 0000000..7b27311 +index 0000000..28da35e --- /dev/null +++ b/man/man8/pppd_selinux.8 -@@ -0,0 +1,189 @@ +@@ -0,0 +1,212 @@ +.TH "pppd_selinux" "8" "pppd" "dwalsh@redhat.com" "pppd SELinux Policy documentation" +.SH "NAME" +pppd_selinux \- Security Enhanced Linux Policy for the pppd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the pppd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. pppd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run pppd with the tightest access possible. 
@@ -36440,6 +39050,29 @@ index 0000000..7b27311 +.B setsebool -P pppd_can_insmod 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the pppd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pppd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the pppd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -36461,7 +39094,7 @@ index 0000000..7b27311 +.br +.TP 5 +Paths: -+/etc/ppp(/.*)?, /etc/ppp/peers(/.*)?, /etc/ppp/resolv\.conf ++/etc/ppp(/.*)?, /etc/ppp/resolv\.conf, /etc/ppp/peers(/.*)? + +.EX +.PP @@ -36556,7 +39189,7 @@ index 0000000..7b27311 +/var/run/pppd[0-9]*\.tdb, /var/run/ppp(/.*)?, /var/run/(i)?ppp.*pid[^/]* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36606,17 +39239,40 @@ index 0000000..7b27311 \ No newline at end of file diff --git a/man/man8/pptp_selinux.8 b/man/man8/pptp_selinux.8 new file mode 100644 -index 0000000..4f2fc1c +index 0000000..a64e3ec --- /dev/null 
+++ b/man/man8/pptp_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,138 @@ +.TH "pptp_selinux" "8" "pptp" "dwalsh@redhat.com" "pptp SELinux Policy documentation" +.SH "NAME" +pptp_selinux \- Security Enhanced Linux Policy for the pptp processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the pptp processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the pptp_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pptp_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the pptp_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -36654,7 +39310,7 @@ index 0000000..4f2fc1c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36681,7 +39337,9 @@ index 0000000..4f2fc1c + + +Default Defined Ports: -+tcp 8021 ++tcp 1723 ++.EE ++udp 1723 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -36725,23 +39383,40 @@ index 0000000..4f2fc1c +selinux(8), pptp(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/prelink_selinux.8 b/man/man8/prelink_selinux.8 new file mode 100644 -index 0000000..0be2626 +index 0000000..5fe1394 --- /dev/null 
+++ b/man/man8/prelink_selinux.8 -@@ -0,0 +1,133 @@ +@@ -0,0 +1,150 @@ +.TH "prelink_selinux" "8" "prelink" "dwalsh@redhat.com" "prelink SELinux Policy documentation" +.SH "NAME" +prelink_selinux \- Security Enhanced Linux Policy for the prelink processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B prelink -+(Prelink ELF shared library mappings) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the prelink processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the prelink_cron_system_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the prelink_cron_system_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the prelink_cron_system_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -36819,7 +39494,7 @@ index 0000000..0be2626 +/var/lib/prelink(/.*)?, /var/lib/misc/prelink.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -36864,23 +39539,40 @@ index 0000000..0be2626 +selinux(8), prelink(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/prelude_selinux.8 b/man/man8/prelude_selinux.8 new file mode 100644 -index 0000000..3955442 +index 0000000..6de339b --- /dev/null 
+++ b/man/man8/prelude_selinux.8 -@@ -0,0 +1,211 @@ +@@ -0,0 +1,230 @@ +.TH "prelude_selinux" "8" "prelude" "dwalsh@redhat.com" "prelude SELinux Policy documentation" +.SH "NAME" +prelude_selinux \- Security Enhanced Linux Policy for the prelude processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B prelude -+(Prelude hybrid intrusion detection system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the prelude processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the prelude_lml_t, prelude_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the prelude_lml_t, prelude_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the prelude_lml_t, prelude_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -37010,7 +39702,7 @@ index 0000000..3955442 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37037,7 +39729,9 @@ index 0000000..3955442 + + +Default Defined Ports: -+tcp 8021 ++tcp 4690 ++.EE ++udp 4690 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -37081,24 +39775,18 @@ index 0000000..3955442 +selinux(8), prelude(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/privoxy_selinux.8 b/man/man8/privoxy_selinux.8 new file mode 100644 -index 0000000..4371077 +index 0000000..7724d1d --- /dev/null +++ b/man/man8/privoxy_selinux.8 -@@ -0,0 +1,124 @@ +@@ -0,0 +1,141 @@ +.TH "privoxy_selinux" "8" "privoxy" "dwalsh@redhat.com" "privoxy SELinux Policy documentation" +.SH "NAME" +privoxy_selinux \- Security Enhanced Linux Policy for the privoxy processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B privoxy -+(Privacy enhancing web proxy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the privoxy processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. privoxy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run privoxy with the tightest access possible. + @@ -37110,6 +39798,29 @@ index 0000000..4371077 +.B setsebool -P privoxy_connect_any 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the privoxy_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the privoxy_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the privoxy_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -37162,7 +39873,7 @@ index 0000000..4371077 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37212,23 +39923,40 @@ index 0000000..4371077 \ No newline at end of file diff --git a/man/man8/procmail_selinux.8 b/man/man8/procmail_selinux.8 new file mode 100644 -index 0000000..7a080ee +index 0000000..bdbacaa --- /dev/null +++ b/man/man8/procmail_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,122 @@ +.TH "procmail_selinux" "8" "procmail" "dwalsh@redhat.com" "procmail SELinux Policy documentation" +.SH "NAME" +procmail_selinux \- Security Enhanced Linux Policy for the procmail processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B procmail -+(Procmail mail delivery agent) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the procmail processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the procmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the procmail_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the procmail_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -37278,7 +40006,7 @@ index 0000000..7a080ee + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37323,23 +40051,40 @@ index 0000000..7a080ee +selinux(8), procmail(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/psad_selinux.8 b/man/man8/psad_selinux.8 new file mode 100644 -index 0000000..f5331cf +index 0000000..c808106 --- /dev/null +++ b/man/man8/psad_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,142 @@ +.TH "psad_selinux" "8" "psad" "dwalsh@redhat.com" "psad SELinux Policy documentation" +.SH "NAME" +psad_selinux \- Security Enhanced Linux Policy for the psad processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B psad -+(Intrusion Detection and Log Analysis with iptables) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the psad processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the psad_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the psad_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the psad_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -37409,7 +40154,7 @@ index 0000000..f5331cf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37454,17 +40199,19 @@ index 0000000..f5331cf +selinux(8), psad(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ptal_selinux.8 b/man/man8/ptal_selinux.8 new file mode 100644 -index 0000000..679eb3c +index 0000000..9b67e7c --- /dev/null +++ b/man/man8/ptal_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,123 @@ +.TH "ptal_selinux" "8" "ptal" "dwalsh@redhat.com" "ptal SELinux Policy documentation" +.SH "NAME" +ptal_selinux \- Security Enhanced Linux Policy for the ptal processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ptal processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -37510,7 +40257,7 @@ index 0000000..679eb3c +/var/run/ptal-mlcd(/.*)?, /var/run/ptal-printd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37537,7 +40284,7 @@ index 0000000..679eb3c + + +Default Defined Ports: -+tcp 8021 ++tcp 5703 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
@@ -37581,23 +40328,19 @@ index 0000000..679eb3c +selinux(8), ptal(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ptchown_selinux.8 b/man/man8/ptchown_selinux.8 new file mode 100644 -index 0000000..3e1f7ab +index 0000000..2616592 --- /dev/null +++ b/man/man8/ptchown_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,73 @@ +.TH "ptchown_selinux" "8" "ptchown" "dwalsh@redhat.com" "ptchown SELinux Policy documentation" +.SH "NAME" +ptchown_selinux \- Security Enhanced Linux Policy for the ptchown processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ptchown -+(helper function for grantpt(3), changes ownship and permissions of pseudotty) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ptchown processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -37619,7 +40362,7 @@ index 0000000..3e1f7ab + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37664,23 +40407,19 @@ index 0000000..3e1f7ab +selinux(8), ptchown(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/publicfile_selinux.8 b/man/man8/publicfile_selinux.8 new file mode 100644 -index 0000000..0235c45 +index 0000000..ac2f1cb --- /dev/null 
+++ b/man/man8/publicfile_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,85 @@ +.TH "publicfile_selinux" "8" "publicfile" "dwalsh@redhat.com" "publicfile SELinux Policy documentation" +.SH "NAME" +publicfile_selinux \- Security Enhanced Linux Policy for the publicfile processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B publicfile -+(publicfile supplies files to the public through HTTP and FTP) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the publicfile processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -37714,7 +40453,7 @@ index 0000000..0235c45 +/usr/bin/httpd, /usr/bin/ftpd + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -37759,23 +40498,40 @@ index 0000000..0235c45 +selinux(8), publicfile(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/pulseaudio_selinux.8 b/man/man8/pulseaudio_selinux.8 new file mode 100644 -index 0000000..8ca72d3 +index 0000000..0f86fa2 --- /dev/null 
+++ b/man/man8/pulseaudio_selinux.8 -@@ -0,0 +1,139 @@ +@@ -0,0 +1,158 @@ +.TH "pulseaudio_selinux" "8" "pulseaudio" "dwalsh@redhat.com" "pulseaudio SELinux Policy documentation" +.SH "NAME" +pulseaudio_selinux \- Security Enhanced Linux Policy for the pulseaudio processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pulseaudio -+(Pulseaudio network sound server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pulseaudio processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the pulseaudio_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pulseaudio_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the pulseaudio_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -37806,7 +40562,7 @@ index 0000000..8ca72d3 +.br +.TP 5 +Paths: -+/root/\.pulse-cookie, /root/\.pulse(/.*)? ++/root/\.pulse-cookie, /root/\.pulse(/.*)?, /root/\.esd_auth + +.EX +.PP @@ -37833,7 +40589,7 @@ index 0000000..8ca72d3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -37860,7 +40616,9 @@ index 0000000..8ca72d3 + + +Default Defined Ports: -+tcp 8021 ++tcp 4713 ++.EE ++udp 4713 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -37904,24 +40662,18 @@ index 0000000..8ca72d3 +selinux(8), pulseaudio(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/puppet_selinux.8 b/man/man8/puppet_selinux.8 new file mode 100644 -index 0000000..c558047 +index 0000000..93b35ab --- /dev/null +++ b/man/man8/puppet_selinux.8 -@@ -0,0 +1,205 @@ +@@ -0,0 +1,222 @@ +.TH "puppet_selinux" "8" "puppet" "dwalsh@redhat.com" "puppet SELinux Policy documentation" +.SH "NAME" +puppet_selinux \- Security Enhanced Linux Policy for the puppet processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B puppet -+(Puppet client daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the puppet processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. puppet policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppet with the tightest access possible. + 
@@ -37940,6 +40692,29 @@ index 0000000..c558047 +.B setsebool -P puppetmaster_use_db 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the puppetmaster_t, puppet_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the puppetmaster_t, puppet_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the puppetmaster_t, puppet_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -38040,7 +40815,7 @@ index 0000000..c558047 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38067,7 +40842,7 @@ index 0000000..c558047 + + +Default Defined Ports: -+tcp 8021 ++tcp 8140 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -38116,17 +40891,19 @@ index 0000000..c558047 \ No newline at end of file diff --git a/man/man8/puppetca_selinux.8 b/man/man8/puppetca_selinux.8 new file mode 100644 -index 0000000..eb647c7 +index 0000000..7e4543c --- /dev/null 
+++ b/man/man8/puppetca_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "puppetca_selinux" "8" "puppetca" "dwalsh@redhat.com" "puppetca SELinux Policy documentation" +.SH "NAME" +puppetca_selinux \- Security Enhanced Linux Policy for the puppetca processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the puppetca processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -38148,7 +40925,7 @@ index 0000000..eb647c7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38193,17 +40970,17 @@ index 0000000..eb647c7 +selinux(8), puppetca(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/puppetmaster_selinux.8 b/man/man8/puppetmaster_selinux.8 new file mode 100644 -index 0000000..5d07daa +index 0000000..b464763 --- /dev/null +++ b/man/man8/puppetmaster_selinux.8 -@@ -0,0 +1,102 @@ +@@ -0,0 +1,125 @@ +.TH "puppetmaster_selinux" "8" "puppetmaster" "dwalsh@redhat.com" "puppetmaster SELinux Policy documentation" +.SH "NAME" +puppetmaster_selinux \- Security Enhanced Linux Policy for the puppetmaster processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the puppetmaster processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. puppetmaster policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppetmaster with the tightest access possible. 
@@ -38216,6 +40993,29 @@ index 0000000..5d07daa +.B setsebool -P puppetmaster_use_db 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the puppetmaster_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the puppetmaster_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the puppetmaster_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -38252,7 +41052,7 @@ index 0000000..5d07daa + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38302,23 +41102,40 @@ index 0000000..5d07daa \ No newline at end of file diff --git a/man/man8/pyicqt_selinux.8 b/man/man8/pyicqt_selinux.8 new file mode 100644 -index 0000000..7c291ab +index 0000000..9ce47d2 --- /dev/null 
+++ b/man/man8/pyicqt_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,118 @@ +.TH "pyicqt_selinux" "8" "pyicqt" "dwalsh@redhat.com" "pyicqt SELinux Policy documentation" +.SH "NAME" +pyicqt_selinux \- Security Enhanced Linux Policy for the pyicqt processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B pyicqt -+(PyICQt is an ICQ transport for XMPP server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the pyicqt processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the pyicqt_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the pyicqt_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the pyicqt_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -38364,7 +41181,7 @@ index 0000000..7c291ab + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38409,17 +41226,40 @@ index 0000000..7c291ab +selinux(8), pyicqt(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/qdiskd_selinux.8 b/man/man8/qdiskd_selinux.8 new file mode 100644 -index 0000000..fe306cf +index 0000000..669dbfb --- /dev/null 
+++ b/man/man8/qdiskd_selinux.8 -@@ -0,0 +1,103 @@ +@@ -0,0 +1,126 @@ +.TH "qdiskd_selinux" "8" "qdiskd" "dwalsh@redhat.com" "qdiskd SELinux Policy documentation" +.SH "NAME" +qdiskd_selinux \- Security Enhanced Linux Policy for the qdiskd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the qdiskd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the qdiskd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the qdiskd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the qdiskd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -38473,7 +41313,7 @@ index 0000000..fe306cf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38518,24 +41358,18 @@ index 0000000..fe306cf +selinux(8), qdiskd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/qemu_selinux.8 b/man/man8/qemu_selinux.8 new file mode 100644 -index 0000000..1ca4c43 +index 0000000..d303a54 --- /dev/null 
+++ b/man/man8/qemu_selinux.8 -@@ -0,0 +1,151 @@ +@@ -0,0 +1,147 @@ +.TH "qemu_selinux" "8" "qemu" "dwalsh@redhat.com" "qemu SELinux Policy documentation" +.SH "NAME" +qemu_selinux \- Security Enhanced Linux Policy for the qemu processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B qemu -+(QEMU machine emulator and virtualizer) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the qemu processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. qemu policy is extremely flexible and has several booleans that allow you to manipulate the policy and run qemu with the tightest access possible. + @@ -38582,6 +41416,8 @@ index 0000000..1ca4c43 +.B setsebool -P xend_run_qemu 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -38626,7 +41462,7 @@ index 0000000..1ca4c43 +/var/run/libvirt/qemu(/.*)?, /var/lib/libvirt/qemu(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38676,23 +41512,40 @@ index 0000000..1ca4c43 \ No newline at end of file diff --git a/man/man8/qmail_selinux.8 b/man/man8/qmail_selinux.8 new file mode 100644 -index 0000000..d0f7752 +index 0000000..0601a98 --- /dev/null 
+++ b/man/man8/qmail_selinux.8 -@@ -0,0 +1,213 @@ +@@ -0,0 +1,230 @@ +.TH "qmail_selinux" "8" "qmail" "dwalsh@redhat.com" "qmail SELinux Policy documentation" +.SH "NAME" +qmail_selinux \- Security Enhanced Linux Policy for the qmail processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B qmail -+(Qmail Mail Server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the qmail processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the qmail_local_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the qmail_local_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the qmail_local_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -38850,7 +41703,7 @@ index 0000000..d0f7752 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -38895,17 +41748,19 @@ index 0000000..d0f7752 +selinux(8), qmail(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/qpidd_selinux.8 b/man/man8/qpidd_selinux.8 new file mode 100644 -index 0000000..712a06e +index 0000000..3f60e17 --- /dev/null 
+++ b/man/man8/qpidd_selinux.8 -@@ -0,0 +1,107 @@ +@@ -0,0 +1,109 @@ +.TH "qpidd_selinux" "8" "qpidd" "dwalsh@redhat.com" "qpidd SELinux Policy documentation" +.SH "NAME" +qpidd_selinux \- Security Enhanced Linux Policy for the qpidd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the qpidd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -38963,7 +41818,7 @@ index 0000000..712a06e +/var/run/qpidd(/.*)?, /var/run/qpidd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39008,17 +41863,40 @@ index 0000000..712a06e +selinux(8), qpidd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/quantum_selinux.8 b/man/man8/quantum_selinux.8 new file mode 100644 -index 0000000..779196e +index 0000000..a94269a --- /dev/null 
+++ b/man/man8/quantum_selinux.8 -@@ -0,0 +1,107 @@ +@@ -0,0 +1,156 @@ +.TH "quantum_selinux" "8" "quantum" "dwalsh@redhat.com" "quantum SELinux Policy documentation" +.SH "NAME" +quantum_selinux \- Security Enhanced Linux Policy for the quantum processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the quantum processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the quantum_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the quantum_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the quantum_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -39076,12 +41954,35 @@ index 0000000..779196e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon +to apply the labels. + ++.SH PORT TYPES ++SELinux defines port types to represent TCP and UDP ports. ++.PP ++You can see the types associated with a port by using the following command: ++ ++.B semanage port -l ++ ++.PP ++Policy governs the access confined processes have to these ports. ++SELinux quantum policy is very flexible allowing users to setup their quantum processes in as secure a method as possible. ++.PP ++The following port types are defined for quantum: ++ ++.EX ++.TP 5 ++.B quantum_port_t ++.TP 10 ++.EE ++ ++ ++Default Defined Ports: ++tcp 9696 ++.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP @@ -39110,6 +42011,9 @@ index 0000000..779196e +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage port ++can also be used to manipulate the port definitions ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -39121,23 +42025,40 @@ index 0000000..779196e +selinux(8), quantum(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/quota_selinux.8 b/man/man8/quota_selinux.8 new file mode 100644 -index 0000000..b90411d +index 0000000..bafc815 --- /dev/null 
+++ b/man/man8/quota_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,134 @@ +.TH "quota_selinux" "8" "quota" "dwalsh@redhat.com" "quota SELinux Policy documentation" +.SH "NAME" +quota_selinux \- Security Enhanced Linux Policy for the quota processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B quota -+(File system quota management) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the quota processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the quota_nld_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the quota_nld_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the quota_nld_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -39160,7 +42081,7 @@ index 0000000..b90411d +.br +.TP 5 +Paths: -+/boot/a?quota\.(user|group), /etc/a?quota\.(user|group), /var/lib/stickshift/a?quota\.(user|group), /a?quota\.(user|group), /var/a?quota\.(user|group), /var/spool/(.*/)?a?quota\.(user|group) ++/boot/a?quota\.(user|group), /etc/a?quota\.(user|group), /a?quota\.(user|group), /var/a?quota\.(user|group), /var/spool/(.*/)?a?quota\.(user|group) + +.EX +.PP 
@@ -39199,7 +42120,7 @@ index 0000000..b90411d + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39244,23 +42165,19 @@ index 0000000..b90411d +selinux(8), quota(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rabbitmq_selinux.8 b/man/man8/rabbitmq_selinux.8 new file mode 100644 -index 0000000..dc1fda5 +index 0000000..0a0b7e4 --- /dev/null +++ b/man/man8/rabbitmq_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "rabbitmq_selinux" "8" "rabbitmq" "dwalsh@redhat.com" "rabbitmq SELinux Policy documentation" +.SH "NAME" +rabbitmq_selinux \- Security Enhanced Linux Policy for the rabbitmq processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rabbitmq -+(policy for rabbitmq) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rabbitmq processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -39306,7 +42223,7 @@ index 0000000..dc1fda5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39351,17 +42268,17 @@ index 0000000..dc1fda5 +selinux(8), rabbitmq(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/racoon_selinux.8 b/man/man8/racoon_selinux.8 new file mode 100644 -index 0000000..d573221 +index 0000000..b3464fe --- /dev/null +++ b/man/man8/racoon_selinux.8 -@@ -0,0 +1,94 @@ +@@ -0,0 +1,117 @@ +.TH "racoon_selinux" "8" "racoon" "dwalsh@redhat.com" "racoon SELinux Policy documentation" +.SH "NAME" +racoon_selinux \- Security Enhanced Linux Policy for the racoon processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the racoon processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. racoon policy is extremely flexible and has several booleans that allow you to manipulate the policy and run racoon with the tightest access possible. @@ -39374,6 +42291,29 @@ index 0000000..d573221 +.B setsebool -P racoon_read_shadow 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the racoon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the racoon_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the racoon_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -39402,7 +42342,7 @@ index 0000000..d573221 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -39452,17 +42392,17 @@ index 0000000..d573221 \ No newline at end of file diff --git a/man/man8/radiusd_selinux.8 b/man/man8/radiusd_selinux.8 new file mode 100644 -index 0000000..6494aab +index 0000000..235a92b --- /dev/null +++ b/man/man8/radiusd_selinux.8 -@@ -0,0 +1,172 @@ +@@ -0,0 +1,195 @@ +.TH "radiusd_selinux" "8" "radiusd" "dwalsh@redhat.com" "radiusd SELinux Policy documentation" +.SH "NAME" +radiusd_selinux \- Security Enhanced Linux Policy for the radiusd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the radiusd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. radiusd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run radiusd with the tightest access possible. @@ -39475,6 +42415,29 @@ index 0000000..6494aab +.B setsebool -P authlogin_radius 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the radiusd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the radiusd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the radiusd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -39555,7 +42518,7 @@ index 0000000..6494aab +/var/run/radiusd\.pid, /var/run/radiusd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39582,7 +42545,7 @@ index 0000000..6494aab + + +Default Defined Ports: -+tcp 8021 ++udp 1645,1812 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -39631,23 +42594,40 @@ index 0000000..6494aab \ No newline at end of file diff --git a/man/man8/radvd_selinux.8 b/man/man8/radvd_selinux.8 new file mode 100644 -index 0000000..e7f45e9 +index 0000000..f9ad4c2 --- /dev/null 
+++ b/man/man8/radvd_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,122 @@ +.TH "radvd_selinux" "8" "radvd" "dwalsh@redhat.com" "radvd SELinux Policy documentation" +.SH "NAME" +radvd_selinux \- Security Enhanced Linux Policy for the radvd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B radvd -+(IPv6 router advertisement daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the radvd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the radvd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the radvd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the radvd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -39697,7 +42677,7 @@ index 0000000..e7f45e9 +/var/run/radvd(/.*)?, /var/run/radvd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39742,23 +42722,19 @@ index 0000000..e7f45e9 +selinux(8), radvd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rdisc_selinux.8 b/man/man8/rdisc_selinux.8 new file mode 100644 -index 0000000..f04f9bd +index 0000000..a06b607 --- /dev/null 
+++ b/man/man8/rdisc_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,77 @@ +.TH "rdisc_selinux" "8" "rdisc" "dwalsh@redhat.com" "rdisc SELinux Policy documentation" +.SH "NAME" +rdisc_selinux \- Security Enhanced Linux Policy for the rdisc processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rdisc -+(Network router discovery daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rdisc processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -39784,7 +42760,7 @@ index 0000000..f04f9bd +/sbin/rdisc, /usr/sbin/rdisc + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39829,23 +42805,19 @@ index 0000000..f04f9bd +selinux(8), rdisc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/readahead_selinux.8 b/man/man8/readahead_selinux.8 new file mode 100644 -index 0000000..7966b58 +index 0000000..ef18581 --- /dev/null 
+++ b/man/man8/readahead_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "readahead_selinux" "8" "readahead" "dwalsh@redhat.com" "readahead SELinux Policy documentation" +.SH "NAME" +readahead_selinux \- Security Enhanced Linux Policy for the readahead processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B readahead -+(Readahead, read files into page cache for improved performance) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the readahead processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -39868,7 +42840,7 @@ index 0000000..7966b58 +.br +.TP 5 +Paths: -+/lib/systemd/systemd-readahead.*, /sbin/readahead.*, /usr/lib/systemd/systemd-readahead.*, /usr/sbin/readahead.* ++/sbin/readahead.*, /usr/lib/systemd/systemd-readahead.*, /usr/sbin/readahead.* + +.EX +.PP @@ -39891,7 +42863,7 @@ index 0000000..7966b58 +/var/run/systemd/readahead(/.*)?, /dev/\.systemd/readahead(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -39936,17 +42908,40 @@ index 0000000..7966b58 +selinux(8), readahead(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/regex_selinux.8 b/man/man8/regex_selinux.8 new file mode 100644 -index 0000000..529dc44 +index 0000000..6727bcf --- /dev/null 
+++ b/man/man8/regex_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,102 @@ +.TH "regex_selinux" "8" "regex" "dwalsh@redhat.com" "regex SELinux Policy documentation" +.SH "NAME" +regex_selinux \- Security Enhanced Linux Policy for the regex processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the regex processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the regex_milter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the regex_milter_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the regex_milter_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -39976,7 +42971,7 @@ index 0000000..529dc44 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40021,17 +43016,40 @@ index 0000000..529dc44 +selinux(8), regex(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/restorecond_selinux.8 b/man/man8/restorecond_selinux.8 new file mode 100644 -index 0000000..5258999 +index 0000000..ed3a488 --- /dev/null 
+++ b/man/man8/restorecond_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,102 @@ +.TH "restorecond_selinux" "8" "restorecond" "dwalsh@redhat.com" "restorecond SELinux Policy documentation" +.SH "NAME" +restorecond_selinux \- Security Enhanced Linux Policy for the restorecond processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the restorecond processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the restorecond_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the restorecond_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the restorecond_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -40061,7 +43079,7 @@ index 0000000..5258999 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40106,24 +43124,18 @@ index 0000000..5258999 +selinux(8), restorecond(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rgmanager_selinux.8 b/man/man8/rgmanager_selinux.8 new file mode 100644 -index 0000000..b003935 +index 0000000..86d5153 --- /dev/null 
+++ b/man/man8/rgmanager_selinux.8 -@@ -0,0 +1,136 @@ +@@ -0,0 +1,153 @@ +.TH "rgmanager_selinux" "8" "rgmanager" "dwalsh@redhat.com" "rgmanager SELinux Policy documentation" +.SH "NAME" +rgmanager_selinux \- Security Enhanced Linux Policy for the rgmanager processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rgmanager -+(rgmanager - Resource Group Manager) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rgmanager processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. rgmanager policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rgmanager with the tightest access possible. + @@ -40135,6 +43147,29 @@ index 0000000..b003935 +.B setsebool -P rgmanager_can_network_connect 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the rgmanager_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rgmanager_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the rgmanager_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -40199,7 +43234,7 @@ index 0000000..b003935 +/var/run/rgmanager\.pid, /var/run/cluster/rgmanager\.sk + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40249,23 +43284,40 @@ index 0000000..b003935 \ No newline at end of file diff --git a/man/man8/rhev_selinux.8 b/man/man8/rhev_selinux.8 new file mode 100644 -index 0000000..36bcd5b +index 0000000..0febb1a --- /dev/null +++ b/man/man8/rhev_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,130 @@ +.TH "rhev_selinux" "8" "rhev" "dwalsh@redhat.com" "rhev SELinux Policy documentation" +.SH "NAME" +rhev_selinux \- Security Enhanced Linux Policy for the rhev processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rhev -+(rhev polic module contains policies for rhev apps) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rhev processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the rhev_agentd_t, rhev_agentd_consolehelper_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -40313,10 +43365,6 @@ index 0000000..36bcd5b + +- Set files with the rhev_agentd_unit_file_t type, if you want to treat the files as rhev agentd unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/ovirt-guest-agent\.serviceservice, /lib/systemd/system/ovirt-guest-agent\.service + +.EX +.PP @@ -40327,7 +43375,7 @@ index 0000000..36bcd5b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40372,23 +43420,19 @@ index 0000000..36bcd5b +selinux(8), rhev(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rhgb_selinux.8 b/man/man8/rhgb_selinux.8 new file mode 100644 -index 0000000..af7a010 +index 0000000..b9ec7f2 --- /dev/null +++ b/man/man8/rhgb_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,81 @@ +.TH "rhgb_selinux" "8" "rhgb" "dwalsh@redhat.com" "rhgb SELinux Policy documentation" +.SH "NAME" +rhgb_selinux \- Security Enhanced Linux Policy for the rhgb processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rhgb -+( Red Hat Graphical Boot ) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rhgb processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -40418,7 +43462,7 @@ index 0000000..af7a010 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40463,23 +43507,19 @@ index 0000000..af7a010 +selinux(8), rhgb(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rhsmcertd_selinux.8 b/man/man8/rhsmcertd_selinux.8 new file mode 100644 -index 0000000..0ba79be +index 0000000..f3d9aae --- /dev/null +++ b/man/man8/rhsmcertd_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,121 @@ +.TH "rhsmcertd_selinux" "8" "rhsmcertd" "dwalsh@redhat.com" "rhsmcertd SELinux Policy documentation" +.SH "NAME" +rhsmcertd_selinux \- Security Enhanced Linux Policy for the rhsmcertd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rhsmcertd -+(Subscription Management Certificate Daemon policy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rhsmcertd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -40499,6 +43539,10 @@ index 0000000..0ba79be + +- Set files with the rhsmcertd_exec_t type, if you want to transition an executable to the rhsmcertd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/bin/rhsmcertd, /usr/sbin/rhnsd + +.EX +.PP 
@@ -40539,9 +43583,13 @@ index 0000000..0ba79be + +- Set files with the rhsmcertd_var_run_t type, if you want to store the rhsmcertd files under the /run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/rhsm(/.*)?, /var/run/rhnsd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40586,23 +43634,40 @@ index 0000000..0ba79be +selinux(8), rhsmcertd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ricci_selinux.8 b/man/man8/ricci_selinux.8 new file mode 100644 -index 0000000..3a36033 +index 0000000..458b0d7 --- /dev/null 
+++ b/man/man8/ricci_selinux.8 -@@ -0,0 +1,246 @@ +@@ -0,0 +1,267 @@ +.TH "ricci_selinux" "8" "ricci" "dwalsh@redhat.com" "ricci SELinux Policy documentation" +.SH "NAME" +ricci_selinux \- Security Enhanced Linux Policy for the ricci processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ricci -+(Ricci cluster management agent) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ricci processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the ricci_modstorage_t, ricci_modcluster_t, ricci_modclusterd_t, ricci_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -40756,7 +43821,7 @@ index 0000000..3a36033 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -40783,7 +43848,9 @@ index 0000000..3a36033 + + +Default Defined Ports: -+tcp 8021 ++tcp 16851 ++.EE ++udp 16851 +.EE + +.EX 
@@ -40794,7 +43861,9 @@ index 0000000..3a36033 + + +Default Defined Ports: -+tcp 8021 ++tcp 11111 ++.EE ++udp 11111 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -40838,17 +43907,40 @@ index 0000000..3a36033 +selinux(8), ricci(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rlogind_selinux.8 b/man/man8/rlogind_selinux.8 new file mode 100644 -index 0000000..b86f39b +index 0000000..29b4788 --- /dev/null +++ b/man/man8/rlogind_selinux.8 -@@ -0,0 +1,137 @@ +@@ -0,0 +1,160 @@ +.TH "rlogind_selinux" "8" "rlogind" "dwalsh@redhat.com" "rlogind SELinux Policy documentation" +.SH "NAME" +rlogind_selinux \- Security Enhanced Linux Policy for the rlogind processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the rlogind processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the rlogind_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rlogind_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the rlogind_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -40910,7 +44002,7 @@ index 0000000..b86f39b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -40937,7 +44029,7 @@ index 0000000..b86f39b + + +Default Defined Ports: -+tcp 8021 ++tcp 513 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -40981,23 +44073,19 @@ index 0000000..b86f39b +selinux(8), rlogind(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/roundup_selinux.8 b/man/man8/roundup_selinux.8 new file mode 100644 -index 0000000..5269077 +index 0000000..d5119ed --- /dev/null +++ b/man/man8/roundup_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "roundup_selinux" "8" "roundup" "dwalsh@redhat.com" "roundup SELinux Policy documentation" +.SH "NAME" +roundup_selinux \- Security Enhanced Linux Policy for the roundup processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B roundup -+(Roundup Issue Tracking System policy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the roundup processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -41043,7 +44131,7 @@ index 0000000..5269077 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41088,23 +44176,19 @@ index 0000000..5269077 +selinux(8), roundup(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rpcbind_selinux.8 b/man/man8/rpcbind_selinux.8 new file mode 100644 -index 0000000..8fdfc21 +index 0000000..5089077 --- /dev/null 
+++ b/man/man8/rpcbind_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,109 @@ +.TH "rpcbind_selinux" "8" "rpcbind" "dwalsh@redhat.com" "rpcbind SELinux Policy documentation" +.SH "NAME" +rpcbind_selinux \- Security Enhanced Linux Policy for the rpcbind processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rpcbind -+(Universal Addresses to RPC Program Number Mapper) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rpcbind processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -41162,7 +44246,7 @@ index 0000000..8fdfc21 +/var/run/rpcbind\.sock, /var/run/rpcbind\.lock, /var/run/rpc.statd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41207,17 +44291,40 @@ index 0000000..8fdfc21 +selinux(8), rpcbind(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rpcd_selinux.8 b/man/man8/rpcd_selinux.8 new file mode 100644 -index 0000000..f86ef74 +index 0000000..d627f4c --- /dev/null 
+++ b/man/man8/rpcd_selinux.8 -@@ -0,0 +1,119 @@ +@@ -0,0 +1,130 @@ +.TH "rpcd_selinux" "8" "rpcd" "dwalsh@redhat.com" "rpcd SELinux Policy documentation" +.SH "NAME" +rpcd_selinux \- Security Enhanced Linux Policy for the rpcd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the rpcd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the rpcd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rpcd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the rpcd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -41232,14 +44339,6 @@ index 0000000..f86ef74 + +.EX +.PP -+.B rpc_pipefs_t -+.EE -+ -+- Set files with the rpc_pipefs_t type, if you want to treat the files as rpc pipefs data. -+ -+ -+.EX -+.PP +.B rpcd_exec_t +.EE + @@ -41269,10 +44368,6 @@ index 0000000..f86ef74 + +- Set files with the rpcd_unit_file_t type, if you want to treat the files as rpcd unit content. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/system/rpc.*, /usr/lib/systemd/system/rpc.* + +.EX +.PP @@ -41287,7 +44382,7 @@ index 0000000..f86ef74 +/var/run/rpc\.statd(/.*)?, /var/run/rpc\.statd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -41332,23 +44427,40 @@ index 0000000..f86ef74 +selinux(8), rpcd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rpm_selinux.8 b/man/man8/rpm_selinux.8 new file mode 100644 -index 0000000..2c01fa3 +index 0000000..4337d0e --- /dev/null +++ b/man/man8/rpm_selinux.8 -@@ -0,0 +1,177 @@ +@@ -0,0 +1,190 @@ +.TH "rpm_selinux" "8" "rpm" "dwalsh@redhat.com" "rpm SELinux Policy documentation" +.SH "NAME" +rpm_selinux \- Security Enhanced Linux Policy for the rpm processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rpm -+(Policy for the RPM package manager) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rpm processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the rpm_script_t, rpm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rpm_script_t, rpm_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the rpm_script_t, rpm_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -41371,7 +44483,7 @@ index 0000000..2c01fa3 +.br +.TP 5 +Paths: -+/usr/bin/apt-get, /usr/libexec/yumDBUSBackend.py, /usr/sbin/rhn_check, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/synaptic, /usr/share/yumex/yumex-yum-backend, /usr/sbin/yum-updatesd, /usr/sbin/pup, /usr/libexec/packagekitd, /usr/bin/apt-shell, /usr/sbin/pirut, /usr/bin/package-cleanup, /usr/bin/fedora-rmdevelrpms, /bin/rpm, /usr/bin/yum, /usr/sbin/system-install-packages, /usr/bin/zif, /usr/bin/rpm, /usr/sbin/yum-complete-transaction, /usr/bin/smart, /usr/sbin/packagekitd, /usr/sbin/rhnreg_ks, /usr/share/yumex/yum_childtask\.py, /usr/sbin/up2date ++/usr/bin/apt-get, /usr/sbin/bcfg2, /usr/sbin/rhn_check, /usr/bin/rpmdev-rmdevelrpms, /usr/sbin/synaptic, /usr/share/yumex/yumex-yum-backend, /usr/bin/apt-shell, /usr/sbin/yum-updatesd, /usr/sbin/pup, /usr/libexec/packagekitd, /usr/libexec/yumDBUSBackend.py, /usr/sbin/pirut, /usr/bin/package-cleanup, /usr/bin/fedora-rmdevelrpms, /bin/rpm, /usr/bin/yum, /usr/sbin/system-install-packages, /usr/bin/zif, /usr/bin/rpm, /usr/sbin/yum-complete-transaction, /usr/bin/smart, /usr/sbin/packagekitd, /usr/sbin/rhnreg_ks, /usr/share/yumex/yum_childtask\.py, /usr/sbin/up2date + +.EX +.PP @@ -41388,10 +44500,6 @@ index 0000000..2c01fa3 + +- Set files with the rpm_log_t type, if you want to treat the data as rpm log data, usually stored under the /var/log directory. + -+.br -+.TP 5 -+Paths: -+/var/log/yum\.log.*, /var/log/rpmpkgs.* + +.EX +.PP @@ -41470,7 +44578,7 @@ index 0000000..2c01fa3 +/var/run/PackageKit(/.*)?, /var/run/yum.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -41515,23 +44623,40 @@ index 0000000..2c01fa3 +selinux(8), rpm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rshd_selinux.8 b/man/man8/rshd_selinux.8 new file mode 100644 -index 0000000..929f616 +index 0000000..14fd9b9 --- /dev/null +++ b/man/man8/rshd_selinux.8 -@@ -0,0 +1,115 @@ +@@ -0,0 +1,132 @@ +.TH "rshd_selinux" "8" "rshd" "dwalsh@redhat.com" "rshd SELinux Policy documentation" +.SH "NAME" +rshd_selinux \- Security Enhanced Linux Policy for the rshd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rshd -+(Remote shell service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rshd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the rshd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the rshd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the rshd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -41565,7 +44690,7 @@ index 0000000..929f616 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -41592,7 +44717,7 @@ index 0000000..929f616 + + +Default Defined Ports: -+tcp 8021 ++tcp 514 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -41636,23 +44761,40 @@ index 0000000..929f616 +selinux(8), rshd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rssh_selinux.8 b/man/man8/rssh_selinux.8 new file mode 100644 -index 0000000..fea92f8 +index 0000000..ddcbd3b --- /dev/null +++ b/man/man8/rssh_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,118 @@ +.TH "rssh_selinux" "8" "rssh" "dwalsh@redhat.com" "rssh SELinux Policy documentation" +.SH "NAME" +rssh_selinux \- Security Enhanced Linux Policy for the rssh processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rssh -+(Restricted (scp/sftp) only shell) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rssh processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the rssh_chroot_helper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rssh_chroot_helper_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the rssh_chroot_helper_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -41698,7 +44840,7 @@ index 0000000..fea92f8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41742,10 +44884,10 @@ index 0000000..fea92f8 +.SH "SEE ALSO" +selinux(8), rssh(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8 -index ad9ccf5..65a1b3e 100644 +index ad9ccf5..0bc3b79 100644 --- a/man/man8/rsync_selinux.8 +++ b/man/man8/rsync_selinux.8 -@@ -1,52 +1,205 @@ +@@ -1,52 +1,224 @@ -.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation" -.de EX -.nf @@ -41762,11 +44904,7 @@ index ad9ccf5..65a1b3e 100644 .SH "DESCRIPTION" -Security-Enhanced Linux secures the rsync server via flexible mandatory access -+ -+SELinux Linux secures -+.B rsync -+(Fast incremental file transfer for synchronization) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rsync processes via flexible mandatory access control. -.SH FILE_CONTEXTS -SELinux requires files to have an extended attribute to define the file type. @@ -41779,8 +44917,6 @@ index ad9ccf5..65a1b3e 100644 -.TP -To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration: + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. rsync policy is extremely flexible and has several booleans that allow you to manipulate the policy and run rsync with the tightest access possible. + 
@@ -41813,6 +44949,29 @@ index ad9ccf5..65a1b3e 100644 +.B setsebool -P rsync_use_cifs 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the rsync_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rsync_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the rsync_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. .TP @@ -41831,7 +44990,7 @@ index ad9ccf5..65a1b3e 100644 -Run the restorecon command to apply the changes: -.TP -restorecon -R -v /var/rsync/ -+Allow rsync servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_rsync_anon_write boolean to be set. ++Allow rsync servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_rsyncd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/rsync/incoming(/.*)?" 
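Review bot: The boolean named in the rsync SHARING FILES paragraph changes from `allow_rsync_anon_write` to `allow_rsyncd_anon_write`, and nothing visible in this hunk shows which name the policy defines; if the new name is wrong, the documented `setsebool` step fails and the reader may fall back to a broader workaround, so it should be checked against the policy's boolean list (the page's BOOLEANS section lies outside this hunk). The same paragraph says the writable directory is `/var/tmp/incoming`, while the `semanage fcontext` example directly below labels `/var/rsync/incoming(/.*)?`; the prose and the command should name the same path. Because `public_content_rw_t` together with the anon-write boolean grants write access to an exported tree, a sentence advising that only the upload directory be given that type would be a useful addition.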
@@ -41912,7 +45071,7 @@ index ad9ccf5..65a1b3e 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -41939,7 +45098,9 @@ index ad9ccf5..65a1b3e 100644 + + +Default Defined Ports: -+tcp 8021 ++tcp 873 ++.EE ++udp 873 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -41990,23 +45151,40 @@ index ad9ccf5..65a1b3e 100644 \ No newline at end of file diff --git a/man/man8/rtkit_selinux.8 b/man/man8/rtkit_selinux.8 new file mode 100644 -index 0000000..50cb948 +index 0000000..d7de40f --- /dev/null 
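Review bot: In the rsync `Default Defined Ports` block the new lines put `.EE` between `tcp 873` and `udp 873`, so the example block closes after the first port and the final `.EE` has no matching `.EX`. The `udp 873` line therefore renders outside the block. Dropping the first `.EE` keeps both ports inside one block: `tcp 873`, `udp 873`, `.EE`. The single-protocol port hunks in this patch (rshd `tcp 514`, rwho `udp 513`) do not show the problem, so it presumably comes from the generator closing the block inside its per-protocol loop.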
+++ b/man/man8/rtkit_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,94 @@ +.TH "rtkit_selinux" "8" "rtkit" "dwalsh@redhat.com" "rtkit SELinux Policy documentation" +.SH "NAME" +rtkit_selinux \- Security Enhanced Linux Policy for the rtkit processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rtkit -+(Realtime scheduling for user processes) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rtkit processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the rtkit_daemon_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the rtkit_daemon_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the rtkit_daemon_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -42028,7 +45206,7 @@ index 0000000..50cb948 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42073,23 +45251,30 @@ index 0000000..50cb948 +selinux(8), rtkit(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/run_selinux.8 b/man/man8/run_selinux.8 new file mode 100644 -index 0000000..75796ad +index 0000000..207ad7b --- /dev/null 
+++ b/man/man8/run_selinux.8 -@@ -0,0 +1,100 @@ +@@ -0,0 +1,130 @@ +.TH "run_selinux" "8" "run" "dwalsh@redhat.com" "run SELinux Policy documentation" +.SH "NAME" +run_selinux \- Security Enhanced Linux Policy for the run processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the run processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. run policy is extremely flexible and has several booleans that allow you to manipulate the policy and run run with the tightest access possible. + + +.PP ++If you want to allow Apache to run in stickshift mode, not transition to passenge, you must turn on the httpd_run_stickshift boolean. ++ ++.EX ++.B setsebool -P httpd_run_stickshift 1 ++.EE ++ ++.PP +If you want to allow xend to run qemu-dm. Not required if using paravirt and no vfb, you must turn on the xend_run_qemu boolean. + +.EX @@ -42110,6 +45295,29 @@ index 0000000..75796ad +.B setsebool -P samba_run_unconfined 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the run_init_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the run_init_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the run_init_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
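Review bot: The run_selinux page lists `httpd_run_stickshift` (added here) beside `xend_run_qemu` and `samba_run_unconfined` as booleans of the "run" policy, which suggests booleans are selected by a substring match on the page name rather than by the domain they govern. None of the three descriptions mentions the `run_init_t` domain this page documents, and a boolean such as `samba_run_unconfined` presented as a way to "run run with the tightest access possible" is misleading. Matching on the boolean's own module or on a `NAME_` prefix would keep unrelated booleans off the page; this hunk also carries the typo `passenge` for `passenger`. The BOOLEANS section continues into the next hunk.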
@@ -42130,7 +45338,7 @@ index 0000000..75796ad + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42180,23 +45388,19 @@ index 0000000..75796ad \ No newline at end of file diff --git a/man/man8/rwho_selinux.8 b/man/man8/rwho_selinux.8 new file mode 100644 -index 0000000..65c182c +index 0000000..0dade68 --- /dev/null +++ b/man/man8/rwho_selinux.8 -@@ -0,0 +1,127 @@ +@@ -0,0 +1,123 @@ +.TH "rwho_selinux" "8" "rwho" "dwalsh@redhat.com" "rwho SELinux Policy documentation" +.SH "NAME" +rwho_selinux \- Security Enhanced Linux Policy for the rwho processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B rwho -+(Who is logged in on other machines?) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the rwho processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -42242,7 +45446,7 @@ index 0000000..65c182c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42269,7 +45473,7 @@ index 0000000..65c182c + + +Default Defined Ports: -+tcp 8021 ++udp 513 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system 
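Review bot: The rwho page gains a `.SH NSSWITCH DOMAIN` heading with no text under it, followed immediately by `.SH FILE CONTEXTS`, so the rendered page shows an empty section. The same bare heading is added to the sblim, selinux, services, setfiles and setkey pages later in this patch. An empty security-relevant section reads as if content were lost, so the heading should be emitted only when at least one domain of the module is listed under it.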
@@ -42312,10 +45516,10 @@ index 0000000..65c182c +.SH "SEE ALSO" +selinux(8), rwho(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8 -index ca702c7..25316f0 100644 +index ca702c7..7613acd 100644 --- a/man/man8/samba_selinux.8 +++ b/man/man8/samba_selinux.8 -@@ -1,56 +1,269 @@ +@@ -1,56 +1,282 @@ -.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation" +.TH "samba_selinux" "8" "samba" "dwalsh@redhat.com" "samba SELinux Policy documentation" .SH "NAME" @@ -42324,15 +45528,7 @@ index ca702c7..25316f0 100644 .SH "DESCRIPTION" -Security-Enhanced Linux secures the Samba server via flexible mandatory access -+ -+SELinux Linux secures -+.B samba -+( -+SMB and CIFS client/server programs for UNIX and -+name Service Switch daemon for resolving names -+from Windows NT servers. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the samba processes via flexible mandatory access control. -.SH FILE_CONTEXTS -SELinux requires files to have an extended attribute to define the file type. @@ -42359,8 +45555,6 @@ index ca702c7..25316f0 100644 -If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute: - -setsebool -P allow_smbd_anon_write=1 -+ -+ .SH BOOLEANS -.br @@ -42436,7 +45630,7 @@ index ca702c7..25316f0 100644 +.EE + +.PP -+If you want to allow confined virtual guests to manage cifs file, you must turn on the sanlock_use_samba boolean. ++If you want to allow sanlock to manage cifs file, you must turn on the sanlock_use_samba boolean. + +.EX +.B setsebool -P sanlock_use_samba 1 
@@ -42456,6 +45650,29 @@ index ca702c7..25316f0 100644 +.B setsebool -P virt_use_samba 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the samba_net_t, sambagui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the samba_net_t, sambagui_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the samba_net_t, sambagui_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -42546,10 +45763,10 @@ index ca702c7..25316f0 100644 + +- Set files with the samba_unit_file_t type, if you want to treat the files as samba unit content. + -+.br + .br +.TP 5 +Paths: -+/lib/systemd/system/smb.service, /usr/lib/systemd/system/smb.service ++/usr/lib/systemd/system/smb.*, /usr/lib/systemd/system/nmb.* + +.EX +.PP @@ -42558,7 +45775,7 @@ index ca702c7..25316f0 100644 + +- Set files with the samba_var_t type, if you want to store the s files under the /var directory. + - .br ++.br +.TP 5 +Paths: +/var/spool/samba(/.*)?, /var/cache/samba(/.*)?, /var/lib/samba(/.*)? @@ -42572,7 +45789,7 @@ index ca702c7..25316f0 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42631,23 +45848,40 @@ index ca702c7..25316f0 100644 \ No newline at end of file 
diff --git a/man/man8/sambagui_selinux.8 b/man/man8/sambagui_selinux.8 new file mode 100644 -index 0000000..763d193 +index 0000000..5487bbb --- /dev/null +++ b/man/man8/sambagui_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,94 @@ +.TH "sambagui_selinux" "8" "sambagui" "dwalsh@redhat.com" "sambagui SELinux Policy documentation" +.SH "NAME" +sambagui_selinux \- Security Enhanced Linux Policy for the sambagui processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sambagui -+(system-config-samba dbus service policy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sambagui processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the sambagui_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sambagui_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the sambagui_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -42669,7 +45903,7 @@ index 0000000..763d193 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42714,24 +45948,18 @@ index 0000000..763d193 +selinux(8), sambagui(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/sandbox_selinux.8 b/man/man8/sandbox_selinux.8 new file mode 100644 -index 0000000..437feff +index 0000000..9014a56 --- /dev/null +++ b/man/man8/sandbox_selinux.8 -@@ -0,0 +1,148 @@ +@@ -0,0 +1,165 @@ +.TH "sandbox_selinux" "8" "sandbox" "dwalsh@redhat.com" "sandbox SELinux Policy documentation" +.SH "NAME" +sandbox_selinux \- Security Enhanced Linux Policy for the sandbox processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sandbox -+(policy for sandbox) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sandbox processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. sandbox policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sandbox with the tightest access possible. + 
@@ -42743,6 +45971,29 @@ index 0000000..437feff +.B setsebool -P unconfined_chrome_sandbox_transition 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the sandbox_min_t, sandbox_net_t, sandbox_web_client_t, sandbox_xserver_t, sandbox_web_t, sandbox_x_client_t, sandbox_x_t, sandbox_net_client_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sandbox_min_t, sandbox_net_t, sandbox_web_client_t, sandbox_xserver_t, sandbox_web_t, sandbox_x_client_t, sandbox_x_t, sandbox_net_client_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the sandbox_min_t, sandbox_net_t, sandbox_web_client_t, sandbox_xserver_t, sandbox_web_t, sandbox_x_client_t, sandbox_x_t, sandbox_net_client_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -42819,7 +46070,7 @@ index 0000000..437feff + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -42869,24 +46120,18 @@ index 0000000..437feff \ No newline at end of file diff --git a/man/man8/sanlock_selinux.8 b/man/man8/sanlock_selinux.8 new file mode 100644 -index 0000000..b15e691 +index 0000000..c7edf94 --- /dev/null 
+++ b/man/man8/sanlock_selinux.8 -@@ -0,0 +1,130 @@ +@@ -0,0 +1,147 @@ +.TH "sanlock_selinux" "8" "sanlock" "dwalsh@redhat.com" "sanlock SELinux Policy documentation" +.SH "NAME" +sanlock_selinux \- Security Enhanced Linux Policy for the sanlock processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sanlock -+(policy for sanlock) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sanlock processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. sanlock policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sanlock with the tightest access possible. + @@ -42899,19 +46144,42 @@ index 0000000..b15e691 +.EE + +.PP -+If you want to allow confined virtual guests to manage nfs file, you must turn on the sanlock_use_nfs boolean. ++If you want to allow sanlock to manage nfs file, you must turn on the sanlock_use_nfs boolean. + +.EX +.B setsebool -P sanlock_use_nfs 1 +.EE + +.PP -+If you want to allow confined virtual guests to manage cifs file, you must turn on the sanlock_use_samba boolean. ++If you want to allow sanlock to manage cifs file, you must turn on the sanlock_use_samba boolean. + +.EX +.B setsebool -P sanlock_use_samba 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the sanlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sanlock_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the sanlock_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -42956,7 +46224,7 @@ index 0000000..b15e691 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43006,17 +46274,17 @@ index 0000000..b15e691 \ No newline at end of file diff --git a/man/man8/saslauthd_selinux.8 b/man/man8/saslauthd_selinux.8 new file mode 100644 -index 0000000..8a922b3 +index 0000000..2c33215 --- /dev/null +++ b/man/man8/saslauthd_selinux.8 -@@ -0,0 +1,114 @@ +@@ -0,0 +1,137 @@ +.TH "saslauthd_selinux" "8" "saslauthd" "dwalsh@redhat.com" "saslauthd SELinux Policy documentation" +.SH "NAME" +saslauthd_selinux \- Security Enhanced Linux Policy for the saslauthd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the saslauthd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. saslauthd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run saslauthd with the tightest access possible. 
@@ -43029,6 +46297,29 @@ index 0000000..8a922b3 +.B setsebool -P allow_saslauthd_read_shadow 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the saslauthd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the saslauthd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the saslauthd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -43074,10 +46365,10 @@ index 0000000..8a922b3 +.br +.TP 5 +Paths: -+/var/lib/sasl2(/.*)?, /var/run/saslauthd(/.*)? ++/var/run/saslauthd(/.*)?, /var/lib/sasl2(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43127,23 +46418,19 @@ index 0000000..8a922b3 \ No newline at end of file diff --git a/man/man8/sblim_selinux.8 b/man/man8/sblim_selinux.8 new file mode 100644 -index 0000000..5c6807e +index 0000000..bae951c --- /dev/null 
+++ b/man/man8/sblim_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,89 @@ +.TH "sblim_selinux" "8" "sblim" "dwalsh@redhat.com" "sblim SELinux Policy documentation" +.SH "NAME" +sblim_selinux \- Security Enhanced Linux Policy for the sblim processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sblim -+( policy for SBLIM Gatherer ) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sblim processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -43181,7 +46468,7 @@ index 0000000..5c6807e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43297,23 +46584,40 @@ index 0000000..6bf3e2b +selinux(8), semanage(8). diff --git a/man/man8/sectoolm_selinux.8 b/man/man8/sectoolm_selinux.8 new file mode 100644 -index 0000000..232ac2e +index 0000000..eac0806 --- /dev/null 
+++ b/man/man8/sectoolm_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,94 @@ +.TH "sectoolm_selinux" "8" "sectoolm" "dwalsh@redhat.com" "sectoolm SELinux Policy documentation" +.SH "NAME" +sectoolm_selinux \- Security Enhanced Linux Policy for the sectoolm processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sectoolm -+(Sectool security audit tool) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sectoolm processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the sectoolm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sectoolm_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the sectoolm_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -43335,7 +46639,7 @@ index 0000000..232ac2e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43380,25 +46684,19 @@ index 0000000..232ac2e +selinux(8), sectoolm(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/selinux_selinux.8 b/man/man8/selinux_selinux.8 new file mode 100644 -index 0000000..42b09e3 +index 0000000..327ab18 --- /dev/null 
+++ b/man/man8/selinux_selinux.8 -@@ -0,0 +1,107 @@ +@@ -0,0 +1,101 @@ +.TH "selinux_selinux" "8" "selinux" "dwalsh@redhat.com" "selinux SELinux Policy documentation" +.SH "NAME" +selinux_selinux \- Security Enhanced Linux Policy for the selinux processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B selinux -+( -+Policy for kernel security interface, in particular, selinuxfs. -+) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the selinux processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -43421,7 +46719,7 @@ index 0000000..42b09e3 +.br +.TP 5 +Paths: -+/etc/selinux/([^/]*/)?users(/.*)?, /etc/selinux(/.*)?, /etc/selinux/([^/]*/)?seusers, /etc/selinux/([^/]*/)?setrans\.conf ++/etc/selinux/([^/]*/)?users(/.*)?, /etc/selinux/([^/]*/)?setrans\.conf, /etc/selinux(/.*)?, /etc/selinux/([^/]*/)?seusers + +.EX +.PP @@ -43448,7 +46746,7 @@ index 0000000..42b09e3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43493,17 +46791,40 @@ index 0000000..42b09e3 +selinux(8), selinux(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/semanage_selinux.8 b/man/man8/semanage_selinux.8 new file mode 100644 -index 0000000..ad680da +index 0000000..a135d27 --- /dev/null 
+++ b/man/man8/semanage_selinux.8 -@@ -0,0 +1,111 @@ +@@ -0,0 +1,134 @@ +.TH "semanage_selinux" "8" "semanage" "dwalsh@redhat.com" "semanage SELinux Policy documentation" +.SH "NAME" +semanage_selinux \- Security Enhanced Linux Policy for the semanage processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the semanage processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the semanage_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the semanage_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the semanage_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -43565,7 +46886,7 @@ index 0000000..ad680da + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43610,24 +46931,18 @@ index 0000000..ad680da +selinux(8), semanage(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/sendmail_selinux.8 b/man/man8/sendmail_selinux.8 new file mode 100644 -index 0000000..f2e3fa2 +index 0000000..e713f23 --- /dev/null 
+++ b/man/man8/sendmail_selinux.8 -@@ -0,0 +1,158 @@ +@@ -0,0 +1,175 @@ +.TH "sendmail_selinux" "8" "sendmail" "dwalsh@redhat.com" "sendmail SELinux Policy documentation" +.SH "NAME" +sendmail_selinux \- Security Enhanced Linux Policy for the sendmail processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sendmail -+(Policy for sendmail) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sendmail processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. sendmail policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sendmail with the tightest access possible. + @@ -43653,6 +46968,29 @@ index 0000000..f2e3fa2 +.B setsebool -P gitosis_can_sendmail 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the sendmail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sendmail_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the sendmail_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -43725,7 +47063,7 @@ index 0000000..f2e3fa2 +/var/run/sendmail\.pid, /var/run/sm-client\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43775,17 +47113,19 @@ index 0000000..f2e3fa2 \ No newline at end of file diff --git a/man/man8/services_selinux.8 b/man/man8/services_selinux.8 new file mode 100644 -index 0000000..08da721 +index 0000000..1004c86 --- /dev/null +++ b/man/man8/services_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,85 @@ +.TH "services_selinux" "8" "services" "dwalsh@redhat.com" "services SELinux Policy documentation" +.SH "NAME" +services_selinux \- Security Enhanced Linux Policy for the services processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the services processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -43808,7 +47148,7 @@ index 0000000..08da721 +.br +.TP 5 +Paths: -+/usr/share/munin/plugins/nut.*, /usr/share/munin/plugins/named, /usr/share/munin/plugins/varnish_.*, /usr/share/munin/plugins/tomcat_.*, /usr/share/munin/plugins/postgres_.*, /usr/share/munin/plugins/asterisk_.*, /usr/share/munin/plugins/lpstat, /usr/share/munin/plugins/mysql_.*, /usr/share/munin/plugins/slapd_.*, /usr/share/munin/plugins/apache_.*, /usr/share/munin/plugins/ping_, /usr/share/munin/plugins/squid_.*, /usr/share/munin/plugins/fail2ban, /usr/share/munin/plugins/openvpn, /usr/share/munin/plugins/snmp_.*, /usr/share/munin/plugins/samba, /usr/share/munin/plugins/ntp_.*, /usr/share/munin/plugins/http_loadtime ++/usr/share/munin/plugins/nut.*, /usr/share/munin/plugins/snmp_.*, /usr/share/munin/plugins/named, /usr/share/munin/plugins/varnish_.*, /usr/share/munin/plugins/tomcat_.*, /usr/share/munin/plugins/postgres_.*, /usr/share/munin/plugins/asterisk_.*, /usr/share/munin/plugins/lpstat, /usr/share/munin/plugins/mysql_.*, /usr/share/munin/plugins/slapd_.*, /usr/share/munin/plugins/apache_.*, /usr/share/munin/plugins/ping_, /usr/share/munin/plugins/squid_.*, /usr/share/munin/plugins/fail2ban, /usr/share/munin/plugins/openvpn, /usr/share/munin/plugins/samba, /usr/share/munin/plugins/ntp_.*, /usr/share/munin/plugins/http_loadtime + +.EX +.PP @@ -43819,7 +47159,7 @@ index 0000000..08da721 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43864,17 +47204,19 @@ index 0000000..08da721 +selinux(8), services(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/setfiles_selinux.8 b/man/man8/setfiles_selinux.8 new file mode 100644 -index 0000000..33dfb2f +index 0000000..00771fb --- /dev/null +++ b/man/man8/setfiles_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "setfiles_selinux" "8" "setfiles" "dwalsh@redhat.com" "setfiles SELinux Policy documentation" +.SH "NAME" +setfiles_selinux \- Security Enhanced Linux Policy for the setfiles processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the setfiles processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -43900,7 +47242,7 @@ index 0000000..33dfb2f +/sbin/setfiles.*, /sbin/restorecon, /usr/sbin/setfiles.*, /usr/sbin/restorecon + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -43945,17 +47287,19 @@ index 0000000..33dfb2f +selinux(8), setfiles(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setkey_selinux.8 b/man/man8/setkey_selinux.8 new file mode 100644 -index 0000000..8a21ecc +index 0000000..3508525 --- /dev/null +++ b/man/man8/setkey_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "setkey_selinux" "8" "setkey" "dwalsh@redhat.com" "setkey SELinux Policy documentation" +.SH "NAME" +setkey_selinux \- Security Enhanced Linux Policy for the setkey processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the setkey processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -43981,7 +47325,7 @@ index 0000000..8a21ecc +/usr/sbin/setkey, /sbin/setkey + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44026,23 +47370,19 @@ index 0000000..8a21ecc +selinux(8), setkey(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setrans_selinux.8 b/man/man8/setrans_selinux.8 new file mode 100644 -index 0000000..99b5cda +index 0000000..1851634 --- /dev/null +++ b/man/man8/setrans_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "setrans_selinux" "8" "setrans" "dwalsh@redhat.com" "setrans SELinux Policy documentation" +.SH "NAME" +setrans_selinux \- Security Enhanced Linux Policy for the setrans processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B setrans -+(SELinux MLS/MCS label translation service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the setrans processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -44088,7 +47428,7 @@ index 0000000..99b5cda +/var/run/mcstransd\.pid, /var/run/setrans(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44133,23 +47473,40 @@ index 0000000..99b5cda +selinux(8), setrans(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/setroubleshoot_selinux.8 b/man/man8/setroubleshoot_selinux.8 new file mode 100644 -index 0000000..cbed8e8 +index 0000000..54077d7 --- /dev/null +++ b/man/man8/setroubleshoot_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,126 @@ +.TH "setroubleshoot_selinux" "8" "setroubleshoot" "dwalsh@redhat.com" "setroubleshoot SELinux Policy documentation" +.SH "NAME" +setroubleshoot_selinux \- Security Enhanced Linux Policy for the setroubleshoot processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B setroubleshoot -+(SELinux troubleshooting service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the setroubleshoot processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -44203,7 +47560,7 @@ index 0000000..cbed8e8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -44248,59 +47605,50 @@ index 0000000..cbed8e8 +selinux(8), setroubleshoot(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setroubleshootd_selinux.8 b/man/man8/setroubleshootd_selinux.8 new file mode 100644 -index 0000000..924d3bc +index 0000000..00a008d --- /dev/null 
+++ b/man/man8/setroubleshootd_selinux.8 -@@ -0,0 +1,103 @@ +@@ -0,0 +1,94 @@ +.TH "setroubleshootd_selinux" "8" "setroubleshootd" "dwalsh@redhat.com" "setroubleshootd SELinux Policy documentation" +.SH "NAME" +setroubleshootd_selinux \- Security Enhanced Linux Policy for the setroubleshootd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the setroubleshootd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP -+Policy governs the access confined processes have to these files. -+SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible. -+.PP -+The following file types are defined for setroubleshootd: -+ ++If you want to allow users to login using a sssd serve for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B setroubleshoot_fixit_exec_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the setroubleshoot_fixit_exec_t type, if you want to transition an executable to the setroubleshoot_fixit_t domain. -+ -+ -+.EX +.PP -+.B setroubleshoot_var_lib_t -+.EE -+ -+- Set files with the setroubleshoot_var_lib_t type, if you want to store the setroubleshoot files under the /var/lib directory. -+ ++If you want to allow confined applications to run with kerberos for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the allow_kerberos boolean. + +.EX -+.PP -+.B setroubleshoot_var_log_t ++setsebool -P allow_kerberos 1 +.EE + -+- Set files with the setroubleshoot_var_log_t type, if you want to treat the data as setroubleshoot var log data, usually stored under the /var/log directory. 
-+ ++.PP ++If you want to allow system to run with NI for the setroubleshootd_t, setroubleshoot_fixit_t, you must turn on the allow_ypbind boolean. + +.EX -+.PP -+.B setroubleshoot_var_run_t ++setsebool -P allow_ypbind 1 +.EE + -+- Set files with the setroubleshoot_var_run_t type, if you want to store the setroubleshoot files under the /run directory. ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux setroubleshootd policy is very flexible allowing users to setup their setroubleshootd processes in as secure a method as possible. ++.PP ++The following file types are defined for setroubleshootd: + + +.EX @@ -44312,7 +47660,7 @@ index 0000000..924d3bc + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44357,17 +47705,40 @@ index 0000000..924d3bc +selinux(8), setroubleshootd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/setsebool_selinux.8 b/man/man8/setsebool_selinux.8 new file mode 100644 -index 0000000..0b850e8 +index 0000000..37ebb97 --- /dev/null 
+++ b/man/man8/setsebool_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,94 @@ +.TH "setsebool_selinux" "8" "setsebool" "dwalsh@redhat.com" "setsebool SELinux Policy documentation" +.SH "NAME" +setsebool_selinux \- Security Enhanced Linux Policy for the setsebool processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the setsebool processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the setsebool_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the setsebool_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the setsebool_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -44389,7 +47760,7 @@ index 0000000..0b850e8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44434,35 +47805,59 @@ index 0000000..0b850e8 +selinux(8), setsebool(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/sge_selinux.8 b/man/man8/sge_selinux.8 new file mode 100644 -index 0000000..636d762 +index 0000000..ef713c2 --- /dev/null 
+++ b/man/man8/sge_selinux.8 -@@ -0,0 +1,124 @@ +@@ -0,0 +1,148 @@ +.TH "sge_selinux" "8" "sge" "dwalsh@redhat.com" "sge SELinux Policy documentation" +.SH "NAME" +sge_selinux \- Security Enhanced Linux Policy for the sge processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sge -+(Policy for gridengine MPI jobs) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sge processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. sge policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sge with the tightest access possible. + + +.PP ++If you want to allow sge to connect to the network using any TCP por, you must turn on the sge_domain_can_network_connect boolean. ++ ++.EX ++.B setsebool -P sge_domain_can_network_connect 1 ++.EE ++ ++.PP +If you want to allow sge to access nfs file systems, you must turn on the sge_use_nfs boolean. + +.EX +.B setsebool -P sge_use_nfs 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the sge_execd_t, sge_job_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sge_execd_t, sge_job_ssh_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the sge_execd_t, sge_job_ssh_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -44515,7 +47910,7 @@ index 0000000..636d762 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44565,23 +47960,40 @@ index 0000000..636d762 \ No newline at end of file diff --git a/man/man8/shorewall_selinux.8 b/man/man8/shorewall_selinux.8 new file mode 100644 -index 0000000..b02195e +index 0000000..49a6b51 --- /dev/null +++ b/man/man8/shorewall_selinux.8 -@@ -0,0 +1,141 @@ +@@ -0,0 +1,158 @@ +.TH "shorewall_selinux" "8" "shorewall" "dwalsh@redhat.com" "shorewall SELinux Policy documentation" +.SH "NAME" +shorewall_selinux \- Security Enhanced Linux Policy for the shorewall processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B shorewall -+(Shoreline Firewall high-level tool for configuring netfilter) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the shorewall processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the shorewall_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the shorewall_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the shorewall_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -44667,7 +48079,7 @@ index 0000000..b02195e +/var/lib/shorewall-lite(/.*)?, /var/lib/shorewall(/.*)?, /var/lib/shorewall6(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44712,17 +48124,19 @@ index 0000000..b02195e +selinux(8), shorewall(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/showmount_selinux.8 b/man/man8/showmount_selinux.8 new file mode 100644 -index 0000000..df89321 +index 0000000..4dabeda --- /dev/null +++ b/man/man8/showmount_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "showmount_selinux" "8" "showmount" "dwalsh@redhat.com" "showmount SELinux Policy documentation" +.SH "NAME" +showmount_selinux \- Security Enhanced Linux Policy for the showmount processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the showmount processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -44744,7 +48158,7 @@ index 0000000..df89321 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44789,23 +48203,51 @@ index 0000000..df89321 +selinux(8), showmount(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/shutdown_selinux.8 b/man/man8/shutdown_selinux.8 new file mode 100644 -index 0000000..733dd9c +index 0000000..4478330 --- /dev/null +++ b/man/man8/shutdown_selinux.8 -@@ -0,0 +1,97 @@ +@@ -0,0 +1,129 @@ +.TH "shutdown_selinux" "8" "shutdown" "dwalsh@redhat.com" "shutdown SELinux Policy documentation" +.SH "NAME" +shutdown_selinux \- Security Enhanced Linux Policy for the shutdown processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B shutdown -+(System shutdown command) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the shutdown processes via flexible mandatory access +control. + ++.SH BOOLEANS ++SELinux policy is customizable based on least access required. shutdown policy is extremely flexible and has several booleans that allow you to manipulate the policy and run shutdown with the tightest access possible. ++ ++ ++.PP ++If you want to allow HTTPD to connect to port 80 for graceful shutdow, you must turn on the httpd_graceful_shutdown boolean. + ++.EX ++.B setsebool -P httpd_graceful_shutdown 1 ++.EE ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the shutdown_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the shutdown_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the shutdown_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -44847,7 +48289,7 @@ index 0000000..733dd9c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -44881,6 +48323,9 @@ index 0000000..733dd9c +.B semanage module +can also be used to enable/disable/install/remove policy modules. + ++.B semanage boolean ++can also be used to manipulate the booleans ++ +.PP +.B system-config-selinux +is a GUI tool available to customize SELinux policy settings. @@ -44890,19 +48335,44 @@ index 0000000..733dd9c + +.SH "SEE ALSO" +selinux(8), shutdown(8), semanage(8), restorecon(8), chcon(1) ++, setsebool(8) +\ No newline at end of file diff --git a/man/man8/slapd_selinux.8 b/man/man8/slapd_selinux.8 new file mode 100644 -index 0000000..4031380 +index 0000000..64525e5 --- /dev/null 
+++ b/man/man8/slapd_selinux.8 -@@ -0,0 +1,175 @@ +@@ -0,0 +1,198 @@ +.TH "slapd_selinux" "8" "slapd" "dwalsh@redhat.com" "slapd SELinux Policy documentation" +.SH "NAME" +slapd_selinux \- Security Enhanced Linux Policy for the slapd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the slapd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the slapd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the slapd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the slapd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45028,7 +48498,7 @@ index 0000000..4031380 +/var/run/slapd\.args, /var/run/openldap(/.*)?, /var/run/slapd\.pid, /var/run/ldapi, /var/run/slapd.* + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45073,17 +48543,19 @@ index 0000000..4031380 +selinux(8), slapd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smbcontrol_selinux.8 b/man/man8/smbcontrol_selinux.8 new file mode 100644 -index 0000000..1f4a491 +index 0000000..8f94f43 --- /dev/null 
+++ b/man/man8/smbcontrol_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,73 @@ +.TH "smbcontrol_selinux" "8" "smbcontrol" "dwalsh@redhat.com" "smbcontrol SELinux Policy documentation" +.SH "NAME" +smbcontrol_selinux \- Security Enhanced Linux Policy for the smbcontrol processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the smbcontrol processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45105,7 +48577,7 @@ index 0000000..1f4a491 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45150,17 +48622,40 @@ index 0000000..1f4a491 +selinux(8), smbcontrol(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smbd_selinux.8 b/man/man8/smbd_selinux.8 new file mode 100644 -index 0000000..78125d2 +index 0000000..19102b7 --- /dev/null 
+++ b/man/man8/smbd_selinux.8 -@@ -0,0 +1,151 @@ +@@ -0,0 +1,174 @@ +.TH "smbd_selinux" "8" "smbd" "dwalsh@redhat.com" "smbd SELinux Policy documentation" +.SH "NAME" +smbd_selinux \- Security Enhanced Linux Policy for the smbd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the smbd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the smbmount_t, smbd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the smbmount_t, smbd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the smbmount_t, smbd_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. @@ -45173,7 +48668,7 @@ index 0000000..78125d2 +.B restorecon -F -R -v /var/smbd +.pp +.TP -+Allow smbd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_smbd_anon_write boolean to be set. ++Allow smbd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_smbdd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/smbd/incoming(/.*)?" 
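Review bot: The regenerated SHARING FILES paragraph of smbd_selinux.8 now tells the reader to set `allow_smbdd_anon_write`, where the line it replaces named `allow_smbd_anon_write`. The doubled `d` looks like the generator appending a suffix to a domain name that already ends in `d`; the policy's boolean list is not visible here, so this is inferred. An administrator copying the new name into `setsebool` would most likely get an unknown-boolean error and leave anonymous-write access misconfigured. The sentence should read `This also requires the allow_smbd_anon_write boolean to be set.`, with the fix made in genman.py rather than in this generated page. The same regeneration also turns "permanently" into "permanantly" in every page's chcon note and drops the last character of several boolean descriptions ("sssd serve", "NI", "TCP por", "graceful shutdow"), which points at an off-by-one slice in the generator.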
@@ -45236,7 +48731,7 @@ index 0000000..78125d2 +/var/run/samba/gencache\.tdb, /var/run/samba/share_info\.tdb, /var/run/samba(/.*)?, /var/run/samba/locking\.tdb, /var/run/samba/connections\.tdb, /var/run/samba/smbd\.pid, /var/run/samba/sessionid\.tdb, /var/run/samba/brlock\.tdb + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45263,7 +48758,7 @@ index 0000000..78125d2 + + +Default Defined Ports: -+tcp 8021 ++tcp 137-139,445 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -45307,17 +48802,40 @@ index 0000000..78125d2 +selinux(8), smbd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smbmount_selinux.8 b/man/man8/smbmount_selinux.8 new file mode 100644 -index 0000000..e5fd258 +index 0000000..05159f9 --- /dev/null 
+++ b/man/man8/smbmount_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,98 @@ +.TH "smbmount_selinux" "8" "smbmount" "dwalsh@redhat.com" "smbmount SELinux Policy documentation" +.SH "NAME" +smbmount_selinux \- Security Enhanced Linux Policy for the smbmount processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the smbmount processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the smbmount_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the smbmount_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the smbmount_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45343,7 +48861,7 @@ index 0000000..e5fd258 +/usr/bin/smbmnt, /usr/bin/smbmount + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45388,23 +48906,40 @@ index 0000000..e5fd258 +selinux(8), smbmount(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smokeping_selinux.8 b/man/man8/smokeping_selinux.8 new file mode 100644 -index 0000000..6eb81ca +index 0000000..c9d11e8 --- /dev/null 
+++ b/man/man8/smokeping_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,118 @@ +.TH "smokeping_selinux" "8" "smokeping" "dwalsh@redhat.com" "smokeping SELinux Policy documentation" +.SH "NAME" +smokeping_selinux \- Security Enhanced Linux Policy for the smokeping processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B smokeping -+(Smokeping network latency measurement) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the smokeping processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the smokeping_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the smokeping_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the smokeping_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45450,7 +48985,7 @@ index 0000000..6eb81ca + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45495,23 +49030,40 @@ index 0000000..6eb81ca +selinux(8), smokeping(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/smoltclient_selinux.8 b/man/man8/smoltclient_selinux.8 new file mode 100644 -index 0000000..7290f4e +index 0000000..41a26b0 --- /dev/null 
+++ b/man/man8/smoltclient_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,102 @@ +.TH "smoltclient_selinux" "8" "smoltclient" "dwalsh@redhat.com" "smoltclient SELinux Policy documentation" +.SH "NAME" +smoltclient_selinux \- Security Enhanced Linux Policy for the smoltclient processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B smoltclient -+(The Fedora hardware profiler client) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the smoltclient processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the smoltclient_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the smoltclient_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the smoltclient_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45541,7 +49093,7 @@ index 0000000..7290f4e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45586,17 +49138,40 @@ index 0000000..7290f4e +selinux(8), smoltclient(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/snmpd_selinux.8 b/man/man8/snmpd_selinux.8 new file mode 100644 -index 0000000..ce8506a +index 0000000..2904fd1 --- /dev/null 
+++ b/man/man8/snmpd_selinux.8 -@@ -0,0 +1,141 @@ +@@ -0,0 +1,166 @@ +.TH "snmpd_selinux" "8" "snmpd" "dwalsh@redhat.com" "snmpd SELinux Policy documentation" +.SH "NAME" +snmpd_selinux \- Security Enhanced Linux Policy for the snmpd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the snmpd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the snmpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the snmpd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the snmpd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45662,7 +49237,7 @@ index 0000000..ce8506a +/var/run/net-snmpd(/.*)?, /var/run/snmpd\.pid, /var/run/snmpd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45689,7 +49264,9 @@ index 0000000..ce8506a + + +Default Defined Ports: -+tcp 8021 ++tcp 161-162,199,1161 ++.EE ++udp 161-162 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -45733,23 +49310,19 @@ index 0000000..ce8506a +selinux(8), snmpd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/snort_selinux.8 b/man/man8/snort_selinux.8 new file mode 100644 -index 0000000..4a3cd80 +index 0000000..cccbbc7 --- /dev/null +++ b/man/man8/snort_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,117 @@ +.TH "snort_selinux" "8" "snort" "dwalsh@redhat.com" "snort SELinux Policy documentation" +.SH "NAME" +snort_selinux \- Security Enhanced Linux Policy for the snort processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B snort -+(Snort network intrusion detection system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the snort processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45815,7 +49388,7 @@ index 0000000..4a3cd80 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45860,23 +49433,40 @@ index 0000000..4a3cd80 +selinux(8), snort(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/sosreport_selinux.8 b/man/man8/sosreport_selinux.8 new file mode 100644 -index 0000000..d92aa21 +index 0000000..e85272f --- /dev/null 
+++ b/man/man8/sosreport_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,110 @@ +.TH "sosreport_selinux" "8" "sosreport" "dwalsh@redhat.com" "sosreport SELinux Policy documentation" +.SH "NAME" +sosreport_selinux \- Security Enhanced Linux Policy for the sosreport processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sosreport -+(sosreport - Generate debugging information for system) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sosreport processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the sosreport_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sosreport_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the sosreport_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -45914,7 +49504,7 @@ index 0000000..d92aa21 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -45959,17 +49549,19 @@ index 0000000..d92aa21 +selinux(8), sosreport(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/soundd_selinux.8 b/man/man8/soundd_selinux.8 new file mode 100644 -index 0000000..4c912c3 +index 0000000..cdb926f --- /dev/null 
+++ b/man/man8/soundd_selinux.8 -@@ -0,0 +1,157 @@ +@@ -0,0 +1,159 @@ +.TH "soundd_selinux" "8" "soundd" "dwalsh@redhat.com" "soundd SELinux Policy documentation" +.SH "NAME" +soundd_selinux \- Security Enhanced Linux Policy for the soundd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the soundd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -46051,7 +49643,7 @@ index 0000000..4c912c3 +/var/run/nasd(/.*)?, /var/run/yiff-[0-9]+\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46078,7 +49670,7 @@ index 0000000..4c912c3 + + +Default Defined Ports: -+tcp 8021 ++tcp 8000,9433,16001 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -46122,17 +49714,17 @@ index 0000000..4c912c3 +selinux(8), soundd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/spamass_selinux.8 b/man/man8/spamass_selinux.8 new file mode 100644 -index 0000000..3285cb1 +index 0000000..ea48bf9 --- /dev/null 
+++ b/man/man8/spamass_selinux.8 -@@ -0,0 +1,106 @@ +@@ -0,0 +1,108 @@ +.TH "spamass_selinux" "8" "spamass" "dwalsh@redhat.com" "spamass SELinux Policy documentation" +.SH "NAME" +spamass_selinux \- Security Enhanced Linux Policy for the spamass processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the spamass processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. spamass policy is extremely flexible and has several booleans that allow you to manipulate the policy and run spamass with the tightest access possible. @@ -46145,6 +49737,8 @@ index 0000000..3285cb1 +.B setsebool -P spamassassin_can_network 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -46185,7 +49779,7 @@ index 0000000..3285cb1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46235,17 +49829,40 @@ index 0000000..3285cb1 \ No newline at end of file diff --git a/man/man8/spamc_selinux.8 b/man/man8/spamc_selinux.8 new file mode 100644 -index 0000000..3be61d7 +index 0000000..b6feee6 --- /dev/null 
+++ b/man/man8/spamc_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,118 @@ +.TH "spamc_selinux" "8" "spamc" "dwalsh@redhat.com" "spamc SELinux Policy documentation" +.SH "NAME" +spamc_selinux \- Security Enhanced Linux Policy for the spamc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the spamc processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the spamc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the spamc_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the spamc_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -46268,7 +49885,7 @@ index 0000000..3be61d7 +.br +.TP 5 +Paths: -+/usr/bin/spamc, /usr/bin/razor.*, /usr/bin/sa-learn, /usr/bin/spamassassin ++/usr/bin/pyzor, /usr/bin/spamc, /usr/bin/razor.*, /usr/bin/sa-learn, /usr/bin/spamassassin + +.EX +.PP @@ -46280,7 +49897,7 @@ index 0000000..3be61d7 +.br +.TP 5 +Paths: -+/root/\.razor(/.*)?, /root/\.spamassassin(/.*)? ++/root/\.spamd(/.*)?, /root/\.pyzor(/.*)?, /root/\.razor(/.*)?, /root/\.spamassassin(/.*)? + +.EX +.PP @@ -46291,7 +49908,7 @@ index 0000000..3be61d7 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -46336,17 +49953,17 @@ index 0000000..3be61d7 +selinux(8), spamc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/spamd_selinux.8 b/man/man8/spamd_selinux.8 new file mode 100644 -index 0000000..cb40498 +index 0000000..a375aac --- /dev/null +++ b/man/man8/spamd_selinux.8 -@@ -0,0 +1,222 @@ +@@ -0,0 +1,249 @@ +.TH "spamd_selinux" "8" "spamd" "dwalsh@redhat.com" "spamd SELinux Policy documentation" +.SH "NAME" +spamd_selinux \- Security Enhanced Linux Policy for the spamd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the spamd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. spamd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run spamd with the tightest access possible. @@ -46373,6 +49990,29 @@ index 0000000..cb40498 +.B setsebool -P httpd_can_check_spam 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the spamc_t, spamd_update_t, spamd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the spamc_t, spamd_update_t, spamd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the spamc_t, spamd_update_t, spamd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -46399,6 +50039,10 @@ index 0000000..cb40498 + +- Set files with the spamd_etc_t type, if you want to store spamd files in the /etc directories. + ++.br ++.TP 5 ++Paths: ++/etc/pyzor(/.*)?, /etc/razor(/.*)? + +.EX +.PP 
@@ -46410,7 +50054,7 @@ index 0000000..cb40498 +.br +.TP 5 +Paths: -+/usr/sbin/spamd, /usr/bin/mimedefang-multiplexor, /usr/bin/spamd, /usr/bin/mimedefang ++/usr/sbin/spamd, /usr/bin/mimedefang-multiplexor, /usr/bin/pyzord, /usr/bin/spamd, /usr/bin/mimedefang + +.EX +.PP @@ -46422,7 +50066,7 @@ index 0000000..cb40498 +.br +.TP 5 +Paths: -+/etc/rc\.d/init\.d/spamd, /etc/rc\.d/init\.d/mimedefang.* ++/etc/rc\.d/init\.d/spamd, /etc/rc\.d/init\.d/mimedefang.*, /etc/rc\.d/init\.d/pyzord + +.EX +.PP @@ -46434,7 +50078,7 @@ index 0000000..cb40498 +.br +.TP 5 +Paths: -+/var/log/razor-agent\.log, /var/log/spamd\.log, /var/log/mimedefang ++/var/log/razor-agent\.log, /var/log/spamd\.log, /var/log/mimedefang, /var/log/pyzord\.log + +.EX +.PP @@ -46474,7 +50118,7 @@ index 0000000..cb40498 +.br +.TP 5 +Paths: -+/var/lib/spamassassin(/.*)?, /var/lib/razor(/.*)? ++/var/lib/spamassassin(/.*)?, /var/lib/razor(/.*)?, /var/lib/pyzord(/.*)? + +.EX +.PP @@ -46489,7 +50133,7 @@ index 0000000..cb40498 +/var/run/spamassassin(/.*)?, /var/spool/MIMEDefang(/.*)?, /var/spool/MD-Quarantine(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46516,7 +50160,7 @@ index 0000000..cb40498 + + +Default Defined Ports: -+tcp 8021 ++tcp 783 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -46565,24 +50209,18 @@ index 0000000..cb40498 \ No newline at end of file diff --git a/man/man8/squid_selinux.8 b/man/man8/squid_selinux.8 new file mode 100644 -index 0000000..5d1acc2 +index 0000000..1ab3de3 --- /dev/null 
+++ b/man/man8/squid_selinux.8 -@@ -0,0 +1,185 @@ +@@ -0,0 +1,212 @@ +.TH "squid_selinux" "8" "squid" "dwalsh@redhat.com" "squid SELinux Policy documentation" +.SH "NAME" +squid_selinux \- Security Enhanced Linux Policy for the squid processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B squid -+(Squid caching http proxy server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the squid processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. squid policy is extremely flexible and has several booleans that allow you to manipulate the policy and run squid with the tightest access possible. + @@ -46601,6 +50239,29 @@ index 0000000..5d1acc2 +.B setsebool -P squid_connect_any 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the squid_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the squid_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the squid_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -46666,6 +50327,14 @@ index 0000000..5d1acc2 + +.EX +.PP ++.B squid_tmp_t ++.EE ++ ++- Set files with the squid_tmp_t type, if you want to store squid temporary files in the /tmp directories. ++ ++ ++.EX ++.PP +.B squid_tmpfs_t +.EE + 
@@ -46681,7 +50350,7 @@ index 0000000..5d1acc2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46708,7 +50377,9 @@ index 0000000..5d1acc2 + + +Default Defined Ports: -+tcp 8021 ++tcp 3128,3401,4827 ++.EE ++udp 3401,4827 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -46757,17 +50428,19 @@ index 0000000..5d1acc2 \ No newline at end of file diff --git a/man/man8/srvsvcd_selinux.8 b/man/man8/srvsvcd_selinux.8 new file mode 100644 -index 0000000..036f028 +index 0000000..c7b7658 --- /dev/null +++ b/man/man8/srvsvcd_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "srvsvcd_selinux" "8" "srvsvcd" "dwalsh@redhat.com" "srvsvcd SELinux Policy documentation" +.SH "NAME" +srvsvcd_selinux \- Security Enhanced Linux Policy for the srvsvcd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the srvsvcd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -46813,7 +50486,7 @@ index 0000000..036f028 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -46858,24 +50531,18 @@ index 0000000..036f028 +selinux(8), srvsvcd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/ssh_selinux.8 b/man/man8/ssh_selinux.8 new file mode 100644 -index 0000000..a3beeec +index 0000000..ace093f --- /dev/null +++ b/man/man8/ssh_selinux.8 -@@ -0,0 +1,254 @@ +@@ -0,0 +1,271 @@ +.TH "ssh_selinux" "8" "ssh" "dwalsh@redhat.com" "ssh SELinux Policy documentation" +.SH "NAME" +ssh_selinux \- Security Enhanced Linux Policy for the ssh processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ssh -+(Secure shell client and server policy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ssh processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. ssh policy is extremely flexible and has several booleans that allow you to manipulate the policy and run ssh with the tightest access possible. + @@ -46915,6 +50582,29 @@ index 0000000..a3beeec +.B setsebool -P sftpd_write_ssh_home 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -46960,7 +50650,7 @@ index 0000000..a3beeec +.br +.TP 5 +Paths: -+/var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /root/\.shosts, /var/lib/amanda/\.ssh(/.*)?, /root/\.ssh(/.*)?, /var/lib/stickshift/.*/\.ssh(/.*)? ++/var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /root/\.shosts, /var/lib/amanda/\.ssh(/.*)?, /root/\.ssh(/.*)? + +.EX +.PP @@ -47043,7 +50733,7 @@ index 0000000..a3beeec +/var/run/sshd\.init\.pid, /var/run/sshd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47070,7 +50760,7 @@ index 0000000..a3beeec + + +Default Defined Ports: -+tcp 8021 ++tcp 22 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -47119,17 +50809,17 @@ index 0000000..a3beeec \ No newline at end of file diff --git a/man/man8/sshd_selinux.8 b/man/man8/sshd_selinux.8 new file mode 100644 -index 0000000..b78c331 +index 0000000..91e477a --- /dev/null +++ b/man/man8/sshd_selinux.8 -@@ -0,0 +1,248 @@ +@@ -0,0 +1,211 @@ +.TH "sshd_selinux" "8" "sshd" "dwalsh@redhat.com" "sshd SELinux Policy documentation" +.SH "NAME" +sshd_selinux \- Security Enhanced Linux Policy for the sshd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the sshd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. sshd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run sshd with the tightest access possible. 
@@ -47170,75 +50860,38 @@ index 0000000..b78c331 +.B setsebool -P sftpd_write_ssh_home 1 +.EE + -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible. -+.PP -+The following file types are defined for sshd: -+ ++.SH NSSWITCH DOMAIN + -+.EX +.PP -+.B ssh_agent_exec_t -+.EE -+ -+- Set files with the ssh_agent_exec_t type, if you want to transition an executable to the ssh_agent_t domain. -+ ++If you want to allow users to login using a sssd serve for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B ssh_agent_tmp_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the ssh_agent_tmp_t type, if you want to store ssh agent temporary files in the /tmp directories. -+ -+ -+.EX +.PP -+.B ssh_exec_t -+.EE -+ -+- Set files with the ssh_exec_t type, if you want to transition an executable to the ssh_t domain. -+ ++If you want to allow confined applications to run with kerberos for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the allow_kerberos boolean. + +.EX -+.PP -+.B ssh_home_t ++setsebool -P allow_kerberos 1 +.EE + -+- Set files with the ssh_home_t type, if you want to store ssh files in the users home directory. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /root/\.shosts, /var/lib/amanda/\.ssh(/.*)?, /root/\.ssh(/.*)?, /var/lib/stickshift/.*/\.ssh(/.*)? -+ -+.EX +.PP -+.B ssh_keygen_exec_t -+.EE -+ -+- Set files with the ssh_keygen_exec_t type, if you want to transition an executable to the ssh_keygen_t domain. 
-+ ++If you want to allow system to run with NI for the ssh_keygen_t, sshd_t, ssh_t, you must turn on the allow_ypbind boolean. + +.EX -+.PP -+.B ssh_keysign_exec_t ++setsebool -P allow_ypbind 1 +.EE + -+- Set files with the ssh_keysign_exec_t type, if you want to transition an executable to the ssh_keysign_t domain. -+ -+ -+.EX ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. +.PP -+.B ssh_tmpfs_t -+.EE -+ -+- Set files with the ssh_tmpfs_t type, if you want to store ssh files on a tmpfs file system. ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux sshd policy is very flexible allowing users to setup their sshd processes in as secure a method as possible. ++.PP ++The following file types are defined for sshd: + + +.EX @@ -47298,7 +50951,7 @@ index 0000000..b78c331 +/var/run/sshd\.init\.pid, /var/run/sshd\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47325,7 +50978,7 @@ index 0000000..b78c331 + + +Default Defined Ports: -+tcp 8021 ++tcp 22 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -47374,23 +51027,40 @@ index 0000000..b78c331 \ No newline at end of file diff --git a/man/man8/sssd_selinux.8 b/man/man8/sssd_selinux.8 new file mode 100644 -index 0000000..d9a7d4a +index 0000000..c4b76f1 --- /dev/null 
+++ b/man/man8/sssd_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,138 @@ +.TH "sssd_selinux" "8" "sssd" "dwalsh@redhat.com" "sssd SELinux Policy documentation" +.SH "NAME" +sssd_selinux \- Security Enhanced Linux Policy for the sssd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sssd -+(System Security Services Daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sssd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the sssd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the sssd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the sssd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -47426,6 +51096,10 @@ index 0000000..d9a7d4a + +- Set files with the sssd_public_t type, if you want to treat the files as sssd public data. + ++.br ++.TP 5 ++Paths: ++/var/lib/sss/mc(/.*)?, /var/lib/sss/pubconf(/.*)? + +.EX +.PP @@ -47452,7 +51126,7 @@ index 0000000..d9a7d4a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47747,23 +51421,40 @@ index 0000000..039dc00 +selinux(8), semanage(8). 
diff --git a/man/man8/stunnel_selinux.8 b/man/man8/stunnel_selinux.8 new file mode 100644 -index 0000000..0af68a0 +index 0000000..a534692 --- /dev/null +++ b/man/man8/stunnel_selinux.8 -@@ -0,0 +1,131 @@ +@@ -0,0 +1,144 @@ +.TH "stunnel_selinux" "8" "stunnel" "dwalsh@redhat.com" "stunnel SELinux Policy documentation" +.SH "NAME" +stunnel_selinux \- Security Enhanced Linux Policy for the stunnel processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B stunnel -+(SSL Tunneling Proxy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the stunnel processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the stunnel_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the stunnel_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the stunnel_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -47813,7 +51504,7 @@ index 0000000..0af68a0 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47838,10 +51529,6 @@ index 0000000..0af68a0 +.TP 10 +.EE + -+ -+Default Defined Ports: -+tcp 8021 -+.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system +.PP 
@@ -47884,17 +51571,40 @@ index 0000000..0af68a0 +selinux(8), stunnel(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/sulogin_selinux.8 b/man/man8/sulogin_selinux.8 new file mode 100644 -index 0000000..6cff947 +index 0000000..4015cca --- /dev/null +++ b/man/man8/sulogin_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,98 @@ +.TH "sulogin_selinux" "8" "sulogin" "dwalsh@redhat.com" "sulogin SELinux Policy documentation" +.SH "NAME" +sulogin_selinux \- Security Enhanced Linux Policy for the sulogin processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the sulogin processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the sulogin_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sulogin_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the sulogin_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -47920,7 +51630,7 @@ index 0000000..6cff947 +/usr/sbin/sushell, /sbin/sulogin, /usr/sbin/sulogin, /sbin/sushell + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -47965,17 +51675,19 @@ index 0000000..6cff947 +selinux(8), sulogin(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/svc_selinux.8 b/man/man8/svc_selinux.8 new file mode 100644 -index 0000000..1c06ece +index 0000000..965dccb --- /dev/null +++ b/man/man8/svc_selinux.8 -@@ -0,0 +1,127 @@ +@@ -0,0 +1,129 @@ +.TH "svc_selinux" "8" "svc" "dwalsh@redhat.com" "svc SELinux Policy documentation" +.SH "NAME" +svc_selinux \- Security Enhanced Linux Policy for the svc processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the svc processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -48053,7 +51765,7 @@ index 0000000..1c06ece +/service, /var/tinydns(/.*)?, /service/.*, /var/service/.*, /var/qmail/supervise(/.*)?, /var/dnscache(/.*)?, /var/axfrdns(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48098,17 +51810,40 @@ index 0000000..1c06ece +selinux(8), svc(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/swat_selinux.8 b/man/man8/swat_selinux.8 new file mode 100644 -index 0000000..bd9a083 +index 0000000..56c3d8a --- /dev/null 
+++ b/man/man8/swat_selinux.8 -@@ -0,0 +1,113 @@ +@@ -0,0 +1,136 @@ +.TH "swat_selinux" "8" "swat" "dwalsh@redhat.com" "swat SELinux Policy documentation" +.SH "NAME" +swat_selinux \- Security Enhanced Linux Policy for the swat processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the swat processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the swat_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the swat_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the swat_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -48146,7 +51881,7 @@ index 0000000..bd9a083 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48173,7 +51908,7 @@ index 0000000..bd9a083 + + +Default Defined Ports: -+tcp 8021 ++tcp 901 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -48453,17 +52188,17 @@ index 0000000..679f836 +selinux(8), semanage(8). diff --git a/man/man8/syslogd_selinux.8 b/man/man8/syslogd_selinux.8 new file mode 100644 -index 0000000..875440a +index 0000000..e6d45ef --- /dev/null 
+++ b/man/man8/syslogd_selinux.8 -@@ -0,0 +1,182 @@ +@@ -0,0 +1,195 @@ +.TH "syslogd_selinux" "8" "syslogd" "dwalsh@redhat.com" "syslogd SELinux Policy documentation" +.SH "NAME" +syslogd_selinux \- Security Enhanced Linux Policy for the syslogd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the syslogd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. syslogd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run syslogd with the tightest access possible. @@ -48490,6 +52225,29 @@ index 0000000..875440a +.B setsebool -P logging_syslogd_use_tty 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the syslogd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the syslogd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the syslogd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -48503,18 +52261,6 @@ index 0000000..875440a + +.EX +.PP -+.B syslog_conf_t -+.EE -+ -+- Set files with the syslog_conf_t type, if you want to treat the files as syslog configuration data, usually stored under the /etc directory. -+ -+.br -+.TP 5 -+Paths: -+/etc/rsyslog.conf, /etc/syslog.conf -+ -+.EX -+.PP +.B syslogd_exec_t +.EE + 
@@ -48523,7 +52269,7 @@ index 0000000..875440a +.br +.TP 5 +Paths: -+/lib/systemd/systemd-kmsg-syslogd, /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-kmsg-syslogd, /usr/sbin/metalog, /usr/lib/systemd/systemd-journald, /usr/sbin/syslogd, /usr/sbin/minilogd, /sbin/rsyslogd, /sbin/syslogd, /sbin/syslog-ng, /sbin/minilogd, /lib/systemd/systemd-journald ++/usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/sbin/metalog, /usr/sbin/syslogd, /usr/sbin/minilogd, /sbin/rsyslogd, /usr/lib/systemd/systemd-kmsg-syslogd, /sbin/syslogd, /sbin/syslog-ng, /usr/lib/systemd/systemd-journald, /sbin/minilogd + +.EX +.PP @@ -48563,10 +52309,10 @@ index 0000000..875440a +.br +.TP 5 +Paths: -+/var/log/syslog-ng(/.*)?, /var/run/syslog-ng(/.*)?, /var/run/metalog\.pid, /var/run/syslogd\.pid, /var/run/log(/.*)?, /var/run/syslog-ng.ctl ++/var/log/syslog-ng(/.*)?, /var/run/syslogd\.pid, /var/run/syslog-ng(/.*)?, /var/run/metalog\.pid, /var/run/log(/.*)?, /var/run/syslog-ng.ctl + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48593,7 +52339,9 @@ index 0000000..875440a + + +Default Defined Ports: -+tcp 8021 ++tcp 6514 ++.EE ++udp 514,6514 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -48642,23 +52390,40 @@ index 0000000..875440a \ No newline at end of file diff --git a/man/man8/sysstat_selinux.8 b/man/man8/sysstat_selinux.8 new file mode 100644 -index 0000000..79ea311 +index 0000000..c6ea15e --- /dev/null 
+++ b/man/man8/sysstat_selinux.8 -@@ -0,0 +1,93 @@ +@@ -0,0 +1,110 @@ +.TH "sysstat_selinux" "8" "sysstat" "dwalsh@redhat.com" "sysstat SELinux Policy documentation" +.SH "NAME" +sysstat_selinux \- Security Enhanced Linux Policy for the sysstat processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B sysstat -+(Policy for sysstat. Reports on various system states) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the sysstat processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the sysstat_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the sysstat_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the sysstat_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -48696,7 +52461,7 @@ index 0000000..79ea311 +/var/log/sysstat(/.*)?, /var/log/sa(/.*)?, /var/log/atsar(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -48741,17 +52506,17 @@ index 0000000..79ea311 +selinux(8), sysstat(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/system_selinux.8 b/man/man8/system_selinux.8 new file mode 100644 -index 0000000..a08a3e0 +index 0000000..ebcffca --- /dev/null 
+++ b/man/man8/system_selinux.8 -@@ -0,0 +1,339 @@ +@@ -0,0 +1,357 @@ +.TH "system_selinux" "8" "system" "dwalsh@redhat.com" "system SELinux Policy documentation" +.SH "NAME" +system_selinux \- Security Enhanced Linux Policy for the system processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the system processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. system policy is extremely flexible and has several booleans that allow you to manipulate the policy and run system with the tightest access possible. 
@@ -48779,12 +52544,42 @@ index 0000000..a08a3e0 +.EE + +.PP ++If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. ++ ++.EX ++.B setsebool -P clamscan_can_scan_system 1 ++.EE ++ ++.PP +If you want to enable support for systemd as the init program, you must turn on the init_systemd boolean. + +.EX +.B setsebool -P init_systemd 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the system_cronjob_t, systemd_notify_t, systemd_logind_t, system_dbusd_t, systemd_passwd_agent_t, systemd_logger_t, systemd_tmpfiles_t, system_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the system_cronjob_t, systemd_notify_t, systemd_logind_t, system_dbusd_t, systemd_passwd_agent_t, systemd_logger_t, systemd_tmpfiles_t, system_mail_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the system_cronjob_t, systemd_notify_t, systemd_logind_t, system_dbusd_t, systemd_passwd_agent_t, systemd_logger_t, systemd_tmpfiles_t, system_mail_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -48910,7 +52705,7 @@ index 0000000..a08a3e0 +.br +.TP 5 +Paths: -+/usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/load, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/users, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/open_files ++/usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/load, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/users, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/open_files + +.EX +.PP @@ -48927,10 +52722,6 @@ index 0000000..a08a3e0 + +- Set files with the systemd_logger_exec_t type, if you want to transition an executable to the systemd_logger_t domain. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/systemd-logger, /usr/lib/systemd/systemd-logger + +.EX +.PP @@ -48939,10 +52730,6 @@ index 0000000..a08a3e0 + +- Set files with the systemd_logind_exec_t type, if you want to transition an executable to the systemd_logind_t domain. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/systemd-logind, /usr/lib/systemd/systemd-logind + +.EX +.PP 
@@ -48962,7 +52749,7 @@ index 0000000..a08a3e0 +.br +.TP 5 +Paths: -+/var/run/systemd/users(/.*)?, /var/run/systemd/seats(/.*)? ++/var/run/nologin, /var/run/systemd/users(/.*)?, /var/run/systemd/seats(/.*)? + +.EX +.PP @@ -49022,7 +52809,7 @@ index 0000000..a08a3e0 +.br +.TP 5 +Paths: -+/usr/bin/systemd-tmpfiles, /bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles, /lib/systemd/systemd-tmpfiles ++/usr/bin/systemd-tmpfiles, /bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles + +.EX +.PP @@ -49031,13 +52818,9 @@ index 0000000..a08a3e0 + +- Set files with the systemd_unit_file_t type, if you want to treat the files as systemd unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system(/.*)?, /lib/systemd/system(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -49087,24 +52870,18 @@ index 0000000..a08a3e0 \ No newline at end of file diff --git a/man/man8/systemd_selinux.8 b/man/man8/systemd_selinux.8 new file mode 100644 -index 0000000..93fe832 +index 0000000..9fc7307 --- /dev/null 
+++ b/man/man8/systemd_selinux.8 -@@ -0,0 +1,345 @@ +@@ -0,0 +1,233 @@ +.TH "systemd_selinux" "8" "systemd" "dwalsh@redhat.com" "systemd SELinux Policy documentation" +.SH "NAME" +systemd_selinux \- Security Enhanced Linux Policy for the systemd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B systemd -+(SELinux policy for systemd components) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the systemd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. systemd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run systemd with the tightest access possible. + 
@@ -49131,145 +52908,51 @@ index 0000000..93fe832 +.EE + +.PP -+If you want to enable support for systemd as the init program, you must turn on the init_systemd boolean. -+ -+.EX -+.B setsebool -P init_systemd 1 -+.EE -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux systemd policy is very flexible allowing users to setup their systemd processes in as secure a method as possible. -+.PP -+The following file types are defined for systemd: -+ -+ -+.EX -+.PP -+.B system_conf_t -+.EE -+ -+- Set files with the system_conf_t type, if you want to treat the files as system configuration data, usually stored under the /etc directory. -+ -+.br -+.TP 5 -+Paths: -+/etc/sysctl\.conf(\.old)?, /etc/sysconfig/ipvsadm.*, /etc/sysconfig/ebtables.*, /etc/sysconfig/ip6?tables.*, /etc/sysconfig/system-config-firewall.* -+ -+.EX -+.PP -+.B system_cron_spool_t -+.EE -+ -+- Set files with the system_cron_spool_t type, if you want to store the system cron files under the /var/spool directory. -+ -+.br -+.TP 5 -+Paths: -+/etc/crontab, /var/spool/anacron(/.*)?, /etc/cron\.d(/.*)?, /var/spool/fcron/systab\.orig, /var/spool/fcron/new\.systab, /var/spool/fcron/systab ++If you want to allow clamscan to non security files on a syste, you must turn on the clamscan_can_scan_system boolean. + +.EX -+.PP -+.B system_cronjob_lock_t ++.B setsebool -P clamscan_can_scan_system 1 +.EE + -+- Set files with the system_cronjob_lock_t type, if you want to treat the files as system cronjob lock data, stored under the /var/lock directory -+ -+ -+.EX +.PP -+.B system_cronjob_tmp_t -+.EE -+ -+- Set files with the system_cronjob_tmp_t type, if you want to store system cronjob temporary files in the /tmp directories. 
-+ ++If you want to enable support for systemd as the init program, you must turn on the init_systemd boolean. + +.EX -+.PP -+.B system_cronjob_var_lib_t ++.B setsebool -P init_systemd 1 +.EE + -+- Set files with the system_cronjob_var_lib_t type, if you want to store the system cronjob files under the /var/lib directory. -+ ++.SH NSSWITCH DOMAIN + -+.EX +.PP -+.B system_cronjob_var_run_t -+.EE -+ -+- Set files with the system_cronjob_var_run_t type, if you want to store the system cronjob files under the /run directory. -+ ++If you want to allow users to login using a sssd serve for the system_cronjob_t, systemd_notify_t, systemd_logind_t, system_dbusd_t, systemd_passwd_agent_t, systemd_logger_t, systemd_tmpfiles_t, system_mail_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B system_dbusd_tmp_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the system_dbusd_tmp_t type, if you want to store system dbusd temporary files in the /tmp directories. -+ -+ -+.EX +.PP -+.B system_dbusd_var_lib_t -+.EE -+ -+- Set files with the system_dbusd_var_lib_t type, if you want to store the system dbusd files under the /var/lib directory. -+ ++If you want to allow confined applications to run with kerberos for the system_cronjob_t, systemd_notify_t, systemd_logind_t, system_dbusd_t, systemd_passwd_agent_t, systemd_logger_t, systemd_tmpfiles_t, system_mail_t, you must turn on the allow_kerberos boolean. + +.EX -+.PP -+.B system_dbusd_var_run_t ++setsebool -P allow_kerberos 1 +.EE + -+- Set files with the system_dbusd_var_run_t type, if you want to store the system dbusd files under the /run directory. -+ -+.br -+.TP 5 -+Paths: -+/var/named/chroot/var/run/dbus(/.*)?, /var/run/dbus(/.*)? -+ -+.EX +.PP -+.B system_mail_tmp_t -+.EE -+ -+- Set files with the system_mail_tmp_t type, if you want to store system mail temporary files in the /tmp directories. 
-+ ++If you want to allow system to run with NI for the system_cronjob_t, systemd_notify_t, systemd_logind_t, system_dbusd_t, systemd_passwd_agent_t, systemd_logger_t, systemd_tmpfiles_t, system_mail_t, you must turn on the allow_ypbind boolean. + +.EX -+.PP -+.B system_map_t ++setsebool -P allow_ypbind 1 +.EE + -+- Set files with the system_map_t type, if you want to treat the files as system map data. -+ -+.br -+.TP 5 -+Paths: -+/boot/System\.map(-.*)?, /boot/efi(/.*)?/System\.map(-.*)? -+ -+.EX ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. +.PP -+.B system_munin_plugin_exec_t -+.EE -+ -+- Set files with the system_munin_plugin_exec_t type, if you want to transition an executable to the system_munin_plugin_t domain. -+ -+.br -+.TP 5 -+Paths: -+/usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/load, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/users, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/open_files -+ -+.EX ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP -+.B system_munin_plugin_tmp_t -+.EE -+ -+- Set files with the system_munin_plugin_tmp_t type, if you want to store system munin plugin temporary files in the /tmp directories. ++Policy governs the access confined processes have to these files. ++SELinux systemd policy is very flexible allowing users to setup their systemd processes in as secure a method as possible. 
++.PP ++The following file types are defined for systemd: + + +.EX @@ -49279,10 +52962,6 @@ index 0000000..93fe832 + +- Set files with the systemd_logger_exec_t type, if you want to transition an executable to the systemd_logger_t domain. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/systemd-logger, /usr/lib/systemd/systemd-logger + +.EX +.PP @@ -49291,10 +52970,6 @@ index 0000000..93fe832 + +- Set files with the systemd_logind_exec_t type, if you want to transition an executable to the systemd_logind_t domain. + -+.br -+.TP 5 -+Paths: -+/lib/systemd/systemd-logind, /usr/lib/systemd/systemd-logind + +.EX +.PP @@ -49314,7 +52989,7 @@ index 0000000..93fe832 +.br +.TP 5 +Paths: -+/var/run/systemd/users(/.*)?, /var/run/systemd/seats(/.*)? ++/var/run/nologin, /var/run/systemd/users(/.*)?, /var/run/systemd/seats(/.*)? + +.EX +.PP @@ -49374,7 +53049,7 @@ index 0000000..93fe832 +.br +.TP 5 +Paths: -+/usr/bin/systemd-tmpfiles, /bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles, /lib/systemd/systemd-tmpfiles ++/usr/bin/systemd-tmpfiles, /bin/systemd-tmpfiles, /usr/lib/systemd/systemd-tmpfiles + +.EX +.PP @@ -49383,13 +53058,9 @@ index 0000000..93fe832 + +- Set files with the systemd_unit_file_t type, if you want to treat the files as systemd unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system(/.*)?, /lib/systemd/system(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -49439,24 +53110,18 @@ index 0000000..93fe832 \ No newline at end of file diff --git a/man/man8/tcpd_selinux.8 b/man/man8/tcpd_selinux.8 new file mode 100644 -index 0000000..5543123 +index 0000000..d51fd38 --- /dev/null 
+++ b/man/man8/tcpd_selinux.8 -@@ -0,0 +1,114 @@ +@@ -0,0 +1,110 @@ +.TH "tcpd_selinux" "8" "tcpd" "dwalsh@redhat.com" "tcpd SELinux Policy documentation" +.SH "NAME" +tcpd_selinux \- Security Enhanced Linux Policy for the tcpd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B tcpd -+(Policy for TCP daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the tcpd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. tcpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tcpd with the tightest access possible. + @@ -49482,6 +53147,8 @@ index 0000000..5543123 +.B setsebool -P user_tcp_server 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -49510,7 +53177,7 @@ index 0000000..5543123 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -49560,23 +53227,40 @@ index 0000000..5543123 \ No newline at end of file diff --git a/man/man8/tcsd_selinux.8 b/man/man8/tcsd_selinux.8 new file mode 100644 -index 0000000..514ced5 +index 0000000..99793ae --- /dev/null 
+++ b/man/man8/tcsd_selinux.8 -@@ -0,0 +1,119 @@ +@@ -0,0 +1,136 @@ +.TH "tcsd_selinux" "8" "tcsd" "dwalsh@redhat.com" "tcsd SELinux Policy documentation" +.SH "NAME" +tcsd_selinux \- Security Enhanced Linux Policy for the tcsd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B tcsd -+(TSS Core Services (TCS) daemon (tcsd) policy) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the tcsd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the tcsd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tcsd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the tcsd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -49614,7 +53298,7 @@ index 0000000..514ced5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -49641,7 +53325,7 @@ index 0000000..514ced5 + + +Default Defined Ports: -+tcp 8021 ++tcp 30003 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -49685,24 +53369,18 @@ index 0000000..514ced5 +selinux(8), tcsd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/telepathy_selinux.8 b/man/man8/telepathy_selinux.8 new file mode 100644 -index 0000000..996878a +index 0000000..54f3381 --- /dev/null +++ b/man/man8/telepathy_selinux.8 -@@ -0,0 +1,311 @@ +@@ -0,0 +1,328 @@ +.TH "telepathy_selinux" "8" "telepathy" "dwalsh@redhat.com" "telepathy SELinux Policy documentation" +.SH "NAME" +telepathy_selinux \- Security Enhanced Linux Policy for the telepathy processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B telepathy -+(Telepathy communications framework) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the telepathy processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. telepathy policy is extremely flexible and has several booleans that allow you to manipulate the policy and run telepathy with the tightest access possible. + 
@@ -49721,6 +53399,29 @@ index 0000000..996878a +.B setsebool -P telepathy_connect_all_ports 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the telepathy_mission_control_t, telepathy_logger_t, telepathy_salut_t, telepathy_gabble_t, telepathy_idle_t, telepathy_sunshine_t, telepathy_stream_engine_t, telepathy_sofiasip_t, telepathy_msn_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telepathy_mission_control_t, telepathy_logger_t, telepathy_salut_t, telepathy_gabble_t, telepathy_idle_t, telepathy_sunshine_t, telepathy_stream_engine_t, telepathy_sofiasip_t, telepathy_msn_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the telepathy_mission_control_t, telepathy_logger_t, telepathy_salut_t, telepathy_gabble_t, telepathy_idle_t, telepathy_sunshine_t, telepathy_stream_engine_t, telepathy_sofiasip_t, telepathy_msn_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -49953,7 +53654,7 @@ index 0000000..996878a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50003,17 +53704,40 @@ index 0000000..996878a \ No newline at end of file 
diff --git a/man/man8/telnetd_selinux.8 b/man/man8/telnetd_selinux.8 new file mode 100644 -index 0000000..34d5d8c +index 0000000..fc22cda --- /dev/null +++ b/man/man8/telnetd_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,148 @@ +.TH "telnetd_selinux" "8" "telnetd" "dwalsh@redhat.com" "telnetd SELinux Policy documentation" +.SH "NAME" +telnetd_selinux \- Security Enhanced Linux Policy for the telnetd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the telnetd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the telnetd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the telnetd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the telnetd_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -50063,7 +53787,7 @@ index 0000000..34d5d8c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50090,7 +53814,7 @@ index 0000000..34d5d8c + + +Default Defined Ports: -+tcp 8021 ++tcp 23 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -50134,17 +53858,40 @@ index 0000000..34d5d8c +selinux(8), telnetd(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/tftpd_selinux.8 b/man/man8/tftpd_selinux.8 new file mode 100644 -index 0000000..b7bdb6b +index 0000000..2b058b1 --- /dev/null +++ b/man/man8/tftpd_selinux.8 -@@ -0,0 +1,155 @@ +@@ -0,0 +1,186 @@ +.TH "tftpd_selinux" "8" "tftpd" "dwalsh@redhat.com" "tftpd SELinux Policy documentation" +.SH "NAME" +tftpd_selinux \- Security Enhanced Linux Policy for the tftpd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the tftpd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the tftpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tftpd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the tftpd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. 
@@ -50157,7 +53904,7 @@ index 0000000..b7bdb6b +.B restorecon -F -R -v /var/tftpd +.pp +.TP -+Allow tftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_tftpd_anon_write boolean to be set. ++Allow tftpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_tftpdd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/tftpd/incoming(/.*)?" @@ -50185,6 +53932,14 @@ index 0000000..b7bdb6b + +.EX +.PP ++.B tftpd_etc_t ++.EE ++ ++- Set files with the tftpd_etc_t type, if you want to store tftpd files in the /etc directories. ++ ++ ++.EX ++.PP +.B tftpd_exec_t +.EE + @@ -50224,7 +53979,7 @@ index 0000000..b7bdb6b +/tftpboot/.*, /tftpboot + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50251,7 +54006,7 @@ index 0000000..b7bdb6b + + +Default Defined Ports: -+tcp 8021 ++udp 69 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -50295,23 +54050,19 @@ index 0000000..b7bdb6b +selinux(8), tftpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tgtd_selinux.8 b/man/man8/tgtd_selinux.8 new file mode 100644 -index 0000000..ed0f28a +index 0000000..a134111 --- /dev/null 
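Review bot: The regenerated `.TP` paragraph in the `@@ -50157,7 +53904,7 @@` hunk names the boolean `allow_tftpdd_anon_write`, while the line it replaces said `allow_tftpd_anon_write`. The doubled `d` looks like the generator appending a suffix to the domain name rather than a real boolean; this is inferred, so confirm against the policy's boolean list. An administrator copying the new name into `setsebool` would presumably get an unknown-boolean error, and the anonymous-write setup described here would stay denied with no hint as to why. The sentence should end `This also requires the allow_tftpd_anon_write boolean to be set.`, and the correction most likely belongs in the genman.py template, which is outside this hunk.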
+++ b/man/man8/tgtd_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,113 @@ +.TH "tgtd_selinux" "8" "tgtd" "dwalsh@redhat.com" "tgtd SELinux Policy documentation" +.SH "NAME" +tgtd_selinux \- Security Enhanced Linux Policy for the tgtd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B tgtd -+(Linux Target Framework Daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the tgtd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -50373,7 +54124,7 @@ index 0000000..ed0f28a + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50418,17 +54169,19 @@ index 0000000..ed0f28a +selinux(8), tgtd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/thin_selinux.8 b/man/man8/thin_selinux.8 new file mode 100644 -index 0000000..c7f6423 +index 0000000..2b74889 --- /dev/null +++ b/man/man8/thin_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,121 @@ +.TH "thin_selinux" "8" "thin" "dwalsh@redhat.com" "thin SELinux Policy documentation" +.SH "NAME" +thin_selinux \- Security Enhanced Linux Policy for the thin processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the thin processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -50443,6 +54196,38 @@ index 0000000..c7f6423 + +.EX +.PP ++.B thin_aeolus_configserver_exec_t ++.EE ++ ++- Set files with the thin_aeolus_configserver_exec_t type, if you want to transition an executable to the thin_aeolus_configserver_t domain. ++ ++ ++.EX ++.PP ++.B thin_aeolus_configserver_lib_t ++.EE ++ ++- Set files with the thin_aeolus_configserver_lib_t type, if you want to treat the files as thin aeolus configserver lib data. ++ ++ ++.EX ++.PP ++.B thin_aeolus_configserver_log_t ++.EE ++ ++- Set files with the thin_aeolus_configserver_log_t type, if you want to treat the data as thin aeolus configserver log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP ++.B thin_aeolus_configserver_var_run_t ++.EE ++ ++- Set files with the thin_aeolus_configserver_var_run_t type, if you want to store the thin aeolus configserver files under the /run directory. ++ ++ ++.EX ++.PP +.B thin_exec_t +.EE + @@ -50451,6 +54236,14 @@ index 0000000..c7f6423 + +.EX +.PP ++.B thin_log_t ++.EE ++ ++- Set files with the thin_log_t type, if you want to treat the data as thin log data, usually stored under the /var/log directory. ++ ++ ++.EX ++.PP +.B thin_var_run_t +.EE + @@ -50458,7 +54251,7 @@ index 0000000..c7f6423 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50475,7 +54268,7 @@ index 0000000..c7f6423 +The following process types are defined for thin: + +.EX -+.B thin_t ++.B thin_t, thin_aeolus_configserver_t +.EE +.PP +Note: @@ -50503,23 +54296,40 @@ index 0000000..c7f6423 +selinux(8), thin(8), semanage(8), restorecon(8), chcon(1) 
diff --git a/man/man8/thumb_selinux.8 b/man/man8/thumb_selinux.8 new file mode 100644 -index 0000000..b03036c +index 0000000..cd31f24 --- /dev/null +++ b/man/man8/thumb_selinux.8 -@@ -0,0 +1,89 @@ +@@ -0,0 +1,114 @@ +.TH "thumb_selinux" "8" "thumb" "dwalsh@redhat.com" "thumb SELinux Policy documentation" +.SH "NAME" +thumb_selinux \- Security Enhanced Linux Policy for the thumb processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B thumb -+(policy for thumb) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the thumb processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the thumb_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the thumb_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the thumb_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -50546,6 +54356,14 @@ index 0000000..b03036c + +.EX +.PP ++.B thumb_home_t ++.EE ++ ++- Set files with the thumb_home_t type, if you want to store thumb files in the users home directory. ++ ++ ++.EX ++.PP +.B thumb_tmp_t +.EE + @@ -50553,7 +54371,7 @@ index 0000000..b03036c + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -50598,23 +54416,40 @@ index 0000000..b03036c +selinux(8), thumb(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tmpreaper_selinux.8 b/man/man8/tmpreaper_selinux.8 new file mode 100644 -index 0000000..53468d0 +index 0000000..1fd8474 --- /dev/null +++ b/man/man8/tmpreaper_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,98 @@ +.TH "tmpreaper_selinux" "8" "tmpreaper" "dwalsh@redhat.com" "tmpreaper SELinux Policy documentation" +.SH "NAME" +tmpreaper_selinux \- Security Enhanced Linux Policy for the tmpreaper processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B tmpreaper -+(Manage temporary directory sizes and file ages) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the tmpreaper processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the tmpreaper_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tmpreaper_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the tmpreaper_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -50640,7 +54475,7 @@ index 0000000..53468d0 +/usr/sbin/tmpwatch, /usr/sbin/tmpreaper + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -50685,24 +54520,18 @@ index 0000000..53468d0 +selinux(8), tmpreaper(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tor_selinux.8 b/man/man8/tor_selinux.8 new file mode 100644 -index 0000000..8ec79ef +index 0000000..2c47846 --- /dev/null +++ b/man/man8/tor_selinux.8 -@@ -0,0 +1,177 @@ +@@ -0,0 +1,202 @@ +.TH "tor_selinux" "8" "tor" "dwalsh@redhat.com" "tor SELinux Policy documentation" +.SH "NAME" +tor_selinux \- Security Enhanced Linux Policy for the tor processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B tor -+(TOR, the onion router) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the tor processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. tor policy is extremely flexible and has several booleans that allow you to manipulate the policy and run tor with the tightest access possible. + @@ -50714,6 +54543,29 @@ index 0000000..8ec79ef +.B setsebool -P tor_bind_all_unreserved_ports 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the tor_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tor_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the tor_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -50755,6 +54607,14 @@ index 0000000..8ec79ef + +.EX +.PP ++.B tor_unit_file_t ++.EE ++ ++- Set files with the tor_unit_file_t type, if you want to treat the files as tor unit content. ++ ++ ++.EX ++.PP +.B tor_var_lib_t +.EE + 
@@ -50782,7 +54642,7 @@ index 0000000..8ec79ef + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -50809,7 +54669,7 @@ index 0000000..8ec79ef + + +Default Defined Ports: -+tcp 8021 ++tcp 6969,9001,9030,9051 +.EE + +.EX @@ -50820,7 +54680,7 @@ index 0000000..8ec79ef + + +Default Defined Ports: -+tcp 8021 ++tcp 9050 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -50869,17 +54729,40 @@ index 0000000..8ec79ef \ No newline at end of file diff --git a/man/man8/traceroute_selinux.8 b/man/man8/traceroute_selinux.8 new file mode 100644 -index 0000000..c4ea5dd +index 0000000..0508db4 --- /dev/null 
+++ b/man/man8/traceroute_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,124 @@ +.TH "traceroute_selinux" "8" "traceroute" "dwalsh@redhat.com" "traceroute SELinux Policy documentation" +.SH "NAME" +traceroute_selinux \- Security Enhanced Linux Policy for the traceroute processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the traceroute processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the traceroute_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the traceroute_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the traceroute_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -50902,10 +54785,10 @@ index 0000000..c4ea5dd +.br +.TP 5 +Paths: -+/bin/tracepath.*, /usr/bin/traceroute.*, /usr/bin/nmap, /usr/bin/lft, /bin/traceroute.*, /usr/bin/tracepath.*, /usr/sbin/traceroute.*, /usr/bin/mtr ++/bin/tracepath.*, /usr/sbin/mtr, /usr/bin/traceroute.*, /usr/bin/nmap, /usr/bin/lft, /bin/traceroute.*, /usr/bin/tracepath.*, /usr/sbin/traceroute.*, /usr/bin/mtr + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -50932,7 +54815,7 @@ index 0000000..c4ea5dd + + +Default Defined Ports: -+tcp 8021 ++udp 64000-64010 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -50976,23 +54859,40 @@ index 0000000..c4ea5dd +selinux(8), traceroute(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tuned_selinux.8 b/man/man8/tuned_selinux.8 new file mode 100644 -index 0000000..824c519 +index 0000000..94fa05f --- /dev/null +++ b/man/man8/tuned_selinux.8 -@@ -0,0 +1,105 @@ +@@ -0,0 +1,142 @@ +.TH "tuned_selinux" "8" "tuned" "dwalsh@redhat.com" "tuned SELinux Policy documentation" +.SH "NAME" +tuned_selinux \- Security Enhanced Linux Policy for the tuned processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B tuned -+(Dynamic adaptive system tuning daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the tuned processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the tuned_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the tuned_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the tuned_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -51007,6 +54907,14 @@ index 0000000..824c519 + +.EX +.PP ++.B tuned_etc_t ++.EE ++ ++- Set files with the tuned_etc_t type, if you want to store tuned files in the /etc directories. ++ ++ ++.EX ++.PP +.B tuned_exec_t +.EE + 
@@ -51035,14 +54943,26 @@ index 0000000..824c519 + +.EX +.PP ++.B tuned_rw_etc_t ++.EE ++ ++- Set files with the tuned_rw_etc_t type, if you want to store tuned rw files in the /etc directories. ++ ++ ++.EX ++.PP +.B tuned_var_run_t +.EE + +- Set files with the tuned_var_run_t type, if you want to store the tuned files under the /run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/tuned(/.*)?, /var/run/tuned\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51087,23 +55007,19 @@ index 0000000..824c519 +selinux(8), tuned(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/tvtime_selinux.8 b/man/man8/tvtime_selinux.8 new file mode 100644 -index 0000000..0694cf9 +index 0000000..fd62159 --- /dev/null +++ b/man/man8/tvtime_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "tvtime_selinux" "8" "tvtime" "dwalsh@redhat.com" "tvtime SELinux Policy documentation" +.SH "NAME" +tvtime_selinux \- Security Enhanced Linux Policy for the tvtime processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B tvtime -+( tvtime - a high quality television application ) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the tvtime processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -51149,7 +55065,7 @@ index 0000000..0694cf9 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51194,23 +55110,40 @@ index 0000000..0694cf9 +selinux(8), tvtime(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/udev_selinux.8 b/man/man8/udev_selinux.8 new file mode 100644 -index 0000000..e90dada +index 0000000..7a22a24 --- /dev/null +++ b/man/man8/udev_selinux.8 -@@ -0,0 +1,121 @@ +@@ -0,0 +1,138 @@ +.TH "udev_selinux" "8" "udev" "dwalsh@redhat.com" "udev SELinux Policy documentation" +.SH "NAME" +udev_selinux \- Security Enhanced Linux Policy for the udev processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B udev -+(Policy for udev) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the udev processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the udev_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the udev_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the udev_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -51241,7 +55174,7 @@ index 0000000..e90dada +.br +.TP 5 +Paths: -+/lib/udev/udevd, /sbin/udevd, /sbin/udev, /usr/sbin/wait_for_sysfs, /sbin/udevsend, /usr/sbin/udevadm, /usr/bin/udevadm, /usr/bin/udevinfo, /usr/sbin/start_udev, /usr/sbin/udev, /usr/sbin/udevsend, /sbin/start_udev, /sbin/udevstart, /bin/udevadm, /sbin/wait_for_sysfs, /lib/udev/udev-acl, /sbin/udevadm, /usr/sbin/udevd, /usr/sbin/udevstart, /usr/lib/udev/udev-acl, /usr/lib/udev/udevd ++/lib/udev/udevd, /usr/bin/udevinfo, /sbin/udevd, /sbin/udev, /usr/sbin/wait_for_sysfs, /sbin/udevsend, /usr/sbin/udevadm, /usr/bin/udevadm, /usr/sbin/start_udev, /usr/sbin/udev, /sbin/wait_for_sysfs, /usr/sbin/udevsend, /sbin/start_udev, /sbin/udevstart, /bin/udevadm, /lib/udev/udev-acl, /sbin/udevadm, /usr/sbin/udevd, /usr/lib/systemd/systemd-udevd, /usr/sbin/udevstart, /usr/lib/udev/udev-acl, /usr/lib/udev/udevd + +.EX +.PP @@ -51276,7 +55209,7 @@ index 0000000..e90dada +/var/run/udev(/.*)?, /dev/\.udevdb, /var/run/PackageKit/udev(/.*)?, /dev/\.udev(/.*)?, /dev/udev\.tbl, /var/run/libgpod(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51321,23 +55254,19 @@ index 0000000..e90dada +selinux(8), udev(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ulogd_selinux.8 b/man/man8/ulogd_selinux.8 new file mode 100644 -index 0000000..3ab14e4 +index 0000000..7e31875 --- /dev/null 
+++ b/man/man8/ulogd_selinux.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,105 @@ +.TH "ulogd_selinux" "8" "ulogd" "dwalsh@redhat.com" "ulogd SELinux Policy documentation" +.SH "NAME" +ulogd_selinux \- Security Enhanced Linux Policy for the ulogd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B ulogd -+(Iptables/netfilter userspace logging daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the ulogd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -51391,7 +55320,7 @@ index 0000000..3ab14e4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51436,23 +55365,19 @@ index 0000000..3ab14e4 +selinux(8), ulogd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/uml_selinux.8 b/man/man8/uml_selinux.8 new file mode 100644 -index 0000000..34355cf +index 0000000..e33f74d --- /dev/null +++ b/man/man8/uml_selinux.8 -@@ -0,0 +1,125 @@ +@@ -0,0 +1,121 @@ +.TH "uml_selinux" "8" "uml" "dwalsh@redhat.com" "uml SELinux Policy documentation" +.SH "NAME" +uml_selinux \- Security Enhanced Linux Policy for the uml processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B uml -+(Policy for UML) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the uml processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -51522,7 +55447,7 @@ index 0000000..34355cf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51567,24 +55492,18 @@ index 0000000..34355cf +selinux(8), uml(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/unconfined_selinux.8 b/man/man8/unconfined_selinux.8 new file mode 100644 -index 0000000..49f0e32 +index 0000000..4ab510e --- /dev/null +++ b/man/man8/unconfined_selinux.8 -@@ -0,0 +1,131 @@ +@@ -0,0 +1,148 @@ +.TH "unconfined_selinux" "8" "unconfined" "dwalsh@redhat.com" "unconfined SELinux Policy documentation" +.SH "NAME" +unconfined_selinux \- Security Enhanced Linux Policy for the unconfined processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B unconfined -+(The unconfined domain) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the unconfined processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. unconfined policy is extremely flexible and has several booleans that allow you to manipulate the policy and run unconfined with the tightest access possible. + 
@@ -51631,6 +55550,29 @@ index 0000000..49f0e32 +.B setsebool -P unconfined_mplayer 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the unconfined_dbusd_t, unconfined_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the unconfined_dbusd_t, unconfined_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the unconfined_dbusd_t, unconfined_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -51652,10 +55594,10 @@ index 0000000..49f0e32 +.br +.TP 5 +Paths: -+/usr/bin/vncserver, /usr/sbin/xrdp, /usr/sbin/xrdp-sesman ++/usr/sbin/xrdp, /usr/sbin/xrdp-sesman, /usr/bin/vncserver + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51705,17 +55647,19 @@ index 0000000..49f0e32 \ No newline at end of file diff --git a/man/man8/update_selinux.8 b/man/man8/update_selinux.8 new file mode 100644 -index 0000000..df3a1eb +index 0000000..252ec75 --- /dev/null 
+++ b/man/man8/update_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,85 @@ +.TH "update_selinux" "8" "update" "dwalsh@redhat.com" "update SELinux Policy documentation" +.SH "NAME" +update_selinux \- Security Enhanced Linux Policy for the update processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the update processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -51738,7 +55682,7 @@ index 0000000..df3a1eb +.br +.TP 5 +Paths: -+/usr/sbin/modules-update, /usr/sbin/update-modules, /sbin/modules-update, /sbin/generate-modprobe\.conf, /sbin/update-modules, /usr/sbin/generate-modprobe\.conf ++/usr/sbin/modules-update, /sbin/modules-update, /sbin/generate-modprobe\.conf, /sbin/update-modules, /usr/sbin/generate-modprobe\.conf, /usr/sbin/update-modules + +.EX +.PP @@ -51749,7 +55693,7 @@ index 0000000..df3a1eb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51794,23 +55738,40 @@ index 0000000..df3a1eb +selinux(8), update(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/updfstab_selinux.8 b/man/man8/updfstab_selinux.8 new file mode 100644 -index 0000000..17c099b +index 0000000..55add52 --- /dev/null 
+++ b/man/man8/updfstab_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,98 @@ +.TH "updfstab_selinux" "8" "updfstab" "dwalsh@redhat.com" "updfstab SELinux Policy documentation" +.SH "NAME" +updfstab_selinux \- Security Enhanced Linux Policy for the updfstab processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B updfstab -+(Red Hat utility to change /etc/fstab) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the updfstab processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the updfstab_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the updfstab_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the updfstab_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -51836,7 +55797,7 @@ index 0000000..17c099b +/usr/sbin/updfstab, /usr/sbin/fstab-sync + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51881,17 +55842,40 @@ index 0000000..17c099b +selinux(8), updfstab(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/updpwd_selinux.8 b/man/man8/updpwd_selinux.8 new file mode 100644 -index 0000000..b48fb1b +index 0000000..fa6324c --- /dev/null 
+++ b/man/man8/updpwd_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,98 @@ +.TH "updpwd_selinux" "8" "updpwd" "dwalsh@redhat.com" "updpwd SELinux Policy documentation" +.SH "NAME" +updpwd_selinux \- Security Enhanced Linux Policy for the updpwd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the updpwd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the updpwd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the updpwd_t, you must turn on the allow_kerberos boolean. + ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the updpwd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -51917,7 +55901,7 @@ index 0000000..b48fb1b +/sbin/unix_update, /usr/sbin/unix_update + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -51962,23 +55946,19 @@ index 0000000..b48fb1b +selinux(8), updpwd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/usbmodules_selinux.8 b/man/man8/usbmodules_selinux.8 new file mode 100644 -index 0000000..83e61e3 +index 0000000..532a0c5 --- /dev/null 
+++ b/man/man8/usbmodules_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,77 @@ +.TH "usbmodules_selinux" "8" "usbmodules" "dwalsh@redhat.com" "usbmodules SELinux Policy documentation" +.SH "NAME" +usbmodules_selinux \- Security Enhanced Linux Policy for the usbmodules processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B usbmodules -+(List kernel modules of USB devices) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the usbmodules processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52004,7 +55984,7 @@ index 0000000..83e61e3 +/usr/sbin/usbmodules, /sbin/usbmodules + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52049,23 +56029,40 @@ index 0000000..83e61e3 +selinux(8), usbmodules(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/usbmuxd_selinux.8 b/man/man8/usbmuxd_selinux.8 new file mode 100644 -index 0000000..a8d74de +index 0000000..89f51be --- /dev/null 
+++ b/man/man8/usbmuxd_selinux.8 -@@ -0,0 +1,85 @@ +@@ -0,0 +1,102 @@ +.TH "usbmuxd_selinux" "8" "usbmuxd" "dwalsh@redhat.com" "usbmuxd SELinux Policy documentation" +.SH "NAME" +usbmuxd_selinux \- Security Enhanced Linux Policy for the usbmuxd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B usbmuxd -+(USB multiplexing daemon for communicating with Apple iPod Touch and iPhone) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the usbmuxd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the usbmuxd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the usbmuxd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the usbmuxd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52095,7 +56092,7 @@ index 0000000..a8d74de + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52340,17 +56337,40 @@ index 0000000..a2082e9 +selinux(8), semanage(8). diff --git a/man/man8/useradd_selinux.8 b/man/man8/useradd_selinux.8 new file mode 100644 -index 0000000..8ad5cf6 +index 0000000..f9f2f27 --- /dev/null 
+++ b/man/man8/useradd_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,98 @@ +.TH "useradd_selinux" "8" "useradd" "dwalsh@redhat.com" "useradd SELinux Policy documentation" +.SH "NAME" +useradd_selinux \- Security Enhanced Linux Policy for the useradd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the useradd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the useradd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the useradd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the useradd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52373,10 +56393,10 @@ index 0000000..8ad5cf6 +.br +.TP 5 +Paths: -+/usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel ++/usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/newusers + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52421,23 +56441,40 @@ index 0000000..8ad5cf6 +selinux(8), useradd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/usernetctl_selinux.8 b/man/man8/usernetctl_selinux.8 new file mode 100644 -index 0000000..8789d75 +index 0000000..1f263b8 --- /dev/null 
+++ b/man/man8/usernetctl_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,94 @@ +.TH "usernetctl_selinux" "8" "usernetctl" "dwalsh@redhat.com" "usernetctl SELinux Policy documentation" +.SH "NAME" +usernetctl_selinux \- Security Enhanced Linux Policy for the usernetctl processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B usernetctl -+(User network interface configuration helper) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the usernetctl processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the usernetctl_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the usernetctl_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the usernetctl_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52459,7 +56496,7 @@ index 0000000..8789d75 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52504,17 +56541,40 @@ index 0000000..8789d75 +selinux(8), usernetctl(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/utempter_selinux.8 b/man/man8/utempter_selinux.8 new file mode 100644 -index 0000000..a311394 +index 0000000..56b8a3c --- /dev/null 
+++ b/man/man8/utempter_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,94 @@ +.TH "utempter_selinux" "8" "utempter" "dwalsh@redhat.com" "utempter SELinux Policy documentation" +.SH "NAME" +utempter_selinux \- Security Enhanced Linux Policy for the utempter processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the utempter processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the utempter_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the utempter_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the utempter_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52536,7 +56596,7 @@ index 0000000..a311394 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52581,17 +56641,40 @@ index 0000000..a311394 +selinux(8), utempter(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/uucpd_selinux.8 b/man/man8/uucpd_selinux.8 new file mode 100644 -index 0000000..10de0a8 +index 0000000..fe182af --- /dev/null 
+++ b/man/man8/uucpd_selinux.8 -@@ -0,0 +1,157 @@ +@@ -0,0 +1,180 @@ +.TH "uucpd_selinux" "8" "uucpd" "dwalsh@redhat.com" "uucpd SELinux Policy documentation" +.SH "NAME" +uucpd_selinux \- Security Enhanced Linux Policy for the uucpd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the uucpd processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the uucpd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the uucpd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the uucpd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52673,7 +56756,7 @@ index 0000000..10de0a8 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52700,7 +56783,7 @@ index 0000000..10de0a8 + + +Default Defined Ports: -+tcp 8021 ++tcp 540 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -52744,23 +56827,19 @@ index 0000000..10de0a8 +selinux(8), uucpd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/uuidd_selinux.8 b/man/man8/uuidd_selinux.8 new file mode 100644 -index 0000000..82a5e37 +index 0000000..3dfe015 --- /dev/null 
+++ b/man/man8/uuidd_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "uuidd_selinux" "8" "uuidd" "dwalsh@redhat.com" "uuidd SELinux Policy documentation" +.SH "NAME" +uuidd_selinux \- Security Enhanced Linux Policy for the uuidd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B uuidd -+(policy for uuidd) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the uuidd processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52806,7 +56885,7 @@ index 0000000..82a5e37 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52851,17 +56930,40 @@ index 0000000..82a5e37 +selinux(8), uuidd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/uux_selinux.8 b/man/man8/uux_selinux.8 new file mode 100644 -index 0000000..c1913bf +index 0000000..dca0134 --- /dev/null 
+++ b/man/man8/uux_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,94 @@ +.TH "uux_selinux" "8" "uux" "dwalsh@redhat.com" "uux SELinux Policy documentation" +.SH "NAME" +uux_selinux \- Security Enhanced Linux Policy for the uux processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the uux processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the uux_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the uux_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the uux_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -52883,7 +56985,7 @@ index 0000000..c1913bf + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -52928,24 +57030,18 @@ index 0000000..c1913bf +selinux(8), uux(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/varnishd_selinux.8 b/man/man8/varnishd_selinux.8 new file mode 100644 -index 0000000..97d1ed5 +index 0000000..b96f2f9 --- /dev/null 
+++ b/man/man8/varnishd_selinux.8 -@@ -0,0 +1,158 @@ +@@ -0,0 +1,175 @@ +.TH "varnishd_selinux" "8" "varnishd" "dwalsh@redhat.com" "varnishd SELinux Policy documentation" +.SH "NAME" +varnishd_selinux \- Security Enhanced Linux Policy for the varnishd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B varnishd -+(Varnishd http accelerator daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the varnishd processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. varnishd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run varnishd with the tightest access possible. + @@ -52957,6 +57053,29 @@ index 0000000..97d1ed5 +.B setsebool -P varnishd_connect_any 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the varnishd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the varnishd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the varnishd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -53017,7 +57136,7 @@ index 0000000..97d1ed5 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -53044,7 +57163,7 @@ index 0000000..97d1ed5 + + +Default Defined Ports: -+tcp 8021 ++tcp 6081-6082 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -53093,17 +57212,19 @@ index 0000000..97d1ed5 \ No newline at end of file diff --git a/man/man8/varnishlog_selinux.8 b/man/man8/varnishlog_selinux.8 new file mode 100644 -index 0000000..a761366 +index 0000000..aec0070 --- /dev/null +++ b/man/man8/varnishlog_selinux.8 -@@ -0,0 +1,107 @@ +@@ -0,0 +1,109 @@ +.TH "varnishlog_selinux" "8" "varnishlog" "dwalsh@redhat.com" "varnishlog SELinux Policy documentation" +.SH "NAME" +varnishlog_selinux \- Security Enhanced Linux Policy for the varnishlog processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the varnishlog processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -53161,7 +57282,7 @@ index 0000000..a761366 +/var/run/varnishncsa\.pid, /var/run/varnishlog\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53206,24 +57327,18 @@ index 0000000..a761366 +selinux(8), varnishlog(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vbetool_selinux.8 b/man/man8/vbetool_selinux.8 new file mode 100644 -index 0000000..690e094 +index 0000000..a380712 --- /dev/null 
+++ b/man/man8/vbetool_selinux.8 -@@ -0,0 +1,92 @@ +@@ -0,0 +1,88 @@ +.TH "vbetool_selinux" "8" "vbetool" "dwalsh@redhat.com" "vbetool SELinux Policy documentation" +.SH "NAME" +vbetool_selinux \- Security Enhanced Linux Policy for the vbetool processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B vbetool -+(run real-mode video BIOS code to alter hardware state) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the vbetool processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. vbetool policy is extremely flexible and has several booleans that allow you to manipulate the policy and run vbetool with the tightest access possible. + @@ -53235,6 +57350,8 @@ index 0000000..690e094 +.B setsebool -P vbetool_mmap_zero_ignore 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -53255,7 +57372,7 @@ index 0000000..690e094 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53305,23 +57422,19 @@ index 0000000..690e094 \ No newline at end of file diff --git a/man/man8/vdagent_selinux.8 b/man/man8/vdagent_selinux.8 new file mode 100644 -index 0000000..ef8444d +index 0000000..bdcb173 --- /dev/null 
+++ b/man/man8/vdagent_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,97 @@ +.TH "vdagent_selinux" "8" "vdagent" "dwalsh@redhat.com" "vdagent SELinux Policy documentation" +.SH "NAME" +vdagent_selinux \- Security Enhanced Linux Policy for the vdagent processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B vdagent -+(policy for vdagent) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the vdagent processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -53367,7 +57480,7 @@ index 0000000..ef8444d +/var/run/spice-vdagentd.\pid, /var/run/spice-vdagentd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53412,23 +57525,40 @@ index 0000000..ef8444d +selinux(8), vdagent(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vhostmd_selinux.8 b/man/man8/vhostmd_selinux.8 new file mode 100644 -index 0000000..1800dc6 +index 0000000..f8014f3 --- /dev/null 
+++ b/man/man8/vhostmd_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,118 @@ +.TH "vhostmd_selinux" "8" "vhostmd" "dwalsh@redhat.com" "vhostmd SELinux Policy documentation" +.SH "NAME" +vhostmd_selinux \- Security Enhanced Linux Policy for the vhostmd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B vhostmd -+(Virtual host metrics daemon) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the vhostmd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the vhostmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the vhostmd_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the vhostmd_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -53474,7 +57604,7 @@ index 0000000..1800dc6 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53519,17 +57649,40 @@ index 0000000..1800dc6 +selinux(8), vhostmd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/virsh_selinux.8 b/man/man8/virsh_selinux.8 new file mode 100644 -index 0000000..97dc9a2 +index 0000000..e41a4ed --- /dev/null 
+++ b/man/man8/virsh_selinux.8 -@@ -0,0 +1,71 @@ +@@ -0,0 +1,94 @@ +.TH "virsh_selinux" "8" "virsh" "dwalsh@redhat.com" "virsh SELinux Policy documentation" +.SH "NAME" +virsh_selinux \- Security Enhanced Linux Policy for the virsh processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the virsh processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the virsh_ssh_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the virsh_ssh_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the virsh_ssh_t, you must turn on the allow_ypbind boolean. + ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -53551,7 +57704,7 @@ index 0000000..97dc9a2 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53596,36 +57749,23 @@ index 0000000..97dc9a2 +selinux(8), virsh(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/virt_selinux.8 b/man/man8/virt_selinux.8 new file mode 100644 -index 0000000..bc4a520 +index 0000000..9998e46 --- /dev/null 
+++ b/man/man8/virt_selinux.8 -@@ -0,0 +1,349 @@ +@@ -0,0 +1,372 @@ +.TH "virt_selinux" "8" "virt" "dwalsh@redhat.com" "virt SELinux Policy documentation" +.SH "NAME" +virt_selinux \- Security Enhanced Linux Policy for the virt processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B virt -+(Libvirt virtualization API) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the virt processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. virt policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virt with the tightest access possible. + + +.PP -+If you want to allow confined virtual guests to read fuse file, you must turn on the virt_use_fusefs boolean. -+ -+.EX -+.B setsebool -P virt_use_fusefs 1 -+.EE -+ -+.PP +If you want to allow confined virtual guests to manage nfs file, you must turn on the virt_use_nfs boolean. + +.EX 
@@ -53675,12 +57815,42 @@ index 0000000..bc4a520 +.EE + +.PP ++If you want to allow confined virtual guests to read fuse file, you must turn on the virt_use_fusefs boolean. ++ ++.EX ++.B setsebool -P virt_use_fusefs 1 ++.EE ++ ++.PP +If you want to allow confined virtual guests to manage cifs file, you must turn on the virt_use_samba boolean. + +.EX +.B setsebool -P virt_use_samba 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the virtd_t, virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the virtd_t, virtd_lxc_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the virtd_t, virtd_lxc_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -53782,6 +57952,18 @@ index 0000000..bc4a520 + +.EX +.PP ++.B virt_lxc_var_run_t ++.EE ++ ++- Set files with the virt_lxc_var_run_t type, if you want to store the virt lxc files under the /run directory. ++ ++.br ++.TP 5 ++Paths: ++/var/run/libvirt-sandbox(/.*)?, /var/run/libvirt/lxc(/.*)? ++ ++.EX ++.PP +.B virt_qmf_exec_t +.EE + @@ -53830,7 +58012,7 @@ index 0000000..bc4a520 +.br +.TP 5 +Paths: -+/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/imgfac\.py, /usr/bin/nova-compute, /usr/sbin/libvirtd ++/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/vios-proxy-host, /usr/bin/imgfac\.py, /usr/bin/vios-proxy-guest, /usr/bin/nova-compute, /usr/sbin/libvirtd + +.EX +.PP 
@@ -53856,16 +58038,8 @@ index 0000000..bc4a520 +- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain. + + -+.EX -+.PP -+.B virtd_lxc_var_run_t -+.EE -+ -+- Set files with the virtd_lxc_var_run_t type, if you want to store the virtd lxc files under the /run directory. -+ -+ +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -53892,7 +58066,7 @@ index 0000000..bc4a520 + + +Default Defined Ports: -+tcp 8021 ++tcp 49152-49216 +.EE + +.EX @@ -53903,7 +58077,9 @@ index 0000000..bc4a520 + + +Default Defined Ports: -+tcp 8021 ++tcp 16509,16514 ++.EE ++udp 16509,16514 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -53952,30 +58128,23 @@ index 0000000..bc4a520 \ No newline at end of file diff --git a/man/man8/virtd_selinux.8 b/man/man8/virtd_selinux.8 new file mode 100644 -index 0000000..40dfb33 +index 0000000..6adb1c7 --- /dev/null 
+++ b/man/man8/virtd_selinux.8 -@@ -0,0 +1,343 @@ +@@ -0,0 +1,232 @@ +.TH "virtd_selinux" "8" "virtd" "dwalsh@redhat.com" "virtd SELinux Policy documentation" +.SH "NAME" +virtd_selinux \- Security Enhanced Linux Policy for the virtd processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the virtd processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. virtd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virtd with the tightest access possible. + + +.PP -+If you want to allow confined virtual guests to read fuse file, you must turn on the virt_use_fusefs boolean. -+ -+.EX -+.B setsebool -P virt_use_fusefs 1 -+.EE -+ -+.PP +If you want to allow confined virtual guests to manage nfs file, you must turn on the virt_use_nfs boolean. + +.EX 
@@ -54025,150 +58194,52 @@ index 0000000..40dfb33 +.EE + +.PP -+If you want to allow confined virtual guests to manage cifs file, you must turn on the virt_use_samba boolean. -+ -+.EX -+.B setsebool -P virt_use_samba 1 -+.EE -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible. -+.PP -+The following file types are defined for virtd: -+ -+ -+.EX -+.PP -+.B virt_bridgehelper_exec_t -+.EE -+ -+- Set files with the virt_bridgehelper_exec_t type, if you want to transition an executable to the virt_bridgehelper_t domain. -+ ++If you want to allow confined virtual guests to read fuse file, you must turn on the virt_use_fusefs boolean. + +.EX -+.PP -+.B virt_cache_t ++.B setsebool -P virt_use_fusefs 1 +.EE + -+- Set files with the virt_cache_t type, if you want to store the files under the /var/cache directory. -+ -+.br -+.TP 5 -+Paths: -+/var/cache/oz(/.*)?, /var/cache/libvirt(/.*)? -+ -+.EX +.PP -+.B virt_content_t -+.EE -+ -+- Set files with the virt_content_t type, if you want to treat the files as virt content. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/vdsm(/.*)?, /var/lib/oz/isos(/.*)?, /var/lib/libvirt/boot(/.*)?, /var/lib/libvirt/isos(/.*)? ++If you want to allow confined virtual guests to manage cifs file, you must turn on the virt_use_samba boolean. + +.EX -+.PP -+.B virt_etc_rw_t ++.B setsebool -P virt_use_samba 1 +.EE + -+- Set files with the virt_etc_rw_t type, if you want to treat the files as virt etc read/write content. 
-+ -+.br -+.TP 5 -+Paths: -+/etc/libvirt/.*/.*, /etc/xen/.*/.*, /etc/xen/[^/]*, /etc/libvirt/[^/]* ++.SH NSSWITCH DOMAIN + -+.EX +.PP -+.B virt_etc_t -+.EE -+ -+- Set files with the virt_etc_t type, if you want to store virt files in the /etc directories. -+ -+.br -+.TP 5 -+Paths: -+/etc/libvirt/[^/]*, /etc/libvirt, /etc/xen/[^/]*, /etc/xen ++If you want to allow users to login using a sssd serve for the virtd_t, virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B virt_home_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the virt_home_t type, if you want to store virt files in the users home directory. -+ -+ -+.EX +.PP -+.B virt_image_t -+.EE -+ -+- Set files with the virt_image_t type, if you want to treat the files as virt image data. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/imagefactory/images(/.*)?, /var/lib/libvirt/images(/.*)? ++If you want to allow confined applications to run with kerberos for the virtd_t, virtd_lxc_t, you must turn on the allow_kerberos boolean. + +.EX -+.PP -+.B virt_log_t ++setsebool -P allow_kerberos 1 +.EE + -+- Set files with the virt_log_t type, if you want to treat the data as virt log data, usually stored under the /var/log directory. -+ -+.br -+.TP 5 -+Paths: -+/var/log/log(/.*)?, /var/log/vdsm(/.*)?, /var/log/libvirt(/.*)? -+ -+.EX +.PP -+.B virt_qmf_exec_t -+.EE -+ -+- Set files with the virt_qmf_exec_t type, if you want to transition an executable to the virt_qmf_t domain. -+ ++If you want to allow system to run with NI for the virtd_t, virtd_lxc_t, you must turn on the allow_ypbind boolean. + +.EX -+.PP -+.B virt_tmp_t ++setsebool -P allow_ypbind 1 +.EE + -+- Set files with the virt_tmp_t type, if you want to store virt temporary files in the /tmp directories. -+ -+ -+.EX ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. 
+.PP -+.B virt_var_lib_t -+.EE -+ -+- Set files with the virt_var_lib_t type, if you want to store the virt files under the /var/lib directory. -+ -+.br -+.TP 5 -+Paths: -+/var/lib/oz(/.*)?, /var/lib/libvirt(/.*)? -+ -+.EX ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP +.PP -+.B virt_var_run_t -+.EE -+ -+- Set files with the virt_var_run_t type, if you want to store the virt files under the /run directory. ++Policy governs the access confined processes have to these files. ++SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible. ++.PP ++The following file types are defined for virtd: + -+.br -+.TP 5 -+Paths: -+/var/run/vdsm(/.*)?, /var/vdsm(/.*)?, /var/run/libvirt(/.*)? + +.EX +.PP @@ -54180,7 +58251,7 @@ index 0000000..40dfb33 +.br +.TP 5 +Paths: -+/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/imgfac\.py, /usr/bin/nova-compute, /usr/sbin/libvirtd ++/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/vios-proxy-host, /usr/bin/imgfac\.py, /usr/bin/vios-proxy-guest, /usr/bin/nova-compute, /usr/sbin/libvirtd + +.EX +.PP @@ -54206,16 +58277,8 @@ index 0000000..40dfb33 +- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain. + + -+.EX -+.PP -+.B virtd_lxc_var_run_t -+.EE -+ -+- Set files with the virtd_lxc_var_run_t type, if you want to store the virtd lxc files under the /run directory. -+ -+ +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54242,7 +58305,7 @@ index 0000000..40dfb33 + + +Default Defined Ports: -+tcp 8021 ++tcp 49152-49216 +.EE + +.EX 
@@ -54253,7 +58316,9 @@ index 0000000..40dfb33 + + +Default Defined Ports: -+tcp 8021 ++tcp 16509,16514 ++.EE ++udp 16509,16514 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -54302,23 +58367,40 @@ index 0000000..40dfb33 \ No newline at end of file diff --git a/man/man8/vlock_selinux.8 b/man/man8/vlock_selinux.8 new file mode 100644 -index 0000000..c8e2a9e +index 0000000..bc0a141 --- /dev/null +++ b/man/man8/vlock_selinux.8 -@@ -0,0 +1,77 @@ +@@ -0,0 +1,94 @@ +.TH "vlock_selinux" "8" "vlock" "dwalsh@redhat.com" "vlock SELinux Policy documentation" +.SH "NAME" +vlock_selinux \- Security Enhanced Linux Policy for the vlock processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B vlock -+(Lock one or more sessions on the Linux console) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the vlock processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the vlock_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the vlock_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the vlock_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
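Review bot: The added NSSWITCH DOMAIN paragraphs for vlock read as if each boolean were scoped to this one domain ("for the vlock_t, you must turn on the allow_ypbind boolean"), but `setsebool -P` persistently changes the boolean for the whole policy, which as far as I know affects every domain that references it. The wording is also garbled: `a sssd serve` presumably means `an sssd server`, and `run with NI` presumably means `run with NIS`. I would have the generator emit a line such as `Enabling this boolean is a persistent, system-wide change; it is not limited to vlock_t.` after each `setsebool` example. The same text is added in the vpnc, wdmd, webalizer, winbind, wireshark, xauth and xdm hunks, and the vmware, vnstat, vnstatd, wine and wpa pages gain an empty `.SH NSSWITCH DOMAIN` heading that the generator should omit when it has nothing to list.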
@@ -54340,7 +58422,7 @@ index 0000000..c8e2a9e + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54385,23 +58467,19 @@ index 0000000..c8e2a9e +selinux(8), vlock(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vmware_selinux.8 b/man/man8/vmware_selinux.8 new file mode 100644 -index 0000000..735cd42 +index 0000000..7ce75e5 --- /dev/null +++ b/man/man8/vmware_selinux.8 -@@ -0,0 +1,173 @@ +@@ -0,0 +1,169 @@ +.TH "vmware_selinux" "8" "vmware" "dwalsh@redhat.com" "vmware SELinux Policy documentation" +.SH "NAME" +vmware_selinux \- Security Enhanced Linux Policy for the vmware processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B vmware -+(VMWare Workstation virtual machines) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the vmware processes via flexible mandatory access +control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -54432,7 +58510,7 @@ index 0000000..735cd42 +.br +.TP 5 +Paths: -+/usr/sbin/vmware-serverd, /usr/lib/vmware/bin/vmware-mks, /usr/lib/vmware/bin/vmplayer, /usr/bin/vmware-ping, /usr/lib/vmware/bin/vmware-ui, /usr/bin/vmware, /usr/bin/vmware-wizard ++/usr/sbin/vmware-serverd, /usr/lib/vmware/bin/vmware-mks, /usr/lib/vmware/bin/vmplayer, /usr/bin/vmware-ping, /usr/lib/vmware/bin/vmware-ui, /usr/bin/vmware-wizard, /usr/bin/vmware + +.EX +.PP 
@@ -54519,7 +58597,7 @@ index 0000000..735cd42 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -54564,17 +58642,19 @@ index 0000000..735cd42 +selinux(8), vmware(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/vnstat_selinux.8 b/man/man8/vnstat_selinux.8 new file mode 100644 -index 0000000..254d3d4 +index 0000000..c497c1b --- /dev/null +++ b/man/man8/vnstat_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,97 @@ +.TH "vnstat_selinux" "8" "vnstat" "dwalsh@redhat.com" "vnstat SELinux Policy documentation" +.SH "NAME" +vnstat_selinux \- Security Enhanced Linux Policy for the vnstat processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the vnstat processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -54620,7 +58700,7 @@ index 0000000..254d3d4 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -54662,230 +58742,258 @@ index 0000000..254d3d4 +This manual page was autogenerated by genman.py. + +.SH "SEE ALSO" -+selinux(8), vnstat(8), semanage(8), restorecon(8), chcon(1) -diff --git a/man/man8/vnstatd_selinux.8 b/man/man8/vnstatd_selinux.8 ++selinux(8), vnstat(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/vnstatd_selinux.8 b/man/man8/vnstatd_selinux.8 +new file mode 100644 +index 0000000..ee13308 +--- /dev/null ++++ b/man/man8/vnstatd_selinux.8 +@@ -0,0 +1,89 @@ ++.TH "vnstatd_selinux" "8" "vnstatd" "dwalsh@redhat.com" "vnstatd SELinux Policy documentation" ++.SH "NAME" ++vnstatd_selinux \- Security Enhanced Linux Policy for the vnstatd processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the vnstatd processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux vnstatd policy is very flexible allowing users to setup their vnstatd processes in as secure a method as possible. ++.PP ++The following file types are defined for vnstatd: ++ ++ ++.EX ++.PP ++.B vnstatd_exec_t ++.EE ++ ++- Set files with the vnstatd_exec_t type, if you want to transition an executable to the vnstatd_t domain. ++ ++ ++.EX ++.PP ++.B vnstatd_var_lib_t ++.EE ++ ++- Set files with the vnstatd_var_lib_t type, if you want to store the vnstatd files under the /var/lib directory. ++ ++ ++.EX ++.PP ++.B vnstatd_var_run_t ++.EE ++ ++- Set files with the vnstatd_var_run_t type, if you want to store the vnstatd files under the /run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. 
You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. ++SELinux vnstatd policy is very flexible allowing users to setup their vnstatd processes in as secure a method as possible. ++.PP ++The following process types are defined for vnstatd: ++ ++.EX ++.B vnstat_t, vnstatd_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), vnstatd(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/vpnc_selinux.8 b/man/man8/vpnc_selinux.8 +new file mode 100644 +index 0000000..4684cd8 +--- /dev/null ++++ b/man/man8/vpnc_selinux.8 +@@ -0,0 +1,114 @@ ++.TH "vpnc_selinux" "8" "vpnc" "dwalsh@redhat.com" "vpnc SELinux Policy documentation" ++.SH "NAME" ++vpnc_selinux \- Security Enhanced Linux Policy for the vpnc processes ++.SH "DESCRIPTION" ++ ++Security-Enhanced Linux secures the vpnc processes via flexible mandatory access ++control. ++ ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the vpnc_t, you must turn on the authlogin_nsswitch_use_ldap boolean. 
++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the vpnc_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the vpnc_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ ++.SH FILE CONTEXTS ++SELinux requires files to have an extended attribute to define the file type. ++.PP ++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP ++.PP ++Policy governs the access confined processes have to these files. ++SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible. ++.PP ++The following file types are defined for vpnc: ++ ++ ++.EX ++.PP ++.B vpnc_exec_t ++.EE ++ ++- Set files with the vpnc_exec_t type, if you want to transition an executable to the vpnc_t domain. ++ ++.br ++.TP 5 ++Paths: ++/usr/sbin/vpnc, /usr/bin/openconnect, /sbin/vpnc ++ ++.EX ++.PP ++.B vpnc_tmp_t ++.EE ++ ++- Set files with the vpnc_tmp_t type, if you want to store vpnc temporary files in the /tmp directories. ++ ++ ++.EX ++.PP ++.B vpnc_var_run_t ++.EE ++ ++- Set files with the vpnc_var_run_t type, if you want to store the vpnc files under the /run directory. ++ ++ ++.PP ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the ++.B semanage fcontext ++command. This will modify the SELinux labeling database. You will need to use ++.B restorecon ++to apply the labels. ++ ++.SH PROCESS TYPES ++SELinux defines process types (domains) for each process running on the system ++.PP ++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP ++.PP ++Policy governs the access confined processes have to files. 
++SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible. ++.PP ++The following process types are defined for vpnc: ++ ++.EX ++.B vpnc_t ++.EE ++.PP ++Note: ++.B semanage permissive -a PROCESS_TYPE ++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. ++ ++.SH "COMMANDS" ++.B semanage fcontext ++can also be used to manipulate default file context mappings. ++.PP ++.B semanage permissive ++can also be used to manipulate whether or not a process type is permissive. ++.PP ++.B semanage module ++can also be used to enable/disable/install/remove policy modules. ++ ++.PP ++.B system-config-selinux ++is a GUI tool available to customize SELinux policy settings. ++ ++.SH AUTHOR ++This manual page was autogenerated by genman.py. ++ ++.SH "SEE ALSO" ++selinux(8), vpnc(8), semanage(8), restorecon(8), chcon(1) +diff --git a/man/man8/wdmd_selinux.8 b/man/man8/wdmd_selinux.8 new file mode 100644 -index 0000000..1589eb8 +index 0000000..4a98476 
--- /dev/null -+++ b/man/man8/vnstatd_selinux.8 -@@ -0,0 +1,101 @@ -+.TH "vnstatd_selinux" "8" "vnstatd" "dwalsh@redhat.com" "vnstatd SELinux Policy documentation" ++++ b/man/man8/wdmd_selinux.8 +@@ -0,0 +1,110 @@ ++.TH "wdmd_selinux" "8" "wdmd" "dwalsh@redhat.com" "wdmd SELinux Policy documentation" +.SH "NAME" -+vnstatd_selinux \- Security Enhanced Linux Policy for the vnstatd processes ++wdmd_selinux \- Security Enhanced Linux Policy for the wdmd processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B vnstatd -+(Console network traffic monitor) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the wdmd processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux vnstatd policy is very flexible allowing users to setup their vnstatd processes in as secure a method as possible. -+.PP -+The following file types are defined for vnstatd: -+ -+ -+.EX -+.PP -+.B vnstat_exec_t -+.EE -+ -+- Set files with the vnstat_exec_t type, if you want to transition an executable to the vnstat_t domain. -+ -+ -+.EX -+.PP -+.B vnstatd_exec_t -+.EE -+ -+- Set files with the vnstatd_exec_t type, if you want to transition an executable to the vnstatd_t domain. -+ -+ -+.EX +.PP -+.B vnstatd_var_lib_t -+.EE -+ -+- Set files with the vnstatd_var_lib_t type, if you want to store the vnstatd files under the /var/lib directory. -+ ++If you want to allow users to login using a sssd serve for the wdmd_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + +.EX -+.PP -+.B vnstatd_var_run_t ++setsebool -P authlogin_nsswitch_use_ldap 1 +.EE + -+- Set files with the vnstatd_var_run_t type, if you want to store the vnstatd files under the /run directory. 
-+ -+ -+.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP +.PP -+Policy governs the access confined processes have to files. -+SELinux vnstatd policy is very flexible allowing users to setup their vnstatd processes in as secure a method as possible. -+.PP -+The following process types are defined for vnstatd: ++If you want to allow confined applications to run with kerberos for the wdmd_t, you must turn on the allow_kerberos boolean. + +.EX -+.B vnstat_t, vnstatd_t ++setsebool -P allow_kerberos 1 +.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was autogenerated by genman.py. 
-+ -+.SH "SEE ALSO" -+selinux(8), vnstatd(8), semanage(8), restorecon(8), chcon(1) -diff --git a/man/man8/vpnc_selinux.8 b/man/man8/vpnc_selinux.8 -new file mode 100644 -index 0000000..41a5246 ---- /dev/null -+++ b/man/man8/vpnc_selinux.8 -@@ -0,0 +1,91 @@ -+.TH "vpnc_selinux" "8" "vpnc" "dwalsh@redhat.com" "vpnc SELinux Policy documentation" -+.SH "NAME" -+vpnc_selinux \- Security Enhanced Linux Policy for the vpnc processes -+.SH "DESCRIPTION" -+ -+ -+ -+ -+.SH FILE CONTEXTS -+SELinux requires files to have an extended attribute to define the file type. -+.PP -+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP -+.PP -+Policy governs the access confined processes have to these files. -+SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible. -+.PP -+The following file types are defined for vpnc: -+ -+ -+.EX -+.PP -+.B vpnc_exec_t -+.EE -+ -+- Set files with the vpnc_exec_t type, if you want to transition an executable to the vpnc_t domain. -+ -+.br -+.TP 5 -+Paths: -+/usr/sbin/vpnc, /usr/bin/openconnect, /sbin/vpnc -+ -+.EX -+.PP -+.B vpnc_tmp_t -+.EE -+ -+- Set files with the vpnc_tmp_t type, if you want to store vpnc temporary files in the /tmp directories. -+ -+ -+.EX -+.PP -+.B vpnc_var_run_t -+.EE -+ -+- Set files with the vpnc_var_run_t type, if you want to store the vpnc files under the /run directory. -+ + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -+.B semanage fcontext -+command. This will modify the SELinux labeling database. You will need to use -+.B restorecon -+to apply the labels. -+ -+.SH PROCESS TYPES -+SELinux defines process types (domains) for each process running on the system -+.PP -+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP -+.PP -+Policy governs the access confined processes have to files. 
-+SELinux vpnc policy is very flexible allowing users to setup their vpnc processes in as secure a method as possible. -+.PP -+The following process types are defined for vpnc: ++If you want to allow system to run with NI for the wdmd_t, you must turn on the allow_ypbind boolean. + +.EX -+.B vpnc_t ++setsebool -P allow_ypbind 1 +.EE -+.PP -+Note: -+.B semanage permissive -a PROCESS_TYPE -+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated. -+ -+.SH "COMMANDS" -+.B semanage fcontext -+can also be used to manipulate default file context mappings. -+.PP -+.B semanage permissive -+can also be used to manipulate whether or not a process type is permissive. -+.PP -+.B semanage module -+can also be used to enable/disable/install/remove policy modules. -+ -+.PP -+.B system-config-selinux -+is a GUI tool available to customize SELinux policy settings. -+ -+.SH AUTHOR -+This manual page was autogenerated by genman.py. -+ -+.SH "SEE ALSO" -+selinux(8), vpnc(8), semanage(8), restorecon(8), chcon(1) -diff --git a/man/man8/wdmd_selinux.8 b/man/man8/wdmd_selinux.8 -new file mode 100644 -index 0000000..a060bdb ---- /dev/null -+++ b/man/man8/wdmd_selinux.8 -@@ -0,0 +1,93 @@ -+.TH "wdmd_selinux" "8" "wdmd" "dwalsh@redhat.com" "wdmd SELinux Policy documentation" -+.SH "NAME" -+wdmd_selinux \- Security Enhanced Linux Policy for the wdmd processes -+.SH "DESCRIPTION" -+ -+ -+SELinux Linux secures -+.B wdmd -+(policy for wdmd) -+processes via flexible mandatory access -+control. -+ -+ + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -54923,7 +59031,7 @@ index 0000000..a060bdb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55039,23 +59147,40 @@ index 0000000..072a0c0 +selinux(8), semanage(8). diff --git a/man/man8/webalizer_selinux.8 b/man/man8/webalizer_selinux.8 new file mode 100644 -index 0000000..ba0eb02 +index 0000000..f753c48 --- /dev/null +++ b/man/man8/webalizer_selinux.8 -@@ -0,0 +1,117 @@ +@@ -0,0 +1,134 @@ +.TH "webalizer_selinux" "8" "webalizer" "dwalsh@redhat.com" "webalizer SELinux Policy documentation" +.SH "NAME" +webalizer_selinux \- Security Enhanced Linux Policy for the webalizer processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B webalizer -+(Web server log analysis) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the webalizer processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the webalizer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the webalizer_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE + ++.PP ++If you want to allow system to run with NI for the webalizer_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -55117,7 +59242,7 @@ index 0000000..ba0eb02 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55162,17 +59287,17 @@ index 0000000..ba0eb02 +selinux(8), webalizer(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/winbind_selinux.8 b/man/man8/winbind_selinux.8 new file mode 100644 -index 0000000..df63d07 +index 0000000..4395c71 --- /dev/null +++ b/man/man8/winbind_selinux.8 -@@ -0,0 +1,114 @@ +@@ -0,0 +1,137 @@ +.TH "winbind_selinux" "8" "winbind" "dwalsh@redhat.com" "winbind SELinux Policy documentation" +.SH "NAME" +winbind_selinux \- Security Enhanced Linux Policy for the winbind processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the winbind processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. winbind policy is extremely flexible and has several booleans that allow you to manipulate the policy and run winbind with the tightest access possible. 
@@ -55185,6 +59310,29 @@ index 0000000..df63d07 +.B setsebool -P allow_httpd_mod_auth_ntlm_winbind 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the winbind_helper_t, winbind_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the winbind_helper_t, winbind_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the winbind_helper_t, winbind_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -55230,10 +59378,10 @@ index 0000000..df63d07 +.br +.TP 5 +Paths: -+/var/cache/samba/winbindd_privileged(/.*)?, /var/lib/samba/winbindd_privileged(/.*)?, /var/run/winbindd(/.*)? ++/var/cache/samba/winbindd_privileged(/.*)?, /var/lib/samba/winbindd_privileged(/.*)?, /var/run/winbindd(/.*)?, /var/run/samba/winbindd(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55283,24 +59431,18 @@ index 0000000..df63d07 \ No newline at end of file diff --git a/man/man8/wine_selinux.8 b/man/man8/wine_selinux.8 new file mode 100644 -index 0000000..c2107f1 +index 0000000..8bce1e7 --- /dev/null 
+++ b/man/man8/wine_selinux.8 -@@ -0,0 +1,104 @@ +@@ -0,0 +1,100 @@ +.TH "wine_selinux" "8" "wine" "dwalsh@redhat.com" "wine SELinux Policy documentation" +.SH "NAME" +wine_selinux \- Security Enhanced Linux Policy for the wine processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B wine -+(Wine Is Not an Emulator. Run Windows programs in Linux) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the wine processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. wine policy is extremely flexible and has several booleans that allow you to manipulate the policy and run wine with the tightest access possible. + @@ -55312,6 +59454,8 @@ index 0000000..c2107f1 +.B setsebool -P wine_mmap_zero_ignore 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -55344,7 +59488,7 @@ index 0000000..c2107f1 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55394,23 +59538,40 @@ index 0000000..c2107f1 \ No newline at end of file diff --git a/man/man8/wireshark_selinux.8 b/man/man8/wireshark_selinux.8 new file mode 100644 -index 0000000..4536946 +index 0000000..dfdf991 --- /dev/null 
+++ b/man/man8/wireshark_selinux.8 -@@ -0,0 +1,101 @@ +@@ -0,0 +1,118 @@ +.TH "wireshark_selinux" "8" "wireshark" "dwalsh@redhat.com" "wireshark SELinux Policy documentation" +.SH "NAME" +wireshark_selinux \- Security Enhanced Linux Policy for the wireshark processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B wireshark -+(Wireshark packet capture tool) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the wireshark processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the wireshark_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the wireshark_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the wireshark_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -55456,7 +59617,7 @@ index 0000000..4536946 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55501,17 +59662,19 @@ index 0000000..4536946 +selinux(8), wireshark(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/wpa_selinux.8 b/man/man8/wpa_selinux.8 new file mode 100644 -index 0000000..e8a5a9f +index 0000000..6c081d0 --- /dev/null 
+++ b/man/man8/wpa_selinux.8 -@@ -0,0 +1,75 @@ +@@ -0,0 +1,77 @@ +.TH "wpa_selinux" "8" "wpa" "dwalsh@redhat.com" "wpa SELinux Policy documentation" +.SH "NAME" +wpa_selinux \- Security Enhanced Linux Policy for the wpa processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the wpa processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -55537,7 +59700,7 @@ index 0000000..e8a5a9f +/usr/sbin/wpa_cli, /sbin/wpa_cli + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55582,17 +59745,40 @@ index 0000000..e8a5a9f +selinux(8), wpa(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/xauth_selinux.8 b/man/man8/xauth_selinux.8 new file mode 100644 -index 0000000..85c91f3 +index 0000000..4aa99ff --- /dev/null 
+++ b/man/man8/xauth_selinux.8 -@@ -0,0 +1,95 @@ +@@ -0,0 +1,118 @@ +.TH "xauth_selinux" "8" "xauth" "dwalsh@redhat.com" "xauth SELinux Policy documentation" +.SH "NAME" +xauth_selinux \- Security Enhanced Linux Policy for the xauth processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the xauth processes via flexible mandatory access ++control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the xauth_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the xauth_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the xauth_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -55638,7 +59824,7 @@ index 0000000..85c91f3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55683,17 +59869,17 @@ index 0000000..85c91f3 +selinux(8), xauth(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/xdm_selinux.8 b/man/man8/xdm_selinux.8 new file mode 100644 -index 0000000..e377b25 +index 0000000..9764445 --- /dev/null 
+++ b/man/man8/xdm_selinux.8 -@@ -0,0 +1,223 @@ +@@ -0,0 +1,264 @@ +.TH "xdm_selinux" "8" "xdm" "dwalsh@redhat.com" "xdm SELinux Policy documentation" +.SH "NAME" +xdm_selinux \- Security Enhanced Linux Policy for the xdm processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the xdm processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. xdm policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xdm with the tightest access possible. @@ -55713,6 +59899,29 @@ index 0000000..e377b25 +.B setsebool -P xdm_exec_bootloader 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the xdm_dbusd_t, xdm_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the xdm_dbusd_t, xdm_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the xdm_dbusd_t, xdm_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -55742,7 +59951,7 @@ index 0000000..e377b25 +.br +.TP 5 +Paths: -+/usr/bin/[xgkw]dm, /usr/bin/slim, /usr/sbin/[xgkw]dm, /usr/X11R6/bin/[xgkw]dm, /usr/sbin/lxdm, /usr/sbin/lxdm-binary, /usr/bin/lxdm-binary, /usr/bin/gpe-dm, /usr/bin/gdm-binary, /usr/bin/lxdm, /opt/kde3/bin/kdm, /usr/sbin/gdm-binary ++/usr/a/(s)?bin/[xgkw]?dm, /usr/bin/slim, /usr/(s)?bin/lightdm*, /usr/(s)?bin/[mxgkw]dm, /usr/sbin/mdm-binary, /usr/(s)?bin/lxdm(-binary)?, /usr/X11R6/bin/[xgkw]dm, /usr/(s)?bin/gdm-binary, /usr/bin/gpe-dm, /opt/kde3/bin/kdm + +.EX +.PP 
@@ -55774,7 +59983,7 @@ index 0000000..e377b25 +.br +.TP 5 +Paths: -+/var/log/slim\.log.*, /var/log/(l)?xdm\.log.*, /var/log/gdm(/.*)? ++/var/log/slim\.log, /var/log/lxdm\.log.*, /var/log/[mg]dm(/.*)?, /var/log/[mkwx]dm\.log.* + +.EX +.PP @@ -55783,6 +59992,10 @@ index 0000000..e377b25 + +- Set files with the xdm_rw_etc_t type, if you want to store xdm rw files in the /etc directories. + ++.br ++.TP 5 ++Paths: ++/etc/opt/VirtualGL(/.*)?, /etc/X11/wdm(/.*)? + +.EX +.PP @@ -55814,6 +60027,18 @@ index 0000000..e377b25 + +.EX +.PP ++.B xdm_unconfined_exec_t ++.EE ++ ++- Set files with the xdm_unconfined_exec_t type, if you want to transition an executable to the xdm_unconfined_t domain. ++ ++.br ++.TP 5 ++Paths: ++/etc/gdm/PostLogin(/.*)?, /etc/gdm/Init(/.*)?, /etc/gdm/PreSession(/.*)?, /etc/gdm/PostSession(/.*)? ++ ++.EX ++.PP +.B xdm_var_lib_t +.EE + @@ -55822,7 +60047,7 @@ index 0000000..e377b25 +.br +.TP 5 +Paths: -+/var/lib/[gxkw]dm(/.*)?, /var/cache/gdm(/.*)?, /var/lib/lxdm(/.*)? ++/var/lib/lightdm(/.*)?, /var/lib/[gxkw]dm(/.*)?, /var/cache/lightdm(/.*)?, /var/lib/[mxkwg]dm(/.*)?, /var/lib/lxdm(/.*)?, /var/cache/[mg]dm(/.*)? + +.EX +.PP 
@@ -55834,10 +60059,10 @@ index 0000000..e377b25 +.br +.TP 5 +Paths: -+/var/run/kdm(/.*)?, /var/run/slim.*, /var/run/lxdm(/.*)?, /var/run/gdm(/.*)?, /usr/lib/qt-.*/etc/settings(/.*)?, /var/run/lxdm\.auth, /var/run/xauth(/.*)?, /var/run/xdmctl(/.*)?, /var/run/[gx]dm\.pid, /var/run/slim(/.*)?, /var/run/gdm_socket, /etc/kde3?/kdm/backgroundrc, /var/run/lxdm\.pid ++/var/run/slim.*, /var/run/lxdm(/.*)?, /usr/lib/qt-.*/etc/settings(/.*)?, /var/run/lxdm\.auth, /var/run/systemd/multi-session-x(/.*)?, /var/run/xauth(/.*)?, /var/run/xdmctl(/.*)?, /var/run/[gx]dm\.pid, /var/run/[kgm]dm(/.*)?, /var/run/slim(/.*)?, /var/run/gdm_socket, /etc/kde3?/kdm/backgroundrc, /var/run/lxdm\.pid, /var/run/lightdm(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55864,7 +60089,9 @@ index 0000000..e377b25 + + +Default Defined Ports: -+tcp 8021 ++tcp 177 ++.EE ++udp 177 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -55913,17 +60140,19 @@ index 0000000..e377b25 \ No newline at end of file diff --git a/man/man8/xenconsoled_selinux.8 b/man/man8/xenconsoled_selinux.8 new file mode 100644 -index 0000000..94ba970 +index 0000000..1693d56 --- /dev/null 
+++ b/man/man8/xenconsoled_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,81 @@ +.TH "xenconsoled_selinux" "8" "xenconsoled" "dwalsh@redhat.com" "xenconsoled SELinux Policy documentation" +.SH "NAME" +xenconsoled_selinux \- Security Enhanced Linux Policy for the xenconsoled processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the xenconsoled processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -55953,7 +60182,7 @@ index 0000000..94ba970 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -55998,17 +60227,17 @@ index 0000000..94ba970 +selinux(8), xenconsoled(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/xend_selinux.8 b/man/man8/xend_selinux.8 new file mode 100644 -index 0000000..ef97b9c +index 0000000..bd5ca3c --- /dev/null +++ b/man/man8/xend_selinux.8 -@@ -0,0 +1,190 @@ +@@ -0,0 +1,172 @@ +.TH "xend_selinux" "8" "xend" "dwalsh@redhat.com" "xend SELinux Policy documentation" +.SH "NAME" +xend_selinux \- Security Enhanced Linux Policy for the xend processes +.SH "DESCRIPTION" + -+ -+ ++Security-Enhanced Linux secures the xend processes via flexible mandatory access ++control. + +.SH BOOLEANS +SELinux policy is customizable based on least access required. xend policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xend with the tightest access possible. 
@@ -56035,6 +60264,8 @@ index 0000000..ef97b9c +.B setsebool -P xend_run_blktap 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -56048,26 +60279,6 @@ index 0000000..ef97b9c + +.EX +.PP -+.B xen_devpts_t -+.EE -+ -+- Set files with the xen_devpts_t type, if you want to treat the files as xen devpts data. -+ -+ -+.EX -+.PP -+.B xen_image_t -+.EE -+ -+- Set files with the xen_image_t type, if you want to treat the files as xen image data. -+ -+.br -+.TP 5 -+Paths: -+/xen(/.*)?, /var/lib/xen/images(/.*)? -+ -+.EX -+.PP +.B xend_exec_t +.EE + @@ -56119,7 +60330,7 @@ index 0000000..ef97b9c +/var/run/xenner(/.*)?, /var/run/xend(/.*)?, /var/run/xend\.pid + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56146,7 +60357,7 @@ index 0000000..ef97b9c + + +Default Defined Ports: -+tcp 8021 ++tcp 8002 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -56195,17 +60406,19 @@ index 0000000..ef97b9c \ No newline at end of file diff --git a/man/man8/xenstored_selinux.8 b/man/man8/xenstored_selinux.8 new file mode 100644 -index 0000000..0cf576a +index 0000000..b799204 --- /dev/null 
+++ b/man/man8/xenstored_selinux.8 -@@ -0,0 +1,107 @@ +@@ -0,0 +1,109 @@ +.TH "xenstored_selinux" "8" "xenstored" "dwalsh@redhat.com" "xenstored SELinux Policy documentation" +.SH "NAME" +xenstored_selinux \- Security Enhanced Linux Policy for the xenstored processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the xenstored processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -56263,7 +60476,7 @@ index 0000000..0cf576a +/var/run/xenstore\.pid, /var/run/xenstored(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56545,40 +60758,34 @@ index 0000000..2478817 +selinux(8), semanage(8). diff --git a/man/man8/xserver_selinux.8 b/man/man8/xserver_selinux.8 new file mode 100644 -index 0000000..868120f +index 0000000..4c1dfef --- /dev/null 
+++ b/man/man8/xserver_selinux.8 -@@ -0,0 +1,176 @@ +@@ -0,0 +1,193 @@ +.TH "xserver_selinux" "8" "xserver" "dwalsh@redhat.com" "xserver SELinux Policy documentation" +.SH "NAME" +xserver_selinux \- Security Enhanced Linux Policy for the xserver processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B xserver -+(X Windows Server) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the xserver processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. xserver policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xserver with the tightest access possible. + + +.PP -+If you want to allow confined virtual guests to interact with the xserve, you must turn on the virt_use_xserver boolean. ++If you want to support X userspace object manage, you must turn on the xserver_object_manager boolean. + +.EX -+.B setsebool -P virt_use_xserver 1 ++.B setsebool -P xserver_object_manager 1 +.EE + +.PP -+If you want to support X userspace object manage, you must turn on the xserver_object_manager boolean. ++If you want to allow confined virtual guests to interact with the xserve, you must turn on the virt_use_xserver boolean. + +.EX -+.B setsebool -P xserver_object_manager 1 ++.B setsebool -P virt_use_xserver 1 +.EE + +.PP 
@@ -56588,6 +60795,29 @@ index 0000000..868120f +.B setsebool -P allow_xserver_execmem 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the xserver_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the xserver_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the xserver_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -56609,7 +60839,7 @@ index 0000000..868120f +.br +.TP 5 +Paths: -+/usr/bin/Xair, /usr/bin/Xephyr, /usr/X11R6/bin/Xwrapper, /usr/X11R6/bin/XFree86, /etc/init\.d/xfree86-common, /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/bin/Xorg, /usr/X11R6/bin/X ++/usr/bin/Xair, /usr/X11R6/bin/Xwrapper, /usr/X11R6/bin/XFree86, /etc/init\.d/xfree86-common, /usr/X11R6/bin/Xorg, /usr/X11R6/bin/Xipaq, /usr/bin/Xorg, /usr/X11R6/bin/X, /usr/bin/Xephyr + +.EX +.PP @@ -56621,7 +60851,7 @@ index 0000000..868120f +.br +.TP 5 +Paths: -+/usr/var/[xgkw]dm(/.*)?, /var/[xgk]dm(/.*)?, /var/log/nvidia-installer\.log.*, /var/log/XFree86.*, /var/log/Xorg.*, /var/log/[kw]dm\.log.* ++/var/log/lightdm(/.*)?, /usr/var/[xgkw]dm(/.*)?, /var/[xgk]dm(/.*)?, /var/log/nvidia-installer\.log.*, /var/log/XFree86.*, /var/log/Xorg.* + +.EX +.PP 
@@ -56652,7 +60882,7 @@ index 0000000..868120f +/var/run/xorg(/.*)?, /var/run/video.rom + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56679,7 +60909,7 @@ index 0000000..868120f + + +Default Defined Ports: -+tcp 8021 ++tcp 6000-6020 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -56727,10 +60957,10 @@ index 0000000..868120f +, setsebool(8) \ No newline at end of file diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8 -index 5061a5f..22c9968 100644 +index 5061a5f..238e954 100644 --- a/man/man8/ypbind_selinux.8 +++ b/man/man8/ypbind_selinux.8 -@@ -1,19 +1,118 @@ +@@ -1,19 +1,116 @@ -.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation" +.TH "ypbind_selinux" "8" "ypbind" "dwalsh@redhat.com" "ypbind SELinux Policy documentation" .SH "NAME" @@ -56740,8 +60970,8 @@ index 5061a5f..22c9968 100644 -Security-Enhanced Linux secures the system via flexible mandatory access -control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network. -+ -+ ++Security-Enhanced Linux secures the ypbind processes via flexible mandatory access ++control. + .SH BOOLEANS -.TP @@ -56760,6 +60990,8 @@ index 5061a5f..22c9968 100644 +.B setsebool -P allow_ypbind 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -56798,10 +61030,6 @@ index 5061a5f..22c9968 100644 + +- Set files with the ypbind_unit_file_t type, if you want to treat the files as ypbind unit content. + -+.br -+.TP 5 -+Paths: -+/usr/lib/systemd/system/ypbind\.service, /lib/systemd/system/ypbind\.service + +.EX +.PP @@ -56812,7 +61040,7 @@ index 5061a5f..22c9968 100644 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56864,17 +61092,19 @@ index 5061a5f..22c9968 100644 \ No newline at end of file diff --git a/man/man8/yppasswdd_selinux.8 b/man/man8/yppasswdd_selinux.8 new file mode 100644 -index 0000000..4b570b3 +index 0000000..982aeba --- /dev/null +++ b/man/man8/yppasswdd_selinux.8 -@@ -0,0 +1,79 @@ +@@ -0,0 +1,85 @@ +.TH "yppasswdd_selinux" "8" "yppasswdd" "dwalsh@redhat.com" "yppasswdd SELinux Policy documentation" +.SH "NAME" +yppasswdd_selinux \- Security Enhanced Linux Policy for the yppasswdd processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the yppasswdd processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -56894,6 +61124,10 @@ index 0000000..4b570b3 + +- Set files with the yppasswdd_exec_t type, if you want to transition an executable to the yppasswdd_t domain. + ++.br ++.TP 5 ++Paths: ++/usr/sbin/rpc\.yppasswdd\.env, /usr/sbin/rpc\.yppasswdd + +.EX +.PP 
@@ -56904,7 +61138,7 @@ index 0000000..4b570b3 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -56949,17 +61183,19 @@ index 0000000..4b570b3 +selinux(8), yppasswdd(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ypserv_selinux.8 b/man/man8/ypserv_selinux.8 new file mode 100644 -index 0000000..b5da81b +index 0000000..1bbc2ad --- /dev/null +++ b/man/man8/ypserv_selinux.8 -@@ -0,0 +1,87 @@ +@@ -0,0 +1,89 @@ +.TH "ypserv_selinux" "8" "ypserv" "dwalsh@redhat.com" "ypserv SELinux Policy documentation" +.SH "NAME" +ypserv_selinux \- Security Enhanced Linux Policy for the ypserv processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ypserv processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -56997,7 +61233,7 @@ index 0000000..b5da81b + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57042,17 +61278,19 @@ index 0000000..b5da81b +selinux(8), ypserv(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/ypxfr_selinux.8 b/man/man8/ypxfr_selinux.8 new file mode 100644 -index 0000000..3e761eb +index 0000000..a6a3716 --- /dev/null 
+++ b/man/man8/ypxfr_selinux.8 -@@ -0,0 +1,83 @@ +@@ -0,0 +1,85 @@ +.TH "ypxfr_selinux" "8" "ypxfr" "dwalsh@redhat.com" "ypxfr SELinux Policy documentation" +.SH "NAME" +ypxfr_selinux \- Security Enhanced Linux Policy for the ypxfr processes +.SH "DESCRIPTION" + ++Security-Enhanced Linux secures the ypxfr processes via flexible mandatory access ++control. + -+ ++.SH NSSWITCH DOMAIN + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -57086,7 +61324,7 @@ index 0000000..3e761eb + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57131,24 +61369,18 @@ index 0000000..3e761eb +selinux(8), ypxfr(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/zabbix_selinux.8 b/man/man8/zabbix_selinux.8 new file mode 100644 -index 0000000..6f79276 +index 0000000..bda9ceb --- /dev/null +++ b/man/man8/zabbix_selinux.8 -@@ -0,0 +1,200 @@ +@@ -0,0 +1,217 @@ +.TH "zabbix_selinux" "8" "zabbix" "dwalsh@redhat.com" "zabbix SELinux Policy documentation" +.SH "NAME" +zabbix_selinux \- Security Enhanced Linux Policy for the zabbix processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B zabbix -+(Distributed infrastructure monitoring) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the zabbix processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. zabbix policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zabbix with the tightest access possible. + 
@@ -57167,6 +61399,29 @@ index 0000000..6f79276 +.B setsebool -P httpd_can_connect_zabbix 1 +.EE + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the zabbix_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zabbix_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the zabbix_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP @@ -57204,7 +61459,7 @@ index 0000000..6f79276 +.br +.TP 5 +Paths: -+/usr/sbin/zabbix_server_sqlite3, /usr/sbin/zabbix_server_mysql, /usr/sbin/zabbix_server_pgsql, /usr/sbin/zabbix_server ++/usr/sbin/zabbix_server_pgsql, /usr/sbin/zabbix_server_sqlite3, /usr/sbin/zabbix_server_mysql, /usr/sbin/zabbix_server + +.EX +.PP @@ -57251,7 +61506,7 @@ index 0000000..6f79276 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57278,7 +61533,7 @@ index 0000000..6f79276 + + +Default Defined Ports: -+tcp 8021 ++tcp 10050 +.EE + +.EX @@ -57289,7 +61544,7 @@ index 0000000..6f79276 + + +Default Defined Ports: -+tcp 8021 ++tcp 10051 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -57338,23 +61593,40 @@ index 0000000..6f79276 \ No newline at end of file 
diff --git a/man/man8/zarafa_selinux.8 b/man/man8/zarafa_selinux.8 new file mode 100644 -index 0000000..928b3c1 +index 0000000..0ed76d5 --- /dev/null +++ b/man/man8/zarafa_selinux.8 -@@ -0,0 +1,319 @@ +@@ -0,0 +1,340 @@ +.TH "zarafa_selinux" "8" "zarafa" "dwalsh@redhat.com" "zarafa SELinux Policy documentation" +.SH "NAME" +zarafa_selinux \- Security Enhanced Linux Policy for the zarafa processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B zarafa -+(Zarafa collaboration platform) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the zarafa processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN + ++.PP ++If you want to allow users to login using a sssd serve for the zarafa_deliver_t, zarafa_spooler_t, zarafa_gateway_t, zarafa_ical_t, zarafa_server_t, zarafa_monitor_t, zarafa_indexer_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zarafa_deliver_t, zarafa_spooler_t, zarafa_gateway_t, zarafa_ical_t, zarafa_server_t, zarafa_monitor_t, zarafa_indexer_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the zarafa_deliver_t, zarafa_spooler_t, zarafa_gateway_t, zarafa_ical_t, zarafa_server_t, zarafa_monitor_t, zarafa_indexer_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -57486,6 +61758,10 @@ index 0000000..928b3c1 + +- Set files with the zarafa_indexer_var_run_t type, if you want to store the zarafa indexer files under the /run directory. + ++.br ++.TP 5 ++Paths: ++/var/run/zarafa-indexer\.pid, /var/run/zarafa-indexer + +.EX +.PP 
@@ -57592,7 +61868,7 @@ index 0000000..928b3c1 +/var/lib/zarafa-webaccess(/.*)?, /var/lib/zarafa(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57619,7 +61895,7 @@ index 0000000..928b3c1 + + +Default Defined Ports: -+tcp 8021 ++tcp 236,237 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -57663,24 +61939,18 @@ index 0000000..928b3c1 +selinux(8), zarafa(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/zebra_selinux.8 b/man/man8/zebra_selinux.8 new file mode 100644 -index 0000000..705cdbc +index 0000000..ef47169 --- /dev/null +++ b/man/man8/zebra_selinux.8 -@@ -0,0 +1,178 @@ +@@ -0,0 +1,176 @@ +.TH "zebra_selinux" "8" "zebra" "dwalsh@redhat.com" "zebra SELinux Policy documentation" +.SH "NAME" +zebra_selinux \- Security Enhanced Linux Policy for the zebra processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B zebra -+(Zebra border gateway protocol network routing service) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the zebra processes via flexible mandatory access +control. + -+ -+ +.SH BOOLEANS +SELinux policy is customizable based on least access required. zebra policy is extremely flexible and has several booleans that allow you to manipulate the policy and run zebra with the tightest access possible. + @@ -57692,6 +61962,8 @@ index 0000000..705cdbc +.B setsebool -P allow_zebra_write_config 1 +.EE + ++.SH NSSWITCH DOMAIN ++ +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +.PP 
@@ -57737,7 +62009,7 @@ index 0000000..705cdbc +.br +.TP 5 +Paths: -+/etc/rc\.d/init\.d/ripngd, /etc/rc\.d/init\.d/zebra, /etc/rc\.d/init\.d/ripd, /etc/rc\.d/init\.d/bgpd, /etc/rc\.d/init\.d/ospf6d, /etc/rc\.d/init\.d/ospfd ++/etc/rc\.d/init\.d/ripd, /etc/rc\.d/init\.d/ripngd, /etc/rc\.d/init\.d/zebra, /etc/rc\.d/init\.d/bgpd, /etc/rc\.d/init\.d/ospf6d, /etc/rc\.d/init\.d/ospfd + +.EX +.PP @@ -57772,7 +62044,7 @@ index 0000000..705cdbc +/var/run/\.zserv, /var/run/\.zebra, /var/run/quagga(/.*)? + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -57799,7 +62071,9 @@ index 0000000..705cdbc + + +Default Defined Ports: -+tcp 8021 ++tcp 2600-2604,2606 ++.EE ++udp 2600-2604,2606 +.EE +.SH PROCESS TYPES +SELinux defines process types (domains) for each process running on the system @@ -57848,23 +62122,40 @@ index 0000000..705cdbc \ No newline at end of file diff --git a/man/man8/zoneminder_selinux.8 b/man/man8/zoneminder_selinux.8 new file mode 100644 -index 0000000..4f71f64 +index 0000000..327e838 --- /dev/null 
+++ b/man/man8/zoneminder_selinux.8 -@@ -0,0 +1,163 @@ +@@ -0,0 +1,180 @@ +.TH "zoneminder_selinux" "8" "zoneminder" "dwalsh@redhat.com" "zoneminder SELinux Policy documentation" +.SH "NAME" +zoneminder_selinux \- Security Enhanced Linux Policy for the zoneminder processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B zoneminder -+(policy for zoneminder) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the zoneminder processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the zoneminder_t, you must turn on the authlogin_nsswitch_use_ldap boolean. + ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE ++ ++.PP ++If you want to allow confined applications to run with kerberos for the zoneminder_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the zoneminder_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. 
@@ -57877,7 +62168,7 @@ index 0000000..4f71f64 +.B restorecon -F -R -v /var/zoneminder +.pp +.TP -+Allow zoneminder servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_zoneminder_anon_write boolean to be set. ++Allow zoneminder servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_zoneminderd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/zoneminder/incoming(/.*)?" @@ -57937,7 +62228,7 @@ index 0000000..4f71f64 +.br +.TP 5 +Paths: -+/var/log/motion\.log, /var/log/zoneminder(/.*)? ++/var/log/zoneminder(/.*)?, /var/log/motion\.log + +.EX +.PP @@ -57972,7 +62263,7 @@ index 0000000..4f71f64 + + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon @@ -58017,23 +62308,40 @@ index 0000000..4f71f64 +selinux(8), zoneminder(8), semanage(8), restorecon(8), chcon(1) diff --git a/man/man8/zos_selinux.8 b/man/man8/zos_selinux.8 new file mode 100644 -index 0000000..b9eb5b9 +index 0000000..0cbae91 --- /dev/null 
+++ b/man/man8/zos_selinux.8 -@@ -0,0 +1,81 @@ +@@ -0,0 +1,98 @@ +.TH "zos_selinux" "8" "zos" "dwalsh@redhat.com" "zos SELinux Policy documentation" +.SH "NAME" +zos_selinux \- Security Enhanced Linux Policy for the zos processes +.SH "DESCRIPTION" + -+ -+SELinux Linux secures -+.B zos -+(policy for z/OS Remote-services Audit dispatcher plugin) -+processes via flexible mandatory access ++Security-Enhanced Linux secures the zos processes via flexible mandatory access +control. + ++.SH NSSWITCH DOMAIN ++ ++.PP ++If you want to allow users to login using a sssd serve for the zos_remote_t, you must turn on the authlogin_nsswitch_use_ldap boolean. ++ ++.EX ++setsebool -P authlogin_nsswitch_use_ldap 1 ++.EE + ++.PP ++If you want to allow confined applications to run with kerberos for the zos_remote_t, you must turn on the allow_kerberos boolean. ++ ++.EX ++setsebool -P allow_kerberos 1 ++.EE ++ ++.PP ++If you want to allow system to run with NI for the zos_remote_t, you must turn on the allow_ypbind boolean. ++ ++.EX ++setsebool -P allow_ypbind 1 ++.EE + +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. @@ -58059,7 +62367,7 @@ index 0000000..b9eb5b9 +/sbin/audispd-zos-remote, /usr/sbin/audispd-zos-remote + +.PP -+Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the ++Note: File context can be temporarily modified with the chcon command. If you want to permanantly change the file context you need to use the +.B semanage fcontext +command. This will modify the SELinux labeling database. You will need to use +.B restorecon 
@@ -60387,6 +64695,23 @@ index e0791b9..98d188e 100644 + term_dontaudit_use_all_ttys(traceroute_t) + term_dontaudit_use_all_ptys(traceroute_t) +') +diff --git a/policy/modules/admin/passenger.fc b/policy/modules/admin/passenger.fc +index 545518d..e275c31 100644 +--- a/policy/modules/admin/passenger.fc ++++ b/policy/modules/admin/passenger.fc +@@ -3,6 +3,12 @@ + /usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) + /usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) + ++/usr/local/share/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/local/share/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/local/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/local/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) ++ ++ + /var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) + + /var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0) diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if index f68b573..95efca0 100644 --- a/policy/modules/admin/passenger.if @@ -76512,7 +80837,7 @@ index 08f01e7..d8c1d48 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..ffaa90a 100644 +index 6a1e4d1..82432bb 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -75,34 +75,6 @@ interface(`domain_base_type',` 
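Review bot: The four entries added to passenger.fc use two different prefixes: ApplicationPoolServerExecutable and PassengerWatchdog are labelled under `/usr/local/share/gems/`, while PassengerLoggingAgent and PassengerHelperAgent are under `/usr/local/gems/`. If the gems install into a single tree, the two agents on the other prefix will not match, will keep their default label instead of passenger_exec_t, and presumably will not transition into the passenger domain. If `/usr/local/share/gems` is the intended location, the PassengerLoggingAgent line should read `/usr/local/share/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)`, with the same prefix change on the PassengerHelperAgent line. If both trees are deliberate, a one-line comment above the block saying so would prevent a later "cleanup" from removing half of them.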
@@ -76550,7 +80875,34 @@ index 6a1e4d1..ffaa90a 100644 ') ######################################## -@@ -631,7 +603,7 @@ interface(`domain_read_all_domains_state',` +@@ -513,6 +485,26 @@ interface(`domain_signull_all_domains',` + + ######################################## + ## ++## Do not audit attempts to send ++## signulls to all domains. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`domain_dontaudit_signull_all_domains',` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ dontaudit $1 domain:process signull; ++') ++ ++######################################## ++## + ## Send a stop signal to all domains. + ## + ## +@@ -631,7 +623,7 @@ interface(`domain_read_all_domains_state',` ######################################## ## @@ -76559,7 +80911,7 @@ index 6a1e4d1..ffaa90a 100644 ## ## ## -@@ -655,7 +627,7 @@ interface(`domain_getattr_all_domains',` +@@ -655,7 +647,7 @@ interface(`domain_getattr_all_domains',` ## ## ## @@ -76568,7 +80920,7 @@ index 6a1e4d1..ffaa90a 100644 ## ## # -@@ -1356,6 +1328,24 @@ interface(`domain_manage_all_entry_files',` +@@ -1356,6 +1348,24 @@ interface(`domain_manage_all_entry_files',` ######################################## ## @@ -76593,7 +80945,7 @@ index 6a1e4d1..ffaa90a 100644 ## Relabel to and from all entry point ## file types. ## -@@ -1530,4 +1520,29 @@ interface(`domain_unconfined',` +@@ -1530,4 +1540,29 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -86144,10 +90496,24 @@ index e31d92a..1aa0718 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index deca9d3..a25356f 100644 +index deca9d3..1aa76b0 100644 --- a/policy/modules/services/amavis.te 
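Review bot: The new `domain_dontaudit_signull_all_domains` interface expands to `dontaudit $1 domain:process signull;`, which suppresses the AVC record for every signull probe the caller makes against any domain, and its summary does not say so. It should state that the access is still denied and only the log entry is hidden, and that the denials become visible again when dontaudit rules are disabled (`semodule -DB`). The one caller added in this commit, `domain_dontaudit_signull_all_domains(mysqld_safe_t)` in the mysql.te hunk, has no comment recording why mysqld_safe signals arbitrary processes. A line such as `# mysqld_safe probes pids with kill -0; the target domain is not predictable` would capture the reason, if that is indeed the cause.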
+++ b/policy/modules/services/amavis.te -@@ -38,7 +38,7 @@ type amavis_quarantine_t; +@@ -5,6 +5,13 @@ policy_module(amavis, 1.11.1) + # Declarations + # + ++## ++##

++## Allow amavis to use JIT compiler ++##

++##
++gen_tunable(amavis_use_jit, false) ++ + type amavis_t; + type amavis_exec_t; + domain_type(amavis_t) +@@ -38,7 +45,7 @@ type amavis_quarantine_t; files_type(amavis_quarantine_t) type amavis_spool_t; @@ -86156,7 +90522,7 @@ index deca9d3..a25356f 100644 ######################################## # -@@ -49,7 +49,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid }; +@@ -49,7 +56,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid }; dontaudit amavis_t self:capability sys_tty_config; allow amavis_t self:process { signal sigchld sigkill signull }; allow amavis_t self:fifo_file rw_fifo_file_perms; @@ -86165,7 +90531,7 @@ index deca9d3..a25356f 100644 allow amavis_t self:unix_dgram_socket create_socket_perms; allow amavis_t self:tcp_socket { listen accept }; allow amavis_t self:netlink_route_socket r_netlink_socket_perms; -@@ -75,9 +75,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) +@@ -75,9 +82,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) files_search_spool(amavis_t) # tmp files @@ -86178,7 +90544,7 @@ index deca9d3..a25356f 100644 # var/lib files for amavis manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -@@ -125,11 +127,14 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t) +@@ -125,11 +134,14 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t) corenet_udp_bind_generic_port(amavis_t) corenet_dontaudit_udp_bind_all_ports(amavis_t) corenet_tcp_connect_razor_port(amavis_t) @@ -86193,7 +90559,7 @@ index deca9d3..a25356f 100644 files_read_etc_files(amavis_t) files_read_etc_runtime_files(amavis_t) -@@ -137,8 +142,10 @@ files_read_usr_files(amavis_t) +@@ -137,8 +149,10 @@ files_read_usr_files(amavis_t) fs_getattr_xattr_fs(amavis_t) 
@@ -86204,7 +90570,7 @@ index deca9d3..a25356f 100644 # uses uptime which reads utmp - redhat bug 561383 init_read_utmp(amavis_t) init_stream_connect_script(amavis_t) -@@ -153,16 +160,17 @@ sysnet_use_ldap(amavis_t) +@@ -153,16 +167,23 @@ sysnet_use_ldap(amavis_t) userdom_dontaudit_search_user_home_dirs(amavis_t) @@ -86214,7 +90580,12 @@ index deca9d3..a25356f 100644 -cron_rw_pipes(amavis_t) - -mta_read_config(amavis_t) -- ++tunable_policy(`amavis_use_jit',` ++ allow amavis_t self:process execmem; ++',` ++ dontaudit amavis_t self:process execmem; ++') + optional_policy(` clamav_stream_connect(amavis_t) clamav_domtrans_clamscan(amavis_t) @@ -86229,7 +90600,7 @@ index deca9d3..a25356f 100644 ') optional_policy(` -@@ -171,11 +179,16 @@ optional_policy(` +@@ -171,11 +192,16 @@ optional_policy(` ') optional_policy(` @@ -86246,7 +90617,7 @@ index deca9d3..a25356f 100644 ') optional_policy(` -@@ -188,6 +201,10 @@ optional_policy(` +@@ -188,6 +214,10 @@ optional_policy(` ') optional_policy(` @@ -90981,7 +95352,7 @@ index de89d0f..954e726 100644 apache_list_sys_content($1) diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te -index 048abbf..7368f57 100644 +index 048abbf..312f256 100644 --- a/policy/modules/services/bugzilla.te +++ b/policy/modules/services/bugzilla.te @@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.0) @@ -90994,7 +95365,7 @@ index 048abbf..7368f57 100644 ######################################## # # bugzilla local policy -@@ -31,6 +34,10 @@ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) +@@ -31,8 +34,14 @@ corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) 
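Review bot: The else-branch of the new `amavis_use_jit` tunable block, `dontaudit amavis_t self:process execmem;`, silences execmem denials whenever the boolean is off. An administrator whose amavis really needs the JIT then gets a silent failure, with no AVC pointing at the boolean. The same rule also hides a denial that is a useful detection signal for a mail-scanning daemon that parses untrusted content. I would drop the else-branch and keep only `allow amavis_t self:process execmem;` under the tunable, or add a comment explaining why the noise outweighs the lost audit trail. The tunable's description ("Allow amavis to use JIT compiler") could also name the component that needs executable memory.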
@@ -91004,7 +95375,11 @@ index 048abbf..7368f57 100644 + files_search_var_lib(httpd_bugzilla_script_t) ++auth_read_passwd(httpd_bugzilla_script_t) ++ sysnet_read_config(httpd_bugzilla_script_t) + sysnet_use_ldap(httpd_bugzilla_script_t) + diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc new file mode 100644 index 0000000..a561ce0 @@ -93337,10 +97712,10 @@ index 0000000..7f55959 +') diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te new file mode 100644 -index 0000000..ebf11b1 +index 0000000..7e1d71e --- /dev/null +++ b/policy/modules/services/cloudform.te -@@ -0,0 +1,198 @@ +@@ -0,0 +1,199 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -93521,6 +97896,7 @@ index 0000000..ebf11b1 + +corenet_tcp_bind_generic_node(mongod_t) +corenet_tcp_bind_mongod_port(mongod_t) ++corenet_tcp_connect_postgresql_port(mongod_t) + +kernel_read_vm_sysctls(mongod_t) +kernel_read_system_state(mongod_t) @@ -113216,7 +117592,7 @@ index e9c0982..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te -index 0a0d63c..a798a26 100644 +index 0a0d63c..5a85599 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) @@ -113310,7 +117686,7 @@ index 0a0d63c..a798a26 100644 domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) -@@ -170,26 +181,35 @@ kernel_read_system_state(mysqld_safe_t) +@@ -170,26 +181,37 @@ kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) @@ -113331,6 +117707,8 @@ index 0a0d63c..a798a26 100644 +logging_send_syslog_msg(mysqld_safe_t) + +auth_read_passwd(mysqld_safe_t) ++ ++domain_dontaudit_signull_all_domains(mysqld_safe_t) miscfiles_read_localization(mysqld_safe_t) 
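Review bot: The added `auth_read_passwd(httpd_bugzilla_script_t)` has no comment tying it to the stated need, which the changelog gives as editparams.cgi reading /etc/group. Judging by the interface name, the grant probably also covers /etc/passwd for a web-facing CGI domain, though the interface definition is not in this hunk. A why-comment above the call, for example `# editparams.cgi looks up group names (reads /etc/group)`, would let a later reviewer see that the account-file read is deliberate and what it is limited to.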
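Review bot: `corenet_tcp_connect_postgresql_port(mongod_t)` in the cloudform.te hunk gives the MongoDB daemon unconditional outbound TCP access to the PostgreSQL port, and nothing in the hunk says which component needs it. Outbound connections from a database daemon are worth justifying, because they widen what a compromised mongod can reach. I would add a comment naming the caller or the bug report, e.g. `# <component> run in mongod_t connects to PostgreSQL; see <bug id>`. If the need is deployment-specific, consider putting the rule behind a boolean. The mongod_t policy block starts and ends outside this hunk.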
@@ -127267,7 +131645,7 @@ index 82cb169..9642fe3 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..3496da1 100644 +index e30bb63..2b51fe4 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -1,4 +1,4 @@ @@ -127463,18 +131841,22 @@ index e30bb63..3496da1 100644 ') # Support Samba sharing of NFS mount points -@@ -410,6 +437,10 @@ tunable_policy(`samba_share_fusefs',` +@@ -410,6 +437,14 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') +optional_policy(` ++ ccs_read_config(smbd_t) ++') ++ ++optional_policy(` + ctdbd_stream_connect(smbd_t) + ctdbd_manage_lib_files(smbd_t) +') optional_policy(` cups_read_rw_config(smbd_t) -@@ -422,6 +453,11 @@ optional_policy(` +@@ -422,6 +457,11 @@ optional_policy(` ') optional_policy(` @@ -127486,7 +131868,7 @@ index e30bb63..3496da1 100644 lpd_exec_lpr(smbd_t) ') -@@ -445,26 +481,26 @@ optional_policy(` +@@ -445,26 +485,26 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -127521,7 +131903,7 @@ index e30bb63..3496da1 100644 ######################################## # # nmbd Local policy -@@ -484,8 +520,11 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -484,8 +524,11 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -127534,7 +131916,7 @@ index e30bb63..3496da1 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -497,8 +536,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) +@@ -497,8 +540,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) allow nmbd_t smbcontrol_t:process signal; 
@@ -127543,7 +131925,7 @@ index e30bb63..3496da1 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) kernel_read_kernel_sysctls(nmbd_t) -@@ -555,18 +592,21 @@ optional_policy(` +@@ -555,18 +596,21 @@ optional_policy(` # smbcontrol local policy # @@ -127569,7 +131951,7 @@ index e30bb63..3496da1 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -574,11 +614,21 @@ samba_read_winbind_pid(smbcontrol_t) +@@ -574,11 +618,21 @@ samba_read_winbind_pid(smbcontrol_t) domain_use_interactive_fds(smbcontrol_t) @@ -127592,7 +131974,7 @@ index e30bb63..3496da1 100644 ######################################## # -@@ -644,19 +694,21 @@ auth_use_nsswitch(smbmount_t) +@@ -644,19 +698,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) @@ -127617,7 +131999,7 @@ index e30bb63..3496da1 100644 ######################################## # # SWAT Local policy -@@ -677,7 +729,8 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +733,8 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -127627,7 +132009,7 @@ index e30bb63..3496da1 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +745,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +749,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -127642,7 +132024,7 @@ index e30bb63..3496da1 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +765,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +769,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; 
@@ -127650,7 +132032,7 @@ index e30bb63..3496da1 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -752,8 +808,12 @@ logging_send_syslog_msg(swat_t) +@@ -752,8 +812,12 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -127663,7 +132045,7 @@ index e30bb63..3496da1 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -783,7 +843,8 @@ allow winbind_t self:udp_socket create_socket_perms; +@@ -783,7 +847,8 @@ allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; @@ -127673,7 +132055,7 @@ index e30bb63..3496da1 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -806,15 +867,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +871,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -127698,7 +132080,7 @@ index e30bb63..3496da1 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +898,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +902,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -127706,7 +132088,7 @@ index e30bb63..3496da1 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -850,10 +916,14 @@ domain_use_interactive_fds(winbind_t) +@@ -850,10 +920,14 @@ domain_use_interactive_fds(winbind_t) files_read_etc_files(winbind_t) files_read_usr_symlinks(winbind_t) 
@@ -127721,7 +132103,7 @@ index e30bb63..3496da1 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) -@@ -864,6 +934,11 @@ userdom_manage_user_home_content_sockets(winbind_t) +@@ -864,6 +938,11 @@ userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` @@ -127733,7 +132115,7 @@ index e30bb63..3496da1 100644 kerberos_use(winbind_t) ') -@@ -904,7 +979,8 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +983,8 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -127743,7 +132125,7 @@ index e30bb63..3496da1 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,19 +998,34 @@ optional_policy(` +@@ -922,19 +1002,34 @@ optional_policy(` # optional_policy(` @@ -127757,11 +132139,11 @@ index e30bb63..3496da1 100644 + domain_type(samba_unconfined_net_t) + domain_entry_file(samba_unconfined_net_t, samba_net_exec_t) + role system_r types samba_unconfined_net_t; -+ -+ unconfined_domain(samba_unconfined_net_t) - allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; - allow smbd_t samba_unconfined_script_exec_t:file ioctl; ++ unconfined_domain(samba_unconfined_net_t) + + manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) + filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) + userdom_use_inherited_user_terminals(samba_unconfined_net_t) @@ -127773,7 +132155,7 @@ index e30bb63..3496da1 100644 +domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) +corecmd_shell_entry_type(samba_unconfined_script_t) +role system_r types samba_unconfined_script_t; - ++ +allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; +allow smbd_t samba_unconfined_script_exec_t:file ioctl; + @@ -139498,10 +143880,10 @@ index ade6c2c..08479b0 100644 miscfiles_read_localization(zebra_t) 
diff --git a/policy/modules/services/zoneminder.fc b/policy/modules/services/zoneminder.fc new file mode 100644 -index 0000000..47e388a +index 0000000..0097928 --- /dev/null +++ b/policy/modules/services/zoneminder.fc -@@ -0,0 +1,22 @@ +@@ -0,0 +1,24 @@ +/etc/rc\.d/init\.d/motion -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0) + +/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0) @@ -139514,6 +143896,8 @@ index 0000000..47e388a + +/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0) + ++/var/motion(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0) ++ +/var/log/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_log_t,s0) + +/var/log/motion\.log -- gen_context(system_u:object_r:zoneminder_log_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 9e50ae9..468fbe4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 141%{?dist} +Release: 142%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -479,6 +479,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jul 27 2012 Miroslav Grepl 3.10.0-142 +- Regenerate man pages +- Dontaudit mysqld_safe sending signull to random domains +- Add interface for mysqld to dontaudit signull to all processes +- Allow editparams.cgi running as httpd_bugzilla_script_t to read /etc/group +- Allow smbd to read cluster config +- Add additional labelinf for passenger +- Add labeling for /var/motion +- Add amavis_use_jit boolean +- Allow mongod to connet to postgresql port + * Tue Jul 24 2012 Miroslav Grepl 3.10.0-141 - Allow samba_net to read /proc/net - Allow hplip_t to send notification dbus messages to users