- Fix semanage man page

2010-09-23 15:46:21 -04:00 · 2010-09-23 15:46:21 -04:00 · 5c7ac2193a
commit 5c7ac2193a
parent 5eda7d7da7
2 changed files with 109 additions and 21 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@ -121,7 +121,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
     app = AuditToPolicy()
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.83/audit2allow/audit2allow.1
 --- nsapolicycoreutils/audit2allow/audit2allow.1	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/audit2allow/audit2allow.1	2010-07-30 13:50:40.000000000 -0400
+++ policycoreutils-2.0.83/audit2allow/audit2allow.1	2010-09-17 15:14:35.000000000 -0400
@@ -66,6 +66,9 @@
 .B "\-M <modulename>" 
 Generate loadable module package, conflicts with -o
@ -132,6 +132,81 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 .B "\-o <outputfile>"  | "\-\-output <outputfile>"
 append output to 
 .I <outputfile>
+@@ -117,14 +120,6 @@
+ .B Please substitute /var/log/messages for /var/log/audit/audit.log in the 
+ .B examples.
+ .PP
+-.B Using audit2allow to generate monolithic (non-module) policy
+-$ cd /etc/selinux/$SELINUXTYPE/src/policy
+-$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
+-$ cat domains/misc/local.te
+-allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
+-<review domains/misc/local.te and customize as desired>
+-$ make load
+-
+ .B Using audit2allow to generate module policy
+ 
+ $ cat /var/log/audit/audit.log | audit2allow -m local > local.te
+@@ -132,20 +127,38 @@
+ module local 1.0;
+ 
+ require {
+-        role system_r;
+        class file {  getattr open read };
+ 
+ 
+-        class fifo_file {  getattr ioctl };
+        type myapp_t;
+        type etc_t;
+ };
+ 
+ 
+-        type cupsd_config_t;
+-        type unconfined_t;
+- };
+allow myapp_t etc_t:file { getattr open read };
+<review local.te and customize as desired>
+ 
+.B Using audit2allow to generate module policy using reference policy
+ 
+-allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
+$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te
+$ cat local.te
+policy_module(local, 1.0)
+
+gen_require(`
+        type myapp_t;
+        type etc_t;
+ };
+
+files_read_etc_files(myapp_t)
+ <review local.te and customize as desired>
+ 
+.B Building module policy using Makefile
+
+# SELinux provides a policy devel environment under /usr/share/selinux/devel
+# You can create a te file and compile it by executing 
+$ make -f /usr/share/selinux/devel/Makefile
+$ semodule -i local.pp
+
+ .B Building module policy manually
+ 
+ # Compile the module
+@@ -168,6 +181,14 @@
+ 
+ semodule -i local.pp
+ 
+.B Using audit2allow to generate monolithic (non-module) policy
+$ cd /etc/selinux/$SELINUXTYPE/src/policy
+$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
+$ cat domains/misc/local.te
+allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
+<review domains/misc/local.te and customize as desired>
+$ make load
+
+ .fi
+ .PP
+ .SH AUTHOR
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.83/audit2allow/sepolgen-ifgen
 --- nsapolicycoreutils/audit2allow/sepolgen-ifgen	2010-05-19 14:45:51.000000000 -0400
 +++ policycoreutils-2.0.83/audit2allow/sepolgen-ifgen	2010-07-30 13:50:40.000000000 -0400
@ -3208,7 +3283,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +		errorExit(error.args[1])
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.83/semanage/semanage.8
 --- nsapolicycoreutils/semanage/semanage.8	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/semanage/semanage.8	2010-07-30 13:50:40.000000000 -0400
+++ policycoreutils-2.0.83/semanage/semanage.8	2010-09-23 15:43:58.000000000 -0400
@@ -1,29 +1,65 @@
 -.TH "semanage" "8" "2005111103" "" ""
 +.TH "semanage" "8" "20100223" "" ""
@ -3236,45 +3311,45 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +.B semanage user [\-S store] \-{a|d|m|l|n|D} [\-LrRP] selinux_name
 +
 +Manage login mappings between linux users and SELinux confined users.
-+.br
+ .br
+-.B semanage login \-{a|d|m} [\-sr] login_name | %groupname
 +.B semanage login [\-S store] \-{a|d|m|l|n|D} [\-sr] login_name | %groupname
 +
 +Manage network port type definitions
-+.br
+ .br
+-.B semanage user \-{a|d|m} [\-LrRP] selinux_name
 +.B semanage port [\-S store] \-{a|d|m|l|n|D} [\-tr] [\-p proto] port | port_range
-+.br
+ .br
+-.B semanage port \-{a|d|m} [\-tr] [\-p proto] port | port_range
 +
 +Manage network interface type definitions
-+.br
+ .br
+-.B semanage interface \-{a|d|m} [\-tr] interface_spec
 +.B semanage interface [\-S store] \-{a|d|m|l|n|D} [\-tr] interface_spec
 +
 +Manage network node type definitions
 .br
-.B semanage login \-{a|d|m} [\-sr] login_name | %groupname
+-.B semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address
 +.B semanage node [\-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ] [-M netmask] address
 .br
-.B semanage user \-{a|d|m} [\-LrRP] selinux_name
+-.B semanage fcontext \-{a|d|m} [\-frst] file_spec
 +
 +Manage file context mapping definitions
 .br
-.B semanage port \-{a|d|m} [\-tr] [\-p proto] port | port_range
+-.B semanage permissive \-{a|d} type
 +.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} [\-frst] file_spec
- .br
-.B semanage interface \-{a|d|m} [\-tr] interface_spec
+.br
 +.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} \-e replacement target
- .br
-.B semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address
+.br
 +
 +Manage processes type enforcement mode
 .br
-.B semanage fcontext \-{a|d|m} [\-frst] file_spec
+-.B semanage dontaudit [ on | off ]
 +.B semanage permissive [\-S store] \-{a|d|l|n|D} type
- .br
-.B semanage permissive \-{a|d} type
+.br
 +
 +Disable/Enable dontaudit rules in policy
- .br
-.B semanage dontaudit [ on | off ]
+.br
 +.B semanage dontaudit [\-S store] [ on | off ]
 .P
 
@ -3299,12 +3374,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 .I                \-f, \-\-ftype
 File Type.   This is used with fcontext.
 Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
-@@ -99,26 +141,67 @@
+@@ -76,6 +118,9 @@
+ .I                \-m, \-\-modify     
+ Modify a OBJECT record NAME
+ .TP
+.I                \-M, \-\-mask
+Network Mask
+.TP
+ .I                \-n, \-\-noheading  
+ Do not print heading when listing OBJECTS.
+ .TP
+@@ -99,26 +144,67 @@
 .TP
 .I                \-t, \-\-type       
 SELinux Type for the object
 +.TP
-+.I                \-i
+.I                \-i, \-\-input
 +Take a set of commands from a specified file and load them in a single
 +transaction.
 
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.83
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 Source:  http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -315,6 +315,9 @@ fi
 exit 0

 %changelog
+* Thu Sep 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-29
+- Fix semanage man page
+
 * Mon Sep 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-28
 - Add seremote, to allow the execution of command inside the sandbox from outside the sandbox.