[refpolicy] Update man pages.

Christopher J. PeBenito cpebenito at tresys.com
Thu Mar 5 08:21:47 CST 2009


On Wed, 2009-03-04 at 16:14 -0500, Daniel J Walsh wrote:
> plain text document attachment (man.patch)

Merged.

> --- nsaserefpolicy/man/man8/httpd_selinux.8	2008-08-25 09:12:31.000000000 -0400
> +++ serefpolicy-3.6.7/man/man8/httpd_selinux.8	2009-03-03 17:11:59.000000000 -0500
> @@ -41,7 +41,7 @@
>  - Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options.  It is better to use this script rather than turning off SELinux protection for httpd.
>  
>  .SH NOTE
> -With certain policies you can define addional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
> +With certain policies you can define additional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
>  
>  .SH SHARING FILES
>  If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for httpd you would execute:
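Review bot: the unchanged context at the bottom of this hunk still carries wording errors worth fixing while spelling is being corrected in this file: "These context allow any of the above domains" should read "These contexts allow", and "write to the public_content_rw_t domain" should say "type", since the preceding sentence itself calls public_content_rw_t a file context and it is a file type, not a process domain. The fragment "you must set the appropriate boolean.  allow_DOMAIN_anon_write." also reads better as "you must set the appropriate allow_DOMAIN_anon_write boolean."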
> @@ -75,7 +75,7 @@
>  .EE
>  
>  .PP
> -httpd by default is not allowed access to the controling terminal.  In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required.  Set the httpd_tty_comm boolean to allow terminal access.
> +httpd by default is not allowed access to the controlling terminal.  In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required.  Set the httpd_tty_comm boolean to allow terminal access.
>  
>  .EX
>  setsebool -P httpd_tty_comm 1
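Review bot: style point on the rewritten paragraph: "in these cases, terminal access is required" is spliced onto the previous clause with a comma; split it ("...to open a certificate file. In these cases terminal access is required.") so the sentence that introduces the httpd_tty_comm boolean stands on its own. The spelling fixes themselves (controlling, preferred) are fine.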
> --- nsaserefpolicy/man/man8/kerberos_selinux.8	2008-08-07 11:15:14.000000000 -0400
> +++ serefpolicy-3.6.7/man/man8/kerberos_selinux.8	2009-03-03 17:11:59.000000000 -0500
> @@ -12,7 +12,7 @@
>  .SH "DESCRIPTION"
>  
>  Security-Enhanced Linux secures the system via flexible mandatory access
> -control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and addtional access to the network.  
> +control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.  
>  .SH BOOLEANS
>  .PP
>  You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
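Review bot: the corrected line still ends with trailing whitespace after "network." (present on both the - and + lines); trim it while the line is being rewritten. The addtional -> additional fix is fine. Note that this hunk keeps the hyphenated spelling "Security-Enhanced Linux", which is the form the other man pages in this patch should match.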
> --- nsaserefpolicy/man/man8/nfs_selinux.8	2008-08-07 11:15:14.000000000 -0400
> +++ serefpolicy-3.6.7/man/man8/nfs_selinux.8	2009-03-03 17:11:59.000000000 -0500
> @@ -1,14 +1,12 @@
> -.TH  "nfs_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "nfs Selinux Policy documentation"
> +.TH  "nfs_selinux"  "8"  "9 Feb 2009" "dwalsh at redhat.com" "NFS SELinux Policy documentation"
>  .SH "NAME"
>  nfs_selinux \- Security Enhanced Linux Policy for NFS
>  .SH "DESCRIPTION"
>  
> -Security-Enhanced Linux secures the nfs server via flexible mandatory access
> +Security Enhanced Linux secures the NFS server via flexible mandatory access
>  control.  
>  .SH BOOLEANS
> -SELinux policy is customizable based on least access required.  So by 
> -default SElinux policy does not allow nfs to share files.  If you want to 
> -setup this machine to share nfs partitions read only, you must set the boolean nfs_export_all_ro boolean.
> +SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
>  
>  .TP
>  setsebool -P nfs_export_all_ro 1
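Review bot: the rewritten DESCRIPTION line drops the hyphen from "Security-Enhanced Linux", which is inconsistent with kerberos_selinux.8 in this same patch (that hunk keeps "Security-Enhanced Linux"); keep the hyphenated form in both. In the BOOLEANS paragraph "customizable based on the least level of access required" is awkward; the original "least access required" was clearer and should be kept. The .TH date bump and the nfs -> NFS capitalisation are fine.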
> @@ -18,7 +16,10 @@
>  setsebool -P nfs_export_all_rw 1
>  
>  .TP
> -If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dir boolean.
> +These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
> +
> +.TP
> +If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
>  .TP
>  setsebool -P use_nfs_home_dirs 1
>  .TP
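Review bot: the new paragraph repeats "labeled with the public_content_t or public_content_rw_t types" in two consecutive sentences; collapse it to one, e.g. "These booleans are not needed for files labeled public_content_t or public_content_rw_t: NFS can share those even when nfs_export_all_ro and nfs_export_all_rw are off." The boolean name fix (use_nfs_home_dir -> use_nfs_home_dirs) now matches the setsebool line that follows it, good. Style point: .TP takes the next input line as a hanging tag, so the added prose paragraphs would render with their first line as a tag; .PP is the right macro for a plain paragraph, even though the existing lines in this file already use .TP the same way.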
> @@ -26,5 +27,5 @@
>  .SH AUTHOR	
>  This manual page was written by Dan Walsh <dwalsh at redhat.com>.
>  
> -.SH "SEE ALSpppO"
> +.SH "SEE ALSO"
>  selinux(8), chcon(1), setsebool(8)
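Review bot: the SEE ALSpppO -> SEE ALSO fix is fine; while in this region, the ".SH AUTHOR" context line above carries a trailing tab after "AUTHOR" that should be removed.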
> --- nsaserefpolicy/man/man8/samba_selinux.8	2008-08-07 11:15:14.000000000 -0400
> +++ serefpolicy-3.6.7/man/man8/samba_selinux.8	2009-03-03 17:11:59.000000000 -0500
> @@ -14,11 +14,17 @@
>  .TP
>  chcon -t samba_share_t /var/eng
>  .TP
> -If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
> +To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
> +.TP
> +semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"
> +.TP
> +This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
>  .TP
> -/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
> -.br
>  /var/eng(/.*)? system_u:object_r:samba_share_t
> +.TP
> +Run the restorecon command to apply the changes:
> +.TP
> +restorecon -R -v /var/eng/
>  
>  .SH SHARING FILES
>  If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
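Review bot: the procedure now reads chcon, then semanage fcontext, then restorecon, but once the semanage rule exists the restorecon step applies the label by itself, so the leading "chcon -t samba_share_t /var/eng" is redundant (and, unlike "restorecon -R", not recursive); either drop it or present chcon as the temporary, non-persistent alternative. Caveat on the quoted file_contexts.local line: on policies built with MCS/MLS support semanage writes the context with a level suffix, "system_u:object_r:samba_share_t:s0", so the entry as shown only matches builds without MLS. Minor: "add the change to file context configuration" wants "the file context configuration", and the trailing slash in "restorecon -R -v /var/eng/" is harmless but inconsistent with the other paths in the hunk.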
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


