mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-29 01:12:06 +00:00
3cba4306b9
When building binary policy, optionally run it through sepol_policydb_optimize() just before writing it out. Add an optimize-policy variable to semanage.conf(5) that controls whether optimization will be applied during libsemanage operations. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
138 lines
5.4 KiB
Groff
.TH semanage.conf "5" "September 2011" "semanage.conf" "Linux System Administration"
.SH NAME
semanage.conf \- global configuration file for the SELinux Management library
.SH DESCRIPTION
.PP
The
.BR semanage.conf
file is usually located under the directory /etc/selinux and it is used for run-time configuration of the
behavior of the SELinux Management library.

.PP
Each line should contain a configuration parameter followed by the equal sign ("=") and then followed by the configuration value for that
parameter. Anything after the "#" symbol is ignored, as are empty lines.

.PP
The following parameters are allowed:

.RS
.TP
.B module-store
Specify how the SELinux Management library should interact with the SELinux policy store. When set to "direct", the SELinux
Management library writes to the SELinux policy module store directly (this is the default setting).
Otherwise a socket path or a server name can be used for the argument.
If the argument begins with "/" (as in "/foo/bar"), it represents the path to a named socket that should be used to connect to the policy management
server.
If the argument does not begin with a "/" (as in "foo.com:4242"), it should be interpreted as the name of a remote policy management server
to be used through a TCP connection (the default port is 4242 unless a different one is specified after the server name, using a colon to separate
the two fields).

.TP
.B root
Specify an alternative root path to use for the store. The default is "/".

.TP
.B store-root
Specify an alternative store_root path to use. The default is "/var/lib/selinux".

.TP
.B compiler-directory
Specify an alternative directory that contains HLL to CIL compilers. The default value is "/usr/libexec/selinux/hll".

.TP
.B ignore-module-cache
Whether or not to ignore the cache of CIL modules compiled from HLL. It can be set to either "true" or "false" and is set to "false" by default.
If the cache is ignored, then all CIL modules are recompiled from their HLL modules.

.TP
.B policy-version
When generating the policy, by default
.BR semanage
will set the policy version to POLICYDB_VERSION_MAX, as defined in <sepol/policydb/policydb.h>. Change this setting if a different
version needs to be set for the policy.

.TP
.B target-platform
The target platform to generate policies for. Valid values are "selinux" and "xen"; it is set to "selinux" by default.

.TP
.B expand-check
Whether or not to check "neverallow" rules when executing any
.BR semanage
command. It can be set to either "0" (disabled) or "1" (enabled) and by default it is enabled. There might be a large
penalty in execution time if this option is enabled.

.TP
.B file-mode
By default the permission mode for the run-time policy files is set to 0644.

.TP
.B save-previous
It controls whether the previous module directory is saved after a successful commit to the policy store and it can be set to
either "true" or "false". By default it is set to "false" (the previous version is deleted).

.TP
.B save-linked
It controls whether the previously linked module is saved (with name "base.linked") after a successful commit to the policy store.
It can be set to either "true" or "false" and by default it is set to "false" (the previous module is deleted).

.TP
.B ignoredirs
List, separated by ";", of directories to ignore when setting up user home directories.
Some distributions use this to stop labeling /root as a home directory.

.TP
.B usepasswd
Whether or not to enable the use of getpwent() to obtain a list of home directories to label. It can be set to either "true" or "false".
By default it is set to "true".

.TP
.B disable-genhomedircon
It controls whether or not the genhomedircon function is executed when using the
.BR semanage
command and it can be set to either "false" or "true". By default the genhomedircon functionality is enabled (equivalent
to this option set to "false").

.TP
.B handle-unknown
This option controls the kernel behavior for handling permissions defined in the kernel but missing from the actual policy.
It can be set to "deny", "reject" or "allow".

.TP
.B bzip-blocksize
It should be in the range 0-9. A value of 0 means no compression. By default the bzip block size is set to 9 (the actual block
size value is obtained after multiplication by 100000).

.TP
.B bzip-small
When set to "true", the bzip algorithm shall try to reduce its system memory usage. It can be set to either "true" or "false" and
by default it is set to "false".

.TP
.B remove-hll
When set to "true", HLL files will be removed after compilation into CIL. In order to delete HLL files already compiled into CIL,
modules will need to be recompiled with the
.BR ignore-module-cache
option set to "true" or using the
.BR ignore-module-cache
option with semodule. The remove-hll option can be set to either "true" or "false"
and by default it is set to "false".

Please note that since this option deletes all HLL files, an updated HLL compiler will not be able to recompile the original HLL file into CIL.
In order to compile the original HLL file into CIL, the same HLL file will need to be reinstalled.

.TP
.B optimize-policy
When set to "true", the kernel policy will be optimized upon rebuilds.
It can be set to either "true" or "false" and by default it is set to "false".

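The line syntax given in DESCRIPTION (one "parameter = value" per line, anything after "#" ignored, empty lines ignored) and the parameters listed above can be read back by a small script. The following POSIX shell example is added here and is not part of the SELinux project or of this manual page. It assumes a file contains only the line syntax described above and that, if a parameter is repeated, the last assignment wins; it reads a constructed sample rather than a real /etc/selinux/semanage.conf. The audit function reports the settings that change how policy is built or enforced (expand-check, handle-unknown, module-store, file-mode), so an administrator can see at a glance whether neverallow checking is off, unknown permissions are allowed, or the store is managed over TCP.

```shell
#!/bin/sh
# Added example (not SELinux project code): read a semanage.conf-style file and
# report settings that change how policy is built or enforced.
# Assumptions: only "parameter = value" lines and "#" comments, as described in
# semanage.conf(5); if a parameter appears more than once, the last value wins.

# semanage_conf_get FILE KEY: print the value of KEY (empty if unset).
semanage_conf_get() {
    awk -v key="$2" '
        { sub(/#.*/, "") }               # anything after "#" is ignored
        index($0, "=") == 0 { next }     # blank lines and lines without "=" carry no setting
        {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)   # trim whitespace around name and value
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# semanage_conf_audit FILE: print one line per setting worth reviewing.
semanage_conf_audit() {
    f=$1
    v=$(semanage_conf_get "$f" expand-check)
    if [ "$v" = "0" ]; then
        echo "expand-check=0: neverallow rules are not checked when semanage rebuilds policy"
    fi
    v=$(semanage_conf_get "$f" handle-unknown)
    if [ "$v" = "allow" ]; then
        echo "handle-unknown=allow: permissions missing from the policy are allowed by the kernel"
    fi
    v=$(semanage_conf_get "$f" module-store)
    case "$v" in
        ""|direct|/*) ;;   # default, or a local named socket
        *) echo "module-store=$v: policy store is managed over a TCP connection to a remote server" ;;
    esac
    v=$(semanage_conf_get "$f" file-mode)
    if [ -n "$v" ] && [ "$v" != "0644" ]; then
        echo "file-mode=$v: run-time policy files do not use the default mode 0644"
    fi
    return 0
}

# Constructed sample configuration (not a real system file).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed example semanage.conf
module-store = direct
expand-check = 0        # skips neverallow checking to speed up builds

handle-unknown = allow
file-mode = 0644
optimize-policy = true
EOF

semanage_conf_audit "$SAMPLE"
```

Run against a real file with `semanage_conf_audit /etc/selinux/semanage.conf`; on the constructed sample it prints two findings (expand-check and handle-unknown) and stays silent on the defaults.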
.SH "SEE ALSO"
.TP
semanage(8)
.PP

.SH AUTHOR
This manual page was written by Guido Trentalancia <guido@trentalancia.com>.

The SELinux management library was written by Tresys Technology LLC and Red Hat Inc.