From f53146db6ac071822842be24b0dc3ebf3209868b Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Thu, 11 May 2023 18:38:21 +0200
Subject: [PATCH] Improve man pages

- Add missing parameters
- Add examples
- Fix typos

Signed-off-by: Vit Mojzis
---
 man/sechecker.1 | 6 +++---
 man/sediff.1 | 12 ++++++++++++
 man/sedta.1 | 9 +++++++++
 man/seinfo.1 | 25 +++++++++++++++++++++++++
 man/seinfoflow.1 | 9 +++++++++
 man/sesearch.1 | 12 ++++++++++++
 6 files changed, 70 insertions(+), 3 deletions(-)

diff --git a/man/sechecker.1 b/man/sechecker.1
index 507b861..e32d6d6 100644
--- a/man/sechecker.1
+++ b/man/sechecker.1
@@ -81,7 +81,7 @@ A space-separated list of object class criteria for the query.
 A space-separated list of permissions for the query.
 .PP
-\fBA least one of the above options must be set in this check.\fR
+\fBAt least one of the above options must be set in this check.\fR
 .PP
 Additional Options:
@@ -123,7 +123,7 @@ The source role criteria for the query.
 The target role criteria for the query.
 .PP
-\fBA least one of the above options must be set in this check.\fR
+\fBAt least one of the above options must be set in this check.\fR
 .PP
 Additional Options:
@@ -205,7 +205,7 @@ executable types are read-only.\fR
 .\}
 .nf
 [ro_execs]
-check_type = empty_typeattr
+check_type = ro_execs
 desc = Verify that the all executables and libraries are read-only.
 .fi
 .if n \{\
diff --git a/man/sediff.1 b/man/sediff.1
index ed3b497..6b1e471 100644
--- a/man/sediff.1
+++ b/man/sediff.1
@@ -88,6 +88,10 @@ Find differences in validatetrans rules.
 Find differences in mlsvalidatetrans rules.
 .SS Labeling Statement Differences
+.IP "--ibendportcon"
+Find differences in ibendportcon (InfiniBand endport context) statements.
+.IP "--ibpkeycon"
+Find differences in ibpkeycon (InfiniBand parition key context) statements.
 .IP "--initialsid"
 Find differences in initial SID statements.
 .IP "--fs_use"
@@ -140,6 +144,14 @@ For example, a class is modified if one or more permissions are added or removed
 .RE
 .PP
+.SH EXAMPLE
+.nf
+Show differences in boolean settings
+# sediff -b /backup/policy.33 /etc/selinux/targeted/policy/policy.33
+Show statistics for allow and allowxperm rule changes (how many rules where added, removed, or modified)
+#sediff -A --stats /backup/policy.33 /etc/selinux/targeted/policy/policy.33
+
+
 .SH AUTHOR
 Chris PeBenito
diff --git a/man/sedta.1 b/man/sedta.1
index 1d84d92..d3d21db 100644
--- a/man/sedta.1
+++ b/man/sedta.1
@@ -49,6 +49,8 @@ Specify the maximum number of domain transitions to output. The default is unlim
 A space-separated list of types to exclude from the analysis.
 .SS General Options
+.IP "--full"
+Print rule lists for transitions.
 .IP "--stats"
 Print domain transition graph statistics at the end of the analysis.
 .IP "-h, --help"
@@ -60,6 +62,13 @@ Print additional informational messages.
 .IP "--debug"
 Enable debugging output.
+.SH EXAMPLE
+.nf
+Show the shortest transition paths from httpd_t to unconfined_t, while not using container_runtime_t
+# sedta -s httpd_t -t unconfined_t -S container_runtime_t
+List all domain transition paths shorter than 3 steps from init_t to smbd_t
+# sedta -s init_t -t smbd_t -A 3
+
 .SH AUTHOR
 Chris PeBenito
diff --git a/man/seinfo.1 b/man/seinfo.1
index 1adea98..9e7cbde 100644
--- a/man/seinfo.1
+++ b/man/seinfo.1
@@ -56,6 +56,10 @@ There is no expanded information for this component.
 .IP "--genfscon [FS_TYPE]"
 Print a list of genfscon statements or, if FS_TYPE is provided, print the statement for the named filesystem type.
 There is no expanded information for this component.
+.IP "--ibpkeycon [PKEY[-PKEY]]"
+Print a list of InfiniBand parition key contexts.
+.IP "--ibendportcon [NAME]"
+Print a list of InfiniBand endport contexts.
 .IP "--initialsid [NAME]"
 Print a list of initial SIDs or, if NAME is provided, print the named initial SID. With \fI-x\fR, print the context assigned to each displayed SID.
@@ -86,6 +90,18 @@ There is no expanded information for this component.
 .IP "--all"
 Print all components.
+.IP "\fB Xen Component Queries: \fR"
+.IP "--ioportcon"
+Print all ioportcon statements.
+.IP "--iomemcon"
+Print all iomemcon statements.
+.IP "--pcidevicecon"
+Print all pcidevicecon statements.
+.IP "--pirqcon"
+Print all pirqcon statements.
+.IP "--devicetreecon"
+Print all devicetreecon statements.
+
 .SH OPTIONS
 .IP "-x, --expand"
 Print additional details for each component matching the expression.
@@ -101,6 +117,15 @@ Print additional informational messages.
 .IP "--debug"
 Enable debugging output.
+.SH EXAMPLE
+.nf
+List aliases of and attributes assigned to type httpd_t
+# seinfo -t httpd_t -x
+List all executable types (all types assigned to "exec_type" attribute)
+# seinfo -a exec_type -x
+List all constrains and mlsconstrains for class "file"
+# seinfo --constrain file
+
 .SH AUTHOR
 Chris PeBenito
diff --git a/man/seinfoflow.1 b/man/seinfoflow.1
index 2e4a261..75763d6 100644
--- a/man/seinfoflow.1
+++ b/man/seinfoflow.1
@@ -54,6 +54,8 @@ A space-separated list of types to exclude from the analysis.
 Print information flow graph statistics at the end of the analysis.
 .IP "-h, --help"
 Print help information and exit.
+.IP "--full"
+Print full rule lists for information flows.
 .IP "--version"
 Print version information and exit.
 .IP "-v, --verbose"
@@ -61,6 +63,13 @@ Print additional informational messages.
 .IP "--debug"
 Enable debugging output.
+.SH EXAMPLE
+.nf
+Show the shortest paths for process running as httpd_t to access user home files, using permission map from /var/lib/sepolgen/perm_map
+# seinfoflow -m /var/lib/sepolgen/perm_map -s httpd_t -t user_home_t -S
+List all data paths shorter than 3 steps from smbd_t to httpd_log_t, when samba_enable_home_dirs and samba_create_home_dirs booleans are enabled
+# seinfoflow -m /var/lib/sepolgen/perm_map -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true"
+
 .SH AUTHOR
 Chris PeBenito
diff --git a/man/sesearch.1 b/man/sesearch.1
index 35f16c4..edc1834 100644
--- a/man/sesearch.1
+++ b/man/sesearch.1
@@ -48,6 +48,7 @@ Find type_change rules.
 Find role allow rules.
 .IP "--role_trans"
 Find role_transition rules.
+.IP "Note: TE/MLS rule searches cannot be mixed with RBAC rule searches"
 .SS MLS Rule Types
 .IP "--range_trans"
@@ -80,6 +81,8 @@ A matching rule must have the specified target attribute/type/role explicitly, i
 A matching rule must have all specified Booleans, instead of matching any of the specified Boolean.
 .IP "-ep"
 A matching rule must have exactly the specified permissions, instead of matching any of the specified permission.
+.IP "-ex"
+A matching rule must have exactly the specified extended permissions, instead of matching any listed extended permission.
 .IP "-Sp"
 A matching rule must have permissions where are a superset of the specified permissions, instead of matching any of the permissions.
 .IP "-rs"
@@ -103,6 +106,15 @@ Print additional informational messages.
 .IP "--debug"
 Enable debugging output.
+.SH EXAMPLE
+.nf
+List allow (and allowxperm) rules for accessing files labeled container_file_t from domains with attribute container_domain
+# sesearch -A -s container_domain -t container_file_t -c file
+List allow and dontaudit rules for accessing chr_files labeled container_file_t, that are controlled by boolean container_use_devices
+# sesearch -A --dontaudit -t container_file_t -c chr_file -b container_use_devices
+List dontaudit rules assigned via application_domain_type attribute (rules concerning specific types with that attribute are excluded)
+# sesearch --dontaudit -s application_domain_type -ds
+
 .SH AUTHOR
 Chris PeBenito