Subscribe to the feed

[Want to try out Red Hat Enterprise Linux? Download it now for free.]

There are many excellent man pages for the confined domains included with SELinux policy. These man pages describe booleans and context types for each domain. They also include sample semanage commands for adding context mappings, changing booleans, and more.

Unfortunately for the sysadmin getting started with SELinux configuration, these man pages are often not installed by default. The SELinux policy man pages are available from two locations. The upstream Reference Policy repo has a handful of pre-built man pages. The rest can be generated from the policy content with a tool found in the policycoreutils-devel package.

Install from a distribution package

Some distributions pre-generate the man pages and package them to make the documentation easy to add to your system. Fedora, CentOS, and Red Hat Enterprise Linux 8 all include an selinux-policy-doc.noarch package in their base repositories. This package is not installed by default, but is easy to add with a yum or dnf command:

$ sudo yum install selinux-policy-doc.noarch

Red Hat Enterprise Linux 7 has this package as well, but it is in the "Optional" repo which is not enabled by default. Either enable the repo permanently with subscription-manager:

$ sudo subscription-manager repo --enable=rhel-7-server-optional-rpms

or just add the repo temporarily during the installation:

$ sudo yum --enablerepo=rhel-7-server-optional-rpms install selinux-policy-doc.noarch

Now that the SELinux domain documentation is available, search for the relevant pages with:

$ man -k _selinux

Note: After installing the docs package you may also need to update the man page index cache before seeing the results from search:

$ sudo mandb

Generate man pages from the policy

If the docs package is not available, or if you only want to generate a man page for a specific domain, you can also build the man pages from the policy. First, install the devel packages and their dependencies:

$ sudo yum install policycoreutils-devel 

Then, use the sepolicy command to generate a specific man page by specifying the domain type (the SELinux context type associated with the running process that is being contained). For example:

$ sepolicy manpage -d httpd_t

The resulting man page will be generated in the /tmp directory and can be viewed by name:

$ man /tmp/httpd_selinux.8

There are options for the sepolicy manpage command to override the output location (--path), generate an html version (--web), or generate all (--all) pages. To see these and other options, use:

$ man sepolicy-manpage

As long as a user has write privileges to the output path, they can generate and view a man page.

Preview the magic of these man pages

The SELinux man pages for domain types all have a common layout. As with any set of man pages, the more man pages you read, the easier it is to scan or speed read the next one.

Each man page starts with the expected NAME and DESCRIPTION fields of any man page. The SELinux domain man pages then include the sections ENTRYPOINTS and PROCESS TYPES. (Entrypoints are the types assigned to the executable files, which when launched as daemons transition to the confined process types.)

Not all process types are daemons though, some may be interactive executables. For example, sshd_exec_t is an entrypoint which transitions to the sshd_t process type. In addition, sshd_t, ssh_t, and ssh_keygen_t and are also examples of process types.

Process types are also known as domain types and are the types that can be placed into permissive mode with the semanage command.

After any entrypoint and process type sections, the SELinux domain man page has sections for any BOOLEANS, PORT TYPES, MANAGED FILES, and FILE CONTEXTS that apply to that domain. These sections define keywords and provide samples for modifications that can be made with the semanage command. Enabling a boolean allows a different rule set for different use cases. File and port context modifications allow a system to be configured to hold data in a non-default location or run on a non-default port.

Each man page ends with a list of COMMANDS referenced in the man page and the traditional man page AUTHOR and SEE ALSO sections.

Start exploring

With the targeted policy, the httpd domain page is probably the longest, since that domain has the most booleans and file types to describe. It was also one of the first domains confined in the history of the SELinux targeted policy.

Start with a domain that is familiar to you such as sshd, httpd, or ntpd. Then search for domains that are relevant to your environment. After installing the selinux-docs package, I have over 850 man pages to explore on my system!

And remember, keep SELinux enforcing! (Here's how.)


About the author

Susan Lauber is a Consultant and Technical Trainer with her own company, Lauber System Solutions, Inc. She has over 25 years of experience working with Information Systems and specializes in Open Source technologies, specifically platform and data center installation, interoperability, automation, and security.

Susan is always an open source advocate and ambassador of projects she follows. She contributes to projects mostly by way of documentation and QA processes. She has contributed to Fedora Magazine and Opensource.com and is the author of "Linux Command Line Complete Video Course" (2016, Prentice Hall).

Susan is an independent instructor for several companies and holds an alphabet of certifications in those products. She is also a Certified Information Systems Security Professional (CISSP) and a Certified Technical Trainer (CTT). She has been a Red Hat Certified Instructor since 1999 and a co-author and contributor to several Red Hat Training student guides.

Follow her on twitter @laubersm to see what she is reading. Posts include a variety of technology topics as well as some travel, animals, sports, and other randomness.

 

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

Browse by channel

automation icon

Automation

The latest on IT automation for tech, teams, and environments

AI icon

Artificial intelligence

Updates on the platforms that free customers to run AI workloads anywhere

open hybrid cloud icon

Open hybrid cloud

Explore how we build a more flexible future with hybrid cloud

security icon

Security

The latest on how we reduce risks across environments and technologies

edge icon

Edge computing

Updates on the platforms that simplify operations at the edge

Infrastructure icon

Infrastructure

The latest on the world’s leading enterprise Linux platform

application development icon

Applications

Inside our solutions to the toughest application challenges

Original series icon

Original shows

Entertaining stories from the makers and leaders in enterprise tech