author | Joshua Brindle <method@manicmethod.com> | 2008-08-19 15:30:36 -0400 |
---|---|---|
committer | Joshua Brindle <method@manicmethod.com> | 2008-08-19 15:30:36 -0400 |
commit | 13cd4c8960688af11ad23b4c946149015c80d549 (patch) | |
tree | 61e928c962bcf6981ef4dc02dfb0b46d1c16b818 /libselinux/man/man8 | |
initial import from svn trunk revision 2950
Diffstat (limited to 'libselinux/man/man8')
-rw-r--r-- | libselinux/man/man8/avcstat.8 | 31 |
-rw-r--r-- | libselinux/man/man8/booleans.8 | 49 |
-rw-r--r-- | libselinux/man/man8/getenforce.8 | 15 |
-rw-r--r-- | libselinux/man/man8/getsebool.8 | 35 |
-rw-r--r-- | libselinux/man/man8/matchpathcon.8 | 37 |
-rw-r--r-- | libselinux/man/man8/selinux.8 | 82 |
-rw-r--r-- | libselinux/man/man8/selinuxenabled.8 | 16 |
-rw-r--r-- | libselinux/man/man8/setenforce.8 | 23 |
-rw-r--r-- | libselinux/man/man8/togglesebool.8 | 17 |
9 files changed, 305 insertions, 0 deletions
diff --git a/libselinux/man/man8/avcstat.8 b/libselinux/man/man8/avcstat.8 new file mode 100644 index 00000000..1035331a --- /dev/null +++ b/libselinux/man/man8/avcstat.8 @@ -0,0 +1,31 @@ +.TH "avcstat" "8" "18 Nov 2004" "dwalsh@redhat.com" "SELinux Command Line documentation" +.SH "NAME" +avcstat \- Display SELinux AVC statistics + +.SH "SYNOPSIS" +.B avcstat +.I [-c] [-f status_file] [interval] + +.SH "DESCRIPTION" +.B avcstat + +Display SELinux AVC statistics. If the interval parameter is specified, the +program will loop, displaying updated statistics every 'interval' seconds. +Relative values are displayed by default. + +.SH OPTIONS +.TP +.B \-c +Display the cumulative values. + +.TP +.B \-f +Specifies the location of the AVC statistics file, defaulting to '/selinux/avc/cache_stats'. + +.SH "SEE ALSO" +selinux(8) + +.SH AUTHOR +This manual page was written by Dan Walsh <dwalsh@redhat.com>. +The program was written by James Morris <jmorris@redhat.com>. + diff --git a/libselinux/man/man8/booleans.8 b/libselinux/man/man8/booleans.8 new file mode 100644 index 00000000..89c7654d --- /dev/null +++ b/libselinux/man/man8/booleans.8 
@@ -0,0 +1,49 @@ +.TH "booleans" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation" +.SH "NAME" +booleans \- Policy booleans enable runtime customization of SELinux policy. + +.SH "DESCRIPTION" +This manual page describes SELinux policy booleans. +.BR + +The SELinux policy can include conditional rules that are enabled or +disabled based on the current values of a set of policy booleans. +These policy booleans allow runtime modification of the security +policy without having to load a new policy. + +For example, the boolean httpd_enable_cgi allows the httpd daemon to +run cgi scripts if it is enabled. If the administrator does not want +to allow execution of cgi scripts, he can simply disable this boolean +value. + +The policy defines a default value for each boolean, typically false. +These default values can be overridden via local settings created via the +.B setsebool(8) +utility, using -P to make the setting persistent across reboots. +The +.B system-config-securitylevel +tool provides a graphical interface for altering +the settings. The +.B load_policy(8) +program will preserve +current boolean settings upon a policy reload by default, or can +optionally reset booleans to the boot-time defaults via the -b option. + +Boolean values can be listed by using the +.B getsebool(8) +utility and passing it the -a option. + +Boolean values can also be changed at runtime via the +.B setsebool(8) +utility or the +.B togglesebool +utility. By default, these utilities only change the +current boolean value and do not affect the persistent settings, +unless the -P option is used to setsebool. + +.SH AUTHOR +This manual page was written by Dan Walsh <dwalsh@redhat.com>. +The SELinux conditional policy support was developed by Tresys Technology. + +.SH "SEE ALSO" +getsebool(8), setsebool(8), selinux(8), togglesebool(8) diff --git a/libselinux/man/man8/getenforce.8 b/libselinux/man/man8/getenforce.8 new file mode 100644 index 00000000..8dc63c83 
--- /dev/null +++ b/libselinux/man/man8/getenforce.8 @@ -0,0 +1,15 @@ +.TH "getenforce" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation" +.SH "NAME" +getenforce \- get the current mode of SELinux +.SH "SYNOPSIS" +.B getenforce + +.SH "DESCRIPTION" +.B getenforce +reports whether SELinux is enforcing, permissive, or disabled. + +.SH AUTHOR +Dan Walsh, <dwalsh@redhat.com> + +.SH "SEE ALSO" +selinux(8), setenforce(8), selinuxenabled(8) diff --git a/libselinux/man/man8/getsebool.8 b/libselinux/man/man8/getsebool.8 new file mode 100644 index 00000000..a4200eec --- /dev/null +++ b/libselinux/man/man8/getsebool.8 @@ -0,0 +1,35 @@ +.TH "getsebool" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation" +.SH "NAME" +getsebool \- get SELinux boolean value(s) + +.SH "SYNOPSIS" +.B getsebool +.I "[-a] [boolean]" + +.SH "DESCRIPTION" +.B getsebool +reports where a particular SELinux boolean or +all SELinux booleans are on or off +In certain situations a boolean can be in one state with a pending +change to the other state. getsebool will report this as a pending change. +The pending value indicates +the value that will be applied upon the next boolean commit. + +The setting of boolean values occurs in two stages; first the pending +value is changed, then the booleans are committed, causing their +active values to become their pending values. This allows a group of +booleans to be changed in a single transaction, by setting all of +their pending values as desired and then committing once. + +.SH OPTIONS +.TP +.B \-a +Show all SELinux booleans. + +.SH "SEE ALSO" +selinux(8), setsebool(8), booleans(8) + +.SH AUTHOR +This manual page was written by Dan Walsh <dwalsh@redhat.com>. +The program was written by Tresys Technology. + diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8 new file mode 100644 index 00000000..c1b00c0f --- /dev/null +++ b/libselinux/man/man8/matchpathcon.8 
@@ -0,0 +1,37 @@ +.TH "matchpathcon" "8" "21 April 2005" "dwalsh@redhat.com" "SELinux Command Line documentation" +.SH "NAME" +matchpathcon \- get the default SELinux security context for the specified path from the file contexts configuration. + +.SH "SYNOPSIS" +.B matchpathcon [-V] [-N] [-n] [-f file_contexts_file ] [-p prefix ] filepath... +.SH "DESCRIPTION" +.B matchpathcon +queries the system policy and outputs the default security context associated with the filepath. + +Note: Identical paths can have different security contexts, depending on the file type. (regular file, directory, link file, char file ...) + +.B matchpathcon +will also take the file type into consideration in determining the default security context if the file exists. If the file does not exist, no file type matching will occur. + +.SH OPTIONS +.B \-n +Do not display path. + +.B \-N +Do not use translations. + +.B \-f file_context_file +Use alternate file_context file + +.B \-p prefix +Use prefix to speed translations + +.B \-V +Verify file context on disk matches defaults + +.SH AUTHOR +This manual page was written by Dan Walsh <dwalsh@redhat.com>. + +.SH "SEE ALSO" +.BR selinux "(8), " +.BR matchpathcon "(3), " diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 new file mode 100644 index 00000000..5caa5927 --- /dev/null +++ b/libselinux/man/man8/selinux.8 
@@ -0,0 +1,82 @@ +.TH "selinux" "8" "29 Apr 2005" "dwalsh@redhat.com" "SELinux Command Line documentation" + +.SH "NAME" +selinux \- NSA Security-Enhanced Linux (SELinux) + +.SH "DESCRIPTION" + +NSA Security-Enhanced Linux (SELinux) is an implementation of a +flexible mandatory access control architecture in the Linux operating +system. The SELinux architecture provides general support for the +enforcement of many kinds of mandatory access control policies, +including those based on the concepts of Type EnforcementĀ®, Role- +Based Access Control, and Multi-Level Security. Background +information and technical documentation about SELinux can be found at +http://www.nsa.gov/selinux. + +The +.I /etc/selinux/config +configuration file controls whether SELinux is +enabled or disabled, and if enabled, whether SELinux operates in +permissive mode or enforcing mode. The +.B SELINUX +variable may be set to +any one of disabled, permissive, or enforcing to select one of these +options. The disabled option completely disables the SELinux kernel +and application code, leaving the system running without any SELinux +protection. The permissive option enables the SELinux code, but +causes it to operate in a mode where accesses that would be denied by +policy are permitted but audited. The enforcing option enables the +SELinux code and causes it to enforce access denials as well as +auditing them. Permissive mode may yield a different set of denials +than enforcing mode, both because enforcing mode will prevent an +operation from proceeding past the first denial and because some +application code will fall back to a less privileged mode of operation +if denied access. + +The +.I /etc/selinux/config +configuration file also controls what policy +is active on the system. SELinux allows for multiple policies to be +installed on the system, but only one policy may be active at any +given time. At present, two kinds of SELinux policy exist: targeted +and strict. 
The targeted policy is designed as a policy where most +processes operate without restrictions, and only specific services are +placed into distinct security domains that are confined by the policy. +For example, the user would run in a completely unconfined domain +while the named daemon or apache daemon would run in a specific domain +tailored to its operation. The strict policy is designed as a policy +where all processes are partitioned into fine-grained security domains +and confined by policy. It is anticipated in the future that other +policies will be created (Multi-Level Security for example). You can +define which policy you will run by setting the +.B SELINUXTYPE +environment variable within +.I /etc/selinux/config. +The corresponding +policy configuration for each such policy must be installed in the +/etc/selinux/SELINUXTYPE/ directories. + +A given SELinux policy can be customized further based on a set of +compile-time tunable options and a set of runtime policy booleans. +.B system-config-securitylevel +allows customization of these booleans and tunables. + +Many domains that are protected by SELinux also include selinux man pages explainging how to customize their policy. + +.SH FILE LABELING + +All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended attributes of the file system. +Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non selinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling. + +The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-securitylevel, also has this capability. The restorcon/fixfiles commands are also available for relabeling files. + +.SH AUTHOR +This manual page was written by Dan Walsh <dwalsh@redhat.com>. 
+ +.SH "SEE ALSO" +booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8), setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8), httpd_selinux(8), nfs_selinux(8), samba_selinux(8), kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8) + + +.SH FILES +/etc/selinux/config diff --git a/libselinux/man/man8/selinuxenabled.8 b/libselinux/man/man8/selinuxenabled.8 new file mode 100644 index 00000000..b25431f4 --- /dev/null +++ b/libselinux/man/man8/selinuxenabled.8 @@ -0,0 +1,16 @@ +.TH "selinuxenabled" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation" +.SH "NAME" +selinuxenabled \- tool to be used within shell scripts to determine if selinux is enabled +.SH "SYNOPSIS" +.B selinuxenabled + +.SH "DESCRIPTION" +.B selinuxenabled +Indicates whether SELinux is enabled or disabled. It exits with status 0 +if SELinux is enabled and 1 if it is not enabled. + +.SH AUTHOR +Dan Walsh, <dwalsh@redhat.com> + +.SH "SEE ALSO" +selinux(8), setenforce(8), getenforce(8) diff --git a/libselinux/man/man8/setenforce.8 b/libselinux/man/man8/setenforce.8 new file mode 100644 index 00000000..8a010d6e --- /dev/null +++ b/libselinux/man/man8/setenforce.8 @@ -0,0 +1,23 @@ +.TH "setenforce" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation" +.SH "NAME" +setenforce \- modify the mode SELinux is running in. +.SH "SYNOPSIS" +.B setenforce [ Enforcing | Permissive | 1 | 0 ] + +.SH "DESCRIPTION" +Use Enforcing or 1 to put SELinux in enforcing mode. +Use Permissive or 0 to put SELinux in permissive mode. +You need to modify +.I /etc/grub.conf +or +.I /etc/selinux/config +to disable SELinux. + +.SH AUTHOR +Dan Walsh, <dwalsh@redhat.com> + +.SH "SEE ALSO" +selinux(8), getenforce(8), selinuxenabled(8) + +.SH FILES +/etc/grub.conf, /etc/selinux/config diff --git a/libselinux/man/man8/togglesebool.8 b/libselinux/man/man8/togglesebool.8 new file mode 100644 index 00000000..ae211754 --- /dev/null 
+++ b/libselinux/man/man8/togglesebool.8 @@ -0,0 +1,17 @@ +.TH "togglesebool" "1" "26 Oct 2004" "sgrubb@redhat.com" "SELinux Command Line documentation" +.SH "NAME" +togglesebool \- flip the current value of a SELinux boolean +.SH "SYNOPSIS" +.B togglesebool boolean... + +.SH "DESCRIPTION" +.B togglesebool +flips the current value of a list of booleans. If the value is currently a 1, +then it will be changed to a 0 and vice versa. Only the "in memory" values are +changed; the boot-time settings are unaffected. + +.SH AUTHOR +This man page was written by Steve Grubb <sgrubb@redhat.com> + +.SH "SEE ALSO" +selinux(8), booleans(8), getsebool(8), setsebool(8) |
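Review bot: in avcstat.8, the OPTIONS entry for `.B \-f` omits the argument that the SYNOPSIS shows as `-f status_file`. Suggest `.B \-f status_file` so the option entry and the synopsis agree, since the description text already talks about "the location of the AVC statistics file".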
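Review bot: in booleans.8, the bare `.BR` after "This manual page describes SELinux policy booleans." is a font macro with no arguments, not a line break; `.br` looks like what was intended. The option letters in running text ("-P", "-a", "-b") are also unescaped, while avcstat.8 in this same patch writes `\-c`; escaping them keeps the hyphens consistent. Finally, `.B togglesebool` is the only utility reference in the DESCRIPTION without its "(8)" section suffix.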
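Review bot: in getenforce.8, the `.TH` line declares section "1" while the file is installed as man8/getenforce.8 and the SEE ALSO lines in this patch refer to the sibling pages as setenforce(8) and selinuxenabled(8). Suggest `.TH "getenforce" "8" ...` so the page header matches its location and the cross-references.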
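Review bot: in getsebool.8, the first DESCRIPTION sentence reads "reports where a particular SELinux boolean or all SELinux booleans are on or off" and runs straight into "In certain situations" with no full stop. "where" should be "whether", and the sentence needs a terminating period. The SYNOPSIS also shows no way to request more than one named boolean although the NAME line says "value(s)"; worth stating whether `boolean` may be repeated.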
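Review bot: in matchpathcon.8, the OPTIONS section lists each `.B \-x` entry without a preceding `.TP`, unlike avcstat.8 and getsebool.8 in this patch, so the option and its description will not be set as a tagged list. The file argument is also spelled two ways: `file_contexts_file` in the SYNOPSIS and `file_context_file` under OPTIONS. The last SEE ALSO line, `.BR matchpathcon "(3), "`, leaves a trailing comma at the end of the list.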
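Review bot: in selinux.8, the FILE LABELING section names the relabeling command "restorcon" while SEE ALSO lists restorecon(8); the command name should be spelled the same in both places. Nearby, "explainging" is a typo for "explaining", and "These context are stored" should be "These contexts are stored". SELINUXTYPE is described as an "environment variable within /etc/selinux/config", whereas SELINUX in the same file is just called a "variable"; the latter wording is the accurate one for a config-file setting. The character after "Type Enforcement" appears mis-encoded as shown here and should be checked against the file's encoding, and the period inside `.I /etc/selinux/config.` will be italicized with the path.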
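Review bot: in selinuxenabled.8, the DESCRIPTION starts with `.B selinuxenabled` followed by a capitalized "Indicates whether ...", which will render as "selinuxenabled Indicates whether SELinux is enabled or disabled." Lower-casing "indicates" makes it one sentence, as getenforce.8 does with "reports". The `.TH` line also declares section "1" for a page installed under man8 and referenced elsewhere in this patch as selinuxenabled(8).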
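Review bot: in setenforce.8, the DESCRIPTION says "You need to modify /etc/grub.conf or /etc/selinux/config to disable SELinux" without saying what to change in either file. For /etc/selinux/config, selinux.8 in this patch already documents the SELINUX variable and its disabled value, so a pointer to selinux(8) would do; the /etc/grub.conf case needs its own sentence. It would also help to state that the change made by setenforce is to the running mode only, since the page gives no indication of whether it persists. The `.TH` line declares section "1" for a man8 page.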
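Review bot: in togglesebool.8, the `.TH` line declares section "1" while the file lives in man8 and booleans.8 and getsebool.8 cite it as togglesebool(8); suggest `"8"`. The DESCRIPTION speaks of values "1" and "0" where getsebool.8 describes the same booleans as "on or off", so one vocabulary should be chosen across the pages. The AUTHOR sentence is also missing its terminating period.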