commit: 16613e5f359379db293c17d511edde5a680fedbe
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 15 16:23:37 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 16:23:37 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=16613e5f
Add tmpfiles_selinux manual page --- man/man8/tmpfiles_selinux.8 | 100 +++++++++++++++++++++++++++++++++++++ policy/modules/system/tmpfiles.rst | 73 +++++++++++++++++++++++++++ 2 files changed, 173 insertions(+) diff --git a/man/man8/tmpfiles_selinux.8 b/man/man8/tmpfiles_selinux.8 new file mode 100644 index 0000000..8a5b140 --- /dev/null +++ b/man/man8/tmpfiles_selinux.8 
@@ -0,0 +1,100 @@ +.\" Man page generated from reStructuredText. +. +.TH TMPFILES_SELINUX 8 "2014-08-15" "" "SELinux" +.SH NAME +tmpfiles_selinux \- SELinux policy module for tmpfiles +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH DESCRIPTION +.sp +The \fBtmpfiles\fP SELinux module supports the use of the tmpfiles interface (for +generating and managing temporary files, directories, sockets and what not) as +documented through the \fItmpfiles.d\fP manual page, available at +\fI\%http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html\fP +.SH BOOLEANS +.sp +The following booleans are defined through the \fBtmpfiles\fP SELinux policy module. +They can be toggled using \fBsetsebool\fP, like so: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +setsebool \-P tmpfiles_manage_all_non_security +.ft P +.fi +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B tmpfiles_manage_all_non_security +Enable to allow tmpfiles to manage non\-default types (beyond variable run\-time +locations) as well +.UNINDENT +.SH DOMAINS +.SS tmpfiles_t +.sp +The \fBtmpfiles_t\fP domain is used by the \fItmpfiles\fP and \fIcheckpath\fP scripts +which are responsible for creating and modifying the boot\-time resources. 
+.SH LOCATIONS +.INDENT 0.0 +.TP +.B tmpfiles_conf_t +is used for the tmpfiles configuration files (\fI/etc/tmpfiles.d\fP) +.TP +.B tmpfiles_exec_t +is used as entrypoint for the tmpfiles application +.TP +.B tmpfiles_var_run_t +is used as the variable run\-time data used by the tmpfiles application +.UNINDENT +.SH POLICY +.sp +The following interfaces can be used to enhance the default policy with +tmpfiles\-related provileges. More details on these interfaces can be found in the +interface HTML documentation, we will not list all available interfaces here. +.INDENT 0.0 +.TP +.B tmpfiles_read_conf +to allow read access on the tmpfiles configuration files +.TP +.B tmpfiles_manage_conf +to allow a domain to manage the tmpfiles configuration files +.UNINDENT +.SH SEE ALSO +.INDENT 0.0 +.IP \(bu 2 +Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP +.IP \(bu 2 +Gentoo Hardened SELinux Project at +\fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP +.UNINDENT +.SH AUTHOR +Sven Vermeulen <[email protected]> +.\" Generated by docutils manpage writer. +. diff --git a/policy/modules/system/tmpfiles.rst b/policy/modules/system/tmpfiles.rst new file mode 100644 index 0000000..748032b --- /dev/null +++ b/policy/modules/system/tmpfiles.rst 
@@ -0,0 +1,73 @@ +================ +tmpfiles_selinux +================ + +---------------------------------- +SELinux policy module for tmpfiles +---------------------------------- + +:Author: Sven Vermeulen <[email protected]> +:Date: 2014-08-15 +:Manual section: 8 +:Manual group: SELinux + +DESCRIPTION +=========== + +The **tmpfiles** SELinux module supports the use of the tmpfiles interface (for +generating and managing temporary files, directories, sockets and what not) as +documented through the *tmpfiles.d* manual page, available at +http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html + +BOOLEANS +======== + +The following booleans are defined through the **tmpfiles** SELinux policy module. +They can be toggled using ``setsebool``, like so:: + + setsebool -P tmpfiles_manage_all_non_security + +tmpfiles_manage_all_non_security + Enable to allow tmpfiles to manage non-default types (beyond variable run-time + locations) as well + +DOMAINS +======= + +tmpfiles_t +---------- + +The **tmpfiles_t** domain is used by the *tmpfiles* and *checkpath* scripts +which are responsible for creating and modifying the boot-time resources. + +LOCATIONS +========= + +tmpfiles_conf_t + is used for the tmpfiles configuration files (*/etc/tmpfiles.d*) + +tmpfiles_exec_t + is used as entrypoint for the tmpfiles application + +tmpfiles_var_run_t + is used as the variable run-time data used by the tmpfiles application + +POLICY +====== + +The following interfaces can be used to enhance the default policy with +tmpfiles-related provileges. More details on these interfaces can be found in the +interface HTML documentation, we will not list all available interfaces here. 
+ +tmpfiles_read_conf + to allow read access on the tmpfiles configuration files + +tmpfiles_manage_conf + to allow a domain to manage the tmpfiles configuration files + +SEE ALSO +======== + +* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux +* Gentoo Hardened SELinux Project at + https://wiki.gentoo.org/wiki/Project:Hardened
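Review bot: The BOOLEANS example in man/man8/tmpfiles_selinux.8, `setsebool \-P tmpfiles_manage_all_non_security`, passes no value, but setsebool takes the boolean name followed by a value (on/off, or name=value), so the command as documented does not toggle anything. Suggest showing the value explicitly, e.g. `setsebool \-P tmpfiles_manage_all_non_security on`. Because the header says this file is "generated from reStructuredText", make the change in policy/modules/system/tmpfiles.rst and regenerate the .8 rather than editing it by hand, so the two files do not drift apart.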
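Review bot: The description of tmpfiles_manage_all_non_security under BOOLEANS in policy/modules/system/tmpfiles.rst does not say what the default state is or which types remain excluded when it is on; since enabling it lets tmpfiles_t manage types "beyond variable run-time locations", an administrator needs both facts to judge the change in privilege. Suggest adding the default and a short statement of what "non_security" leaves out. In the POLICY section, "provileges" should be "privileges", and "interface HTML documentation, we will not list" reads better as two sentences. Under LOCATIONS, "is used as the variable run-time data used by the tmpfiles application" could be tightened to "is used for the variable run-time data of the tmpfiles application".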
