From: Petr Lautrbach <plautrba@redhat.com>
To: Vit Mojzis <vmojzis@redhat.com>, selinux@vger.kernel.org
Subject: Re: [PATCH 4/5] checkpolicy: Add examples to man pages
Date: Wed, 31 May 2023 16:44:06 +0200 [thread overview]
Message-ID: <87wn0ok1c9.fsf@redhat.com> (raw)
In-Reply-To: <20230524111535.1743163-4-vmojzis@redhat.com>
Vit Mojzis <vmojzis@redhat.com> writes:
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> ---
> checkpolicy/checkpolicy.8 | 15 +++++++++++++--
> 1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
> index 2984c238..aefa148c 100644
> --- a/checkpolicy/checkpolicy.8
> +++ b/checkpolicy/checkpolicy.8
> @@ -12,8 +12,8 @@ command.
> .PP
> .B checkpolicy
> is a program that checks and compiles a SELinux security policy configuration
> -into a binary representation that can be loaded into the kernel. If no
> -input file name is specified,
> +into a binary representation that can be loaded into the kernel.
> +If no input file name is specified,
> .B checkpolicy
> will attempt to read from policy.conf or policy, depending on whether the \-b
> flag is specified.
> @@ -64,6 +64,17 @@ Show version information.
> .B \-h,\-\-help
> Show usage information.
>
> +.SH EXAMPLE
> +.nf
> +Generate policy.conf based on the system policy
> +# checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.* -o policy.conf
Would not work on a system with multiple policy files:
# ls -l /etc/selinux/targeted/policy/
total 7016
-rw-r--r--. 1 root root 3590656 May 31 16:42 policy.32
-rw-r--r--. 1 root root 3590656 May 29 08:22 policy.33
# checkpolicy -b -M -F /etc/selinux/targeted/policy/policy.* -o policy.conf
usage: checkpolicy [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] [-c policyvers (15-33)] [-o output_file|-] [-S] [-O] [-t target_platform (selinux,xen)] [-E] [-V] [input_file]
In EXAMPLES I think it's safe to use policy.33 everywhere.
> +Recompile system policy so that unknown permissions are denied (uses policy.conf from ^^).
> +Note that binary policy extension represents its version, which is subject to change
> +# checkpolicy -M -U deny -o /etc/selinux/targeted/policy/policy.33 policy.conf
> +# load_policy
> +Generate CIL representation of current system policy
> +# checkpolicy -b -M -C /etc/selinux/targeted/policy/policy.* -o policy.out
> +
> .SH "SEE ALSO"
> SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
>
> --
> 2.40.0
next prev parent reply other threads:[~2023-05-31 14:44 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-24 11:15 [PATCH 1/5] policycoreutils: Add examples to man pages Vit Mojzis
2023-05-24 11:15 ` [PATCH 2/5] python/sepolicy: Improve " Vit Mojzis
2023-05-31 14:37 ` Petr Lautrbach
2023-05-24 11:15 ` [PATCH 3/5] sandbox: Add examples to " Vit Mojzis
2023-05-24 11:15 ` [PATCH 4/5] checkpolicy: " Vit Mojzis
2023-05-31 14:44 ` Petr Lautrbach [this message]
2023-05-24 11:15 ` [PATCH 5/5] libselinux: " Vit Mojzis
2023-05-31 14:56 ` Petr Lautrbach
2023-06-01 14:39 ` [PATCH v2 1/5] policycoreutils: " Vit Mojzis
2023-06-01 14:39 ` [PATCH v2 2/5] python/sepolicy: Improve " Vit Mojzis
2023-06-01 14:39 ` [PATCH v2 3/5] sandbox: Add examples to " Vit Mojzis
2023-06-01 14:39 ` [PATCH v2 4/5] checkpolicy: " Vit Mojzis
2023-06-01 14:39 ` [PATCH v2 5/5] libselinux: " Vit Mojzis
2023-06-06 8:09 ` [PATCH v2 1/5] policycoreutils: " Petr Lautrbach
2023-06-08 19:51 ` James Carter
2023-05-31 14:14 ` [PATCH " Petr Lautrbach
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wn0ok1c9.fsf@redhat.com \
--to=plautrba@redhat.com \
--cc=selinux@vger.kernel.org \
--cc=vmojzis@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.