libsemanage/man: add documentation for command overrides
For example Fedora contains the following default configuration:

    [sefcontext_compile]
    path = /usr/sbin/sefcontext_compile
    args = -r $@
    [end]

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
cgzones authored and bachradsusi committed Nov 27, 2024
1 parent 66da657 commit 8422032
Showing 1 changed file with 79 additions and 0 deletions.
79 changes: 79 additions & 0 deletions libsemanage/man/man5/semanage.conf.5
Expand Up @@ -131,6 +131,85 @@ It can be set to either "true" or "false" and by default it is set to "true".
When set to "true", duplicate type, type attribute, and role declarations will be allowed.
It can be set to either "true" or "false" and by default it is set to "true".

.RE
.PP
For certain tasks the SELinux Management library resorts to running
external commands. For the following commands their path and arguments can
be overridden:

.RS
.RS
.TP
.B load_policy
Command to load a kernel policy.
Requires no argument.
Defaults to
.IR /sbin/load_policy
with no arguments.

.TP
.B setfiles
Command to verify file context definitions.
Requires two arguments, the path to the kernel policy and the path to the
file context definition file.
Defaults to
.IR /sbin/setfiles
with the arguments '\-q \-c $@ $<'.

.TP
.B sefcontext_compile
Command to compile a file context definition file.
Requires one argument, the path to the to be compiled file context
definition file.
Defaults to
.IR /sbin/sefcontext_compile
with the argument '$@'.

.RE
.PP
Either
.IR path
or
.IR args
can be omitted.
The argument string must contain '$@' for the first required argument,
and '$<' for the second one.
The syntax for overriding an external command property is:

.RS

[\fIname\fR]
.sp 0
path = /path/to/command
.sp 0
args = --flag
.sp 0
[end]

.RE

.TP
Example

.RS

[sefcontext_compile]
.sp 0
path = /usr/sbin/sefcontext_compile
.sp 0
args = -r $@
.sp 0
[end]

.RE
.PP
Optionally the SELinux Management library can invoke external commands to
verify source modules (\fBverify module\fR), linked modules
(\fBverify linked\fR), and kernel policies (\fBverify kernel\fR).
The syntax is identical to the above command overrides.
The program should exit with a value of 0 on success, and non zero on
failure.

.SH "SEE ALSO"
.TP
semanage(8)
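
Review bot: The paragraph beginning "The argument string must contain '$@' for the first required argument" does not say what happens when an overridden args value leaves out a required placeholder, nor how the args string is split into individual arguments (whitespace, quoting). Since these commands are run by the management library on behalf of the administrator, a sentence on each would help, along with a statement of whether path has to be absolute. Two smaller points: there are two consecutive ".RS" requests before ".B load_policy" but only one ".RE" after the sefcontext_compile entry, so the intended nesting is worth checking in rendered output; and "the path to the to be compiled file context definition file" would read better as "the path to the file context definition file to compile".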