author: Sven Vermeulen <sven.vermeulen@siphos.be> 2014-08-15 18:23:37 +0200
committer: Sven Vermeulen <sven.vermeulen@siphos.be> 2014-08-15 18:23:37 +0200
commit: 16613e5f359379db293c17d511edde5a680fedbe
tree: a2f609764c094c0e4e00954b1bac577efcc07b64
parent: Correct date
Add tmpfiles_selinux manual page
-rw-r--r-- man/man8/tmpfiles_selinux.8 | 100
-rw-r--r-- policy/modules/system/tmpfiles.rst | 73
2 files changed, 173 insertions, 0 deletions
diff --git a/man/man8/tmpfiles_selinux.8 b/man/man8/tmpfiles_selinux.8
new file mode 100644
index 00000000..8a5b1405
--- /dev/null
+++ b/man/man8/tmpfiles_selinux.8
@@ -0,0 +1,100 @@
+.\" Man page generated from reStructuredText.
+.
+.TH TMPFILES_SELINUX 8 "2014-08-15" "" "SELinux"
+.SH NAME
+tmpfiles_selinux \- SELinux policy module for tmpfiles
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH DESCRIPTION
+.sp
+The \fBtmpfiles\fP SELinux module supports the use of the tmpfiles interface (for
+generating and managing temporary files, directories, sockets and what not) as
+documented through the \fItmpfiles.d\fP manual page, available at
+\fI\%http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html\fP
+.SH BOOLEANS
+.sp
+The following booleans are defined through the \fBtmpfiles\fP SELinux policy module.
+They can be toggled using \fBsetsebool\fP, like so:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+setsebool \-P tmpfiles_manage_all_non_security
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B tmpfiles_manage_all_non_security
+Enable to allow tmpfiles to manage non\-default types (beyond variable run\-time
+locations) as well
+.UNINDENT
+.SH DOMAINS
+.SS tmpfiles_t
+.sp
+The \fBtmpfiles_t\fP domain is used by the \fItmpfiles\fP and \fIcheckpath\fP scripts
+which are responsible for creating and modifying the boot\-time resources.
+.SH LOCATIONS
+.INDENT 0.0
+.TP
+.B tmpfiles_conf_t
+is used for the tmpfiles configuration files (\fI/etc/tmpfiles.d\fP)
+.TP
+.B tmpfiles_exec_t
+is used as entrypoint for the tmpfiles application
+.TP
+.B tmpfiles_var_run_t
+is used as the variable run\-time data used by the tmpfiles application
+.UNINDENT
+.SH POLICY
+.sp
+The following interfaces can be used to enhance the default policy with
+tmpfiles\-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+.INDENT 0.0
+.TP
+.B tmpfiles_read_conf
+to allow read access on the tmpfiles configuration files
+.TP
+.B tmpfiles_manage_conf
+to allow a domain to manage the tmpfiles configuration files
+.UNINDENT
+.SH SEE ALSO
+.INDENT 0.0
+.IP \(bu 2
+Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
+.IP \(bu 2
+Gentoo Hardened SELinux Project at
+\fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP
+.UNINDENT
+.SH AUTHOR
+Sven Vermeulen <swift@gentoo.org>
+.\" Generated by docutils manpage writer.
+.
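Review bot: The setsebool example in the BOOLEANS section, "setsebool \-P tmpfiles_manage_all_non_security", gives no value for the boolean. setsebool expects a value after the name (on/off or 1/0), so the command as documented will not toggle anything. Suggest "setsebool \-P tmpfiles_manage_all_non_security on". Because the header says this file is generated from reStructuredText, make the change in policy/modules/system/tmpfiles.rst and regenerate rather than editing the .8 file by hand. The same applies to the "provileges" typo in the POLICY section.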
diff --git a/policy/modules/system/tmpfiles.rst b/policy/modules/system/tmpfiles.rst
new file mode 100644
index 00000000..748032b4
--- /dev/null
+++ b/policy/modules/system/tmpfiles.rst
@@ -0,0 +1,73 @@
+================
+tmpfiles_selinux
+================
+
+----------------------------------
+SELinux policy module for tmpfiles
+----------------------------------
+
+:Author: Sven Vermeulen <swift@gentoo.org>
+:Date: 2014-08-15
+:Manual section: 8
+:Manual group: SELinux
+
+DESCRIPTION
+===========
+
+The **tmpfiles** SELinux module supports the use of the tmpfiles interface (for
+generating and managing temporary files, directories, sockets and what not) as
+documented through the *tmpfiles.d* manual page, available at
+http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
+
+BOOLEANS
+========
+
+The following booleans are defined through the **tmpfiles** SELinux policy module.
+They can be toggled using ``setsebool``, like so::
+
+ setsebool -P tmpfiles_manage_all_non_security
+
+tmpfiles_manage_all_non_security
+ Enable to allow tmpfiles to manage non-default types (beyond variable run-time
+ locations) as well
+
+DOMAINS
+=======
+
+tmpfiles_t
+----------
+
+The **tmpfiles_t** domain is used by the *tmpfiles* and *checkpath* scripts
+which are responsible for creating and modifying the boot-time resources.
+
+LOCATIONS
+=========
+
+tmpfiles_conf_t
+ is used for the tmpfiles configuration files (*/etc/tmpfiles.d*)
+
+tmpfiles_exec_t
+ is used as entrypoint for the tmpfiles application
+
+tmpfiles_var_run_t
+ is used as the variable run-time data used by the tmpfiles application
+
+POLICY
+======
+
+The following interfaces can be used to enhance the default policy with
+tmpfiles-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+
+tmpfiles_read_conf
+ to allow read access on the tmpfiles configuration files
+
+tmpfiles_manage_conf
+ to allow a domain to manage the tmpfiles configuration files
+
+SEE ALSO
+========
+
+* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux
+* Gentoo Hardened SELinux Project at
+ https://wiki.gentoo.org/wiki/Project:Hardened
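Review bot: The POLICY paragraph has a typo, "tmpfiles-related provileges" should read "privileges", and its second sentence is a comma splice ("... documentation, we will not list ..."). Both carry over into the generated man page. In BOOLEANS, the description of tmpfiles_manage_all_non_security says only that it covers "non-default types (beyond variable run-time locations)". Since enabling it widens what tmpfiles_t may manage, it would help administrators if the text stated the boolean's default value and said more concretely which types fall in scope. The literal block "setsebool -P tmpfiles_manage_all_non_security" also needs an on/off value.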