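def _file_context(self):
    """Write the FILE CONTEXTS section of the man page to ``self.fd``.

    Collects the file types that belong to this domain (names starting with
    ``self.domainname``) together with their file-context regexes from
    ``self.fcdict``, derives the equivalence directories worth documenting,
    and emits the troff text.  Returns ``None`` without writing anything when
    the domain has no registered regex paths.

    Reads ``self.all_file_types``, ``self.domainname`` and ``self.fcdict``
    (``fcdict[type]["regex"]`` is a list of path regexes).  Also uses the
    module-level ``equiv_dirs`` list and ``sepolicy.get_description`` — both
    are defined outside this method.
    """
    flist = []
    mpaths = []
    for f in self.all_file_types:
        if not f.startswith(self.domainname):
            continue
        flist.append(f)
        if f in self.fcdict:
            # extend() instead of list concatenation: no copy of mpaths per type
            mpaths.extend(self.fcdict[f]["regex"])
    if not mpaths:
        return
    mpaths.sort()

    # Equivalence directory -> regexes found below it.  Sorting first means a
    # directory's own "<dir>(/.*)?" entry is seen before the paths under it.
    suffix = '(/.*)?'
    mdirs = {}
    for mp in mpaths:
        parent = next((md for md in mdirs if mp.startswith(md)), None)
        if parent is not None:
            mdirs[parent].append(mp)
            continue
        # First path under a candidate equivalence dir: register the directory
        # itself (suffix stripped).  It is reported only if more paths follow.
        if mp.endswith(suffix) and any(mp.startswith(e) for e in equiv_dirs):
            mdirs[mp[:-len(suffix)]] = []
    equiv = [m for m, below in mdirs.items() if below]

    write = self.fd.write
    domain = self.domainname
    # Troff escape was "\bP" (a bracket-building request), which renders as
    # garbage; "\fP" restores the previous font as intended.
    write(r"""
.SH FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
.PP
You can see the context of a file using the \fB\-Z\fP option to \fBls\fP
.PP
Policy governs the access confined processes have to these files.
SELinux %(domainname)s policy is very flexible allowing users to setup their %(domainname)s processes in as secure a method as possible.
.PP
""" % {'domainname': domain})

    if equiv:
        write(r"""
.PP
.B EQUIVALENCE DIRECTORIES
""")
        for e in equiv:
            write(r"""
.PP
%(domainname)s policy stores data with multiple different file context types under the %(equiv)s directory.
If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.
If you wanted to store this data under the /srv dirctory you would execute the following command:
.PP
.B semanage fcontext -a -e %(equiv)s /srv/%(alt)s
.br
.B restorecon -R -v /srv/%(alt)s
.PP
""" % {'domainname': domain, 'equiv': e, 'alt': e.split('/')[-1]})

    # The semanage and restorecon lines of the example must name the same
    # directory, otherwise the relabel never touches what was just labelled.
    # flist is non-empty here: mpaths only grows from types appended to it.
    write(r"""
.PP
.B STANDARD FILE CONTEXT
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
""" % {'domainname': domain, "type": flist[0]})

    write(r"""
.I The following file types are defined for %(domainname)s:
""" % {'domainname': domain})
    for f in flist:
        write("""
.EX
.PP
.B %s
.EE
- %s
""" % (f, sepolicy.get_description(f)))
        if f in self.fcdict:
            regexes = self.fcdict[f]["regex"]
            plural = "s" if len(regexes) > 1 else ""
            # NOTE(review): regexes are emitted verbatim into troff; a
            # backslash inside a regex is a troff escape — confirm rendering.
            write("""
.br
.TP 5
Path%s: %s""" % (plural, ", ".join(map(str, regexes))))

    write("""
.PP
Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
.B semanage fcontext
command.  This will modify the SELinux labeling database.  You will need to use
.B restorecon
to apply the labels.
""")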
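def _file_context(self):
    """Write the FILE CONTEXTS section of the man page to ``self.fd``.

    Collects the file types that belong to this domain (names starting with
    ``self.domainname``) together with their file-context regexes from
    ``self.fcdict``, derives the equivalence directories worth documenting,
    and emits the troff text.  The STANDARD FILE CONTEXT example is only
    written when at least one of the domain's types is not an executable
    entry-point type.  Returns ``None`` without writing anything when the
    domain has no registered regex paths.

    Reads ``self.all_file_types``, ``self.domainname``, ``self.fcdict``
    (``fcdict[type]["regex"]`` is a list of path regexes),
    ``self.exec_types`` and ``self.entry_types``.  Also uses the module-level
    ``equiv_dirs`` list and ``sepolicy.get_description`` — both are defined
    outside this method.
    """
    flist = []
    flist_non_exec = []
    mpaths = []
    for f in self.all_file_types:
        if not f.startswith(self.domainname):
            continue
        flist.append(f)
        # A type counts as "non-exec" unless it is both an exec type and an
        # entry type.
        if f not in self.exec_types or f not in self.entry_types:
            flist_non_exec.append(f)
        if f in self.fcdict:
            # extend() instead of list concatenation: no copy of mpaths per type
            mpaths.extend(self.fcdict[f]["regex"])
    if not mpaths:
        return
    mpaths.sort()

    # Equivalence directory -> regexes found below it.  Sorting first means a
    # directory's own "<dir>(/.*)?" entry is seen before the paths under it.
    suffix = '(/.*)?'
    mdirs = {}
    for mp in mpaths:
        parent = next((md for md in mdirs if mp.startswith(md)), None)
        if parent is not None:
            mdirs[parent].append(mp)
            continue
        # First path under a candidate equivalence dir: register the directory
        # itself (suffix stripped).  It is reported only if more paths follow.
        if mp.endswith(suffix) and any(mp.startswith(e) for e in equiv_dirs):
            mdirs[mp[:-len(suffix)]] = []
    equiv = [m for m, below in mdirs.items() if below]

    write = self.fd.write
    domain = self.domainname
    # Troff escape was "\bP" (a bracket-building request), which renders as
    # garbage; "\fP" restores the previous font as intended.
    write(r"""
.SH FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
.PP
You can see the context of a file using the \fB\-Z\fP option to \fBls\fP
.PP
Policy governs the access confined processes have to these files.
SELinux %(domainname)s policy is very flexible allowing users to setup their %(domainname)s processes in as secure a method as possible.
.PP
""" % {'domainname': domain})

    if equiv:
        write(r"""
.PP
.B EQUIVALENCE DIRECTORIES
""")
        for e in equiv:
            write(r"""
.PP
%(domainname)s policy stores data with multiple different file context types under the %(equiv)s directory.
If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.
If you wanted to store this data under the /srv dirctory you would execute the following command:
.PP
.B semanage fcontext -a -e %(equiv)s /srv/%(alt)s
.br
.B restorecon -R -v /srv/%(alt)s
.PP
""" % {'domainname': domain, 'equiv': e, 'alt': e.split('/')[-1]})

    if flist_non_exec:
        # The last non-exec type serves as the example for the semanage call.
        write(r"""
.PP
.B STANDARD FILE CONTEXT
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
""" % {'domainname': domain, "type": flist_non_exec[-1]})

    write(r"""
.I The following file types are defined for %(domainname)s:
""" % {'domainname': domain})
    for f in sorted(flist):
        write("""
.EX
.PP
.B %s
.EE
- %s
""" % (f, sepolicy.get_description(f)))
        if f in self.fcdict:
            regexes = self.fcdict[f]["regex"]
            plural = "s" if len(regexes) > 1 else ""
            # NOTE(review): regexes are emitted verbatim into troff; a
            # backslash inside a regex is a troff escape — confirm rendering.
            write("""
.br
.TP 5
Path%s: %s""" % (plural, ", ".join(map(str, regexes))))

    write("""
.PP
Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
.B semanage fcontext
command.  This will modify the SELinux labeling database.  You will need to use
.B restorecon
to apply the labels.
""")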