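    def _file_context(self):
        """Write the FILE CONTEXTS section of the man page to ``self.fd``.

        Gathers every type in ``self.all_file_types`` whose name starts with
        ``self.domainname`` together with the file-context regexes that
        ``self.fcdict`` records for it, then emits: an optional EQUIVALENCE
        DIRECTORIES subsection, a STANDARD FILE CONTEXT example, and one entry
        per type listing its labeled path(s).  Writes nothing and returns
        ``None`` when no regexes are known for any of the domain's types.

        Depends on the module-level name ``equiv_dirs`` (not visible here;
        presumably an iterable of directory prefixes eligible for equivalence
        mappings -- confirm) and on ``sepolicy.get_description``.
        """
        flist = []
        mpaths = []
        for f in self.all_file_types:
            if f.startswith(self.domainname):
                flist.append(f)
                if f in self.fcdict:
                    mpaths.extend(self.fcdict[f]["regex"])
        if not mpaths:
            return
        mpaths.sort()

        def _is_under(path, directory):
            # Path-boundary aware prefix test: "/var/lib/foobar" is not under
            # "/var/lib/foo".  Accepts the directory itself, a sub-path, or the
            # directory's own "<dir>(/.*)?" regex form.
            return path == directory or path.startswith((directory + "/", directory + "("))

        # Map each candidate equivalence directory (a regex "<prefix>/...(/.*)?"
        # with the trailing "(/.*)?" stripped) to the labeled paths beneath it.
        # mpaths is sorted, so a directory's regex is seen before its sub-paths.
        mdirs = {}
        suffix = '(/.*)?'
        for mp in mpaths:
            parent = next((md for md in mdirs if _is_under(mp, md)), None)
            if parent is not None:
                mdirs[parent].append(mp)
            elif mp.endswith(suffix) and mp.startswith(tuple(equiv_dirs)):
                mdirs[mp[:-len(suffix)]] = []

        # Only directories that actually hold other labeled paths are worth
        # documenting as equivalence candidates.
        equiv = [m for m, subs in mdirs.items() if subs]

        self.fd.write(r"""
.SH FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
.PP
You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
.PP
Policy governs the access confined processes have to these files.
SELinux %(domainname)s policy is very flexible allowing users to setup their %(domainname)s processes in as secure a method as possible.
.PP
""" % {'domainname': self.domainname})

        if equiv:
            self.fd.write(r"""
.PP
.B EQUIVALENCE DIRECTORIES
""")
            for e in equiv:
                self.fd.write(r"""
.PP
%(domainname)s policy stores data with multiple different file context types under the %(equiv)s directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv dirctory you would execute the following command:
.PP
.B semanage fcontext -a -e %(equiv)s /srv/%(alt)s
.br
.B restorecon -R -v /srv/%(alt)s
.PP
""" % {
                    'domainname': self.domainname,
                    'equiv': e,
                    # Last path component of the equivalence directory.
                    'alt': e.split('/')[-1],
                })

        # flist is non-empty here: mpaths is only populated from flist members.
        self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT

SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.

.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.
""" % {
            'domainname': self.domainname,
            "type": flist[0],
        })

        self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
""" % {'domainname': self.domainname})
        for f in flist:
            self.fd.write("""

.EX
.PP
.B %s
.EE

- %s
""" % (f, sepolicy.get_description(f)))

            # Every labeled type lists its path(s); previously the "Path" block
            # was only written for types with more than one regex, which left
            # single-path types without any path and made ``plural = ""`` dead.
            if f in self.fcdict and self.fcdict[f]["regex"]:
                regexes = self.fcdict[f]["regex"]
                plural = "s" if len(regexes) > 1 else ""
                self.fd.write("""
.br
.TP 5
Path%s:
%s""" % (plural, regexes[0]))
                for x in regexes[1:]:
                    self.fd.write(", %s" % x)

        self.fd.write("""

.PP
Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
.B semanage fcontext
command.  This will modify the SELinux labeling database.  You will need to use
.B restorecon
to apply the labels.
""")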
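    def _file_context(self):
        """Write the FILE CONTEXTS section of the man page to ``self.fd``.

        Gathers every type in ``self.all_file_types`` whose name starts with
        ``self.domainname`` together with the file-context regexes that
        ``self.fcdict`` records for it, then emits: an optional EQUIVALENCE
        DIRECTORIES subsection, a STANDARD FILE CONTEXT example (only when at
        least one non-exec type exists, using the last such type as the
        example), and one entry per type, in sorted order, listing its labeled
        path(s).  Writes nothing and returns ``None`` when no regexes are
        known for any of the domain's types.

        Depends on the module-level name ``equiv_dirs`` (not visible here;
        presumably an iterable of directory prefixes eligible for equivalence
        mappings -- confirm) and on ``sepolicy.get_description``.
        """
        flist = []
        flist_non_exec = []
        mpaths = []
        for f in self.all_file_types:
            if f.startswith(self.domainname):
                flist.append(f)
                # NOTE(review): a type is treated as "non-exec" unless it is in
                # BOTH exec_types and entry_types; kept as the original wrote it.
                if f not in self.exec_types or f not in self.entry_types:
                    flist_non_exec.append(f)
                if f in self.fcdict:
                    mpaths.extend(self.fcdict[f]["regex"])
        if not mpaths:
            return
        mpaths.sort()

        def _is_under(path, directory):
            # Path-boundary aware prefix test: "/var/lib/foobar" is not under
            # "/var/lib/foo".  Accepts the directory itself, a sub-path, or the
            # directory's own "<dir>(/.*)?" regex form.
            return path == directory or path.startswith((directory + "/", directory + "("))

        # Map each candidate equivalence directory (a regex "<prefix>/...(/.*)?"
        # with the trailing "(/.*)?" stripped) to the labeled paths beneath it.
        # mpaths is sorted, so a directory's regex is seen before its sub-paths.
        mdirs = {}
        suffix = '(/.*)?'
        for mp in mpaths:
            parent = next((md for md in mdirs if _is_under(mp, md)), None)
            if parent is not None:
                mdirs[parent].append(mp)
            elif mp.endswith(suffix) and mp.startswith(tuple(equiv_dirs)):
                mdirs[mp[:-len(suffix)]] = []

        # Only directories that actually hold other labeled paths are worth
        # documenting as equivalence candidates.
        equiv = [m for m, subs in mdirs.items() if subs]

        self.fd.write(r"""
.SH FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
.PP
You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
.PP
Policy governs the access confined processes have to these files.
SELinux %(domainname)s policy is very flexible allowing users to setup their %(domainname)s processes in as secure a method as possible.
.PP
""" % {'domainname': self.domainname})

        if equiv:
            self.fd.write(r"""
.PP
.B EQUIVALENCE DIRECTORIES
""")
            for e in equiv:
                self.fd.write(r"""
.PP
%(domainname)s policy stores data with multiple different file context types under the %(equiv)s directory.  If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping.  If you wanted to store this data under the /srv dirctory you would execute the following command:
.PP
.B semanage fcontext -a -e %(equiv)s /srv/%(alt)s
.br
.B restorecon -R -v /srv/%(alt)s
.PP
""" % {
                    'domainname': self.domainname,
                    'equiv': e,
                    # Last path component of the equivalence directory.
                    'alt': e.split('/')[-1],
                })

        if flist_non_exec:
            self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT

SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.

.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.
""" % {'domainname': self.domainname, "type": flist_non_exec[-1]})

        self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
""" % {'domainname': self.domainname})
        for f in sorted(flist):
            self.fd.write("""

.EX
.PP
.B %s
.EE

- %s
""" % (f, sepolicy.get_description(f)))

            # Every labeled type lists its path(s); previously the "Path" block
            # was only written for types with more than one regex, which left
            # single-path types without any path and made ``plural = ""`` dead.
            if f in self.fcdict and self.fcdict[f]["regex"]:
                regexes = self.fcdict[f]["regex"]
                plural = "s" if len(regexes) > 1 else ""
                self.fd.write("""
.br
.TP 5
Path%s:
%s""" % (plural, regexes[0]))
                for x in regexes[1:]:
                    self.fd.write(", %s" % x)

        self.fd.write("""

.PP
Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
.B semanage fcontext
command.  This will modify the SELinux labeling database.  You will need to use
.B restorecon
to apply the labels.
""")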