Overview
By the end of this article you should be able to answer the following questions:
$ sepolicy manpage -a -p /usr/share/man/man8
$ mandb
$ man -k "_selinux"
So far we saw that the (targeted) policy dictates what security label each and every object should have, and that it stores all the policy rules, i.e. which objects can access other objects based on their security labels.
Another thing you might want to do is find out what a security label actually means. There are lots of man pages that hold this info. These man pages aren’t loaded in by default; to load them in, you need to use the sepolicy tool.
$ whatis sepolicy
sepolicy (8) - SELinux Policy Inspection tool
First we run the following command (need to memorize this):
$ sepolicy manpage -a -p /usr/share/man/man8
Then run mandb to update the man pages and add in the new pages:
$ mandb
Finally you can view all the newly added SELinux man pages like this:
$ man -k "_selinux"
abrt_dump_oops_selinux (8) - Security Enhanced Linux Policy for the abrt_dump_oops processes
abrt_handle_event_selinux (8) - Security Enhanced Linux Policy for the abrt_handle_event processes
abrt_helper_selinux (8) - Security Enhanced Linux Policy for the abrt_helper processes
abrt_retrace_coredump_selinux (8) - Security Enhanced Linux Policy for the abrt_retrace_coredump processes
abrt_retrace_worker_selinux (8) - Security Enhanced Linux Policy for the abrt_retrace_worker processes
abrt_selinux (8) - Security Enhanced Linux Policy for the abrt processes
...etc.
There is quite a lot!
These man pages are quite comprehensive: detailed info about various security contexts and booleans is available here.
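To go from a label you see on a file or process to the page that explains it, the `man -k "_selinux"` listing can be searched by type name. The following is an added example, not part of the original article. It assumes, as a heuristic, that a type is documented in the page whose domain name is the longest prefix of that type. The function names and sample contexts are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `man -k "_selinux"` output (lines as in the listing above).
SAMPLE_INDEX='abrt_dump_oops_selinux (8) - Security Enhanced Linux Policy for the abrt_dump_oops processes
abrt_handle_event_selinux (8) - Security Enhanced Linux Policy for the abrt_handle_event processes
abrt_helper_selinux (8) - Security Enhanced Linux Policy for the abrt_helper processes
abrt_selinux (8) - Security Enhanced Linux Policy for the abrt processes'

# context_type CONTEXT
# Print the type field of a label written as user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }'
}

# selinux_page_for CONTEXT [INDEX]
# Print the *_selinux page most likely to document the type in CONTEXT.
# INDEX is `man -k` style text; when omitted, the live man database is queried.
# Returns non-zero if the context is malformed or no page matches.
selinux_page_for() {
    ctx_type=$(context_type "$1")
    [ -n "$ctx_type" ] || return 1
    index=${2-$(man -k _selinux 2>/dev/null)}
    printf '%s\n' "$index" | awk -v t="$ctx_type" '
        {
            name = $1
            sub(/\(.*/, "", name)        # tolerate "name(8)" with no space
            if (name !~ /_selinux$/) next
            dom = name
            sub(/_selinux$/, "", dom)
            # Heuristic (assumption): the type starts with "<domain>_";
            # among all matching domains keep the longest one.
            if (index(t, dom "_") == 1 && length(dom) > length(best)) best = dom
        }
        END { if (best == "") exit 1; print best "_selinux" }'
}
```

Once the pages have been generated and `mandb` has run, calling `selinux_page_for` with only a context uses the real index, and the printed name can be passed straight to `man 8`.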