SELinux – SELinux extended man pages

Overview

By the end of this article you should be able to answer the following questions:


What is the command to load in SELinux specific man pages?

$ sepolicy manpage -a -p /usr/share/man/man8

What is the command you then need to run?

$ mandb

What is the command to view all the newly available man pages?

$ man -k "_selinux"


So far we have seen that the (targeted) policy dictates what security label each and every object should have, and that it stores all the policy rules, i.e. which objects can access other objects based on their security labels.

Another thing you might want to do is find out what a security label actually means. There are lots of man pages that hold this information. These man pages aren't loaded in by default; to load them in, you need to use the sepolicy tool.

$ whatis sepolicy
sepolicy (8)         - SELinux Policy Inspection tool

First we run the following command (you need to memorize this):

$ sepolicy manpage -a -p /usr/share/man/man8

Then run mandb to update the man pages and add in the new pages:

$ mandb

Finally you can view all the newly added SELinux man pages like this:

$ man -k "_selinux" 
abrt_dump_oops_selinux (8) - Security Enhanced Linux Policy for the abrt_dump_oops processes
abrt_handle_event_selinux (8) - Security Enhanced Linux Policy for the abrt_handle_event processes
abrt_helper_selinux (8) - Security Enhanced Linux Policy for the abrt_helper processes
abrt_retrace_coredump_selinux (8) - Security Enhanced Linux Policy for the abrt_retrace_coredump processes
abrt_retrace_worker_selinux (8) - Security Enhanced Linux Policy for the abrt_retrace_worker processes
abrt_selinux (8)     - Security Enhanced Linux Policy for the abrt processes
.
.
.
...etc.

There is quite a lot!

These man pages are quite comprehensive: detailed information about the various security contexts and booleans is available in them.
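
To go from a label seen in ps -eZ or ls -Z output to the page that explains it, the following script (an added example, not part of the original article) picks the matching *_selinux page by longest name prefix. The prefix rule is a heuristic assumption, and the page list and contexts in it are constructed samples.

```shell
#!/bin/sh
# Added example: find the generated *_selinux man page for an SELinux context.
# Assumption (heuristic): a type such as httpd_sys_content_t is documented in
# the page of its longest matching name prefix, here httpd_selinux.

# Reduce `man -k "_selinux"` output to bare page names (first column).
page_names() {
    awk '$1 ~ /_selinux$/ { print $1 }'
}

# $1 = full context (user:role:type[:level]) or a bare type
# $2 = newline-separated page names; prints the page, returns 1 if none fits
selinux_page_for() {
    setype=$(printf '%s\n' "$1" | awk -F: '{ print ((NF >= 3) ? $3 : $1) }')
    stem=${setype%_t}
    while [ -n "$stem" ]; do
        if printf '%s\n' "$2" | grep -qxF "${stem}_selinux"; then
            printf '%s\n' "${stem}_selinux"
            return 0
        fi
        case $stem in
            *_*) stem=${stem%_*} ;;   # drop the last _component and retry
            *)   return 1 ;;
        esac
    done
    return 1
}

# Constructed sample of `man -k "_selinux"` output so the script runs offline.
SAMPLE_APROPOS='abrt_helper_selinux (8) - Security Enhanced Linux Policy for the abrt_helper processes
abrt_selinux (8)     - Security Enhanced Linux Policy for the abrt processes
httpd_selinux (8)    - Security Enhanced Linux Policy for the httpd processes'
SAMPLE_PAGES=$(printf '%s\n' "$SAMPLE_APROPOS" | page_names)
# On a real system use: SAMPLE_PAGES=$(man -k "_selinux" | page_names)

# Constructed contexts, in the form printed by `ps -eZ` and `ls -Z`.
for ctx in system_u:system_r:httpd_t:s0 \
           unconfined_u:object_r:httpd_sys_content_t:s0 \
           system_u:system_r:abrt_helper_t:s0 \
           system_u:object_r:etc_t:s0; do
    if page=$(selinux_page_for "$ctx" "$SAMPLE_PAGES"); then
        echo "$ctx -> man 8 $page"
    else
        echo "$ctx -> no matching page in the list"
    fi
done
```

A context that matches no page (etc_t in the sample) usually means the type is not tied to a single confined domain, or that the pages have not been generated and indexed yet.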