Bug 119824 - Man pages are missing SELinux information
Product: Fedora
Classification: Fedora
Component: man-pages
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Ivana Varekova
Ben Levenson
Keywords: FutureFeature
Duplicates: 120310
Reported: 2004-04-02 09:42 EST by James Morris
Modified: 2007-11-30 17:10 EST (History)
Doc Type: Enhancement
Last Closed: 2006-01-09 07:52:08 EST
Description James Morris 2004-04-02 09:42:33 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007

Description of problem:
Many/most of the man pages for apps and utilities which are impacted
by SELinux do not mention SELinux.  e.g. su(1) should describe the
SELinux semantics associated with the utility. There are many other
utils affected by SELinux and it all needs to be documented in their
man pages.

Also, I've submitted man page text for mount(8) several times, and it
does not seem to have been incorporated.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. man su

Actual Results:  No information on SELinux semantics.

Expected Results:  As described above.

Additional info:
Comment 4 James Morris 2004-04-02 19:03:13 EST
Here is the SELinux specific information for mount(8):

SELinux Mount Options

When SELinux is enabled in the kernel, the following mount options
may be used:

  Label the entire filesystem with the specified security context during
  mount and change the labeling behavior to 'mountpoint labeling'.  The 
  /proc/self/attr/fscreate attribute will be ignored for file creation on 
  the filesystem, although policy-specified transitions will still work 
  normally.  This also sets the aggregate filesystem security context.

  Set the label of the aggregate filesystem to the specified security 
  context. SELinux policy controls over the filesystem itself will use
  this value.  Only valid for filesystems with EA labeling support,   
  and is not valid if 'context' has been specified.

  Set the default security context for files created in this filesystem to
  the specified security context (as opposed to the current global
  default).  Only works for filesystems with EA labeling support, and
  is not valid if 'context' has been specified.

To set the context or fscontext options, the security policy must specify
appropriate permissions for the filesystem relabelfrom and filesystem
relabelto controls.  For the defcontext option, the filesystem relabelfrom
and filesystem associate controls are invoked.

The security mount options are parsed out and stripped from the normal 
mount option data so that no normal filesystems need to be aware of them.


This needs to be upstreamed.

The behavior of other utilities under SELinux needs to be documented,
but I am not the person who should be managing this.
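
The stripping step and the validity rules from the mount(8) text in Comment 4, sketched as an added example that is not part of the bug report and is not kernel or util-linux code. Keeping commas inside double quotes and rejecting a repeated option are assumptions of this example, and the option strings and contexts are constructed samples.

```python
# Added illustration: not kernel, libselinux or util-linux code.
SECURITY_OPTS = ("context", "fscontext", "defcontext")  # names used in the text above


def split_options(data):
    """Split on commas, but keep commas that sit inside double quotes (assumption)."""
    parts, cur, quoted = [], [], False
    for ch in data:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if quoted:
        raise ValueError("unterminated quote in mount options")
    parts.append("".join(cur))
    return [p for p in parts if p]


def strip_security_options(data):
    """Return (security options dict, option string left for the filesystem)."""
    sec, rest = {}, []
    for opt in split_options(data):
        name, _, value = opt.partition("=")
        if name not in SECURITY_OPTS:
            rest.append(opt)  # normal option: passed through untouched
            continue
        value = value.strip('"')
        if not value:
            raise ValueError(name + " requires a security context")
        if name in sec:  # assumption of this example, not stated in the text
            raise ValueError(name + " given more than once")
        sec[name] = value
    # Rule from the text: fscontext and defcontext are not valid with 'context'.
    if "context" in sec and len(sec) > 1:
        raise ValueError("fscontext/defcontext cannot be combined with context")
    return sec, ",".join(rest)


if __name__ == "__main__":
    # Constructed sample option strings; the contexts are placeholders.
    for sample in ('ro,context="system_u:object_r:removable_t",noexec',
                   "fscontext=system_u:object_r:fs_t,defcontext=system_u:object_r:file_t,rw",
                   "context=system_u:object_r:removable_t,defcontext=system_u:object_r:file_t"):
        try:
            print(sample, "->", strip_security_options(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```
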
Comment 6 Eido Inoue 2004-04-16 10:19:39 EDT
*** Bug 120310 has been marked as a duplicate of this bug. ***
Comment 7 Phil Schaffner 2004-04-19 10:50:24 EDT
This bug does not seem to cover quite the same territory as 120310.
It addresses the need to add SELinux information to existing man
pages, but the point of 120310 was the lack of any man pages for the
majority of SELinux commands.

From 120310:

Description of problem:
There are many selinux-related commands (e.g. change_bool, compute_av,
compute_create, compute_relabel, compute_user, deftype, execcon,
getcon, getconlist, getenforce, getfilecon, getpidcon, matchpathcon,
mkdircon, policyvers, selinuxenabled, setenforce, setfilecon,
show_bools, fixfiles, load_policy), not to mention "selinux" that are
not documented in man pages.

Version-Release number of selected component (if applicable):
libselinux-1.9-1, policycoreutils-1.9.2-1

How reproducible:

Steps to Reproduce:
1. man setenforce [etc.]

Actual Results:  No manual entry for setenforce [etc.]

Expected Results:  Display man page[s]

Comment 8 Ivana Varekova 2005-08-08 10:41:12 EDT
A lot of new man pages (including most of those mentioned in the previous comment)
were added to the current libselinux (libselinux-devel-1.24.2-1, libselinux-1.24.2-1)
and policycoreutils (policycoreutils-1.25.4-1) packages.
Could you please test this version and attach a comment if there is any
problem? Thank you.
Comment 9 Ivana Varekova 2006-01-09 07:52:08 EST
No response from reporter, I'm closing this bug.
If there is any problem, please reopen this bug.
